cheriabi
play

CheriABI Hardware enforced memory safety for FreeBSD Brooks Davis , - PowerPoint PPT Presentation

Jun 09, 2023 •125 likes •430 views

CheriABI Hardware enforced memory safety for FreeBSD Brooks Davis , Robert N. M. Watson, Alexander Richardson, Peter G. Neumann, Simon W. Moore, John Baldwin, David Chisnall, James Clarke, Nathaniel Wesley Filardo, Khilan Gudka, Alexandre

  1. CheriABI Hardware enforced memory safety for FreeBSD Brooks Davis , Robert N. M. Watson, Alexander Richardson, Peter G. Neumann, Simon W. Moore, John Baldwin, David Chisnall, James Clarke, Nathaniel Wesley Filardo, Khilan Gudka, Alexandre Joannou, Ben Laurie, A. Theodore Markettos, J. Edward Maste, Alfredo Mazzinghi, Edward Napierala, Robert Norton, Michael Roe, Peter Sewell, Stacey Son, Jonathan Woodruff SRI International, University of Cambridge, Microsoft Research, Google, Inc Approved for public release; distribution is unlimited. This work was supported by the Defense Advanced Research Projects Agency (DARPA) and the Air Force Research Laboratory (AFRL), under contracts FA8750-10-C-0237 (“CTSRD”) and HR0011- 18-C-0016 (“ECATS”). The views, opinions, and/or findings contained in this report are those of the authors and should not be interpreted as representing the official views or policies of the Department of Defense or the U.S. Government. 1

  2. Punchline: it really does work • Full FreeBSD operating system with spatial and referential memory safety • Covers programs, libraries, and linkers • Kernel access to user memory • Performance is generally acceptable • Significant 3 rd -party software works: PostgreSQL database, Webkit 2

  3. Introduction to CHERI • CHERI introduces a new register type: the capability • In addition to integer and floating point • CHERI capabilities grant access to bounded regions of virtual address space • Protected by tags Watson, et al. CHERI: a research platform deconflating hardware virtualization and protection. RESoLVE 2012. Woodruff, et al. The CHERI capability model: Revisiting RISC in an age of risk . ISCA 2014. 3

  4. Architectural CHERI capabilities 1-bit v tag permissions (31 bits) capability 256-bit length (64 bits) virtual address (64 bits) address (64 bits) base (64 bits) Allocation Architectural CHERI capabilities extend pointers with: Tags protect capabilities in registers and memory • Bounds limit range of address space accessible via a pointer • Virtual Permissions limit operations – e.g., load, store, instruction fetch • address space 4

  5. 128-bit compressed capabilities 1-bit v tag capability permissions compressed bounds relative to address 128-bit address (64 bits) • Compress bounds relative to 64-bit virtual address • Floating-point bounds mechanism constrains bounds alignment Allocation • Security properties maintained (e.g., provenance, monotonicity) • Strong C-language support (e.g., for out-of-bound pointers) • DRAM tag density from 0.4% to 0.8% of physical memory size Virtual • Full prototype with full software stack on FPGA address space • Implications for memory allocators, object alignment, etc 5

  6. CHERI memory operation • All memory access via CHERI capabilities • Explicit (new instructions): • Capability load, store, branch, jump • Implicit (legacy MIPS ISA): • via Default Data Capability (DDC) or Program Counter Capability (PCC) 6

  7. CHERI capability manipulation • Capabilities are used and manipulated in capability registers with capability instructions • Manipulations are monotonic (can only reduce bounds and permissions) • CAndPerm cd, cb, rt • CSetAddr cd, cs, rs • Capabilities can be stored in memory, protected by tags • Non-capability stores clear tags 7

  8. Capabilities as C pointers • CHERI capabilities are designed for use as C pointers • Allowed to be out of bounds between dereferences • Can store 64-bit integers (untagged) • No protection tables or privileged operations • Two compilation modes: • Hybrid: __capability annotation applied to select pointers • Pure-capability: all pointers are capabilities Chisnall, et al. Beyond the PDP-11: Processor support for a memory-safe C abstract machine. ASPLOS 2015. 8

  9. CheriABI: Pure-capability process environment • Built on CheriBSD (FreeBSD modified for CHERI) • All program pointers are capabilities • Including syscall arguments and return values • Goal: Bounds are minimized • C-language objects • Pointers provided by the kernel • Goal: run pure-capability programs with simple recompilation Watson, et al. CHERI: A Hybrid Capability-System Architecture for Scalable Software Compartmentalization. Oakland 2015. Chisnall, et al. CHERI-JNI: Sinking the Java security model into the C. ASPLOS 2017. 9

  10. Implementation: kernel • CheriABI is implemented as a compat layer (i.e. freebsd32) • The kernel is a hybrid CHERI-C program • Pointers to userspace are annotated with __capability and are capabilities. • Select data structures (e.g. struct iovec , signal bits) converted to store capabilities. • All userspace access via capabilities • Capability aware versions of userspace access functions: copyin_c / copyout_c / fueword_c , etc • Non “ _c ” verisons return error for CheriABI processes • Capabilities not copied to/from userspace by default • Special copyincap/copyoutcap used to ensure copy is intentional 10

  11. Abstract capabilities How should the systems programmer think about bounds? New concept: abstract capability • Set of permissions of the process • Tracks ghost state across swapping, etc • Constructed and maintained by a collaboration of the kernel and language runtime 12

  12. System startup Power-on state Early boot DDC RWX 0x0 - 0xFF…FF DDC RW- 0x0 - 0xFF…FF Registers PCC RWX 0x0 - 0xFF…FF PCC R-X 0x0 - 0xFF…FF C1-31 NULL C1-31 Working set UserRoot RWX 0x0-0x0000007F…FF SwapRoot RWX 0x0 - 0xFF…FF Memory All tags clear 13

  13. Execve Initial register values UserRoot RWX 0x0-0x0000007F…FF DDC NULL PCC RWX CSP RW- C03 RW- Kernel Userspace Thread Stack Program binary Process Run-time linker arguments auxargs environ argv Arg & environ strings 14

  14. Virtual-memory system • Programmer visible: • Provides capabilities to newly mapped regions via mmap() and shmat() • Alters and frees mappings • Abstract capability maintenance: • Ensures correct virtual to physical mappings • Preserves stored capabilities in swapped pages 15

  15. Virtual-memory system: mmap • mmap() allocates virtual address space and changes mappings • In CheriABI returns a bounded pointer • Imprecise mapping requests rejected • User must round-up unpresentable requests • Permissions are set based on page permissions • PROT_MAX() extension allows PROT_NONE mappings for reservation 16

  16. Virtual-memory system: swap … Tag bitmap SwapRoot RWX 0x0 - 0xFF…FF Tag-free storage Kernel Userspace User page User page Cap1 RW- 0x… - 0x… Cap1 RW- 0x… - 0x… Cap2 Cap2 ` R-- 0x… - 0x… R-- 0x… - 0x… 17

  17. Run-time linker • Loads and links dynamic libraries • Resolves symbols and synthesizes capabilities • Jumps to program entry point • Provides on-demand loading of libraries and supports exception handling 18

  18. C runtime • Objects allocated by malloc() are bounded to requested size • realloc() adjusts bounds or allocates new storage • Thread-local storage is bounded • Currently to per-thread storage • Compiler generated code sets bounds on stack, automatic, and global objects as required 19

  19. System calls read(fd, buffer, nbyte); TCB copyout(kaddr, buffer, len); v0 SYS_READ … a0 fd kern_readv(td, fd, {buffer, nbyte}); c3 RW- buffer cheriabi_read(td, uap); a1 nbyte Kernel Userspace Thread Stack buffer 20

  20. Kernel code changes: read() int user_read(struct thread *td, int fd, void * __capability buf, size_t nbyte) { Called by sys_read() and struct uio auio; cheriabi_read() kiovec_t aiov; if (nbyte > IOSIZE_MAX) return (EINVAL); IOVEC_INIT_C(&aiov, buf, nbyte); auio.uio_iov = &aiov; New init macro for struct iovec … return (kern_readv(td, fd, &auio)); } 21

  21. Required changes: pointer provenance if ((nstrings = realloc(we->we_strings, we->we_nbytes)) == NULL) { error = WRDE_NOSPACE; goto cleanup; } for (i = 0; i < vofs; i++) - if (we->we_wordv[i] != NULL) - we->we_wordv[i] += nstrings - we->we_strings ; + if (we->we_wordv[i] != NULL) { + we->we_wordv[i] = nstrings + + (we->we_wordv[i] - we->we_strings); + } we->we_strings = nstrings; Listing 1: Typical example of a pointer provenance bug. Here array of strings is extended 23

  22. Required changes: summary • Userspace: 1% (~200) of files required changes • Concentrated in libraries • Most programs require no changes • Kernel: <6% of files (~750) required changes • Pervasive changes to iovec , signal handlers, network interface ioctl handlers • A pure-capability kernel could reduce changes • Many changes improve code quality • We have upstreamed many to FreeBSD (compat32 improvements, etc) 24

  23. Capability bounds minimization (OpenSSL) all malloc glob relocs syscall kern stack exec 120000 Most capabilities bound small regions Small number 100000 B e t of whole t (<<1page) e Number of capabilities r shared-object 80000 references remain in 60000 startup code 40000 20000 Stack references 0 2 2 2 5 2 8 2 11 2 14 2 17 2 20 2 23 Size 25

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Relational Contracts and the Value of Loyalty Simon Board Department of Economics, UCLA November

Relational Contracts and the Value of Loyalty Simon Board Department of Economics, UCLA November

Introduction Model OneSided Commitment Full Problem Private Cost Information Rents End Relational Contracts and the Value of Loyalty Simon Board Department of Economics, UCLA November 20, 2009 Introduction Model OneSided

727 views • 44 slides
A Space Optimal Streaming Algorithm for Sketching Small Moments Daniel M. Kane Jelani Nelson

A Space Optimal Streaming Algorithm for Sketching Small Moments Daniel M. Kane Jelani Nelson

Introduction F p Algorithm Lower Bounds Conclusion A Space Optimal Streaming Algorithm for Sketching Small Moments Daniel M. Kane Jelani Nelson David P. Woodruff Harvard MIT IBM Almaden December 18, 2009 Introduction F p Algorithm Lower

1.14k views • 77 slides
Sparse Johnson-Lindenstrauss Transforms Jelani Nelson MIT May 24, 2011 joint work with Daniel

Sparse Johnson-Lindenstrauss Transforms Jelani Nelson MIT May 24, 2011 joint work with Daniel

Sparse Johnson-Lindenstrauss Transforms Jelani Nelson MIT May 24, 2011 joint work with Daniel Kane (Harvard) Metric Johnson-Lindenstrauss lemma Metric JL (MJL) Lemma, 1984 Every set of n points in Euclidean space can be embedded into O (

1.06k views • 58 slides
Quantum Chebyshevs Inequality and Applications Yassine Hamoudi, Frdric Magniez IRIF ,

Quantum Chebyshevs Inequality and Applications Yassine Hamoudi, Frdric Magniez IRIF ,

Quantum Chebyshevs Inequality and Applications Yassine Hamoudi, Frdric Magniez IRIF , Universit Paris Diderot, CNRS QUDATA 2019 arXiv: 1807.06456 Buffons needle A needle dropped randomly on a floor with equally spaced parallel

1.03k views • 76 slides
Randomness in Computing L ECTURE 27 Last time Stationary distributions Random walks on

Randomness in Computing L ECTURE 27 Last time Stationary distributions Random walks on

Randomness in Computing L ECTURE 27 Last time Stationary distributions Random walks on graphs Algorithm for - -PATH Today Sublinear algorithms Differential privacy 4/29/2020 Sofya Raskhodnikova;Randomness in

873 views • 34 slides
Communication Complexity David P. Woodruff IBM Almaden Talk Outline 1. Information Theory

Communication Complexity David P. Woodruff IBM Almaden Talk Outline 1. Information Theory

Information Theory for Communication Complexity David P. Woodruff IBM Almaden Talk Outline 1. Information Theory Concepts 2. Distances Between Distributions 3. An Example Communication Lower Bound Randomized 1-way Communication

471 views • 25 slides
Stochastic Programming Models with Decision Dependent Probabilities David L. Woodruff Graduate

Stochastic Programming Models with Decision Dependent Probabilities David L. Woodruff Graduate

Stochastic Programming Models with Decision Dependent Probabilities David L. Woodruff Graduate School of Management University of California, Davis October 2003 1 Outline Overview of the modeling issues Beyond the state of the art

598 views • 23 slides
Translating Evidence Into Practice Susan E. Shapiro, PhD, RN Associate Chief Nursing Officer,

Translating Evidence Into Practice Susan E. Shapiro, PhD, RN Associate Chief Nursing Officer,

Translating Evidence Into Practice Susan E. Shapiro, PhD, RN Associate Chief Nursing Officer, Emory susan.shapiro@ emoryhealthcare.org Healthcare Assistant Dean for Strategic Clinical Initiatives, Nell Hodgson Woodruff School of Nursing

276 views • 16 slides
Joshua Brody and Amit Chakrabarti Dartmouth College 24 th CCC, 2009, Paris Joshua Brody 1

Joshua Brody and Amit Chakrabarti Dartmouth College 24 th CCC, 2009, Paris Joshua Brody 1

Gap-Hamming Lower Bound July 18, 2009 Lower Bounds for Gap-Hamming-Distance and Consequences for Data Stream Algorithms Joshua Brody and Amit Chakrabarti Dartmouth College 24 th CCC, 2009, Paris Joshua Brody 1 Gap-Hamming Lower Bound July

1.28k views • 61 slides
On the communication complexity of sparse set disjointness and exists-equal problems Mert

On the communication complexity of sparse set disjointness and exists-equal problems Mert

On the communication complexity of sparse set disjointness and exists-equal problems Mert Saglam University of Washington Joint work with Gbor Tardos Communication complexity f(X,Y)=? X Y Alice Bob R: Shared random source R

1.94k views • 136 slides
Navigation and Zooming Navigation and Zooming Histories in a Zoomable Zoomable User Interface

Navigation and Zooming Navigation and Zooming Histories in a Zoomable Zoomable User Interface

Overview Overview Navigation Patterns and Usability of Zoomable Navigation Patterns and Usability of Zoomable User Interfaces with and without an Overview User Interfaces with and without an Overview Domain Name Based Visualization of Web

188 views • 8 slides
Examining Service Excellence in Higher Education for Adult Learners: A Text-mining Analysis Lee

Examining Service Excellence in Higher Education for Adult Learners: A Text-mining Analysis Lee

Examining Service Excellence in Higher Education for Adult Learners: A Text-mining Analysis Lee Yew Haur, Guan Chong and Chia Allan Introduc)on Background and Mo)va)on Higher educa,on is increasingly embraced by

854 views • 27 slides
Local Naming and Scope These slides borrow heavily from Ben Woods

Local Naming and Scope These slides borrow heavily from Ben Woods

Local Naming and Scope These slides borrow heavily from Ben Woods Fall 15 slides, some of which are in turn based on Dan Grossmans material from

585 views • 30 slides
LSST- FRANCE 8 June 2016 Dominique Fouchez, CPPM Supernovae Dark Energy science with LSST The

LSST- FRANCE 8 June 2016 Dominique Fouchez, CPPM Supernovae Dark Energy science with LSST The

News from the The DESC Supernova Working Group LSST- FRANCE 8 June 2016 Dominique Fouchez, CPPM Supernovae Dark Energy science with LSST The DESC SN-WG program Isotropy constraints Dark Energy constraints BAO with supernovae Two LSST

603 views • 22 slides
Word Meaning: Distributional Representations &amp; Word Sense Disambiguation CMSC 723 / LING 723

Word Meaning: Distributional Representations &amp; Word Sense Disambiguation CMSC 723 / LING 723

Word Meaning: Distributional Representations &amp; Word Sense Disambiguation CMSC 723 / LING 723 / INST 725 Marine Carpuat Slides credit: Dan Jurafsky Reminders Read the syllabus Make sure you have access to piazza Get started on

691 views • 54 slides
BUI LDI NG THE MOVEMENT TO REVERSE OBESI TY I N SOUTH CAROLI NA Carole Garner MPH, RD,LD Team

BUI LDI NG THE MOVEMENT TO REVERSE OBESI TY I N SOUTH CAROLI NA Carole Garner MPH, RD,LD Team

BUI LDI NG THE MOVEMENT TO REVERSE OBESI TY I N SOUTH CAROLI NA Carole Garner MPH, RD,LD Team Leader Engagem ent and Coordination, Robert W ood Johnson Foundation Center to Prevent Childhood Obesity April 14, 2010 Groundw ork STATE OF

579 views • 37 slides
CCLHO-CHEAC Chronic Disease Prevention Leadership Project Survey Preliminary Results October

CCLHO-CHEAC Chronic Disease Prevention Leadership Project Survey Preliminary Results October

CCLHO-CHEAC Chronic Disease Prevention Leadership Project Survey Preliminary Results October 10, 2012 2 Survey Highlights 42 responses from city and county health departments Response rate: 70% Focus areas Sugar-sweetened

863 views • 19 slides
A spoonful of sugar: Harnessing language to achieve your goals Ceri Newton-Sargunar

A spoonful of sugar: Harnessing language to achieve your goals Ceri Newton-Sargunar

A spoonful of sugar: Harnessing language to achieve your goals Ceri Newton-Sargunar @HotCupOfTeaPls. ffgtjkhvnmk mj; ;/# Shift no. 1: Goal framing Shift no. 2: Side-stepping our monkey minds Shift no. 3: Re-directing

1.18k views • 75 slides
The shape of things to come? Fixed costs, the new format bill and the Briggs reforms Andrew Post

The shape of things to come? Fixed costs, the new format bill and the Briggs reforms Andrew Post

The shape of things to come? Fixed costs, the new format bill and the Briggs reforms Andrew Post QC Hailsham Chambers Topics 1. The change thats already with us: Fixed Recoverable Costs 2. The change thats probably on its way: the new

1.04k views • 72 slides
S yntax Darrell Larsen Linguistics 101 Introduction Syntactic Categories Constituency Tests

S yntax Darrell Larsen Linguistics 101 Introduction Syntactic Categories Constituency Tests

Introduction Syntactic Categories Constituency Tests Notes S yntax Darrell Larsen Linguistics 101 Introduction Syntactic Categories Constituency Tests Notes O utline I ntroduction S yntactic C ategories C onstituency T ests N otes

1.35k views • 55 slides
LEED for Homes v4.0 Jay Hall Jay Hall &amp; Associates, Inc. March 18, 2015 Education Provider

LEED for Homes v4.0 Jay Hall Jay Hall &amp; Associates, Inc. March 18, 2015 Education Provider

Intro to LEED for Homes v4.0 Jay Hall Jay Hall &amp; Associates, Inc. March 18, 2015 Education Provider Formerly Founded 2000 LEED for Homes Provider 501(c)3 non-profit; mission: We exist to empower people to make healthier and

1.04k views • 70 slides
Meeting of the ICAR Working Group on Milk Recording of Sheep Niagara Falls, USA, 17 June 2008

Meeting of the ICAR Working Group on Milk Recording of Sheep Niagara Falls, USA, 17 June 2008

Meeting of the ICAR Working Group on Milk Recording of Sheep Niagara Falls, USA, 17 June 2008 Draft agenda Changes in the constitution of the group Main activities of the WG over the last 2 years Presentation of the results of the

805 views • 52 slides
Lea rning F rom Data Y aser S. Abu-Mostafa Califo rnia Institute of T

Lea rning F rom Data Y aser S. Abu-Mostafa Califo rnia Institute of T

Outline of the Course 11. Overtting ( Ma y 8 ) 12. Regula rization ( Ma y 10 ) 1. The Lea rning Problem ( Ap ril 3 ) 13. V alidation ( Ma y 15 ) 2. Is Lea rning F easible? ( Ap ril 5 ) 14. Supp o rt V

520 views • 20 slides
How to Work on and Save Project Using Google Slides 1. Sign in to Google www.google.com. It should

How to Work on and Save Project Using Google Slides 1. Sign in to Google www.google.com. It should

How to Work on and Save Project Using Google Slides 1. Sign in to Google www.google.com. It should look like this, but your initial or picture will be there instead of an F. 2. Click on the grid (3 rows of dots) near top of your screen by your

271 views • 5 slides

More recommend