Facebook has awarded a $100,000 prize to a team of academics from Germany for developing a new code isolation technique that can be used to safeguard sensitive data while it’s being processed inside a computer.
The award is named the Internet Defense Prize, and is a $100,000 cash reward that Facebook has been giving out yearly since 2014 to the most innovative research presented at USENIX, a leading security conference that takes place every year in mid-August in the US.
This year’s winners are six academics from Germany-based Saarland University and the Max Planck Institute for Software Systems.
The six-man research team developed ERIM, a new technique that combines both hardware and software security features to provide a new way of isolating sensitive data processed inside a computer.
The novelty of this technique is that ERIM does this with little performance overhead, making it ideal for deployment in real-world environments.
The ancient problem of isolating sensitive data — efficiently
Isolating sensitive data during execution has always been a problem. Home computers or servers need to keep an application’s most sensitive data secure while the app is running.
For example, servers need to isolate cryptographic keys in a network-facing service, so an attacker connecting to the server won’t be able to grab encryption or session keys by using vulnerabilities in the server software.
Similarly, attackers can exploit vulnerabilities in an app’s linked components/libraries to extract sensitive user data processed by a different component — for example, a browser’s PDF library can grant attackers access to passwords or cookies.
For these reasons, finding a way to isolate data has always been an ongoing issue. Over the years, several methods have been proposed for dealing with this problem.
At the software level, there’s software fault isolation (SFI), while at the hardware level there’s nested paging, VMFUNC, or MPK. However, both types of protections are known to require modifications to an app’s code and compiler system, or are known to incur performance overheads when executing code from untrusted sources. This overhead has been measured to vary between 10% and 42%, which is quite the performance impact that many companies running production systems aren’t willing to take.
What is ERIM
ERIM was created to address this performance overhead on some CPU architectures, namely on Intel x86 CPUs.
The new technique works by leveraging Intel memory protection keys (MPKs), a new hardware-based security feature added to Intel CPUs since the mid-2010s, which allows data being processed inside an Intel CPU to be split across multiple CPU memory virtual pages.
Each memory page is signed by a 4-bit domain ID, allowing an app’s process space to be split into smaller domains where data can be safely processed (to achieve in-process data isolation).
The problem is that when apps leverage the new Intel MPK security feature, switching between these domains slows down the speed at which an app can read desired data — and, hence, it’s performance.
Furthermore, just using MPK doesn’t guarantee in-process data isolation, as a malicious component can grant itself the ability to modify the PKRU, a register that controls which app components can write to which CPU virtual memory page — effectively neutralizing MPK as a security feature.
What ERIM brings to the table is a near-zero performance overhead while also using a binary inspection technique to watch out for PKRU modifications.
ERIM can determine if these PKRU modifications are “safe” and even rewrite binary code to eliminate “unintentional occurrences of PKRU-updating instructions,” effectively keeping an app’s MPK implementation secure from malicious code attempting to bypass the feature.
According to the research team, ERIM tests have revealed performance overheads of under 1% for apps that need to make over 100,000 switches between CPU memory pages — something that happens a lot in web servers.
Tests with ERIM applied to NGINX showed that an ERIM-protected web server had a web requests throughoutput of within 5% of a normal server.
This would make it cost-effective to deploy the technique to protect sensitive data such as encryption or session keys on this type of web server.
Furthermore, ERIM also outperformed all other code isolation techniques, such as SFI MPX, VMFUNC, or LwC.
In addition, the research team claimed that ERIM can be applied with little effort to new and existing applications, doesn’t require compiler changes, and can run on a stock Linux kernel — eliminating all the other issues that made in-process code isolation a problem for the developer community.
“The authors’ approach stands out because it achieves much better runtime efficiency due to lower overhead, which makes it practical for real-world use in production environments,” said Pieter Hooimeijer, Engineering Manager at Facebook.
“If this type of defense finds widespread use, it will help eliminate an entire class of security exploits.”
Additional details are available in this PDF of the ERIM white paper that was presented at USENIX last week. The paper’s title is “ERIM: Secure, Efficient In-process Isolation with Protection Keys (MPK).”