RISC-V Extensions for SLAT-based Sandboxing with Optimized Address Translation
Supervisor(s): Marius Momeu
Status: finished
Topic: Others
Author: Teofil Bodea
Submission: 2023-11-15
Type of Thesis: Master's thesis
Description

In virtualized systems a virtual memory address is translated through two levels of page tables: the first level is responsible for isolating processes within a guest, while the second level is responsible for isolating the guests from each other and from the hypervisor. Unfortunately, this approach leads to suboptimal performance at runtime, as translating a single memory address requires several memory accesses in the first stage, each of which may in turn require a full page table walk in the second stage. In this work, we explore the idea of using a single translation stage to isolate both user-space processes and VMs in virtualized systems, aiming to achieve the performance of non-virtualized settings while providing the same security guarantees. We follow a hardware/software co-design approach that we call Second Translation Stage Isolation (STSI), which enables guest OSes to achieve isolation with a single translation stage. In particular, STSI envisions an execution environment where guests drop the page tables used in the first stage and uphold isolation by relying on the second-stage tables, which are maintained in hypervisor memory where malicious guests cannot modify their contents. To avoid increasing the performance overhead by relying on the hypervisor for memory management operations, this work proposes custom hardware extensions that allow guests to perform memory management operations on the second-stage tables without hypervisor intervention. We provide hardware support for managing multiple second-stage tables and add a custom instruction that allows a guest OS to change the active second-stage table without hypervisor intervention. Additionally, we allow a guest OS to securely manage its second-stage table entries directly, without the need to perform hypercalls. As a further optimization, we provide support for user-space hypercalls, which allow user-space processes to call hypervisor functions without having to first trap into the guest OS.
We implement STSI on RISC-V, an open standard instruction set architecture. Our performance evaluation shows that switching the active SLAT table is 2.4 times slower than switching the active PT, which is, however, offset by the faster address translation process at runtime. We also measure a 42.28% reduction in latency when using user-space hypercalls compared to a syscall+hypercall from the guest, and we observe that D-Cache and DTLB misses reduce by 22.64% and 11.76% respectively, while the overall number of D-Cache accesses decreases by 49.72%.