Secure Memory Management on Modern Hardware
arXiv - CS - Operating Systems Pub Date : 2020-09-06 , DOI: arxiv-2009.02737
Reto Achermann, Nora Hossle, Lukas Humbel, Daniel Schwyn, David Cock, Timothy Roscoe

Almost all modern hardware, from phone SoCs to high-end servers with accelerators, contains memory translation and protection hardware like IOMMUs, firewalls, and lookup tables which make it impossible to reason about and enforce protection and isolation based solely on the processor's MMUs. This has led to numerous bugs and security vulnerabilities in today's system software. In this paper we regain the ability to reason about and enforce access control using the proven concept of a reference monitor mediating accesses to memory resources. We present a fine-grained, realistic memory protection model that makes this traditional concept applicable today, and bring system software in line with the complexity of modern, heterogeneous hardware. Our design is applicable to any operating system, regardless of architecture. We show that it not only enforces the integrity properties of a system, but does so with no inherent performance overhead, and it is even amenable to automation through code generation from trusted hardware specifications.

Updated: 2020-09-08