Secure, Efficient In-Process Memory Isolation

Isolating sensitive data and state can increase the security and robustness of many applications. Some use cases, such as isolating cryptographic session keys in a network-facing application or isolating frequently invoked native libraries in managed runtimes, require very frequent domain switching. In such applications, the overhead of kernel- or hypervisor-mediated domain switching is prohibitive. We suggest LwCs (light-weight contexts) and ERIM to overcome these costs using novel kernel functionality and hardware support (e.g., Intel MPK), respectively.

WebAssembly (Wasm) has become a popular lightweight, in-process sandbox and is, for example, used in production to isolate different clients on edge clouds and function-as-a-service platforms. Unfortunately, Spectre attacks can bypass Wasm’s isolation guarantees. We suggest Swivel, a new compiler framework for hardening Wasm against Spectre attacks. Swivel ensures that potentially malicious code can neither use Spectre attacks to break out of the Wasm sandbox nor coerce victim code (another Wasm client or the embedding process) to leak secret data.


Endoprocess: Programmable and Extensible Subprocess Isolation. New Security Paradigms Workshop (NSPW), 2023.

Going beyond the Limits of SFI: Flexible and Secure Hardware-Assisted In-Process Isolation with HFI. ASPLOS, Distinguished Paper Award, 2023.

uSwitch: Fast Kernel Context Isolation with Implicit Context Switches. IEEE S&P, 2023.

Segue & ColorGuard: Optimizing SFI Performance and Scalability on Modern x86. PLAS, 2022.

The Endokernel: Fast, Secure, and Programmable Subprocess Virtualization. arXiv, 2021.

Swivel: Hardening WebAssembly against Spectre. USENIX Security, 2021.

ERIM: Secure, Efficient In-Process Isolation with Memory Protection Keys. USENIX Security, Distinguished Paper Award and Internet Defense Prize, 2019.


Light-Weight Contexts: An OS Abstraction for Safety and Performance. USENIX OSDI, 2016.
