Application compartmentalization and privilege separation are our primary weapons against ever-increasing security threats and privacy concerns on connected devices. Despite significant progress, it is still challenging to privilege-separate within an application's address space and in multithreaded environments, particularly on resource-constrained and mobile devices. We propose MicroGuards, a lightweight kernel modification and a set of security primitives and APIs aimed at flexible and fine-grained in-process memory protection and privilege separation in multithreaded applications. MicroGuards take advantage of hardware support in modern CPUs and are high-level enough to be adaptable to various architectures. This paper focuses on enabling MicroGuards on embedded and mobile devices running the Linux kernel and utilizes tagged memory support to achieve good performance. Our evaluation shows that MicroGuards add small runtime overhead (less than 3.5%), a minimal memory footprint, and are practical to integrate into existing applications to enable fine-grained privilege separation.
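As an added illustration, not code from the MicroGuards paper or its authors, the following C program shows why the standard in-process protection primitive on Linux, page-based mprotect(), cannot deliver the fine-grained compartments the abstract calls for: the smallest unit it can guard is one page, so a 64-byte secret cannot be locked down without also locking the unrelated data that shares its page. The region layout, the offsets and the function names are assumptions made for this demo.

```c
/* Added illustration (not MicroGuards code): page granularity of mprotect().
 * Layout (an assumption for the demo): page 0 holds a 64-byte "secret" at
 * offset 0 and an unrelated public buffer half a page later; page 1 holds
 * another public buffer. Guarding the secret with mprotect() necessarily
 * guards the whole of page 0. */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

static sigjmp_buf fault_env;
static volatile sig_atomic_t fault_armed = 0;

/* Fault handler: if a probe is in flight, unwind to it; otherwise bail out. */
static void on_fault(int sig) {
    (void)sig;
    if (fault_armed)
        siglongjmp(fault_env, 1);
    _exit(2);
}

static int install_fault_handler(void) {
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sa.sa_flags = SA_NODEFER;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGSEGV, &sa, NULL) != 0) return -1;
    if (sigaction(SIGBUS, &sa, NULL) != 0) return -1;  /* some platforms raise SIGBUS */
    return 0;
}

/* Try to read one byte. Returns 1 if the access faulted, 0 if it succeeded. */
static int read_faults(const volatile unsigned char *p) {
    if (sigsetjmp(fault_env, 1) != 0) {
        fault_armed = 0;
        return 1;
    }
    fault_armed = 1;
    unsigned char v = *p;   /* volatile: the load is really issued */
    fault_armed = 0;
    (void)v;
    return 0;
}

struct granularity_result {
    int secret_readable_before;          /* 1: baseline access works */
    int secret_faults_when_guarded;      /* 1: the guard does its job */
    int neighbour_faults_when_guarded;   /* 1: collateral damage on the same page */
    int neighbour_readable_on_own_page;  /* 1: a separate page is unaffected */
};

/* Runs the demo; returns 0 on success, -1 if setup failed. */
int page_granularity_demo(struct granularity_result *r) {
    long page = sysconf(_SC_PAGESIZE);
    if (page <= 0 || install_fault_handler() != 0) return -1;

    unsigned char *region = mmap(NULL, (size_t)(2 * page), PROT_READ | PROT_WRITE,
                                 MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (region == MAP_FAILED) return -1;

    unsigned char *secret           = region;             /* 64 bytes, page 0 */
    unsigned char *same_page_public = region + page / 2;  /* unrelated data, page 0 */
    unsigned char *own_page_public  = region + page;      /* unrelated data, page 1 */
    memset(secret, 0x41, 64);                /* constructed sample contents */
    memset(same_page_public, 0x42, 64);
    memset(own_page_public, 0x43, 64);

    r->secret_readable_before = !read_faults(secret);

    /* "Guard" the secret: the smallest unit mprotect() accepts is one page. */
    if (mprotect(region, (size_t)page, PROT_NONE) != 0) {
        munmap(region, (size_t)(2 * page));
        return -1;
    }
    r->secret_faults_when_guarded     = read_faults(secret);
    r->neighbour_faults_when_guarded  = read_faults(same_page_public);
    r->neighbour_readable_on_own_page = !read_faults(own_page_public);

    mprotect(region, (size_t)page, PROT_READ | PROT_WRITE);
    munmap(region, (size_t)(2 * page));
    return 0;
}

int main(void) {
    struct granularity_result r;
    if (page_granularity_demo(&r) != 0) { perror("setup"); return 1; }
    printf("secret readable before guard:     %d\n", r.secret_readable_before);
    printf("secret faults while guarded:      %d\n", r.secret_faults_when_guarded);
    printf("same-page neighbour also faults:  %d\n", r.neighbour_faults_when_guarded);
    printf("other-page neighbour still reads: %d\n", r.neighbour_readable_on_own_page);
    return 0;
}
```

Because the protection change is a property of the mapping rather than of the thread making the access, every thread in the process sees the same page go dark, which is the other half of the difficulty the abstract describes for multithreaded code. Sub-page, per-thread policy is precisely what the tagged-memory support the paper builds on is meant to make affordable.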