Conversation

Amazon EC2 exposes Memory Protection Keys and uses Skylake-SP Xeons for t3.nano and above so I'll be testing the initial implementation of metadata hardening via MPK on EC2. It wasn't exposed in Google Cloud Engine VMs despite compatible processors.

Quote Tweet

Daniel Micay

@DanielMicay

Oct 20, 2018

I'm working on integrating Memory Protection Keys (lwn.net/Articles/64379) into my hardened allocator for protecting the metadata. Unfortunately, I can't verify it works and has low enough overhead until I get access to a Skylake-SP CPU so it will be stuck in a separate branch.

Show this thread

Daniel Micay

@DanielMicay

Initial messy implementation of the feature appears to work well: github.com/AndroidHardeni A protection key is assigned to the read/write portions of the allocator metadata region. Access is enabled for the thread when entering the allocator code and disabled before returning.

2:46 AM · Oct 23, 2018Twitter Web Client

Replying to

All of the writable allocator state is easily covered by this. The only other state is in the global ro data structure which is made permanently read-only after initialization. I'll need to figure out how well it performs (seems quite cheap). It's definitely easy to use MPK.