Department of Computer Science and Technology

Memory safety with CHERI capabilities: security analysis, language interpreters, and heap temporal safety

Brett Gutstein

November 2022, 119 pages

This technical report is based on a dissertation submitted July 2022 by the author for the degree of Doctor of Philosophy to the University of Cambridge, Trinity College.

DOI: 10.48456/tr-975

Abstract

CHERI (Capability Hardware Enhanced RISC Instructions) is a promising research processor-architecture protection model that facilitates memory safety and fine-grained compartmentalization for software. The architecture has reached a mature state and been integrated into Arm’s industrial-scale Morello system-on-chip, a large corpus of software has been adapted to support CHERI, and prior work has demonstrated that replacing integer pointers with CHERI capabilities can make C and C++ programs spatially safe. In this dissertation, I identify gaps that limit the ability of current mitigations based on CHERI to deliver real-world vulnerability protection, and I work towards addressing them.

I develop the memory-operations framework (MOF) for reasoning about memory-safety mitigations and the types of attacks they prevent. I apply the MOF to analyze CheriABI, the most sophisticated memory-safety mitigation built atop CHERI. I also evaluate CheriABI’s effectiveness in mitigating a set of real-world attacks that targeted devices running Apple’s iOS. Based on this evaluation, I identify two key areas in CHERI-supported memory safety that require improved protections.

One of these areas involves support for contemporary programming language interpreters, which have not previously been adapted to CHERI. Using Apple’s JavaScriptCore as a case study, I evaluate the feasibility, source-code compatibility, and security properties of adapting an interpreter that supports just-in-time compilation to CHERI. I determine that such an adaptation is feasible, practical, and can achieve parity with more typical applications in terms of memory protection.

The other area is providing temporal safety for userspace heaps, which CheriABI does not currently support. I introduce novel algorithms and software components that constitute a fully elaborated system for CHERI-based userspace heap temporal safety. I implement the system, which includes the Cornucopia kernel subsystem for sweeping capability revocation and a generic userspace library that encapsulates changes required for memory allocators, in CheriBSD for Morello. Relative to the CHERIvoke algorithm for heap temporal safety, which has previously been published but not implemented on CHERI hardware, the novel algorithms reduce application runtimes by up to 23.5% and pause times by up to 11,000x, potentially making temporal safety with CHERI feasible for large, real-world workloads.

Full text

PDF (1.2 MB)

BibTeX record

@TechReport{UCAM-CL-TR-975,
  author      = {Gutstein, Brett},
  title       = {{Memory safety with CHERI capabilities: security analysis,
                  language interpreters, and heap temporal safety}},
  year        = 2022,
  month       = nov,
  url         = {https://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-975.pdf},
  institution = {University of Cambridge, Computer Laboratory},
  doi         = {10.48456/tr-975},
  number      = {UCAM-CL-TR-975}
}