Donky: Domain Keys - Efficient In-Process Isolation for RISC-V and x86
2020
USENIX Security Symposium
Efficient and secure in-process isolation is in great demand, as evidenced in the shift towards JavaScript and the recent revival of memory protection keys. ...
We propose Donky, an efficient hardware-software codesign for strong in-process isolation based on dynamic memory protection domains. ...
Additional funding was provided by generous gifts from Intel and from Cloudflare. ...
dblp:conf/uss/SchrammelWSS0MG20
fatcat:f3rywxsejbdgbpomcyhhzre42q
EnclaveDom: Privilege Separation for Large-TCB Applications in Trusted Execution Environments
[article]
2020
arXiv
pre-print
To evaluate the security and performance impact of EnclaveDom, we integrated EnclaveDom with the Graphene-SGX library OS. ...
EnclaveDom is implemented on Intel SGX using Memory Protection Keys (MPK) for memory tagging. ...
Acknowledgments: We thank Mingwei Zhang, Michael Steiner, Bruno Vavala, Prakash Narayana Moorthy, Dmitrii Kuvaiskii, Mona Vij, Michael LeMay, Thomas Knauth, and Vinnie Scarlata for their feedback and insightful ...
arXiv:1907.13245v2
fatcat:ueoh2f5vizhdznbkgiesicaguu
ERIM: Secure, Efficient In-process Isolation with Memory Protection Keys (MPK)
[article]
2019
arXiv
pre-print
The key idea is to combine protection keys (MPKs), a feature recently added to x86 that allows protection domain switches in userspace, with binary inspection to prevent circumvention. ...
Isolating sensitive state and data can increase the security and robustness of many applications. ...
In concurrent work [21], Hedayati et al. describe how to isolate userspace libraries using VMFunc or Intel MPK. ...
arXiv:1801.06822v5
fatcat:jndx6cko2zgf7je2nfscnb2mpm
The Endokernel: Fast, Secure, and Programmable Subprocess Virtualization
[article]
2021
arXiv
pre-print
We present the Endokernel, a new process model and security architecture that nests an extensible monitor into the standard process for building efficient least-authority abstractions. ...
Our prototype includes a new syscall monitor, the nexpoline, and explores the tradeoffs of implementing it with diverse mechanisms, including Intel Control Enhancement Technology. ...
Intel® Memory Protection Keys (MPK): MPK [29] extends page tables with a 4-bit tag for labeling each mapping. ...
arXiv:2108.03705v2
fatcat:tovxud33k5crnlpqmnsrd4mfmu
FlexOS: Towards Flexible OS Isolation
[article]
2022
arXiv
pre-print
At design time, modern operating systems are locked in a specific safety and isolation strategy that mixes one or more hardware/software protection mechanisms (e.g. user/kernel separation); revisiting ...
This modular LibOS is composed of fine-grained components that can be isolated via a range of hardware protection mechanisms with various data sharing strategies and additional software hardening. ...
Acknowledgements: We would like to thank the anonymous reviewers, and our shepherd, Gerd Zellweger, for their comments and insights. ...
arXiv:2112.06566v3
fatcat:utcv5fawy5b47jhztwwtu33ura
Towards Efficiently Establishing Mutual Distrust Between Host Application and Enclave for SGX
[article]
2020
arXiv
pre-print
Since its debut, SGX has been used in many applications, e.g., secure data processing. ...
It leverages Intel MPK for efficient memory isolation and the x86 single-step debugging mechanism to capture the event when an enclave is exiting. ...
Usage of Intel MPK and SGX: Intel MPK provides a hardware primitive to implement efficient intra-process isolation [31, 16, 30]. ...
arXiv:2010.12400v1
fatcat:mcsmo5sptbeergw63kfyel7iiy
Unlimited Lives: Secure In-Process Rollback with Isolated Domains
[article]
2022
arXiv
pre-print
We propose secure rollback of isolated domains as an efficient and secure method of improving the resilience of software targeted by run-time attacks. ...
We show the practicability of our methodology by realizing a software library for Secure Domain Rollback (SDRoB) and demonstrate how SDRoB can be applied to real-world software. ...
We further thank Stijn Volckaert and his team at KU Leuven-Ghent for providing the infrastructure to run our experiments, and for his feedback on our work. ...
arXiv:2205.03205v1
fatcat:oxfh7viwrrb4ffdodxrl2ru4pm
Shining Light On Shadow Stacks
[article]
2019
arXiv
pre-print
Shadow Stacks are a fully precise mechanism for protecting backwards edges, and should be deployed with CFI mitigations. ...
We present case studies of our implementation of such a design, Shadesmar, on Phoronix and Apache to demonstrate the feasibility of dedicating a general purpose register to a security monitor on modern ...
This research was supported by ONR awards N00014-17-1-2513, by CNS-1801601, and a gift from Intel corporation. ...
arXiv:1811.03165v2
fatcat:dff2u4n62jdafmuyzwftddhssy
SoK: Hardware Security Support for Trustworthy Execution
[article]
2019
arXiv
pre-print
In recent years, there have emerged many new hardware mechanisms for improving the security of our computer systems. ...
Hardware offers many advantages over pure software approaches: immutability of mechanisms to software attacks, better execution and power efficiency and a smaller interface allowing it to better maintain ...
The compiler and run-time library instrument the monitored code with new instructions to manage bounds. ...
arXiv:1910.04957v1
fatcat:5luczjg34ve67nm73xso5xhzx4
Dynamic attribute-based privacy-preserving genomic susceptibility testing
2019
Proceedings of the 34th ACM/SIGAPP Symposium on Applied Computing - SAC '19
Also, we guarantee to protect the privacy of individuals in our proposed scheme. CCS CONCEPTS • Security and privacy → Privacy-preserving protocols; ...
We determine the challenges for the computations required to process the outsourced data and access control simultaneously within patient-doctor interactions. ...
We implement and examine our program using C++. The test environment is a Mac OSX operating system with Intel Core i5 processor, and the key size has 1024-bit length. ...
doi:10.1145/3297280.3297428
dblp:conf/sac/NamaziEAP19
fatcat:tbdqdgoszbeyldmouf7p4dvap4
CAP-VMs: Capability-Based Isolation and Sharing for Microservices
[article]
2022
arXiv
pre-print
MMU approaches, however, lead to cloud stacks with large TCBs in kernel space, and the page granularity requires inefficient OS interfaces for data sharing. ...
A cVM may include a library OS, minimizing its dependency on the cloud environment. cVMs efficiently exchange data through two capability-based primitives assisted by a small trusted monitor: (i) an asynchronous ...
Acknowledgements: This work was partially funded by the UK Government's Industrial Strategy Challenge Fund (ISCF) under the Digital Security by Design (DSbD) Programme. ...
arXiv:2202.05732v1
fatcat:cwxrqi7ma5bb5eokwpcpscz4vy
IRON
2017
Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security - CCS '17
We argue security by modeling FE in the context of hardware elements, and prove that Iron satisfies the security model. ...
Functional encryption (FE) is an extremely powerful cryptographic mechanism that lets an authorized entity compute on encrypted data, and learn the results in the clear. ...
After this point, an adversary who is in possession of the hardware can monitor and tamper with all the input coming in to the hardware and the corresponding outputs. Naveed et al. ...
doi:10.1145/3133956.3134106
dblp:conf/ccs/FischVBG17
fatcat:mr25zv2g7baalmzal72mrkhslq
MicroStache: A Lightweight Execution Context for In-Process Safe Region Isolation
[chapter]
2018
Lecture Notes in Computer Science
In this work we present MicroStache, a specialized hardware mechanism and new process abstraction for accelerating safe region security solutions. ...
in the processor cache, allowing it to protect against cache side channel attacks. ...
In this way, each privileged operation must perform a domain switch, leaving regular instructions unchanged. Intel SGX, VMFUNC, and MPK, as well as ARM TrustZone provide domain switch isolation. ...
doi:10.1007/978-3-030-00470-5_17
fatcat:l6mtbpq4b5g3xkuufhwu76u7bq
Enclave-Aware Compartmentalization and Secure Sharing with Sirius
[article]
2020
arXiv
pre-print
e.g. threads, processes, address spaces, files, sockets, pipes) in both the secure and normal worlds. ...
Sirius replaces ad-hoc interactions in current TEE systems with a principled approach that adds strong inter- and intra-address space isolation and effectively eliminates a wide range of attacks. ...
EnclaveDom [54] utilizes Intel MPK to provide in-enclave memory isolation, and MPTEE [98] uses Intel MPX for providing protected shared memory. ...
arXiv:2009.01869v3
fatcat:bgqsmluzdjdkxliiun6ttijqty
Towards Time-Sensitive and Verifiable Data Aggregation for Mobile Crowdsensing
2021
Security and Communication Networks
Mobile crowdsensing combined with edge computing can improve service response speed, security, and reliability. ...
Moreover, IoT devices can verify outsourced computing, and edge nodes can verify and filter aggregated data. Finally, the security of the proposed scheme is theoretically proved. ...
In our proposed scheme, all data will be added with the timestamp, and the timestamp is protected by a hash function with a secret key. ...
doi:10.1155/2021/6679157
fatcat:naxjxuwbvjbcfmhbndve4ntzbm
Showing results 1 — 15 out of 57 results