CR, Nov 21, 2021

Domain Page-Table Isolation

arXiv:2111.10876v1 (1 citation)
Originality Highly original
AI Analysis

DPTI addresses the need for efficient hardware-enforced isolation in applications with multiple security domains, offering a practical solution for systems that require fine-grained security without hardware modifications.

The paper tackled the problem of isolating security domains in applications without specialized hardware by proposing Domain Page-Table Isolation (DPTI), which uses memory freezing and stashing to achieve faster syscall filtering (outperforming seccomp-bpf) and more efficient SGX enclave confinement (outperforming existing solutions by 14.6%-22%).

Modern applications often consist of different security domains that require isolation from each other. While several solutions exist, most of them rely on specialized hardware, hardware extensions, or require less-efficient software instrumentation of the application. In this paper, we propose Domain Page-Table Isolation (DPTI), a novel mechanism for hardware-enforced security domains that can be readily used on commodity off-the-shelf CPUs. DPTI uses two novel techniques for dynamic, time-limited changes to the memory isolation at security-critical points, called memory freezing and stashing. We demonstrate the versatility and efficacy of DPTI in two scenarios: First, DPTI freezes or stashes memory to support faster and more fine-grained syscall filtering than state-of-the-art seccomp-bpf. With the provided memory safety guarantees, DPTI can even securely support deep argument filtering, such as string comparisons. Second, DPTI freezes or stashes memory to efficiently confine potentially untrusted SGX enclaves, outperforming existing solutions by 14.6%-22% while providing the same security guarantees. Our results show that DPTI is a viable mechanism to isolate domains within applications using only existing mechanisms available on modern CPUs, without relying on special hardware instructions or extensions.
