Projekte pro Jahr
Abstract
Efficient cloud computing relies on in-process isolation to optimize performance by running workloads within a single process. Without heavy-weight process isolation, memory safety errors pose a significant security threat by allowing an adversary to extract or corrupt the private data of other co-located tenants. Existing in-process isolation mechanisms are not suitable for modern cloud requirements, e.g., MPK’s 16 protection domains are insufficient to isolate thousands of cloud workers per process. Consequently, cloud service providers have a strong need for lightweight in-process isolation on commodity x86 machines.
This paper presents TME-Box, a novel isolation technique that enables fine-grained and scalable sandboxing on commodity x86 CPUs. By repurposing Intel TME-MK, which is intended for the encryption of virtual machines, TME-Box offers lightweight and efficient in-process isolation. TME-Box enforces that sandboxes use their designated encryption keys for memory interactions through compiler instrumentation. This cryptographic isolation enables fine-grained access control, from single cache lines to full pages, and supports flexible data relocation. In addition, the design of TME-Box allows the efficient isolation of up to 32K concurrent sandboxes. We present a performance-optimized TME-Box prototype, utilizing x86 segment-based addressing, that showcases geomean performance overheads of 5.2 % for data isolation and 9.7 % for code and data isolation, evaluated with the SPEC CPU2017 benchmark suite.
This paper presents TME-Box, a novel isolation technique that enables fine-grained and scalable sandboxing on commodity x86 CPUs. By repurposing Intel TME-MK, which is intended for the encryption of virtual machines, TME-Box offers lightweight and efficient in-process isolation. TME-Box enforces that sandboxes use their designated encryption keys for memory interactions through compiler instrumentation. This cryptographic isolation enables fine-grained access control, from single cache lines to full pages, and supports flexible data relocation. In addition, the design of TME-Box allows the efficient isolation of up to 32K concurrent sandboxes. We present a performance-optimized TME-Box prototype, utilizing x86 segment-based addressing, that showcases geomean performance overheads of 5.2 % for data isolation and 9.7 % for code and data isolation, evaluated with the SPEC CPU2017 benchmark suite.
Originalsprache | englisch |
---|---|
Titel | Network and Distributed System Security (NDSS) Symposium 2025 |
DOIs | |
Publikationsstatus | Angenommen/In Druck - 2025 |
Veranstaltung | Network and Distributed System Security Symposium 2025: NDSS 2025 - San Diego, USA / Vereinigte Staaten Dauer: 23 Feb. 2025 → 28 Feb. 2025 https://www.ndss-symposium.org/ndss2025/ |
Konferenz
Konferenz | Network and Distributed System Security Symposium 2025 |
---|---|
Kurztitel | NDSS 2025 |
Land/Gebiet | USA / Vereinigte Staaten |
Ort | San Diego |
Zeitraum | 23/02/25 → 28/02/25 |
Internetadresse |
Fingerprint
Untersuchen Sie die Forschungsthemen von „TME-Box: Scalable In-Process Isolation through Intel TME-MK Memory Encryption“. Zusammen bilden sie einen einzigartigen Fingerprint.-
AWARE - Hardware-gewährleistete Softwaresicherheit
Mangard, S. (Teilnehmer (Co-Investigator))
1/05/22 → 30/04/25
Projekt: Forschungsprojekt
-
SEIZE - Secure Edge-Geräte für industrielle Zero-Trust Umgebungen
Mangard, S. (Teilnehmer (Co-Investigator))
1/01/22 → 31/12/24
Projekt: Forschungsprojekt