Modern computer systems implement memory protection as part
of virtual address translation, limiting it to the granularity
of whole pages, which have grown to be 4KB or more. System developers
tolerate this antique form of memory protection because previous
attempts at fine-grained memory protection, for example capabilities
or segmentation, have proven ungainly to program and difficult
to engineer for high performance. Efficient fine-grained memory
protection would remove the need for the cumbersome workarounds
that appear regularly in research conferences, and would enable
a new class of robust extensible software systems.

This talk presents a new solution for fine-grained memory protection
called Mondriaan Memory Protection (MMP). MMP supports multiple
protection domains sharing the same address space. Each domain
has its own permissions table which supports (32-bit) word-level
protection for arbitrary runs of words at any word boundary. Space
overheads are reduced with a compressed permissions table structure,
and run-time overheads are reduced by using two levels of hardware
permissions caching. Even under heavy use, space overhead is less
than 9% and memory reference overhead is less than 8%. MMP works
with linear addresses and so is compatible with existing instruction
sets and operating systems.

The talk will cover the obvious and non-obvious data structures
that are required for MMP's good performance. The talk will also
discuss extensions to MMP, and present preliminary data on using
MMP to enforce module boundaries in the Linux kernel.

Thursday, March 20, 2003
Moore School Bldg. - Room #216
3:00 - 4:30 p.m.