
CAPACITY: Cryptographically-Enforced In-Process Capabilities for Modern ARM Architectures

Kha Dinh Duy, Kyuwon Cho, Taehyun Noh, Hojoon Lee

Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security (CCS 2023), 2023

Abstract
In-process compartmentalization and access control have been actively explored to provide in-place and efficient isolation of in-process security domains. Many works have proposed compartmentalization schemes that leverage hardware features. Newer ARM architectures introduce Pointer Authentication (PA) and Memory Tagging Extension (MTE), adapting the reference validation model for memory safety and runtime exploit mitigation. Despite their potential, these features are underexplored in the context of userspace program compartmentalization. This paper presents Capacity, a novel hardware-assisted intra-process access control design that embraces capability-based security principles. Capacity coherently incorporates the new hardware security features on ARM, based on the insight that the features already exhibit inherent capability characteristics. It supports life-cycle protection of a domain's sensitive objects, from their import from the file system to their placement in memory. With intra-process domains authenticated by unique PA keys, Capacity transforms file descriptors and memory pointers into cryptographically-authenticated references and completely mediates reference usage with its program instrumentation framework and an efficient system call monitor. We evaluate our Capacity-enabled NGINX web server prototype and other common applications in which sensitive resources are isolated into different domains. Our evaluation shows that Capacity incurs a low performance overhead of approximately 17% for the single-threaded and 13.54% for the multi-threaded web server.
Keywords
compartmentalization, capabilities, pointer authentication