You Shall Not (by)Pass! Practical, Secure, and Fast PKU-based Sandboxing
Invited talk: Alexios Voulimeneas presented "You Shall Not (by)Pass! Practical, Secure, and Fast PKU-based Sandboxing" (Eurosys'22) in visio the 1/12/2022 at 14h00.
Memory Protection Keys for Userspace (PKU) is a recent hardware feature that allows programs to assign virtual memory pages to protection domains, and to change domain access permissions using inexpensive, unprivileged instructions. Several in-process memory isolation approaches leverage this feature to prevent untrusted code from accessing sensitive program state and data. Typically, PKU-based isolation schemes need to be used in conjunction with mitigations such as CFI because untrusted code, when compromised, can otherwise bypass the PKU access permissions using unprivileged instructions or operating system APIs. Recently, researchers proposed fully self-contained PKU-based memory isolation schemes that do not rely on other mitigations. These systems use exploit-proof call gates to transfer control between trusted and untrusted code, as well as a sandbox that prevents tampering with the PKU infrastructure from untrusted code. In this paper, we show that these solutions are not complete. We first develop two proof-of-concept attacks against a state-of-the-art PKU-based memory isolation scheme. We then present Cerberus, a PKU-based sandboxing framework that can overcome limitations of existing sandboxes. We apply Cerberus to several memory isolation schemes, and show that it is practical, efficient, and secure.
Since 2020, I am a Postdoctoral Scholar in the imec-DistriNet research group at KU Leuven’s Technology Campus in Ghent, Belgium. My specific research interests are in systems security, operating systems, computer networks, and distributed systems. I have a keen interest in software diversity, sandboxing, compartmentalization, hardware-enforced security, debugging, and application monitoring and replication. Before joining KU Leuven, I spent five amazing years in Professor Michael Franz’s Secure Systems Lab at the Donald Bren School of Information and Computer Science at UC Irvine. I obtained my PhD degree from UC Irvine in 2020. In my PhD thesis, I proposed new techniques to improve the security and performance of N-Variant eXecution (NVX) systems.Before that, I completed my undergraduate studies at Athens University of Economics and Business/Department of Informatics, Greece. I have also done internships at Oracle Labs and Apple.