Awesome intra-domain isolation related projects
Control-Flow Attestation
ReCFA: Resilient Control-Flow Attestation, code
Stand Alone Provenance Tracking Runtime and Compiler Passes, code
Basic Data/Metadata Protection
Usage of Intel Memory Protection Keys (MPK) to protect Nginx Private Keys, code
CoMpk: Isolating Data in Private, and Secure Compartments, code
No Need to Hide: Protecting Safe Regions on Commodity Hardware, code
eXecute-Only Memory (XOM)
eXecutable-Only-Memory-Switch (XOM-Switch): Hiding your code from advanced code reuse attacks in one shot, code
System Call Interposer
Zpoline: a system call hook mechanism based on binary rewriting, code
System Call Interposition Without Compromise, code
ERIM: Secure, Efficient In-Process Memory Isolation using Intel MPK, code
Hodor: Intra-Process Isolation for High-Throughput Data Plane Libraries, code
libmpk: Software Abstraction for Intel Memory Protection Keys (Intel MPK), code
libppkey: In-Process Memory Isolation for Modern Linux Systems, code
Guaranteeing Mutual Exclusion in Transactional Systems, code
ConfLLVM: A compiler for enforcing data confidentiality in low-level code, code
PKU pitfalls: Attacks on PKU-based memory isolation systems, code
Donky: Efficient In-Process Isolation for RISC-V and x86, code
Jenny: Securing syscalls for PKU-based memory isolation systems, code
You Shall Not (by)Pass! Practical, Secure, and Fast PKU-based Sandboxing, code
Multi-Variant Execution
Secure and Efficient In-process Monitor (and Library) Protection with Intel MPK, code
sMVX: Multi-Variant Execution on Selected Code Paths, code
Secure and Efficient Application Monitoring and Replication without Kernel Patches, code
Sharing is caring: secure and efficient shared memory support for MVEEs, code, zenodo
MPKAlloc: Efficient Heap Meta-Data Integrity Through Hardware Memory Protection Keys, code
VIP: Safeguard Value Invariant Property for Thwarting Critical Memory Corruption Attacks, code
Simplex: Repurposing Intel Memory Protection Extensions for Secure Storage, code
InversOS: Efficient Control-Flow Protection for AArch64 Applications with Privilege Inversion, code
Framework
Enclosures: language-based restriction of untrusted libraries, code
uSwitch: Fast Kernel Context Isolation with Implicit Context Switches, code
CAPACITY: Cryptographically-Authenticated Intra-process Isolation on ARM, code
Language Runtime Integration
WebAssembly Runtime
Put your memory in order: Efficient domain-based memory isolation for WASM applications, code
Going beyond the Limits of SFI: Flexible and Secure Hardware-Assisted In-Process Isolation with HFI, code
Swivel: Hardening WebAssembly against Spectre, code
Cage: Hardware-Accelerated Safe WebAssembly, code
Auditing Frameworks Need Resource Isolation: A Systematic Study on the Super Producer Threat to System Auditing and Its Mitigation, code
Userspace OS Subsystem
Endokernel: A Thread Safe Monitor for Lightweight Subprocess Isolation, code
Pegasus: Transparent and Unified Kernel-Bypass Networking for Fast Local and Remote Communication, code
Toast: A Heterogeneous Memory Management System, code
Fault Tolerance
Rewind & Discard: Improving Software Resilience using Isolated Domains, code
Serverless
Faastlane: Accelerating Function-as-a-Service Workflows, code
Rethinking Deployment for Serverless Functions: A Performance-first Perspective, code
Mixed-Language Security
TRust: A Compilation Framework for In-process Isolation to Protect Safe Rust against Untrusted Code, code
METASAFE: Compiling for Protecting Smart Pointer Metadata to Ensure Safe Rust Integrity, code
Secure Rewind & Discard of Isolated Domains for Foreign Function Interface in Rust, code
PKRU-Safe: Automatically Locking Down the Heap Between Safe and Unsafe Languages, code
Keeping Safe Rust Safe with Galeed, code
Dedicated Storage & File Systems
Persistent Memory
TENET: Memory Safe and Fault Tolerant Persistent Transactional Memory, code
File Systems
ctFS: Replacing file indexing with hardware memory translation through contiguous file allocation for persistent memory, code
MPFS: A Scalable User-Space Persistent Memory File System for Multiple Processes, code
Overcoming the Last Mile between Log-Structured File Systems and Persistent Memory via Scatter Logging, code
Userspace Storage
Rearchitecting in-memory object stores for low latency, code
Aeolia: Fast and Secure Userspace Interrupt-Based Storage Stack, code
Basic Data/Metadata Protection
Fast Intra-Kernel Isolation and Security with IskiOS, code
Kernel compartmentalization
Preventing Kernel Hacks with HAKCs, code
BULKHEAD: Secure, Scalable, and Efficient Kernel Compartmentalization with PKS, code
Erebor: A Drop-In Sandbox Solution for Private Data Processing in Untrusted Confidential Virtual Machines, code, zenodo
GENESIS: A Generalizable, Efficient, and Secure Intra-kernel Privilege Separation, code
Kernel Extension & eBPF Security
MOAT: Towards Safe BPF Kernel Extension, code
Intra-Enclave/CVM isolation
SGXJail: Defeating Enclave Malware via Confinement, code
SGXLock: Towards Efficiently Establishing Mutual Distrust Between Host Application and Enclave for SGX, code
More Granular, Less Trust: Enforcing Intra-Process Isolation With Arm CCA in an Untrusted Management Environment, code
Intra-Unikernel isolation
Intra-Unikernel Isolation with Intel Memory Protection Keys, code
AlloyStack: A Library Operating System for Serverless Workflow Applications, code
Unishyper: A Rust-based Unikernel Enhancing Reliability and Efficiency of Embedded Systems, code
Intra-Unikraft Isolation
CubicleOS: A Library OS with Software Componentisation for Practical Isolation, code
FlexOS: Towards Flexible OS Isolation, code
uIO: Lightweight and Extensible Unikernels, code
SURE: Secure Unikernels Make Serverless Computing Rapid and Efficient, code
Reboot-Based Recovery of Unikernels at the Component Level, code
MorphOS: An Extensible Networked Operating System, code