# Heap Isolation

## Scenarios

```mermaid
flowchart BT
    subgraph privileged[Hypervisor]
        GodC[Page Allocator]
    end
    subgraph unprivileged[Guest VM]
        subgraph CA[Container A]
            hA(Heap A)
            hAB(Heap A-B)
            hAC(Heap A-C)
            hABC(Heap A-B-C)
        end
        subgraph CB[Container B]
            hB(Heap B)
            hBA(Heap A-B)
            hBC(Heap B-C)
            hBAC(Heap A-B-C)
        end
        subgraph CC[Container C]
            hC(Heap C)
            hCB(Heap B-C)
            hCA(Heap A-C)
            hCAB(Heap A-B-C)
        end
        hAB .- hBA
        hABC .- hBAC .- hCAB .- hABC
        hBC .- hCB
        hAC .- hCA
    end
    CA ==> CC
    CA ==> CB
    CB ==> CC
    unprivileged ==VM-Exit==> privileged
```

```mermaid
flowchart BT
    subgraph privileged[Hypervisor]
        GodC[Page Allocator]
    end
    subgraph unprivileged[Guest VM]
        subgraph CA[Container A]
            hA(Heap A)
            hAB(Heap A-B)
            hACD(Heap A-C-D)
            hAE(Heap A-E)
        end
        subgraph CB[Container B]
            hB(Heap B)
            hBA(Heap A-B)
        end
        subgraph CC[Container C]
            hC(Heap C)
            hCAD(Heap A-C-D)
        end
        subgraph CD[Container D]
            hD(Heap D)
            hDAC(Heap A-C-D)
        end
        subgraph CE[Container E]
            hE(Heap E)
            hEA(Heap A-E)
        end
        hAB .- hBA
        hACD .- hCAD .- hDAC
        hAE .- hEA
    end
    CA ===> CB
    CA ==> CC
    CC ====> CD
    CC ==> CE
    unprivileged ==VM-Exit==> privileged
```

### Hypervisor Page Table Example

```mermaid
flowchart TD
    R[Root] --> B0[16KiB] & B1[16KiB]
    B0 --> B00[8KiB] & B01[8KiB, flag=2]
    B1 --> B10[8KiB] & B11[8KiB, flag=0]
    B10 --> B100[4KiB, free] & B101[4KiB, flag=3]
    B00 --> B000[4KiB, flag=0] & B001[4KiB, flag=1]
```

### Flag Map Example

| Flag          | 0   | 1   | 2   | 3   |
| ------------- | --- | --- | --- | --- |
| Access Bitmap | 100 | 010 | 001 | 101 |

## Isolation Rules

- Allocated objects should only be accessible in the components where they are explicitly accessed

## Page-Allocator Rules

- No double-free
- Allocations translate the same way for all EPT views
- Single fixed allocator region (cannot be changed once set)
- Pages are zeroed on free/allocation to prevent data transfer
- Pages are made inaccessible for all views on free

## Argue Hypervisor Page-Allocator

### Con

- Complicated to implement
- Many changes in the hypervisor
- Less flexible guest application

### Pro

- Allocator metadata is inaccessible for the guest (no manipulation possible)
- No vmfunc necessary for heap metadata isolation

## Argue Guest Page-Allocator

### Con

- Metadata isolation requires an additional EPT view
- Non-isolated metadata could be manipulated to change the behaviour of other components:
  - Make memory run out
  - Create VM-Exits through invalid access attempts
  - Unclear if this could be a problem

### Pro

- Guests can have a custom allocator implementation

---

# Old

## Hypervisor Rules

- Mappings must be identity mappings from the original KVM memory view to another EPT view
- Mappings can only be created for memory that is either currently unused in the source and all target views, or when the requesting EPT index has access to that range
- Mappings can only be cleared if the requesting view has access to that range. The requesting view can, however, clear the mapping of another view.

## Counter Page Table

Page table that contains mapping counters instead of physical addresses in the lowest layer:

- Initialized with 0
- Incremented for every mapped page, per view
- Decremented on unmapping
- When the count is 0, the page is not mapped in any view of the EPTP list

## Allocation Scenarios

### Private Allocator A allocates Object

1. Check if there is enough space left; if not:
   1. Ask the hypervisor for private pages
2. Pop a free block from the freelist

### Private Allocator A frees Object

1. Insert the free block into the freelist and do block compaction
2. Check if the resulting free block exceeds the maximum block size; if so:
   1. Return pages to the hypervisor

### Shared Allocator A-B allocates Object

1. Check if there is enough space left; if not:
   1. Ask the hypervisor to map shared pages to both A and B
2. Pop a free block from the freelist

### Shared Allocator A-B frees Object

1. Insert the free block into the freelist and do block compaction
2. Check if the resulting free block exceeds the maximum block size; if so:
   1. Return pages to the hypervisor, so that neither A nor B can access them anymore

# ...

- stack 1 (component 1)
- shared stack 1 (component 1 & 2)
- stack 2 (component 2)
- shared 2
- stack 3
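The Hypervisor Rules, the Counter Page Table and the shared allocator A-B scenario above, modelled together as an added example (not the project's own code). It assumes that views are EPT indices, that pages are guest frame numbers under identity mappings, and that "unused" means a counter of 0 (mapped in no view); the view numbers and page contents are constructed.

```python
PAGE = 4096


class Hypervisor:
    """Counter page table plus the mapping rules from the notes (constructed model)."""
    def __init__(self, num_views, num_pages):
        self.views = [set() for _ in range(num_views)]  # gfns each EPT view can access
        self.counter = [0] * num_pages  # counter page table: number of views mapping each gfn
        self.memory = [bytes(PAGE)] * num_pages  # page contents (constructed)

    def may_map(self, requester, gfns):
        # Rule: a page may be identity-mapped into other views only if it is unused
        # (count 0: mapped in no view) or the requesting view already has access to it.
        return all(self.counter[gfn] == 0 or gfn in self.views[requester] for gfn in gfns)

    def map_pages(self, requester, gfns, targets):
        if not self.may_map(requester, gfns):
            raise PermissionError(f"view {requester} may not map {gfns}")
        for gfn in gfns:
            if self.counter[gfn] == 0:
                self.memory[gfn] = bytes(PAGE)  # zeroed on allocation
            for v in targets:
                if gfn not in self.views[v]:
                    self.views[v].add(gfn)
                    self.counter[gfn] += 1  # increment per mapped view

    def unmap_pages(self, requester, gfns, target):
        # Rule: the requester needs access to the range; it may clear another view's mapping.
        if not all(gfn in self.views[requester] for gfn in gfns):
            raise PermissionError(f"view {requester} has no access to {gfns}")
        for gfn in gfns:
            if gfn in self.views[target]:
                self.views[target].discard(gfn)
                self.counter[gfn] -= 1  # decrement on unmapping
                if self.counter[gfn] == 0:
                    self.memory[gfn] = bytes(PAGE)  # count 0: unmapped everywhere, zero it


def shared_alloc_free_demo():
    """Shared allocator A-B (views 1, 2) takes gfns 4-5; view C (3) must not be able to join."""
    hv = Hypervisor(num_views=4, num_pages=8)
    A, B, C, pages = 1, 2, 3, [4, 5]
    hv.map_pages(A, pages, targets=[A, B])
    hv.memory[4] = b"\x41" * PAGE  # A writes through the shared mapping (constructed data)
    blocked = not hv.may_map(C, [4])  # gfn 4 is in use and C has no access to it
    after_alloc = list(hv.counter)
    hv.unmap_pages(A, pages, target=B)  # clear B's mapping first, while A still has access
    hv.unmap_pages(A, pages, target=A)
    return after_alloc, blocked, list(hv.counter), hv.memory[4] == bytes(PAGE), 4 in hv.views[B]
```

Clearing A's own mapping before B's would fail the access check in `unmap_pages`, which is why the free path releases the other view first.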