FatPTE - Expanding Page Table Entries for Security

Research output: Chapter in Book/Report/Conference proceeding, Conference paper, peer-review

Abstract

Modern computing systems have a strong need for security and require protection against attacks such as control-flow hijacking, information leakage, or data manipulation. As a solution, academia and industry propose essential security technologies operating on page granularity. Through metadata bits located in page table entries (PTEs), these technologies provide security with high efficiency. While PTE bits allow for highly efficient implementations, the reliance on spare bits is not future-proof. Due to the steady increase in memory capacity and the introduction of new security features, the spare bits are exhausted. Thus, the implementation of new features is impossible while the security of existing features is severely limited. In this work we introduce FatPTE, a novel approach that enhances page table entries with dedicated metadata regions for security features. Our design provides up to 192 metadata bits, thus far exceeding the 7 reserved bits of x86-64 and RISC-V. We perform a case study on academic and commercial PTE-based control-flow integrity, memory protection, and confidential computing features. Our findings show that FatPTE easily accommodates all bits needed by the considered features, thus highlighting the practical relevance of our design. We implement an x86-64 prototype using the gem5 system simulator as well as a RISC-V FPGA prototype using the CORE-V CVA6 processor. We evaluate FatPTE in four configurations derived from the requirements identified in our case study. Our evaluation using SPEC CPU 2017 workloads yields a geomean performance overhead of 0.21% to 1.34% for the gem5 simulator and 0.51% to 1.99% for the FPGA prototype.
Original language: English
Title of host publication: Proceedings of the 20th International Conference on Availability, Reliability and Security, ARES 2025
Publication status: E-pub ahead of print - 2025
Event: 20th International Conference on Availability, Reliability and Security, ARES 2025 - Ghent, Belgium
Duration: 11 Aug 2025 to 14 Aug 2025

Conference

Conference: 20th International Conference on Availability, Reliability and Security, ARES 2025
Abbreviated title: ARES 2025
Country/Territory: Belgium
City: Ghent
Period: 11/08/25 to 14/08/25
