CheriRTOS: A Capability Model for Embedded Devices

Xia, Hongyan; Woodruff, Jonathan; Barral, Hadrien; Esswood, Lawrence; Joannou, Alexandre; Kovacsics, Robert; Chisnall, David; Roe, Michael; Davis, Brooks; Napierala, Edward; Baldwin, John A.; Gudka, Khilan; Neumann, Peter G.; Richardson, Alexander; Moore, Simon W.; Watson, Robert N. M.

doi:10.1109/iccd.2018.00023

Cited by 11 publications

(7 citation statements)

References 15 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…One rigid limitation is of course the availability of the MPU, which is an optional unit. Many reasons let developers put aside the MPU even when there is one, should it be because of the hardware constraints, the power it drains or the timeto-market pressure and lack of time to set it up [22]- [24]. However, we argue the protection it provides is sufficient to reach a high level of security when correctly configured and our proposition aims to ease its adoption.…”

Section: Discussion and Limitations Of The Approachmentioning

confidence: 99%

Nested compartmentalisation for constrained devices

Dejon

Gaber

Grimaud

2021

2021 8th International Conference on Future Internet of Things and Cloud (FiCloud)

View full text Add to dashboard Cite

This paper presents a framework and implementation guidelines to set up nested compartmentalisation in constrained devices. All memory spaces are protected by the Memory Protection Unit (MPU). Current MPU-based systems offer efficient memory protection but are mostly tied to the fixed permission model provided by their operating system, kernel, hypervisor or by code instrumentation. New use cases evolve with the rise of the Internet of Things (IoT) ecosystems where software components could benefit from locally and dynamically established permissions. This includes a temporary nested subspace with restricted memory access rights. Our framework integrates subspace creation and management for runtime dynamic changes of the permission model for any level of abstraction. Global security policies of fixed permission models are reflected in the software architecture and the implementation of the framework. We also demonstrate the feasibility of providing nested compartmentalisation by showing how to leverage the MPU features.

show abstract

Section: Discussion and Limitations Of The Approachmentioning

confidence: 99%

Nested compartmentalisation for constrained devices

Dejon

Gaber

Grimaud

2021

2021 8th International Conference on Future Internet of Things and Cloud (FiCloud)

View full text Add to dashboard Cite

show abstract

“…Hence, CHERI does not use the nested encapsulation for wrappers that we study in this paper. However, CheriRTOS [14], a CHERI-aware real-time operating system, supports capability-based finegrained isolation for device drivers and would be a candidate implementation platform for our verified wrapper stacks.…”

Section: Related Workmentioning

confidence: 99%

Proving full-system security properties under multiple attacker models on capability machines

Strydonck

Georges

Guéneau

et al. 2022

2022 IEEE 35th Computer Security Foundations Symposium (CSF)

View full text Add to dashboard Cite

Assembly-level protection mechanisms (virtual memory, trusted execution environments, virtualization) make it possible to guarantee security properties of a full system in the presence of arbitrary attacker provided code. However, they typically only support a single trust boundary: code is either trusted or untrusted, and protection cannot be nested. Capability machines provide protection mechanisms that are more finegrained and that do support arbitrary nesting of protection. We show in this paper how this enables the formal verification of full-system security properties under multiple attacker models: different security objectives of the full system can be verified under a different choice of trust boundary (i.e. under a different attacker model). The verification approach we propose is modular, and is robust: code outside the trust boundary for a given security objective can be arbitrary, unverified attacker-provided code. It is based on the use of universal contracts for untrusted adversarial code: sound, conservative contracts which can be combined with manual verification of trusted components in a compositional program logic. Compositionality of the program logic also allows us to reuse common parts in the analyses for different attacker models. We instantiate the approach concretely by extending an existing capability machine model with support for memorymapped I/O and we obtain full system, machine-verified security properties about external effect traces while limiting the manual verification effort to a small trusted computing base relevant for the specific property under study.inv P (F x , P x , tp x ) read spec(d r pr(x) , d e pr(x) , d r pr(x) , False) inv st (d r pr(x) , d w pr(x) , d e pr(x) , d r x , d w x , d e x , F x , P x ) read spec(d r x , d e x , d r x , tp x )

show abstract

“…Memory isolation techniques for constrained devices are manyfold. Previously discussed MPUbased systems are hardware-rooted but there are hybrid approaches extending the list like TyTAN [13] based on Trustlite, SMART [14], Sancus [15], CheriRTOS [16]. However, they all modify the hardware in a way, for example by extending the CPU instructions or enhancing memory bus access logic.…”

Section: Related Workmentioning

confidence: 99%

From MMU to MPU: Adaptation of the Pip Kernel to Constrained Devices

Dejon¹,

Gaber²,

Grimaud³

2022

Artificial Intelligence, Soft Computing and Applications

View full text Add to dashboard Cite

This article presents a hardware-based memory isolation solution for constrained devices. Existing solutions target high-end embedded systems (typically ARM Cortex-A with a Memory Management Unit, MMU) such as seL4 or Pip (formally verified kernels) or target low-end devices such as ACES, MINION, TrustLite, EwoK but with limited flexibility by proposing a single level of isolation. Our approach consists in adapting Pip to inherit its flexibility (multiple levels of isolation) but using the Memory Protection Unit (MPU) instead of the MMU since the MPU is commonly available on constrained embedded systems (typically ARMv7 Cortex-M4 or ARMv8 Cortex-M33 and similar devices). This paper describes our design of Pip-MPU (Pip’s variant based on the MPU) and the rationale behind our choices. We validate our proposal with an implementation on an nRF52840 development kit and we perform various evaluations such as memory footprint, CPU cycles and energy consumption. We demonstrate that although our prototyped Pip-MPU causes a 16% overhead on both performance and energy consumption, it can reduce the attack surface of the accessible application memory from 100% down to 2% and the privileged operations by 99%. Pip-MPU takes less than 10 kB of Flash (6 kB for its core components) and 550 B of RAM.

show abstract

CheriRTOS: A Capability Model for Embedded Devices

Cited by 11 publications

References 15 publications

Nested compartmentalisation for constrained devices

Nested compartmentalisation for constrained devices

Proving full-system security properties under multiple attacker models on capability machines

From MMU to MPU: Adaptation of the Pip Kernel to Constrained Devices

Contact Info

Product

Resources

About