|Facebook Awards $100K Prize For Code Isolation Using MPKs|
|Written by Kay Ewbank|
|Thursday, 29 August 2019|
A six-person team of data scientists has been awarded this year's $100K Internet Defense Prize by Facebook. The team developed a new hardware-enforced isolation technique for sensitive state and data using memory protection keys.
Facebook's Internet Defense Prize is awarded annually for research presented at the USENIX security conference that meaningfully makes the Internet more secure. Created in 2014, the award is funded by Facebook and offered in partnership with USENIX.
To qualify for the prize, researchers need to provide a working prototype that demonstrates significant contributions to the security of the internet, particularly in the areas of prevention and defense. The direction of the research is more important than the progress to date, and the idea is the winners will use the award to take their prototype to the next level for something practical, accessible and high impact.
Previous award winners have included projects on third-party cookie policies, and the detection of Credential Spearphishing in enterprise settings.
This year's winners from the Max Planck Institute for Software Systems, Anjo Vahldiek-Oberwagner, Eslam Elnikety, Nuno O. Duarte, Michael Sammler, Peter Druschel, and Deepak Garg are researching secure, efficient In-process Isolation with Memory Protection Keys (MPKs). MPKs have recently been added to x86 CPUs to enable protection domain switches in userspace, with binary inspection to prevent circumvention.
The research is intended to provide an alternative way of isolating sensitive state and data. While this can already be carried out using page-based hardware isolation, it is only feasible when runtime references across isolation boundaries occur relatively infrequently. Applications such as the isolation of cryptographic session keys in network-facing services require very frequent domain switching. In such applications, the overhead of kernel- or hypervisor-mediated domain switching is prohibitive.
The researchers showed that their technique, called ERIM referring to Secure, Efficient In-process Isolation with Protection Keys (MKP), can be applied with little effort to new and existing applications, doesn't require compiler changes, can run on a stock Linux kernel, and has low runtime overhead even at high domain switching rates. The full paper is available as a PDF.
or email your comment to: firstname.lastname@example.org
|Last Updated ( Thursday, 29 August 2019 )|