NanoZone: Scalable, Efficient, and Secure Memory Protection for Arm CCA
Arm Confidential Computing Architecture (CCA) currently isolates at the granularity of an entire Confidential Virtual Machine (CVM), leaving intra-VM bugs such as Heartbleed unmitigated. The state-of-the-art narrows this to the process level, yet still cannot stop attacks that pivot within the same process, and prior intra-enclave schemes are either too slow or incompatible with CVM-style isolation. We extend CCA with a three-tier zone model that spawns an unlimited number of lightweight isolation domains inside a single process, while shielding them from kernel-space adversaries. To block domain-switch abuse, we also add a fast user-level Code-Pointer Integrity (CPI) mechanism. We developed two prototypes: a functional version on Arm's official simulator to validate resistance against intra-process and kernel-space adversaries, and a performance variant on Arm development boards evaluated for session-key isolation within server applications, in-memory key-value protection, and non-volatile-memory data isolation. NanoZone incurs roughly a 20% performance overhead while retaining 95% throughput compared to the system without fine-grained isolation.
View on arXiv@article{liu2025_2506.07034,
title={ NanoZone: Scalable, Efficient, and Secure Memory Protection for Arm CCA },
author={ Shiqi Liu and Yongpeng Gao and Mingyang Zhang and Jie Wang },
journal={arXiv preprint arXiv:2506.07034},
year={ 2025 }
}