A Least-Privilege Memory Protection Model for Modern Hardware

by Reto Achermann et al.

We present a new least-privilege-based model of addressing on which to base memory management functionality in an OS for modern computers such as phones or server-based accelerators. Existing software assumptions do not account for heterogeneous cores with different views of the address space, leading to two related problems: numerous security bugs in memory management code (for example, code programming IOMMUs), and an inability of mainstream OSes to securely manage the complete set of hardware resources on, say, a phone System-on-Chip. Our new work is based on a recent formal model of address translation hardware which views the machine as a configurable network of address spaces. We refine this model to capture existing address translation hardware from modern SoCs and accelerators at a granularity fine enough to express minimal rights both to access memory and to configure translation hardware. We then build an executable specification in Haskell, which expresses the model and its metadata structures in terms of partitioned capabilities. Finally, we show a fully functional implementation of the model in C, created by extending the capability system of the Barrelfish research OS. Our evaluation shows that our unoptimized implementation has comparable (and in some cases better) performance than the Linux virtual memory system, despite capturing all the functionality of modern hardware addressing and enabling least-privilege, decentralized authority to access physical memory and devices.


Secure Memory Management on Modern Hardware

Almost all modern hardware, from phone SoCs to high-end servers with acc...

Formalizing Memory Accesses and Interrupts

The hardware/software boundary in modern heterogeneous multicore compute...

SPARTA: A Divide and Conquer Approach to Address Translation for Accelerators

Virtual memory (VM) is critical to the usability and programmability of ...

The Virtual Block Interface: A Flexible Alternative to the Conventional Virtual Memory Framework

Computers continue to diversify with respect to system designs, emerging...

Zeno: A Scalable Capability-Based Secure Architecture

Despite the numerous efforts of security researchers, memory vulnerabili...

The Cost of Software-Based Memory Management Without Virtual Memory

Virtual memory has been a standard hardware feature for more than three ...

Modal Abstractions for Virtualizing Memory Addresses

Operating system kernels employ virtual memory management (VMM) subsyste...