Efficient cloud computing relies on in-process isolation to optimize performance by running workloads within a single process. Without heavy-weight process isolation, memory safety errors pose significant security threat allowing an adversary extract or corrupt the private data of other co-located tenants. Existing mechanisms are not suitable for modern requirements, e.g., MPK's 16 protection domains insufficient isolate thousands workers per Consequently, service providers have strong need lightweight commodity x86 machines. This paper presents TME-Box, novel technique that enables fine-grained and scalable sandboxing CPUs. By repurposing Intel TME-MK, which is intended encryption virtual machines, TME-Box offers efficient isolation. enforces sandboxes use their designated keys interactions through compiler instrumentation. cryptographic access control, from cache lines full pages, supports flexible relocation. In addition, design allows up 32K concurrent sandboxes. We present performance-optimized prototype, utilizing segment-based addressing, showcases geomean overheads 5.2 % 9.7 code evaluated with SPEC CPU2017 benchmark suite.

Load

Load