A comparison of two context allocation approaches for fast protected calls

Secure computing systems require the implementation of protection domains and a safe way of transferring control across such domains. Isolating the contexts (activation stacks) of the caller and the callee, to avoid unintended information flow, is a fundamental requirement for implementing cross-domain transfers. We present and evaluate two approaches for implementing contexts for cross-domain calls in a conventional pipelined architecture retrofitted with a simple capability mechanism. The first and the more traditional approach is to use separate context segments for the caller and the callee. The second is to use a unified context segment supported by some modest hardware for avoiding unintended information flow. Simulation results indicate that the unified context solution performs markedly better than the separate context solution. Also, the overall overhead of the protected call mechanism using the unified context is about 10-30%-a price that may be worth paying for the resulting security