CheriRTOS: A Capability Model for Embedded Devices

Embedded systems are deployed ubiquitously among various sectors including automotive, medical, robotics and avionics. As these devices become increasingly connected, the attack surface also increases tremendously; new mechanisms must be deployed to defend against more sophisticated attacks while not violating resource constraints. In this paper we present CheriRTOS on CHERI-64, a hardware-software platform atop Capability Hardware Enhanced RISC Instructions (CHERI) for embedded systems. Our system provides efficient and scalable task isolation, fast and secure inter-task communication, fine-grained memory safety, and real-time guarantees, using hardware capabilities as the sole protection mechanism. We summarize state-of-the-art se- curity and memory safety for embedded systems for comparison with our platform, illustrating the superior substrate provided by CHERI’s capabilities. Finally, our evaluations show that a capability system can be implemented within the constraints of embedded systems

Fast Protection-Domain Crossing in the CHERI Capability-System Architecture

Capability Hardware Enhanced RISC Instructions (CHERI) supplement the conventional memory management unit (MMU) with instruction-set architecture (ISA) extensions that implement a capability system model in the address space. CHERI can also underpin a hardware-software object-capability model for scalable application compartmentalization that can mitigate broader classes of attack. This article describes ISA additions to CHERI that support fast protection-domain switching, not only in terms of low cycle count, but also efficient memory sharing with mutual distrust. The authors propose ISA support for sealed capabilities, hardware-assisted checking during protection-domain switching, a lightweight capability flow-control model, and fast register clearing, while retaining the flexibility of a software-defined protection-domain transition model. They validate this approach through a full-system experimental design, including ISA extensions, a field-programmable gate array prototype (implemented in Bluespec SystemVerilog), and a software stack including an OS (based on FreeBSD), compiler (based on LLVM), software compartmentalization model, and open-source applications.This work is part of the CTSRD and MRC2 projects sponsored by the Defense Advanced Research Projects Agency (DARPA) and the Air Force Research Laboratory (AFRL), under contracts FA8750-10-C-0237 and FA8750-11-C-0249. We also acknowledge the Engineering and Physical Sciences Research Council (EPSRC) REMS Programme Grant [EP/K008528/1], the EPSRC Impact Acceleration Account [EP/K503757/1], EPSRC/ARM iCASE studentship [13220009], Microsoft studentship [MRS2011-031], the Isaac Newton Trust, the UK Higher Education Innovation Fund (HEIF), Thales E-Security, and Google, Inc.This is the author accepted manuscript. The final version of the article can be found at: http://ieeexplore.ieee.org/document/7723791

Efficient tagged memory

We characterize the cache behavior of an in-memory tag table and demonstrate that an optimized implementation can typically achieve a near-zero memory traffic overhead. Both industry and academia have repeatedly demonstrated tagged memory as a key mechanism to enable enforcement of powerful security invariants, including capabilities pointer integrity, watchpoints, and information-flow tracking. A single-bit tag shadowspace is the most commonly proposed requirement, as one bit is the minimum metadata needed to distinguish between an untyped data word and any number of new hardware-enforced types. We survey various tag shadowspace approaches and identify their common requirements and positive features of their implementations. To avoid non-standard memory widths, we identify the most practical implementation for tag storage to be an in-memory table managed next to the DRAM controller. We characterize the caching performance of such a tag table and demonstrate a DRAM traffic overhead below 5\% for the vast majority of applications. We identify spatial locality on a page scale as the primary factor that enables surprisingly high table cache-ability. We then demonstrate tag-table compression for a set of common applications. A hierarchical structure with elegantly simple optimizations reduces DRAM traffic overhead to below 1\% for most applications. These insights and optimizations pave the way for commercial applications making use of single-bit tags stored in commodity memory

CheriABI: Enforcing Valid Pointer Provenance and Minimizing Pointer Privilege in the POSIX C Run-time Environment

The CHERI architecture allows pointers to be implemented as capabilities (rather than integer virtual addresses) in a manner that is compatible with, and strengthens, the semantics of the C language. In addition to the spatial protections offered by conventional fat pointers, CHERI capabilities offer strong integrity, enforced provenance validity, and access monotonicity. The stronger guarantees of these architectural capabilities must be reconciled with the real-world behavior of operating systems, run-time environments, and applications. When the process model, user-kernel interactions, dynamic linking, and memory management are all considered, we observe that simple derivation of architectural capabilities is insufficient to describe appropriate access to memory. We bridge this conceptual gap with a notional \emph{abstract capability} that describes the accesses that should be allowed at a given point in execution, whether in the kernel or userspace. To investigate this notion at scale, we describe the first adaptation of a full C-language operating system (FreeBSD) with an enterprise database (PostgreSQL) for complete spatial and referential memory safety. We show that awareness of abstract capabilities, coupled with CHERI architectural capabilities, can provide more complete protection, strong compatibility, and acceptable performance overhead compared with the pre-CHERI baseline and software-only approaches. Our observations also have potentially significant implications for other mitigation techniques.This work was supported by the Defense Advanced Research Projects Agency (DARPA) and the Air Force Research Laboratory (AFRL), under contracts FA8750-10-C-0237 (``CTSRD'') and HR0011-18-C-0016 (``ECATS''). The views, opinions, and/or findings contained in this report are those of the authors and should not be interpreted as representing the official views or policies of the Department of Defense or the U.S. Government. We also acknowledge the EPSRC REMS Programme Grant (EP/K008528/1), the ERC ELVER Advanced Grant (789108), Arm Limited, HP Enterprise, and Google, Inc. Approved for Public Release, Distribution Unlimited

Circulating angiopoietin-2 is a marker for early cardiovascular disease in children on chronic dialysis.

Cardiovascular disease (CVD) is increasingly recognised as a complication of childhood chronic kidney disease (CKD) even in the absence of diabetes and hypertension. We hypothesized that an alteration in angiopoietin-1 and -2, growth factors which regulate endothelial and vascular function could be involved. We report that the endothelial survival factor, angiopoietin-1 is low in children with pre-dialysis CKD whereas the pro-inflammatory angiopoietin-2 is elevated in children on dialysis. In dialysis patients, angiopoietin-2 positively correlated with time on dialysis, systolic blood pressure, and carotid artery intima media thickness. Elevated angiopoietin-2 levels in dialysis versus pre-dialysis CKD patients were also associated with an anti-angiogenic (high soluble VEGFR-1 and low VEGF-A) and pro-inflammatory (high urate, E-selectin, P-selectin and VCAM-1) milieu. Ang-2 was immunodetected in arterial biopsy samples whilst the expression of VEGF-A was significantly downregulated in dialysis patients. Serum urate correlated with angiopoietin-2 levels in dialysis patients and addition of uric acid was able to induce rapid release of angiopoietin-2 from cultured endothelial cells. Thus, angiopoietin-2 is a marker for cardiovascular disease in children on chronic dialysis and may act as an anti-angiogenic and pro-inflammatory effector in this context. The possibility that the release of angiopoietin-2 from endothelia is mediated by urate should be explored further

Cornucopia: Temporal safety for CHERI heaps

Use-after-free violations of temporal memory safety continue to plague software systems, underpinning many high-impact exploits. The CHERI capability system shows great promise in achieving C and C++ language spatial memory safety, preventing out-of-bounds accesses. Enforcing language-level temporal safety on CHERI requires capability revocation, traditionally achieved either via table lookups (avoided for performance in the CHERI design) or by identifying capabilities in memory to revoke them (similar to a garbage-collector sweep). CHERIvoke, a prior feasibility study, suggested that CHERI’s tagged capabilities could make this latter strategy viable, but modeled only architectural limits and did not consider the full implementation or evaluation of the approach. Cornucopia is a lightweight capability revocation system for CHERI that implements non-probabilistic C/C++ temporal memory safety for standard heap allocations. It extends the CheriBSD virtual-memory subsystem to track capability flow through memory and provides a concurrent kernel-resident revocation service that is amenable to multi-processor and hardware acceleration. We demonstrate an average overhead of less than 2% and a worst-case of 8.9% for concurrent revocation on compatible SPEC CPU2006 benchmarks on a multi-core CHERI CPU on FPGA, and we validate Cornucopia against the Juliet test suite’s corpus of temporally unsafe programs. We test its compatibility with a large corpus of C programs by using a revoking allocator as the system allocator while booting multi-user CheriBSD. Cornucopia is a viable strategy for always-on temporal heap memory safety, suitable for production environments.This work was supported by the Defense Advanced Research Projects Agency (DARPA) and the Air Force Research Laboratory (AFRL), under contracts FA8750-10-C-0237 (“CTSRD”) and HR0011-18-C-0016 (“ECATS”). We also acknowledge the EPSRC REMS Programme Grant (EP/K008528/1), the ABP Grant (EP/P020011/1), the ERC ELVER Advanced Grant (789108), the Gates Cambridge Trust, Arm Limited, HP Enterprise, and Google, Inc

Writing Class In and Out: Constructions of Class in Elite Businesswomen's Autobiographies

The final version of this paper has been published in Sociology, November 2020 by SAGE Publications Ltd, All rights reserved. © The Authors, 2020. It is available at: https://journals.sagepub.com/home/socThis article explores how meanings of class are constructed in elite businesswomen’s autobiographies. It extends existing sociological studies of elites in two ways. First, by theorising the cultural mechanisms that contribute to the reproduction of business elites, and second, by examining the hitherto under-researched gendered aspects of the reproduction of business elites, and the legitimisation of wealth. We show how these autobiographical texts acknowledge class yet render it irrelevant through discursive repertoires of ordinariness, a universal gender struggle and the unimportance of wealth. We argue that in doing so the genre of elite businesswomen autobiographies contributes to the cultural erasure of class, perpetuating messages that contribute to the creation of a cultural milieu in which class and wealth inequalities remain unquestioned. In an economic context where social disparities continue to grow, the article importantly furthers our understanding of the cultural means by which a plutocratic elite holds on to power

Activation of Human T-Helper/Inducer Cell, T-Cytotoxic Cell, B-Cell, and Natural Killer (NK)-Cells and induction of Natural Killer Cell Activity against K562 Chronic Myeloid Leukemia Cells with Modified Citrus Pectin

<p>Abstract</p> <p>Background</p> <p>Modified citrus pectin (MCP) is known for its anti-cancer effects and its ability to be absorbed and circulated in the human body. In this report we tested the ability of MCP to induce the activation of human blood lymphocyte subsets like T, B and NK-cells.</p> <p>Methods</p> <p>MCP treated human blood samples were incubated with specific antibody combinations and analyzed in a flow cytometer using a 3-color protocol. To test functionality of the activated NK-cells, isolated normal lymphocytes were treated with increasing concentrations of MCP. Log-phase PKH26-labeled K562 leukemic cells were added to the lymphocytes and incubated for 4 h. The mixture was stained with FITC-labeled active form of caspase 3 antibody and analyzed by a 2-color flow cytometry protocol. The percentage of K562 cells positive for PKH26 and FITC were calculated as the dead cells induced by NK-cells. Monosaccharide analysis of the MCP was performed by high-performance anion-exchange chromatography with pulse amperometric detection (HPAEC-PAD).</p> <p>Results</p> <p>MCP activated T-cytotoxic cells and B-cell in a dose-dependent manner, and induced significant dose-dependent activation of NK-cells. MCP-activated NK-cells demonstrated functionality in inducing cancer cell death. MCP consisted of oligogalacturonic acids with some containing 4,5-unsaturated non-reducing ends.</p> <p>Conclusions</p> <p>MCP has immunostimulatory properties in human blood samples, including the activation of functional NK cells against K562 leukemic cells in culture. Unsaturated oligogalacturonic acids appear to be the immunostimulatory carbohydrates in MCP.</p