CTSRD - CRASH-worthy Trustworthy Systems Research and Development - PowerPoint PPT Presentation

SLIDE 1

CTSRD

CRASH-worthy Trustworthy Systems Research and Development

Beyond the PDP-11:

Architectural support for a memory-safe C abstract machine

David Chisnall†, Colin Rothwell†, Brooks Davis‡, Robert N.M. Watson†, Jonathan Woodruff†, Munraj Vadera†, Simon W. Moore†, Peter G. Neumann‡, and Michael Roe†

Approved for public release; distribution is unlimited. This research is sponsored by the Defense Advanced Research Projects Agency (DARPA) and the Air Force Research Laboratory (AFRL), under contracts FA8750-10-C-0237 and FA8750-11- C-0249. The views, opinions, and/or findings contained in this article/presentation are those of the author(s)/presenter(s) and should not be interpreted as representing the official views or policies of the Department of Defense or the U.S. Government.

†University of Cambridge ‡SRI International

SLIDE 2

Why bring the PDP-11 into it?

  • First target for C
  • Flat, byte-addressable memory
  • C split memory into objects purely in software
  • All widely deployed C implementations follow this model

SLIDE 3

Memory safety for compartmentalisation

  • Processes are isolated by hardware (MMU), but expensive
  • Fine-grained compartmentalisation needs:
      • Cheap compartments
      • Fine-grained sharing

SLIDE 4

From compartments to objects

  • Sharing requires pointers with enforced bounds and permissions
  • Can we use this mechanism for every pointer?

[Figure: Process A and Process B, each holding a Pointer into a shared Buffer]

SLIDE 5

The initial CHERI ISA

  • All memory accesses via a capability register
  • ISA allows reducing capabilities
  • Tagged memory protects capabilities

SLIDE 6

Binary compatibility

[Figure: spectrum from "More compatible" to "More safe"]

  • n64: Pure MIPS
  • Hybrid: some pointers are capabilities
  • Pure-capability: all pointers are capabilities

SLIDE 7

The prototype CPU

  • 64-bit MIPS-compatible ISA (≈R4000)
  • CHERI ISA extensions
  • Runs at 100MHz on FPGA
  • Full software stack
SLIDE 8

Real world code

  • A lot of C is implementation defined
  • Most real C code does interesting things with pointers
  • Case study: tcpdump does most of them (on untrusted data, running as root)

Supporting just the standard isn't enough

SLIDE 9

Common pointer idioms

  • Full list in the paper
  • Around 2M lines of C code surveyed
  • Thousands of instances found
  • Breaking them is not acceptable!
SLIDE 10

Example: The mask idiom

    // The low bit of an aligned pointer is
    // always 0, so we can hide a flag in it
    int *set_flag(int *b)
    {
        return (int*)((intptr_t)b | 1);
    }

Pointer before: 0x1601231230

SLIDE 11

Example: The mask idiom (continued)

Pointer after set_flag: 0x1601231230 → 0x1601231231 (low bit now set)

SLIDE 12

Example: Invalid Intermediates

[Figure: a Buffer with a Pointer inside it and an End marker one past the last element]

    Pointer += x;
    if (Pointer > End)
        Pointer = End - 1;

SLIDE 16

Capabilities

  • Unforgeable
  • Monotonic length and permissions
  • Grant rights

Old CHERI capabilities:

    Base [64] | Length [64] | Permissions [32] | Type [24]
    Experimental [136]

SLIDE 17

Fat Pointers

  • Describe a point
  • Add metadata

SLIDE 18

Capabilities + Fat Pointers

  • Unforgeable
  • Monotonic length and permissions
  • Grant rights
  • Describe a point
  • Add metadata

SLIDE 20

New CHERI Capabilities

  • CHERI capabilities extended to include an offset field
  • Checks apply only on dereference

    Base [64] | Length [64] | Permissions [32] | Type [24] | Reserved [8]
    Offset [64]
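The two idioms from slides 10 to 15, run against a model of the offset-carrying capability this slide describes. This is a constructed C model added here, not the CHERI ISA, the FPGA prototype or the authors' code: cap_t, cap_add, old_cap_add, cap_load, fill_mem and the simulated mem array are assumptions, the "old model" is simplified to "checks apply when the capability is built" as a contrast to this slide's "checks apply only on dereference", and the permissions and type fields are left out because neither idiom touches them.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the slide-20 capability: base, length and a separate
 * offset, plus the tag bit that tagged memory protects. Illustration only,
 * not the CHERI ISA; permissions and type are omitted. */
typedef struct {
    uint64_t base;    /* start of the object this capability may reach */
    uint64_t length;  /* size of that object in bytes */
    uint64_t offset;  /* cursor relative to base; may legitimately be out of bounds */
    bool     tag;     /* false once the capability can no longer be dereferenced */
} cap_t;

/* Simulated physical memory (constructed sample data: mem[i] == i). */
static uint8_t mem[64];

static void fill_mem(void) {
    for (unsigned i = 0; i < sizeof mem; i++) mem[i] = (uint8_t)i;
}

static cap_t cap_make(uint64_t base, uint64_t length) {
    cap_t c = { base, length, 0, true };
    return c;
}

/* New model (slide 20): pointer arithmetic only moves the offset and is not
 * checked, so an out-of-bounds intermediate keeps its tag. */
static cap_t cap_add(cap_t c, int64_t delta) {
    c.offset += (uint64_t)delta;   /* two's-complement wrap handles negatives */
    return c;
}

/* Old model (slide 16), simplified for contrast: the check ran when the
 * capability was built, so an out-of-bounds result became unusable. */
static cap_t old_cap_add(cap_t c, int64_t delta) {
    c.offset += (uint64_t)delta;
    if (c.offset >= c.length) c.tag = false;   /* the trap, modelled as tag clear */
    return c;
}

/* Dereference is where both models enforce bounds: the capability must be
 * tagged and the offset inside [0, length). Returns the byte, or -1 on fault. */
static int cap_load(cap_t c) {
    if (!c.tag || c.offset >= c.length) return -1;
    if (c.base + c.offset >= sizeof mem) return -1;   /* model-only sanity limit */
    return mem[c.base + c.offset];
}

/* Slides 12-15: Pointer += x; if (Pointer > End) Pointer = End - 1;
 * 'add' selects the model; x is chosen far past the end of the buffer. */
static int clamp_then_load(cap_t (*add)(cap_t, int64_t)) {
    fill_mem();
    cap_t buffer = cap_make(8, 16);          /* constructed: 16-byte object at 8 */
    const uint64_t end = buffer.length;      /* End: one past the last byte */
    cap_t p = add(buffer, 40);               /* Pointer += x, with x = 40 */
    if (p.offset > end) {                    /* if (Pointer > End) */
        int64_t back = (int64_t)(p.offset - end) + 1;
        p = add(p, -back);                   /*     Pointer = End - 1 */
    }
    return cap_load(p);                      /* only now is the bound enforced */
}

/* Slides 10-11: the mask idiom on a capability. OR and AND act on the offset
 * only, so bounds and tag are untouched and the flag round-trips cleanly. */
static cap_t set_flag(cap_t b)   { b.offset |= 1; return b; }
static cap_t clear_flag(cap_t b) { b.offset &= ~(uint64_t)1; return b; }
static bool  has_flag(cap_t b)   { return (b.offset & 1) != 0; }

/* Returns the byte at the restored pointer, or -1 if the idiom broke it. */
static int mask_idiom_roundtrip(void) {
    fill_mem();
    cap_t b = cap_add(cap_make(8, 16), 4);   /* a 4-byte-aligned element */
    cap_t flagged = set_flag(b);
    if (!has_flag(flagged) || !flagged.tag) return -1;
    cap_t restored = clear_flag(flagged);
    if (restored.offset != b.offset) return -1;
    return cap_load(restored);
}

int main(void) {
    printf("offset model, clamp then load: %d\n", clamp_then_load(cap_add));
    printf("old model,    clamp then load: %d\n", clamp_then_load(old_cap_add));
    printf("mask idiom round-trip:         %d\n", mask_idiom_roundtrip());
    return 0;
}
```

With the offset model the clamp sequence ends on a tagged capability at offset 15 and the load succeeds (byte 23 in the constructed memory); in the construction-checked model the same `Pointer += x` step already invalidated the capability, so the clamp that follows cannot repair it and the load faults. The mask idiom likewise survives because the flag bit lives in the offset, and the bounds and tag that make the capability unforgeable are never touched by the OR and AND.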

SLIDE 21

It’s alive!

  • Fully supports real-world C pointer use.
  • Negligible overhead in tcpdump
  • More performance evaluation in the paper
SLIDE 22

Conclusions

  • We have shown that a capability model can provide a memory-safe C abstract machine
  • This paves the way for fine-grained compartmentalisation of C programs
  • Come and see us at IEEE Security and Privacy for the next part of the story!

http://chericpu.org