-
Mon CHÈRI <3 Adapting Capability Hardware Enhanced RISC with Conditional Capabilities
Authors:
Merve Gülmez,
Håkan Englund,
Jan Tobias Mühlberg,
Thomas Nyman
Abstract:
Up to 10% of memory-safety vulnerabilities in languages like C and C++ stem from uninitialized variables. This work addresses the prevalence and lack of adequate software mitigations for uninitialized memory issues, proposing architectural protections in hardware. Capability-based addressing, such as the University of Cambridge's CHERI, mitigates many memory defects, including spatial and temporal…
▽ More
Up to 10% of memory-safety vulnerabilities in languages like C and C++ stem from uninitialized variables. This work addresses the prevalence and lack of adequate software mitigations for uninitialized memory issues, proposing architectural protections in hardware. Capability-based addressing, such as the University of Cambridge's CHERI, mitigates many memory defects, including spatial and temporal safety violations at an architectural level. However, current CHERI designs do not handle undefined behavior from uninitialized variables. We extend the CHERI capability model to include "conditional capabilities", enabling memory-access policies based on prior operations. This allows enforcement of policies that satisfy memory safety objectives such as "no reads to memory without at least one prior write" (Write-before-Read). We present our architecture extension, compiler support, and a detailed evaluation of our approach using the QEMU full-system simulator and our modified FPGA-based CHERI-RISCV softcore. Our evaluation shows Write-before-Read conditional capabilities are practical, with high detection accuracy while adding a small (~3.5%) overhead to the existing CHERI architecture.
△ Less
Submitted 11 July, 2024;
originally announced July 2024.
-
Friend or Foe Inside? Exploring In-Process Isolation to Maintain Memory Safety for Unsafe Rust
Authors:
Merve Gülmez,
Thomas Nyman,
Christoph Baumann,
Jan Tobias Mühlberg
Abstract:
Rust is a popular memory-safe systems programming language. In order to interact with hardware or call into non-Rust libraries, Rust provides \emph{unsafe} language features that shift responsibility for ensuring memory safety to the developer. Failing to do so, may lead to memory safety violations in unsafe code which can violate safety of the entire application. In this work we explore in-proces…
▽ More
Rust is a popular memory-safe systems programming language. In order to interact with hardware or call into non-Rust libraries, Rust provides \emph{unsafe} language features that shift responsibility for ensuring memory safety to the developer. Failing to do so, may lead to memory safety violations in unsafe code which can violate safety of the entire application. In this work we explore in-process isolation with Memory Protection Keys as a mechanism to shield safe program sections from safety violations that may happen in unsafe sections. Our approach is easy to use and comprehensive as it prevents heap and stack-based violations. We further compare process-based and in-process isolation mechanisms and the necessary requirements for data serialization, communication, and context switching. Our results show that in-process isolation can be effective and efficient, permits for a high degree of automation, and also enables a notion of application rewinding where the safe program section may detect and safely handle violations in unsafe code.
△ Less
Submitted 13 June, 2023;
originally announced June 2023.
-
Exploring the Environmental Benefits of In-Process Isolation for Software Resilience
Authors:
Merve Gülmez,
Thomas Nyman,
Christoph Baumann,
Jan Tobias Mühlberg
Abstract:
Memory-related errors remain an important cause of software vulnerabilities. While mitigation techniques such as using memory-safe languages are promising solutions, these do not address software resilience and availability. In this paper, we propose a solution to build resilience against memory attacks into software, which contributes to environmental sustainability and security.
Memory-related errors remain an important cause of software vulnerabilities. While mitigation techniques such as using memory-safe languages are promising solutions, these do not address software resilience and availability. In this paper, we propose a solution to build resilience against memory attacks into software, which contributes to environmental sustainability and security.
△ Less
Submitted 3 June, 2023;
originally announced June 2023.
-
Unlimited Lives: Secure In-Process Rollback with Isolated Domains
Authors:
Merve Gülmez,
Thomas Nyman,
Christoph Baumann,
Jan Tobias Mühlberg
Abstract:
The use of unsafe programming languages still remains one of the major root causes of software vulnerabilities. Although well-known defenses that detect and mitigate memory-safety related issues exist, they don't address the challenge of software resilience, i.e., whether a system under attack can continue to carry out its function when subjected to malicious input. We propose secure rollback of i…
▽ More
The use of unsafe programming languages still remains one of the major root causes of software vulnerabilities. Although well-known defenses that detect and mitigate memory-safety related issues exist, they don't address the challenge of software resilience, i.e., whether a system under attack can continue to carry out its function when subjected to malicious input. We propose secure rollback of isolated domains as an efficient and secure method of improving the resilience of software targeted by run-time attacks. We show the practicability of our methodology by realizing a software library for Secure Domain Rollback (SDRoB) and demonstrate how SDRoB can be applied to real-world software.
△ Less
Submitted 21 April, 2023; v1 submitted 6 May, 2022;
originally announced May 2022.