Towards using Capability Machines for Secure Compilation - CHERI
Formalizing Capability Machines: Is CHERI a promising target architecture for secure compilation?

Akram El-Korashy (1,2), Marco Patrignani (1), Deepak Garg (1)

(1) Max Planck Institute for Software Systems, Saarbrücken
(2) Max Planck Institute for Informatics, IMPRS-CS, Saarbrücken

Saarland Informatics Campus (SIC), 13 Sep 2016
What are Capability Machines? What is Secure Compilation?

Capabilities, part of the addressing mechanism:
- Capabilities are unforgeable.
- A permissions field enables some operations.

Secure Compilation, preserving security-relevant properties:
- Full abstraction: esp. preserving observational equivalence.
Goal of this thesis

Build a paper formal model of a capability machine: "CHERI"..
- ✓ Simplify instruction semantics.
- ✓ Prove capability unforgeability.

..to reason about security building blocks for secure compilation.
- Show CFI enforcement.
- ✓ Show memory compartmentalization.
- Goal is NOT to formally verify CHERI!
What is a capability?

A capability is an unforgeable token that gives its owner permission(s) to access a particular entity or object in a computer system. [Levy, 1984]

- In CHERI, a capability is normal 256-bit data, interpreted as values for region bounds, permissions, etc.
- In CHERI, a security domain owns a capability on a memory region.
If it is normal data, how to guarantee unforgeability?

Historically [Fabry, 1974], two approaches:

- "Tagged" approach: mixed data-capability memory. Tags determine whether a capability operation is allowed.
- "Partitioned" approach: segregated data-capability memory. Capability operations are allowed only on the capability partition of the memory.
CHERI combines both approaches: two register files, memory. Where are capabilities stored? [Norton, 2016, Woodruff, 2014]

The CHERI ISA guarantees unforgeability of capabilities.
A CHERI capability in a nutshell [Woodruff et al., 2014, Watson et al., 2015]

A capability is a 256-bit unforgeable value.
Overview of the CHERI machine

CHERI instruction execution.
Our formal model of the CHERI ISA

Decoupled addressing and authorization, no relative addressing.
Our formal model of the CHERI ISA - Simplifications

| Our formal model | CHERI |
|---|---|
| Word-addressable | Byte-addressable |
| Based on BinOp and a couple of move operations | Based on complete MIPS |
| Goes stuck | Raises exceptions |
| Models uniprocessor | Offers synchronization instructions |
Our formal model of the CHERI ISA - Examples from the Instruction Set 1/2

`load rd rs cc`: cc must contain a valid capability on address reg(rs) that provides the load permission.
Our formal model of the CHERI ISA - Examples from the Instruction Set 2/2

`ccall cc cd`: cc is a sealed code capability, cd is a sealed data capability. A new protection domain is called.
Our formal model of the CHERI ISA - Capability Unforgeability

Theorem. If a permission does not exist on an allocated address at the initial state, then this permission can never appear after any execution sequence.
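The following is an added example and not the thesis's model or any CHERI code: a toy word-addressable capability machine in Python that shows the `load rd rs cc` check from the instruction-set slide (address from a general register, authority from a capability register) and exercises the unforgeability theorem above on one constructed run. The permission names, the register names, the `cload`/`cstore`/`restrict` instructions, the tag-as-Python-type encoding and the sample memory contents are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, Set

# Added example, not the thesis's model and not the CHERI ISA: a toy word-addressable
# capability machine. As in the model's `load rd rs cc`, the address of an access comes
# from general register rs and the authority from capability register cc. Permission
# names, register names and the cload/cstore/restrict instructions are assumptions.

@dataclass(frozen=True)
class Cap:
    base: int
    length: int
    perms: frozenset   # subset of {"load", "store", "load_cap", "store_cap", "execute"}

    def covers(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.length

class Stuck(Exception):
    """The formal model goes stuck where real CHERI would raise an exception."""

class Machine:
    def __init__(self, mem: Dict[int, object], cr: Dict[str, Cap]):
        self.m = dict(mem)            # memory words: int (data) or Cap (tagged capability)
        self.r: Dict[str, int] = {}   # general-purpose registers hold plain integers only
        self.cr = dict(cr)            # capability register file

    def _auth(self, cc: str, addr: int, perm: str) -> None:
        cap = self.cr.get(cc)
        if cap is None or not cap.covers(addr) or perm not in cap.perms:
            raise Stuck(f"{cc} does not authorise {perm} at address {addr}")

    def load(self, rd: str, rs: str, cc: str) -> None:
        """load rd rs cc: cc must hold a valid capability on reg(rs) granting load."""
        addr = self.r[rs]
        self._auth(cc, addr, "load")
        val = self.m.get(addr, 0)
        self.r[rd] = val if isinstance(val, int) else 0   # a capability read as data loses its tag

    def store(self, rv: str, rs: str, cc: str) -> None:
        self._auth(cc, self.r[rs], "store")
        self.m[self.r[rs]] = self.r[rv]   # writing data over a capability word clears its tag

    def cload(self, cd: str, rs: str, cc: str) -> None:
        """Move a tagged capability word from memory into capability register cd."""
        self._auth(cc, self.r[rs], "load_cap")
        val = self.m.get(self.r[rs], 0)
        if not isinstance(val, Cap):
            raise Stuck(f"word at {self.r[rs]} is untagged data, not a capability")
        self.cr[cd] = val

    def cstore(self, cs: str, rs: str, cc: str) -> None:
        self._auth(cc, self.r[rs], "store_cap")
        self.m[self.r[rs]] = self.cr[cs]

    def restrict(self, cd: str, cs: str, base: int, length: int, perms: Set[str]) -> None:
        """Derive a capability no stronger than cs: the only way to create a new one."""
        src = self.cr[cs]
        inside = src.base <= base and base + length <= src.base + src.length
        if not inside or not set(perms) <= src.perms:
            raise Stuck("restrict may only shrink bounds and permissions")
        self.cr[cd] = Cap(base, length, frozenset(perms))

    def permissions_on(self, addr: int) -> Set[str]:
        """Union of the permissions that live capabilities (registers or memory) grant on addr."""
        live = list(self.cr.values()) + [w for w in self.m.values() if isinstance(w, Cap)]
        return set().union(*(c.perms for c in live if c.covers(addr)))

def stuck(thunk) -> bool:
    """True iff executing the instruction makes the machine go stuck."""
    try:
        thunk()
        return False
    except Stuck:
        return True

def demo() -> dict:
    """Constructed run: one root capability over words [0, 8) that never had execute."""
    root = Cap(0, 8, frozenset({"load", "store", "load_cap", "store_cap"}))
    mc = Machine(mem={0: 42, 1: 7}, cr={"c0": root})
    before = {a: mc.permissions_on(a) for a in range(8)}
    out = {}
    mc.r["a"] = 0
    mc.load("v", "a", "c0")                      # r[v] = 42
    mc.restrict("c1", "c0", 0, 4, {"load"})      # read-only view of [0, 4)
    out["readonly_blocks"] = stuck(lambda: mc.store("v", "a", "c1"))
    mc.r["a"] = 8
    out["oob_blocks"] = stuck(lambda: mc.load("w", "a", "c0"))   # outside c0's bounds
    mc.r["a"] = 2
    mc.cstore("c1", "a", "c0")                   # spill c1 to word 2; it stays tagged
    mc.cload("c2", "a", "c0")                    # reload it: still a capability
    mc.store("v", "a", "c0")                     # overwrite word 2 with data: tag cleared
    out["forge_blocks"] = stuck(lambda: mc.cload("c3", "a", "c0"))   # raw bits are no capability
    after = {a: mc.permissions_on(a) for a in range(8)}
    out["loaded"] = mc.r["v"]
    # the theorem, checked on this run: no permission appears on an address that did
    # not already carry it in the initial state
    out["monotone"] = all(after[a] <= before[a] for a in range(8))
    out["execute_appeared"] = any("execute" in after[a] for a in range(8))
    return out
```

The point of `permissions_on` is the theorem's invariant: because `restrict` is the only constructor of capabilities and it can only shrink bounds and permissions, while `store` of plain data destroys a tag rather than creating one, the set of permissions reachable on any address never grows during a run. The `forge_blocks` step is the "tagged" approach from the earlier slide in action: bits that look like a capability but were written as data carry no tag and cannot be loaded into a capability register.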
What we mean by Compartmentalization

Compartmentalization - Definition: A compartment is code and data memory, along with legal external jump destinations and load/store addresses (similar to the paper on Micropolicies [De Amorim et al., 2015]).

On the slides an arrow steps through the program below one line at a time, marking the class whose code is executing as the current active compartment.

```
class A {
  private fieldA1;
  public methodA1(B obj) {
    foo(obj.fieldB1);
  }
}

class B {
  public fieldB1;
  private fieldB2;

  public methodB1() {
    a_in_B1 = new A();
    a_in_B1.methodA1(this);
  }
}

class Main {
  main () {
    bMain = new B();
    bMain.methodB1();
  }
}
```
Theorem - Execution confined to compartments

A state's restrictiveness to a compartment set is preserved by execution. Some illegal behaviors are prohibited:
(1) Illegal to load foreign capabilities.
(2) Illegal to jump arbitrarily; only entry points.
(3) Illegal to read/write unshared data.
Summary

- Capability-based ISA
- Capability Unforgeability
- Compartmentalization Preservation
- Future: Dynamically share data
- Future: Paper formalization of a secure compiler to CHERI

Thank you!
References

[De Amorim et al., 2015] De Amorim, A. A., Dénes, M., Giannarakis, N., Hritcu, C., Pierce, B. C., Spector-Zabusky, A., and Tolmach, A. (2015). Micro-policies: Formally verified, tag-based security monitors. In Security and Privacy (SP), 2015 IEEE Symposium on, pages 813–830. IEEE.

[Fabry, 1974] Fabry, R. S. (1974). Capability-based addressing. Commun. ACM, 17(7):403–412.

[Levy, 1984] Levy, H. M. (1984). Capability-Based Computer Systems. Butterworth-Heinemann, Newton, MA, USA.

[Norton, 2016] Norton, R. M. (2016). Hardware support for compartmentalisation. Technical Report UCAM-CL-TR-887, University of Cambridge, Computer Laboratory.

[Watson et al., 2015] Watson, R. N., Woodruff, J., Neumann, P. G., Moore, S. W., Anderson, J., Chisnall, D., Dave, N., Davis, B., Gudka, K., Laurie, B., et al. (2015). CHERI: A hybrid capability-system architecture for scalable software compartmentalization. In Security and Privacy (SP), 2015 IEEE Symposium on, pages 20–37. IEEE.

[Woodruff et al., 2014] Woodruff, J., Watson, R. N., Chisnall, D., Moore, S. W., Anderson, J., Davis, B., Laurie, B., Neumann, P. G., Norton, R., and Roe, M. (2014). The CHERI capability model: Revisiting RISC in an age of risk. SIGARCH Comput. Archit. News, 42(3):457–468.

[Woodruff, 2014] Woodruff, J. D. (2014). CHERI: A RISC capability machine for practical memory safety. Technical Report UCAM-CL-TR-858, University of Cambridge, Computer Laboratory.
Backup I

Semantics of the ccall instruction for compartmentalization:

$$
\frac{
\begin{array}{c}
m(pc) = \langle 0,\ \mathtt{ccall}\ cc\ cd\ cdd \rangle \qquad cr \vdash \mathit{callable}(cc, cd) \\
cc' = \mathit{unsealed}(cr(cc)) \qquad cd' = \mathit{unsealed}(cr(cd)) \\
pcc' = cc' \qquad cr' = \{ cdd \mapsto cd' \} \qquad pc' = \mathit{compute\_call\_address}(cr(cc')) \\
pcc \vdash \mathit{executable}(pc)
\end{array}
}{
\langle m, r, cr, pc, pcc, \mathit{next\_free} \rangle \to \langle m, r, cr', pc', pcc', \mathit{next\_free} \rangle
}\ (\textsc{ccall})
$$

Compartment. A 5-tuple of sets of addresses, $c = (\mathit{Code}, \mathit{Data}, J, L, S) \in 2^{\mathit{Addr}} \times 2^{\mathit{Addr}} \times 2^{\mathit{Addr}} \times 2^{\mathit{Addr}} \times 2^{\mathit{Addr}}$, is called a compartment iff $(c.J \cup c.\mathit{Code}) \cap (c.S \cup c.\mathit{Data}) = \emptyset$. We refer to $c.\mathit{Code} \cup c.\mathit{Data}$ as the address space of $c$. We refer to $c.J$ as the set of legal jump targets, and to $c.L$ / $c.S$ as the sets of legal load/store targets.
Backup II

Disjoint compartments. Two compartments $c_i, c_j$ are said to be disjoint, written $c_i \cap c_j = \emptyset$, iff $(c_i.\mathit{Code} \cup c_i.\mathit{Data}) \cap (c_j.\mathit{Code} \cup c_j.\mathit{Data}) = \emptyset$.

A valid set of compartments. A set $C \subset 2^{\mathit{Addr}} \times 2^{\mathit{Addr}} \times 2^{\mathit{Addr}} \times 2^{\mathit{Addr}} \times 2^{\mathit{Addr}}$ is a valid set of compartments iff every $c \in C$ is a compartment and

$$
\Big(\bigcup_{c_i \in C} c_i.J \cup c_i.\mathit{Code}\Big) \cap \Big(\bigcup_{c_i \in C} c_i.S \cup c_i.\mathit{Data}\Big) = \emptyset
$$

and $\forall c_i, c_j \in C.\ i \neq j \Rightarrow c_i \cap c_j = \emptyset$ and

$$
\bigcup_{c \in C} (c.L \cup c.S) \subseteq \bigcup_{c \in C} c.\mathit{Data}
\qquad \text{and} \qquad
\bigcup_{c \in C} c.J \subseteq \bigcup_{c \in C} c.\mathit{Code}.
$$

Capability register file and memory more restrictive than a compartment and a compartment set. A pair of capability register file and memory $\langle cr, m \rangle$ is said to be more restrictive than a compartment and a compartment set $\langle c^*, C \rangle$, written $\langle cr, m \rangle \preceq \langle c^*, C \rangle$, iff: . . .
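As an added example (not from the thesis), the definitions on the two backup slides are written out below as executable set checks in Python: `is_compartment`, `disjoint` and `is_valid_compartment_set` follow the formulas term by term, and `classify` applies the three prohibited behaviours from the "Execution confined to compartments" theorem to a single step of an active compartment. The numeric address layout for the A/B/Main program is constructed for the example; the rule that a compartment may always jump within its own Code and load/store its own Data, and the reading of "foreign capability" as a capability word outside the active compartment's own Data, are assumptions.

```python
from typing import FrozenSet, List, NamedTuple

# Added example, not from the thesis: the backup-slide definitions as executable checks
# plus a classifier for the three illegal behaviours. Address layout constructed;
# "own Code/Data always accessible" and the reading of "foreign capability" are assumptions.

AddrSet = FrozenSet[int]

class Compartment(NamedTuple):
    Code: AddrSet
    Data: AddrSet
    J: AddrSet   # legal external jump targets (entry points of other compartments)
    L: AddrSet   # legal external load targets
    S: AddrSet   # legal external store targets

def is_compartment(c: Compartment) -> bool:
    """(c.J ∪ c.Code) ∩ (c.S ∪ c.Data) = ∅"""
    return not ((c.J | c.Code) & (c.S | c.Data))

def address_space(c: Compartment) -> AddrSet:
    return c.Code | c.Data

def disjoint(ci: Compartment, cj: Compartment) -> bool:
    return not (address_space(ci) & address_space(cj))

def union_over(C: List[Compartment], f) -> AddrSet:
    """Big-union of f(c) over all c in C."""
    return frozenset().union(*(f(c) for c in C))

def is_valid_compartment_set(C: List[Compartment]) -> bool:
    if not all(is_compartment(c) for c in C):
        return False
    if union_over(C, lambda c: c.J | c.Code) & union_over(C, lambda c: c.S | c.Data):
        return False
    if any(not disjoint(ci, cj) for i, ci in enumerate(C) for j, cj in enumerate(C) if i != j):
        return False
    loads_stores_in_data = union_over(C, lambda c: c.L | c.S) <= union_over(C, lambda c: c.Data)
    jumps_in_code = union_over(C, lambda c: c.J) <= union_over(C, lambda c: c.Code)
    return loads_stores_in_data and jumps_in_code

def classify(active: Compartment, op: str, addr: int) -> str:
    """Judge one step of the active compartment: 'ok' or which prohibited behaviour it is."""
    if op == "jump":
        return "ok" if addr in active.Code or addr in active.J else "(2) illegal jump: not an entry point"
    if op == "load":
        return "ok" if addr in active.Data or addr in active.L else "(3) illegal read of unshared data"
    if op == "store":
        return "ok" if addr in active.Data or addr in active.S else "(3) illegal write of unshared data"
    if op == "load_cap":   # assumption: capabilities may only be loaded from own Data
        return "ok" if addr in active.Data else "(1) illegal load of a foreign capability"
    raise ValueError(f"unknown operation {op}")

def example() -> dict:
    """Constructed layout for the A/B/Main program of the compartmentalization slide."""
    def rng(lo: int, hi: int) -> AddrSet:
        return frozenset(range(lo, hi))
    # Main: code 0..9, data 10..19; may call methodB1, whose entry point is word 40
    main = Compartment(rng(0, 10), rng(10, 20), J=frozenset({40}), L=frozenset(), S=frozenset())
    # A: code 20..29, data 30..39; may read the shared fieldB1 at word 50 (fieldB2 is at 51)
    A = Compartment(rng(20, 30), rng(30, 40), J=frozenset(), L=frozenset({50}), S=frozenset())
    # B: code 40..49, data 50..59; may call methodA1, whose entry point is word 20
    B = Compartment(rng(40, 50), rng(50, 60), J=frozenset({20}), L=frozenset(), S=frozenset())
    bad = main._replace(J=frozenset({50}))   # a jump target inside B's Data is never valid
    return {
        "valid": is_valid_compartment_set([main, A, B]),
        "invalid_jump_into_data": is_valid_compartment_set([bad, A, B]),
        "main_calls_methodB1": classify(main, "jump", 40),
        "a_reads_fieldB1": classify(A, "load", 50),
        "a_reads_fieldB2": classify(A, "load", 51),
        "a_jumps_into_b_body": classify(A, "jump", 45),
        "a_loads_cap_from_b": classify(A, "load_cap", 50),
    }
```

`is_valid_compartment_set` checks exactly the four conjuncts of the definition, in order: every element is a compartment, no address is both a jump/code address and a store/data address anywhere in the set, address spaces are pairwise disjoint, and every external load/store target lies in some compartment's Data while every jump target lies in some compartment's Code. The `bad` variant fails the second conjunct, which is the static counterpart of prohibited behaviour (2).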