Parallel Memory Permissions and Their Applications
A process can voluntarily set memory protections to different portions of its address space. As threads in a process share the same address space, they are equally bound to its protections. We explore the concept of parallel memory permissions, a powerful technique that allows multiple threads to execute in parallel while having different permissions to the same address space, and we show it may be implemented on commodity hardware without requiring special hardware primitives. Parallel memory permissions makes it practical and easy to apply various tools and protection schemes in multi-threaded applications; practical because it does not hinder threads from executing in parallel and easy because by virtue of not segmenting a process's address space, applications require little modifications (if any) to benefit from it.
We demonstrate this first with SandTrap, a Dynamic Information-Flow Tracking (DIFT) tool for machine code on Android. SandTrap complements TaintDroid and addresses its key limitation: the inability to track information flows when an app calls third-party native functions. The key to SandTrap is on-demand DIFT, where DIFT is performed only when threads access data that needs to be tracked. Otherwise, they run unmodified without any DIFT overhead. As Android apps are inherently multi-threaded, on-demand DIFT in SandTrap requires parallel memory permissions. It allows SandTrap to set different sets of memory protections on a thread, depending on whether it is running third-party native code, and it does so without hindering the parallelism of the app. The current prototype of SandTrap runs on a real smartphone device with unmodified apps downloaded from the Google Play Store, such as Instagram.
Next, we present DoubleVision, a system that addresses the problem of stray memory accesses, in which a thread might accidentally read or write to memory-mapped application resources. These stray accesses often occur because of bugs in the application code and they can violate the integrity or confidentiality of resources in memory. We show how DoubleVision uses parallel memory permissions to restrict a thread from inadvertently accessing such resources, without requiring significant refactoring of the application.