Overview

This repo contains our implementation of the compartmentalization scheme described in our NDSS '22 paper here. In the paper, we showed that compartmentalization vulnerabilities are the most common class of CVEs, and developed a novel enforcement mechanism for compartmentalization policies. Our mechanism leverages ARM MTE and PAC, which both provides efficient checks and minimizes the software TCB. To measure the performance of our scheme, we compartmentalized the IPv6 and NFTables kernel modules, and evaluated using Apache and by browsing the Alexa Top 50 websites. Here we provided the kernel source files with out annotations to define the compartments, as well as the LLVM compiler pass we use to add the required checks to enforce our scheme.