NDSS 2025 – TME-Box: Scalable In-Process Isolation Through Intel TME-MK Memory Encryption
嗯,用户让我总结一篇文章的内容,控制在100字以内,而且不需要特定的开头。首先,我需要仔细阅读文章内容,抓住关键点。 文章标题是“TME-Box: Scalable In-Process Isolation through Intel TME-MK Memory Encryption”,看起来是关于内存加密和隔离技术的。作者来自Graz大学和Cloudflare。摘要部分提到,现有的进程内隔离机制无法满足现代云的需求,比如MPK只有16个保护域,不够隔离成千上万的云工作者。 所以他们提出了TME-Box,利用Intel的TME-MK技术来实现轻量级、高效的进程内隔离。通过编译器工具插入加密密钥,确保沙箱只能访问自己的加密内存区域。这种方法支持从缓存行到整个页面的细粒度访问控制,并且可以支持多达32K个并发沙箱。 性能方面,他们用SPEC CPU2017测试,数据隔离的几何平均开销是5.2%,代码和数据一起是9.7%。这说明性能影响不大,适合实际应用。 总结一下,文章介绍了一种新的隔离技术TME-Box,利用Intel的技术实现高效的进程内沙箱隔离,并且性能良好。这样总结应该符合用户的要求。 </think> 文章介绍了TME-Box技术,通过利用Intel TME-MK内存加密实现轻量级、高效的进程内隔离。该技术支持细粒度访问控制和大规模并发沙箱,并在SPEC CPU2017基准测试中展示了较低的性能开销。 2025-12-18 16:0:0 Author: securityboulevard.com(查看原文) 阅读量:1 收藏

Session 6B: Confidential Computing 1

Authors, Creators & Presenters: Martin Unterguggenberger (Graz University of Technology), Lukas Lamster (Graz University of Technology), David Schrammel (Graz University of Technology), Martin Schwarzl (Cloudflare, Inc.), Stefan Mangard (Graz University of Technology)
PAPER
TME-Box: Scalable In-Process Isolation through Intel TME-MK Memory Encryption
Efficient cloud computing relies on in-process isolation to optimize performance by running workloads within a single process. Without heavy-weight process isolation, memory safety errors pose a significant security threat by allowing an adversary to extract or corrupt the private data of other co-located tenants. Existing in-process isolation mechanisms are not suitable for modern cloud requirements, e.g., MPK’s 16 protection domains are insufficient to isolate thousands of cloud workers per process. Consequently, cloud service providers have a strong need for lightweight in-process isolation on commodity x86 machines. This paper presents TME-Box, a novel isolation technique that enables fine-grained and scalable sandboxing on commodity x86 CPUs. By repurposing Intel TME-MK, which is intended for the encryption of virtual machines, TME-Box offers lightweight and efficient in-process isolation. TME-Box enforces that sandboxes use their designated encryption keys for memory interactions through compiler instrumentation. This cryptographic isolation enables fine-grained access control, from single cache lines to full pages, and supports flexible data relocation. In addition, the design of TME-Box allows the efficient isolation of up to 32K concurrent sandboxes. We present a performance-optimized TME-Box prototype, utilizing x86 segment-based addressing, that showcases geomean (geometric mean) performance overheads of 5.2 % for data isolation and 9.7 % for code and data isolation, evaluated with the SPEC CPU2017 benchmark suite.
ABOUT NDSS
The Network and Distributed System Security Symposium (NDSS) fosters information exchange among researchers and practitioners of network and distributed system security. The target audience includes those interested in practical aspects of network and distributed system security, with a focus on actual system design and implementation. A major goal is to encourage and enable the Internet community to apply, deploy, and advance the state of available security technologies.

Our thanks to the Network and Distributed System Security (NDSS) Symposium for publishing their Creators, Authors and Presenter’s superb NDSS Symposium 2025 Conference content on the Organizations’ YouTube Channel.

Permalink

*** This is a Security Bloggers Network syndicated blog from Infosecurity.US authored by Marc Handelman. Read the original post at: https://www.youtube-nocookie.com/embed/cTmZ1eCs08E?si=SXqLZwqWJ9pTOAro


文章来源: https://securityboulevard.com/2025/12/ndss-2025-tme-box-scalable-in-process-isolation-through-intel-tme-mk-memory-encryption/
如有侵权请联系:admin#unsafe.sh