mbs0221/intra-domain-isolation

Awesome intra-domain isolation related projects

Intra-process isolation

  • Control-Flow Attestation
    • ReCFA: Resilient Control-Flow Attestation, code
  • Stand Alone Provenance Tracking Runtime and Compiler Passes, code
  • Basic Data/Metadata Protection
    • Usage of Intel Memory Protection Keys (MPK) to protect Nginx Private Keys, code
    • CoMpk: Isolating Data in Private, and Secure Compartments, code
    • No Need to Hide: Protecting Safe Regions on Commodity Hardware, code
  • eXecute-Only Memory (XOM)
    • eXecutable-Only-Memory-Switch (XOM-Switch): Hiding your code from advanced code reuse attacks in one shot, code
    • System Call Interposer
      • Zpoline: a system call hook mechanism based on binary rewriting, code
      • System Call Interposition Without Compromise, code
  • ERIM: Secure, Efficient In-Process Memory Isolation using Intel MPK, code
  • Hodor: Intra-Process Isolation for High-Throughput Data Plane Libraries, code
  • libmpk: Software Abstraction for Intel Memory Protection Keys (Intel MPK), code
  • ConfLLVM: A compiler for enforcing data confidentiality in low-level code, code
  • PKU pitfalls: Attacks on PKU-based memory isolation systems, code
  • Donky: Efficient In-Process Isolation for RISC-V and x86, code
  • Jenny: Securing syscalls for PKU-based memory isolation systems, code
  • You Shall Not (by)Pass! Practical, Secure, and Fast PKU-based Sandboxing, code
  • Multi-Variant Execution
    • Secure and Efficient In-process Monitor (and Library) Protection with Intel MPK, code
    • sMVX: Multi-Variant Execution on Selected Code Paths, code
    • Secure and Efficient Application Monitoring and Replication without Kernel Patches, code
    • Sharing is caring: secure and efficient shared memory support for MVEEs, code, zenodo
  • MPKAlloc: Efficient Heap Meta-Data Integrity Through Hardware Memory Protection Keys, code
  • VIP: Safeguard Value Invariant Property for Thwarting Critical Memory Corruption Attacks, code
  • Simplex: Repurposing Intel Memory Protection Extensions for Secure Storage, code
  • InversOS: Efficient Control-Flow Protection for AArch64 Applications with Privilege Inversion, code
  • Framework
    • Enclosures: language-based restriction of untrusted libraries, code
    • uSwitch: Fast Kernel Context Isolation with Implicit Context Switches, code
  • CAPACITY: Cryptographically-Authenticated Intra-process Isolation on ARM, code
  • Language Runtime Integration
    • WebAssembly Runtime
      • Put your memory in order: Efficient domain-based memory isolation for WASM applications, code
      • Going beyond the Limits of SFI: Flexible and Secure Hardware-Assisted In-Process Isolation with HFI, code
      • Swivel: Hardening WebAssembly against Spectre, code
      • Cage: Hardware-Accelerated Safe WebAssembly, code
  • Auditing Frameworks Need Resource Isolation: A Systematic Study on the Super Producer Threat to System Auditing and Its Mitigation, code
  • Userspace OS Subsystem
    • Endokernel: A Thread Safe Monitor for Lightweight Subprocess Isolation, code
    • Pegasus: Transparent and Unified Kernel-Bypass Networking for Fast Local and Remote Communication, code
  • Toast: A Heterogeneous Memory Management System, code
  • Fault Tolerance
    • Rewind & Discard: Improving Software Resilience using Isolated Domains, code
  • Serverless
    • Faastlane: Accelerating Function-as-a-Service Workflows, code
    • Rethinking Deployment for Serverless Functions: A Performance-first Perspective, code
  • Mixed-Language Security
    • TRust: A Compilation Framework for In-process Isolation to Protect Safe Rust against Untrusted Code, code
    • METASAFE: Compiling for Protecting Smart Pointer Metadata to Ensure Safe Rust Integrity, code
    • Secure Rewind & Discard of Isolated Domains for Foreign Function Interface in Rust, code
    • PKRU-Safe: Automatically Locking Down the Heap Between Safe and Unsafe Languages, code
    • Keeping Safe Rust Safe with Galeed, code
  • Dedicated Storage & File Systems
    • Persistent Memory
      • TENET: Memory Safe and Fault Tolerant Persistent Transactional Memory, code
    • File Systems
      • ctFS: Replacing file indexing with hardware memory translation through contiguous file allocation for persistent memory, code
      • MPFS: A Scalable User-Space Persistent Memory File System for Multiple Processes, code
      • Overcoming the Last Mile between Log-Structured File Systems and Persistent Memory via Scatter Logging, code
    • Userspace Storage
      • Rearchitecting in-memory object stores for low latency, code
      • Aeolia: Fast and Secure Userspace Interrupt-Based Storage Stack, code

Intra-Kernel isolation

  • Basic Data/Metadata Protection
    • Fast Intra-Kernel Isolation and Security with IskiOS, code
  • Kernel compartmentalization
    • Preventing Kernel Hacks with HAKCs, code
    • BULKHEAD: Secure, Scalable, and Efficient Kernel Compartmentalization with PKS, code
    • Erebor: A Drop-In Sandbox Solution for Private Data Processing in Untrusted Confidential Virtual Machines, code, zenodo
  • Kernel Extension & eBPF Security
    • MOAT: Towards Safe BPF Kernel Extension, code

Intra-Enclave/CVM isolation

  • SGXJail: Defeating Enclave Malware via Confinement, code
  • SGXLock: Towards Efficiently Establishing Mutual Distrust Between Host Application and Enclave for SGX, code
  • More Granular, Less Trust: Enforcing Intra-Process Isolation With Arm CCA in an Untrusted Management Environment, code

Intra-Unikernel isolation

  • Intra-Unikernel Isolation with Intel Memory Protection Keys, code
  • AlloyStack: A Library Operating System for Serverless Workflow Applications, code
  • Unishyper: A Rust-based Unikernel Enhancing Reliability and Efficiency of Embedded Systems, code
  • Intra-Unikraft Isolation
    • CubicleOS: A Library OS with Software Componentisation for Practical Isolation, code
    • FlexOS: Towards Flexible OS Isolation, code
    • uIO: Lightweight and Extensible Unikernels, code
    • SURE: Secure Unikernels Make Serverless Computing Rapid and Efficient, code
    • Reboot-Based Recovery of Unikernels at the Component Level, code
    • MorphOS: An Extensible Networked Operating System, code
