CETIS: Retrofitting Intel CET for Generic and Efficient Intra-process Memory Isolation

Xie，Mengyao1; Wu，Chenggang1,2; Zhang，Yinqian3; Xu，Jiali1; Lai，Yuanming1; Kang，Yan1; Wang，Wei1; Wang，Zhe2,4

10.1145/3548606.3559344

2022-11-07

1543-7221

Proceedings of the ACM Conference on Computer and Communications Security

2989-3002

Intel control-flow enforcement technology (CET) is a new hardware feature available in recent Intel processors. It supports the coarse-grained control-flow integrity for software to defeat memory corruption attacks. In this paper, we retrofit CET, particularly the write-protected shadow pages of CET used for implementing shadow stacks, to develop a generic and efficient intra-process memory isolation mechanism, dubbed CETIS. To provide user-friendly interfaces, a CETIS framework was developed, which provides memory file abstraction for the isolated memory regions and a set of APIs to access said regions. CETIS also comes with a compiler-assisted tool chain for users to build secure applications easily. The practicality of using CETIS to protect CPI, CFIXX, and JIT-compilers was demonstrated, and the evaluation reveals that CETIS is performed better than state-of-the-art intra-memory isolation mechanisms, such as MPK.

intel cet intra-process memory isolation memory file abstraction

其他

英语

2-s2.0-85143051818

Scopus

1.Sklp,Institute of Computing Technology,Cas,University of Chinese Academy of Sciences,Beijing,China
2.Zhongguancun Laboratory,Beijing,China
3.Department of Computer Science and Engineering,SUSTech Research Institute of Trustworthy Autonomous Systems,SUSTech,Shenzhen,China
4.Sklp,Institute of Computing Technology,Cas,Beijing,China

Xie，Mengyao,Wu，Chenggang,Zhang，Yinqian,et al. CETIS: Retrofitting Intel CET for Generic and Efficient Intra-process Memory Isolation[C],2022:2989-3002.