English

Automatic ISA analysis for Secure Context Switching

Operating Systems 2025-02-11 v1 Cryptography and Security

Abstract

Instruction set architectures are complex, with hundreds of registers and instructions that can modify dozens of them during execution, variably on each instance. Prose-style ISA specifications struggle to capture these intricacies of the ISAs, where often the important details about a single register are spread out across hundreds of pages of documentation. Ensuring that all ISA-state is swapped in context switch implementations of privileged software requires meticulous examination of these pages. This manual process is tedious and error-prone. We propose a tool called Sailor that leverages machine-readable ISA specifications written in Sail to automate this task. Sailor determines the ISA-state necessary to swap during the context switch using the data collected from Sail and a novel algorithm to classify ISA-state as security-sensitive. Using Sailor's output, we identify three different classes of mishandled ISA-state across four open-source confidential computing systems. We further reveal five distinct security vulnerabilities that can be exploited using the mishandled ISA-state. This research exposes an often overlooked attack surface that stems from mishandled ISA-state, enabling unprivileged adversaries to exploit system vulnerabilities.

Cite

@article{arxiv.2502.06609,
  title  = {Automatic ISA analysis for Secure Context Switching},
  author = {Neelu S. Kalani and Thomas Bourgeat and Guerney D. H. Hunt and Wojciech Ozga},
  journal= {arXiv preprint arXiv:2502.06609},
  year   = {2025}
}

Comments

15 pages, 6 figures, 2 tables, 4 listings

R2 v1 2026-06-28T21:38:47.425Z