[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"doc-detail-84839-en":3,"doc-seo-84839-105":29,"detail-sidebar-cat-0-en-105":91},{"code":4,"msg":5,"data":6},0,"success",{"doc_id":7,"user_id":8,"nickname":9,"user_avatar":10,"doc_module":4,"category_id":11,"category_name":12,"doc_title":13,"doc_description":14,"doc_content":15,"file_id":16,"file_url":17,"file_type":18,"file_size":19,"view_count":20,"is_deleted":4,"is_public":20,"is_downloadable":20,"audit_status":20,"page_count":21,"language":22,"language_code":23,"site_id":24,"html_lang":23,"table_of_contents":25,"faqs":26,"seo_title":13,"seo_description":14,"update_tm":27,"read_time":28},84839,8796095462418,"Noah","https://ap-avatar.wpscdn.com/avatar/80000253c1241d02b47?x-image-process=image/resize,m_fixed,w_180,h_180&k=1778826106357471780",6,"Technology","Completes Universal Compartmentalisation and Programming Model For Arm Permission Overlay Extension 2","Arm Permission Overlay Extension (POE) enables intra-process isolation using memory protection keys, partitioning virtual memory into regions with permissions reconfigurable without higher exception-level handling. POE cannot provide privilege separation, so protection domains mainly support software fault isolation. POE2 strengthens security with additional registers and tables, where effective permissions depend on spatial indices of code and memory, operation type, and a thread temporal index attribute. The work analyzes POE2 and proposes a universal programming model that abstracts spatial/temporal complexity while enabling practical intra-process partitioned patterns.","Complets: Universal Compartmentalisation and Programming Model For Arm Permission Overlay Extension 2  \nVasily A. Sartakov  \nHuawei R&D  \narXiv :2607 .05569v 1 [ cs .OS] 6 Jul 2026  \nAbstract  \nArm Permission Overlay Extension (POE) is an intra-process isolation mechanism based on memory protection keys. This mechanism partitions virtual memory into regions whose access permissions can be reconfigured without invoking higher exception levels. Because POE does not enforce privilege separation, POE-based protection domains are applicable only as a software fault-isolation technique.  \nThe POE2 is an isolation mechanism that substan  \ntially extends POE1 . Dealing with memory protection keys, it also introduces new registers and tables that regulate the operations permitted for code executing within protection domains associated with different keys. A permission is determined by the spatial index of the executing code (i.e., the protection key associated with code), the spatial index of the accessed memory, the operation type, and a new attribute of the thread context: its temporal index.  \nPOE2 provides stronger security guarantees than POE1, but also introduces considerable architectural complexity. Effective permissions arise from the interaction of multiple hardware components, making direct programming non-trivial and prone to subtle errors. In the paper, we present a detailed analysis of POE2 and introduce a universal programming model with a strong security model for POE2-based systems. The model abstracts the complexity of spatial and temporal indices while enabling typical patterns of partitioned software constructed using intra-process isolation.  \n1 Introduction  \nVirtual memory and processes are fundamental mechanisms that enable isolated program execution. Each program executes within its own address space, without visibility into how virtual addresses are backed by hardware or whether other programs exist. If virtual address spaces are isolated and no pages are shared, programs cannot directly influence one another and may communicate only through the privileged intermediary – the kernel.  \nThe kernel serves as this privileged intermediary and provides mechanisms to configure the Memory Management Unit (MMU) . Interaction between processes requires transitions into privileged mode, which impose performance overhead on communicating programs. Consequently, the trade-off between the size of the Trusted Computing Base (TCB) and communication performance is driven by practical considerations: secure deployments favour finer-grained isolation with higher communication costs, whereas less secure deployments permit more monolithic software with lower overhead.  \nOne approach to reducing the overhead associated with process-based isolation – commonly referred to as the MMU tax – is to employ intra-process isolation mechanisms and construct communication primitives that avoid privileged transitions. Over the last decade, several techniques have been proposed: Intel Memory Protection Keys (MPK) [14] and Arm Permission Overlay Exten-  \nkernel  \nFigure 1: Communication between isolated parties:⃝1 IPC between processes using kernel;  Crosscompartment calls without the kernel  \nsion (POE) [1] allow assigning protection keys to memory pages and modifying page attributes without kernel involvement. Once keys are assigned, the effective permissions of associated pages are determined by the key’s permissions, and updates to key attributes do not require kernel mediation. Using these extensions, prior work has demonstrated fine-grained software partitioning with low performance overhead [16] .  \nA key limitation of Arm POE and Intel MPKis the absence of privilege separation within compartments – software components isolated using protection keys. With MPK, compartmentalised code can modify access rights of other compartments via the wrpkru instruction [10] . On Arm, compartmentalised code can similarly modify the POR_ELx register. In ","cbCaie4QsPKX8uw3","https://ap.wps.com/l/cbCaie4QsPKX8uw3","pdf",292490,1,10,"English","en",105,"# Introduction\n## Motivation: Reduce MMU tax and kernel mediation\n## Limitation of POE1 and MPK: lack of privilege separation\n## POE2: privilege separation and new permission determination\n## Contribution overview","[{\"question\":\"What problem does Arm POE2 aim to solve compared with traditional process isolation?\",\"answer\":\"POE2 targets the overhead of kernel-mediated communication in process-based isolation by enabling intra-process isolation primitives that avoid privileged transitions while still improving isolation guarantees.\"},{\"question\":\"Why is POE1 limited for security beyond software fault isolation?\",\"answer\":\"POE1 lacks privilege separation within compartments, allowing isolated code to adjust protection state without trustworthy mediation, so it cannot reliably contain adversarial execution.\"},{\"question\":\"How does POE2 determine effective permissions for code execution?\",\"answer\":\"Effective permissions are computed from a combination of spatial indices tied to the executing code location and accessed memory, the operation type, and a thread-context temporal index attribute.\"}]",1784198642,25,{"code":4,"msg":30,"data":31},"ok",{"site_id":24,"language":23,"slug":32,"title":13,"keywords":33,"description":14,"schema_data":34,"social_meta":86,"head_meta":88,"extra_data":90,"updated_unix":27},"completes-universal-compartmentalisation-and-programming-model-for-arm-permission-overlay-extension-2","",{"@graph":35,"@context":85},[36,53,68],{"@type":37,"itemListElement":38},"BreadcrumbList",[39,43,47,50],{"item":40,"name":41,"@type":42,"position":20},"https://docshare.wps.com","Home","ListItem",{"item":44,"name":45,"@type":42,"position":46},"https://docshare.wps.com/document/","Document",2,{"item":48,"name":12,"@type":42,"position":49},"https://docshare.wps.com/document/technology/",3,{"item":51,"name":13,"@type":42,"position":52},"https://docshare.wps.com/document/completes-universal-compartmentalisation-and-programming-model-for-arm-permission-overlay-extension-2/84839/",4,{"url":51,"name":13,"@type":54,"author":55,"headline":13,"publisher":57,"fileFormat":60,"inLanguage":23,"description":14,"dateModified":61,"datePublished":62,"encodingFormat":60,"isAccessibleForFree":63,"interactionStatistic":64},"DigitalDocument",{"name":9,"@type":56},"Person",{"url":40,"name":58,"@type":59},"DocShare","Organization","application/pdf","2026-07-17","2026-07-16",true,{"@type":65,"interactionType":66,"userInteractionCount":20},"InteractionCounter",{"@type":67},"ViewAction",{"@type":69,"mainEntity":70},"FAQPage",[71,77,81],{"name":72,"@type":73,"acceptedAnswer":74},"What problem does Arm POE2 aim to solve compared with traditional process isolation?","Question",{"text":75,"@type":76},"POE2 targets the overhead of kernel-mediated communication in process-based isolation by enabling intra-process isolation primitives that avoid privileged transitions while still improving isolation guarantees.","Answer",{"name":78,"@type":73,"acceptedAnswer":79},"Why is POE1 limited for security beyond software fault isolation?",{"text":80,"@type":76},"POE1 lacks privilege separation within compartments, allowing isolated code to adjust protection state without trustworthy mediation, so it cannot reliably contain adversarial execution.",{"name":82,"@type":73,"acceptedAnswer":83},"How does POE2 determine effective permissions for code execution?",{"text":84,"@type":76},"Effective permissions are computed from a combination of spatial indices tied to the executing code location and accessed memory, the operation type, and a thread-context temporal index attribute.","https://schema.org",{"og:url":51,"og:type":87,"og:title":13,"og:site_name":58,"og:description":14},"article",{"robots":89,"canonical":51},"index,follow",{"doc_id":7,"site_id":24},{"code":4,"msg":5,"data":92},[93,97,101,105,110,113,118,123,128,131,134],{"id":20,"doc_module":4,"doc_module_name":45,"category_name":94,"show_sort_weight":95,"slug":96},"Story & Novel",90,"story-novel",{"id":46,"doc_module":4,"doc_module_name":45,"category_name":98,"show_sort_weight":99,"slug":100},"Literature",80,"literature",{"id":52,"doc_module":4,"doc_module_name":45,"category_name":102,"show_sort_weight":103,"slug":104},"Exam",70,"exam",{"id":106,"doc_module":4,"doc_module_name":45,"category_name":107,"show_sort_weight":108,"slug":109},5,"Comic",60,"comic",{"id":11,"doc_module":4,"doc_module_name":45,"category_name":12,"show_sort_weight":111,"slug":112},50,"technology",{"id":114,"doc_module":4,"doc_module_name":45,"category_name":115,"show_sort_weight":116,"slug":117},7,"Healthcare",40,"healthcare",{"id":119,"doc_module":4,"doc_module_name":45,"category_name":120,"show_sort_weight":121,"slug":122},8,"Research & Report",30,"research-report",{"id":124,"doc_module":4,"doc_module_name":45,"category_name":125,"show_sort_weight":126,"slug":127},9,"Religion & Spirituality",20,"religion-spirituality",{"id":126,"doc_module":4,"doc_module_name":45,"category_name":129,"show_sort_weight":126,"slug":130},"World Cup","world-cup",{"id":21,"doc_module":4,"doc_module_name":45,"category_name":132,"show_sort_weight":21,"slug":133},"Lifestyle","lifestyle",{"id":135,"doc_module":4,"doc_module_name":45,"category_name":136,"show_sort_weight":106,"slug":137},19,"General","general"]