Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Friend or Foe Inside? Exploring In-Process Isolation to Maintain Memory Safety for Unsafe Rust

Merve Gülmez, Thomas Nyman, Christoph Baumann, Jan Tobias Mühlberg

TL;DR

Unsafe Rust FFI exposes memory-safety risks when interfacing with non-Rust code. The authors implement SDRaD-FFI, an in-process isolation solution that uses Memory Protection Keys (MPK) via the SDRaD C library to shield safe Rust code from unsafe domains, with macro-based automation for argument passing and error handling. They compare against process-based Sandcrust, showing significantly lower context-switch overhead and favorable performance when data exchange is substantial; Abomonation-based serialization can approach baseline performance, though overhead remains driven by memory copies. The study highlights security hardening needs for PKU/PKRU and hardware advances, while providing a practical, drop-in-like approach to isolate unsafe functionality in Rust and offering open-source provenance for further experimentation.

Abstract

Rust is a popular memory-safe systems programming language. In order to interact with hardware or call into non-Rust libraries, Rust provides \emph{unsafe} language features that shift responsibility for ensuring memory safety to the developer. Failing to do so, may lead to memory safety violations in unsafe code which can violate safety of the entire application. In this work we explore in-process isolation with Memory Protection Keys as a mechanism to shield safe program sections from safety violations that may happen in unsafe sections. Our approach is easy to use and comprehensive as it prevents heap and stack-based violations. We further compare process-based and in-process isolation mechanisms and the necessary requirements for data serialization, communication, and context switching. Our results show that in-process isolation can be effective and efficient, permits for a high degree of automation, and also enables a notion of application rewinding where the safe program section may detect and safely handle violations in unsafe code.

Friend or Foe Inside? Exploring In-Process Isolation to Maintain Memory Safety for Unsafe Rust

TL;DR

Unsafe Rust FFI exposes memory-safety risks when interfacing with non-Rust code. The authors implement SDRaD-FFI, an in-process isolation solution that uses Memory Protection Keys (MPK) via the SDRaD C library to shield safe Rust code from unsafe domains, with macro-based automation for argument passing and error handling. They compare against process-based Sandcrust, showing significantly lower context-switch overhead and favorable performance when data exchange is substantial; Abomonation-based serialization can approach baseline performance, though overhead remains driven by memory copies. The study highlights security hardening needs for PKU/PKRU and hardware advances, while providing a practical, drop-in-like approach to isolate unsafe functionality in Rust and offering open-source provenance for further experimentation.

Abstract

Rust is a popular memory-safe systems programming language. In order to interact with hardware or call into non-Rust libraries, Rust provides \emph{unsafe} language features that shift responsibility for ensuring memory safety to the developer. Failing to do so, may lead to memory safety violations in unsafe code which can violate safety of the entire application. In this work we explore in-process isolation with Memory Protection Keys as a mechanism to shield safe program sections from safety violations that may happen in unsafe sections. Our approach is easy to use and comprehensive as it prevents heap and stack-based violations. We further compare process-based and in-process isolation mechanisms and the necessary requirements for data serialization, communication, and context switching. Our results show that in-process isolation can be effective and efficient, permits for a high degree of automation, and also enables a notion of application rewinding where the safe program section may detect and safely handle violations in unsafe code.
Paper Structure (36 sections, 7 figures, 5 tables)

This paper contains 36 sections, 7 figures, 5 tables.

Table of Contents

  1. Introduction
  2. This Paper and Contributions
  3. Background
  4. Rust-FFI
  5. Foreign function interface
  6. Process-based Isolation
  7. Automatic software compartmentalization
  8. Sandcrust
  9. In-Process Isolation
  10. Software fault isolation
  11. Memory protection keys
  12. Protection keys for userspace
  13. PKRU-Safe and XRust
  14. Secure rewind and discard
  15. Problem Statement
  16. ...and 21 more sections

Figures (7)

  • Figure 1: Transformation of sandbox macro. The angled orange boxed are SDRaD functionality, while rounded blue boxes are new glue logic for parameter passing and error handling.
  • Figure 2: Microbenchmark of context switch latency for different sandboxing mechanisms. Numbers for PKRU-Safe have been extrapolated from literature.
  • Figure 3: Execution Time of snappy with different isolation mechanisms for different numbers of bytes.
  • Figure 4: Measuring snappy execution time for SDRaD-FFI
  • Figure : Snappy: Detailed table of Execution Times measurements (\ref{['fig:perf1_abomonation']})
  • ...and 2 more figures