Efficient Sealable Protection Keys for RISC-V

Abstract

This paper proposes SealPK, an efficient hardware-assisted intra-process isolation mechanism for the RISC-V open ISA, designed to overcome limitations found in modern processors like Intel MPK. SealPK dramatically expands domain capacity to 1024 unique domains and prevents the critical protection key use-after-free vulnerability using a lazy de-allocation approach. To further enhance security, the technique incorporates three novel sealing features that prevent tampering with allocated domains, associated pages, and their permissions.

Report

Key Highlights

  • Introduction of SealPK: A novel, efficient hardware-assisted intra-process isolation mechanism designed specifically for the RISC-V open Instruction Set Architecture (ISA).
  • Expanded Domain Capacity: Supports up to 1024 unique isolation domains, significantly exceeding the 16 domains provided by Intel Memory Protection Keys (MPK).
  • Security Fixes: Prevents the critical protection key use-after-free vulnerability common in existing systems by utilizing a lazy de-allocation strategy.
  • Novel Sealing Features: Includes three innovative sealing mechanisms to protect allocated domains, their associated pages, and granted permissions from unauthorized modification or tampering.
  • Feasibility Demonstrated: SealPK was implemented on a RISC-V Rocket processor, integrated with necessary OS support, and prototyped on an FPGA.

Technical Details

  • Architecture Target: RISC-V architecture.
  • Mechanism Name: SealPK (Sealable Protection Keys).
  • Comparison Point: Addresses two shortcomings of existing designs: the reliance on costly kernel operations for domain management (as in the protection-key schemes of ARM and IBM Power) and the 16-domain limit and protection-key use-after-free flaw of Intel MPK.
  • Domain Capacity: Supports 1024 unique domains, catering to software requiring many isolation boundaries (e.g., OpenSSL).
  • Vulnerability Mitigation: Protection key use-after-free is addressed via a lazy de-allocation approach.
  • Sealing Functionality: Three novel features protect against modification of (1) allocated domains, (2) memory pages linked to domains, and (3) the permissions associated with those domains.
  • Validation: Implementation included modifications to the RISC-V Rocket processor and operating system support, demonstrated using an isolated shadow stack on an FPGA prototype.
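As an added illustration of the protection-key use-after-free and the lazy de-allocation fix listed above, the following constructed toy model (example code, not SealPK's hardware design or the paper's own code) tracks which pages still carry a freed key; the pool size, page tags and helper names are assumptions for the example.

```c
#include <stdbool.h>
/* Constructed toy model of a protection-key allocator (added example, not
 * SealPK's design). Each page carries a key tag; freeing a key while pages
 * still carry it is the protection-key use-after-free the paper targets. */
#define NKEYS  4
#define NPAGES 4
typedef struct {
    bool in_use[NKEYS];    /* key owned by a live domain                   */
    bool held[NKEYS];      /* freed, but pages still tagged with it (lazy) */
    int  page_key[NPAGES]; /* key tag per page, -1 = untagged              */
    bool lazy;             /* lazy de-allocation enabled                   */
} pk_state;
#define PK_INIT(l) { .lazy = (l), .page_key = { -1, -1, -1, -1 } }
static int pk_refs(const pk_state *s, int key) {      /* pages tagged key */
    int n = 0;
    for (int p = 0; p < NPAGES; p++) n += (s->page_key[p] == key);
    return n;
}
static int pk_alloc(pk_state *s) {                    /* lowest free key */
    for (int k = 0; k < NKEYS; k++)
        if (!s->in_use[k] && !s->held[k]) { s->in_use[k] = true; return k; }
    return -1;                                         /* pool exhausted */
}
static void pk_free(pk_state *s, int key) {
    s->in_use[key] = false;
    /* eager: key is reusable at once although pages still carry it;
     * lazy:  hold it back until the last tagged page is released */
    if (s->lazy && pk_refs(s, key) > 0) s->held[key] = true;
}
static void pk_untag(pk_state *s, int page) {
    int key = s->page_key[page];
    s->page_key[page] = -1;
    if (key >= 0 && s->held[key] && pk_refs(s, key) == 0) s->held[key] = false;
}

/* Domain A tags two pages, frees its key without untagging them, domain B
 * then allocates. Returns how many of A's stale pages B's key now covers:
 * 2 with eager reuse (the use-after-free), 0 with lazy de-allocation. */
int stale_pages_after_reuse(bool lazy) {
    pk_state s = PK_INIT(lazy);
    int ka = pk_alloc(&s); s.page_key[0] = s.page_key[1] = ka;
    pk_free(&s, ka);
    return pk_refs(&s, pk_alloc(&s));
}
/* Lazy mode: the held key re-enters the pool only once its last page is
 * untagged. Returns the key the next allocation receives (0, ka again). */
int key_after_untag(void) {
    pk_state s = PK_INIT(true);
    int ka = pk_alloc(&s); s.page_key[0] = s.page_key[1] = ka;
    pk_free(&s, ka); pk_untag(&s, 0); pk_untag(&s, 1);
    return pk_alloc(&s);
}
```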

Implications

  • Strengthened RISC-V Security: Provides the RISC-V ecosystem with a robust, high-capacity, and secure hardware primitive for memory isolation, facilitating the development of trusted software components.
  • Enabling Complex Use Cases: The expansion from 16 to 1024 domains lets applications that need many isolation boundaries, previously impractical under Intel MPK's limit, use hardware protection keys effectively.
  • Efficient Context Switching: Allows user-space processes to manage isolation efficiently without incurring the performance penalty associated with frequent kernel mode switches.
  • Open Hardware Security: Offers a standardized and open-source approach to memory protection key technology for RISC-V that inherently addresses known security flaws (like use-after-free) present in closed-source commercial alternatives.