CHERI: A Hybrid Capability-System Architecture for Scalable Software Compartmentalization

Watson, Robert N. M.; Woodruff, Jonathan; Neumann, Peter G.; Moore, Simon W.; Anderson, Jonathan; Chisnall, David; Dave, Nirav; Davis, Brooks; Gudka, Khilan; Laurie, Ben; Murdoch, Steven J.; Norton, Robert M.; Roe, Michael; Son, Stacey; Vadera, Munraj

doi:10.1109/sp.2015.9

Cited by 170 publications

(181 citation statements)

References 35 publications

(44 reference statements)

Supporting

Mentioning

155

Contrasting

Order By: Relevance

“…Secondly, the fat-pointer scheme shows that hardware-based approaches can enforce spatial memory safety at very low overhead [32]. Tagged architectures and capability-based systems can also provide a possible direction for mitigating such attacks [58]. b) Randomization: One possible defense against timing channel attacks, such as the one outlined in this paper, is to continuously rerandomize the safe region and ASLR, before an attacker can disclose enough information about the memory layout to make an attack practical.…”

Section: Possible Countermeasuresmentioning

confidence: 99%

“…Other efforts such as Cling [4], Memcheck [38], and AddressSanitizer [48] only provide temporal pointer safety to prevent dangling pointer bugs such as use-after-free. A number of hardware-enforced memory safety techniques have also been proposed including the Low-Fat pointer technique [32] and CHERI [58] which minimize the overhead of memory safety checks.…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Missing the Point(er): On the Effectiveness of Code Pointer Integrity

Evans

Fingeret

González

et al. 2015

2015 IEEE Symposium on Security and Privacy

113

View full text Add to dashboard Cite

Abstract-Memory corruption attacks continue to be a major vector of attack for compromising modern systems. Numerous defenses have been proposed against memory corruption attacks, but they all have their limitations and weaknesses. Stronger defenses such as complete memory safety for legacy languages (C/C++) incur a large overhead, while weaker ones such as practical control flow integrity have been shown to be ineffective. A recent technique called code pointer integrity (CPI) promises to balance security and performance by focusing memory safety on code pointers thus preventing most control-hijacking attacks while maintaining low overhead. CPI protects access to code pointers by storing them in a safe region that is protected by instruction level isolation. On x86-32, this isolation is enforced by hardware; on x86-64 and ARM, isolation is enforced by information hiding. We show that, for architectures that do not support segmentation in which CPI relies on information hiding, CPI's safe region can be leaked and then maliciously modified by using data pointer overwrites. We implement a proofof-concept exploit against Nginx and successfully bypass CPI implementations that rely on information hiding in 6 seconds with 13 observed crashes. We also present an attack that generates no crashes and is able to bypass CPI in 98 hours. Our attack demonstrates the importance of adequately protecting secrets in security mechanisms and the dangers of relying on difficulty of guessing without guaranteeing the absence of memory leaks.

show abstract

Section: Possible Countermeasuresmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Missing the Point(er): On the Effectiveness of Code Pointer Integrity

Evans

Fingeret

González

et al. 2015

2015 IEEE Symposium on Security and Privacy

113

View full text Add to dashboard Cite

show abstract

“…This identification can be accomplished by viewing existing systems in a component manner [40][17], forming an active research direction of legacy system reverse engineering [43]. In the literature, many modeling techniques are proposed to discover architecture modular structure inside of legacy source code [42][44] [38].…”

Section: Discussion and Related Workmentioning

confidence: 99%

“…However, enterprise legacy software systems tend to be large and complex. The analysis of system architecture therefore becomes a difficult task [10][15] [40]. To solve this problem, the current study proposes an approach that decomposes software architecture to reduce the complexity associated with analyzing large scale architecture artifacts.…”

Section: Discussionmentioning

confidence: 99%

“…As a consequence of this limitation, static analysis does not present sufficient information to study the interactions of source modules [26][27] [34]. Recording dynamic information of a program can provide us with sufficient knowledge about message exchanges and modular interactions during the program execution period [40][41] [19]. However, this technique faces two major issues: (i) the overwhelming volume of tracing data [29][36] and (ii) incomplete coverage of the code [25] [13].…”

Section: Architecture Decomposition Partitionmentioning

confidence: 99%

See 1 more Smart Citation

Software Design Analysis with Dynamic System Run-Time Architecture Decomposition

Wu¹,

Vinayak²

2017

IJSEA

View full text Add to dashboard Cite

show abstract

A framework for application partitioning using trusted execution environments

Atamli-Reineh

Paverd

Petracca

et al. 2017

Concurrency and Computation

View full text Add to dashboard Cite

Summary The size and complexity of modern applications are the underlying causes of numerous security vulnerabilities. In order to mitigate the risks arising from such vulnerabilities, various techniques have been proposed to isolate the execution of sensitive code from the rest of the application and from other software on the platform (such as the operating system). New technologies, notably Intel's Software Guard Extensions (SGX), are becoming available to enhance the security of partitioned applications. SGX provides a trusted execution environment (TEE), called an enclave, that protects the integrity of the code and the confidentiality of the data inside it from other software, including the operating system (OS). However, even with these partitioning techniques, it is not immediately clear exactly how they can and should be used to partition applications. How should a particular application be partitioned? How many TEEs should be used? What granularity of partitioning should be applied? To some extent, this is dependent on the capabilities and performance of the partitioning technology in use. However, as partitioning becomes increasingly common, there is a need for systematisation in the design of partitioning schemes. To address this need, we present a novel framework consisting of four overarching types of partitioning schemes through which applications can make use of TEEs. These schemes range from coarse‐grained partitioning, in which the whole application is included in a single TEE, through to ultra‐fine partitioning, in which each piece of security‐sensitive code and data is protected in an individual TEE. Although partitioning schemes themselves are application specific, we establish application‐independent relationships between the types we have defined. Because these relationships have an impact on both the security and performance of the partitioning scheme, we envisage that our framework can be used by software architects to guide the design of application partitioning schemes. To demonstrate the applicability of our framework, we have carried out case studies on two widely used software packages, the Apache Web server and the OpenSSL library. In each case study, we provide four high‐level partitioning schemes—one for each of the types in our framework. We also systematically review the related work on hardware‐enforced partitioning by categorising previous research efforts according to our framework. Copyright © 2017 John Wiley & Sons, Ltd.

show abstract

CHERI: A Hybrid Capability-System Architecture for Scalable Software Compartmentalization

Cited by 170 publications

References 35 publications

Missing the Point(er): On the Effectiveness of Code Pointer Integrity

Missing the Point(er): On the Effectiveness of Code Pointer Integrity

Software Design Analysis with Dynamic System Run-Time Architecture Decomposition

A framework for application partitioning using trusted execution environments

Contact Info

Product

Resources

About