Software bugs in many different variants can potentially leak sensitive data to an attacker. Implementing a separation mechanism for security domains can prevent incorrect or malicious code to leak sensitive data from one security domain to another. This work presents a separation mechanism based on labeling security domains with a label in tagged memory, at word-level granularity, called color labeling.

Utilizing a tagged architecture based on the RISC-V architecture, color labeling assigns colors (denoting a security domain) to individual memory words, cache lines, registers and peripherals. Using a simple set of hardware enforced policies, data protection is ensured. Control flow integrity is maintained with the
help of additional tag bits that denote code and valid jump addresses. New instructions have been added for functions that handle data residing in multiple security domains.

Software support is implemented in the Rust compiler. The compiler is enhanced with macros to support the coloring concept via source level annotations. Incorrect use of labels is reported during compilation. An external tool is used to generate tag information and generate a security report with information on
variable coloring and special function use and construction. Using the external tool keeps the changes to the compiler minimal, thereby reducing the maintenance burden and the required trust in the compiler as well. The report can be used in a security audit.

The concept is implemented on an instruction set architecture simulator. The toolchain modifications and the concept itself have been tested on this simulator. Testing showed the concept can prevent cross-security domain information leaks under several common attack patterns. The overhead due to the execution of additional instructions in the executable code depends on the actual code. Tests with the typical target application OpenVPN-NL showed a less than 5% increase in instruction count for the most commonly called functions.

By designing or redesigning software specifically for color labeling, this overhead can possibly be further reduced. Further testing, specifically on an actual hardware implementation is recommended.

Due to timing constraints, the concept has not been implemented in hardware. However, the hardware performance costs are estimated to be negligible. The area requirements are substantial: implementing the concept in the RISC-V softcore requires double the external memory capacity and FPGA resource utilization is estimated to require 14% more ALMs and 74% more internal memory blocks.