SCALPEL: Exploring the Limits of Tag-enforced Compartmentalization
Published: 2022-01-31
Volume: 18, Issue: 1, Pages: 1-28
ISSN: 1550-4832
Container title: ACM Journal on Emerging Technologies in Computing Systems (J. Emerg. Technol. Comput. Syst.)
Language: en
Authors: Nick Roessler (1), André DeHon (1)
Affiliation:
1. University of Pennsylvania, Philadelphia, PA, USA
Abstract
We present Secure Compartments Automatically Learned and Protected by Execution using Lightweight metadata (SCALPEL), a tool for automatically deriving compartmentalization policies and lowering them to a tagged architecture for hardware-accelerated enforcement. SCALPEL allows a designer to explore high-quality points in the privilege-reduction vs. performance overhead tradeoff space using analysis tools and a detailed knowledge of the target architecture to make best use of the available hardware. SCALPEL automatically implements hundreds of compartmentalization strategies across the privilege-performance tradeoff space, all without manual tagging or code restructuring. SCALPEL uses two novel optimizations for achieving highly performant policies: the first is an algorithm for packing policies into working sets of rules for favorable rule cache characteristics, and the second is a rule prefetching system that allows it to exploit the highly predictable nature of compartmentalization rules. To create policies, SCALPEL introduces a quantitative privilege metric (the Overprivilege Ratio) that is used to drive its algorithmic compartment generation. We implement SCALPEL on a FreeRTOS stack and target a tag-extended RISC-V core. Our results show that SCALPEL-created policies can reduce overprivilege by orders of magnitude with hundreds of logical compartments while imposing low overheads (<5%).
Funder
DARPA under the System Security Integrated Through Hardware and Firmware (SSITH) program
Publisher
Association for Computing Machinery (ACM)
Subject
Electrical and Electronic Engineering, Hardware and Architecture, Software