Abstract.
Inter-process isolation has been deployed in operating systems for decades, but secure intra-process isolation remains an active research topic. Achieving secure intra-process isolation within an operating system process is notoriously difficult, but viable solutions that securely consolidate workloads into the same process have the potential to be extremely valuable. In this work, we present native principal isolation, a technique to enforce intra-process security policies defined over a program's application binary interface (ABI) that restrict threads' access to process memory. A separate memory protection mechanism then enforces these policies. We present ThreadLock, a system that enforces these policies using memory protection keys (MPKs) present on recent Intel CPUs. We demonstrate that ThreadLock efficiently restricts access to both thread-local data and sensitive information present in real workloads. We show how ThreadLock protects data within three real-world applications, the Apache web server, the Redis in-memory data store, and the MySQL relational database management system (RDBMS), with little performance overhead (+1.06% in the worst case). Furthermore, we show that ThreadLock stops real-world attacks against these popular programs. Our results show that native principal isolation is expressive enough to define effective intra-process security policies for real programs and that these policies can be enforced without any change to a program's source or binary. Furthermore, ThreadLock efficiently enforces these policies with MPKs, a readily available and easy-to-use instruction set extension.
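The per-thread enforcement the abstract relies on (a thread's PKRU register decides which protection keys it may access) can be seen in a small C program on Linux using glibc's `pkey_*` wrappers. This is an added example, not ThreadLock's code: the `region` struct, `worker` and `threadlock_demo` names and the "secret" page are constructed for the demo, and the function returns -1 on machines without MPK.

```c
#define _GNU_SOURCE
#include <pthread.h>
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Constructed demo: one page holds a "secret"; a worker thread disables the
 * page's protection key in its own PKRU, so its read must fault. */
struct region { char *base; int pkey; };

static __thread sigjmp_buf fault_env;   /* jump target for the probing thread */
static void on_segv(int sig) { (void)sig; siglongjmp(fault_env, 1); }

/* Worker: drop its own rights for the key, then probe the page. PKRU is per
 * thread, so the main thread's access to the same page is unaffected. */
static void *worker(void *arg) {
    struct region *r = arg;
    if (pkey_set(r->pkey, PKEY_DISABLE_ACCESS) != 0) return (void *)(intptr_t)-1;
    if (sigsetjmp(fault_env, 1) == 0) {
        volatile char c = r->base[0]; (void)c;   /* access denied -> SIGSEGV */
        return (void *)(intptr_t)0;              /* read succeeded: not enforced */
    }
    return (void *)(intptr_t)1;                  /* fault caught: access denied */
}

/* Returns 1 if the restricted thread was denied while the owner still reads,
 * 0 if isolation did not hold, -1 if MPK is unavailable on this machine. */
int threadlock_demo(void) {
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    int pkey = pkey_alloc(0, 0);                 /* fails without MPK support */
    if (pkey < 0) return -1;
    char *buf = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (buf == MAP_FAILED) { pkey_free(pkey); return -1; }
    strcpy(buf, "secret");
    if (pkey_mprotect(buf, len, PROT_READ | PROT_WRITE, pkey) != 0) {
        munmap(buf, len); pkey_free(pkey); return -1;
    }
    struct sigaction sa = { .sa_handler = on_segv };
    sigaction(SIGSEGV, &sa, NULL);
    struct region r = { buf, pkey };
    pthread_t t; void *ret;
    pthread_create(&t, NULL, worker, &r);
    pthread_join(t, &ret);
    signal(SIGSEGV, SIG_DFL);
    int owner_ok = (buf[0] == 's');              /* main thread's PKRU still allows it */
    munmap(buf, len); pkey_free(pkey);
    if ((intptr_t)ret < 0) return -1;
    return (owner_ok && (intptr_t)ret == 1) ? 1 : 0;
}
```

Because the key is cleared only in the worker's PKRU, the owning thread keeps reading the page normally; this is the property that lets a policy be attached to a thread rather than to a page.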