{"title":"ThreadLock: Native Principal Isolation Through Memory Protection Keys","authors":"William Blair, Wil Robertson, Manuel Egele","doi":"10.1145/3579856.3595797","DOIUrl":null,"url":null,"abstract":"Inter-process isolation has been deployed in operating systems for decades, but secure intra-process isolation remains an active research topic. Achieving secure intra-process isolation within an operating system process is notoriously difficult. However, viable solutions that securely consolidate workloads into the same process have the potential to be extremely valuable. In this work, we present native principal isolation, a technique to restrict threads’ access to process memory by enforcing intra-process security policies defined over a program’s application binary interface (ABI). A separate memory protection mechanism then enforces these policies. We present ThreadLock, a system that enforces native principal isolation policies using memory protection keys (MPKs) present on recent Intel CPUs. We demonstrate that ThreadLock efficiently restricts access to both thread-local data and sensitive information present in real workloads. We show how ThreadLock protects data within 3 real world applications, including the Apache web server, Redis in-memory data store, and MySQL relational database management system (RDBMS) with little performance overhead (+1.06% in the worst case). Furthermore, we show ThreadLock stops real world attacks against these popular programs. Our results show that native principal isolation is expressive enough to define effective intra-process security policies for real programs and that these policies may be enforced using MPKs without requiring any change to a program’s source or binary.","PeriodicalId":156082,"journal":{"name":"Proceedings of the 2023 ACM Asia Conference on Computer and Communications Security","volume":"7 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2023-07-10","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Proceedings of the 2023 ACM Asia Conference on Computer and Communications Security","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/3579856.3595797","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}