
    A novel interference rejection scheme for DS-CDMA using adaptive noise cancellation


    Rigorous engineering for hardware security: Formal modelling and proof in the CHERI design and implementation process

    The root causes of many security vulnerabilities include a pernicious combination of two problems, often regarded as inescapable aspects of computing. First, the protection mechanisms provided by the mainstream processor architecture and C/C++ language abstractions, dating back to the 1970s and before, provide only coarse-grain virtual-memory-based protection. Second, mainstream system engineering relies almost exclusively on test-and-debug methods, with (at best) prose specifications. These methods have historically sufficed commercially for much of the computer industry, but they fail to prevent large numbers of exploitable bugs, and the security problems that this causes are becoming ever more acute. In this paper we show how more rigorous engineering methods can be applied to the development of a new security-enhanced processor architecture, with its accompanying hardware implementation and software stack. We use formal models of the complete instruction-set architecture (ISA) at the heart of the design and engineering process, both in lightweight ways that support and improve normal engineering practice -- as documentation, in emulators used as a test oracle for hardware and for running software, and for test generation -- and for formal verification. We formalise key intended security properties of the design, and establish that these hold with mechanised proof. This is for the same complete ISA models (complete enough to boot operating systems), without idealisation. We do this for CHERI, an architecture with hardware capabilities that supports fine-grained memory protection and scalable secure compartmentalisation, while offering a smooth adoption path for existing software. CHERI is a maturing research architecture, developed since 2010, with work now underway on an Arm industrial prototype to explore its possible adoption in mass-market commercial processors. The rigorous engineering work described here has been an integral part of its development to date, enabling more rapid and confident experimentation, and boosting confidence in the design.

    This work was supported by EPSRC programme grant EP/K008528/1 (REMS: Rigorous Engineering for Mainstream Systems). This work was supported by a Gates studentship (Nienhuis). This project has received funding from the European Research Council (ERC) under the European Union's Horizon 2020 research and innovation programme (grant agreement 789108, ELVER). This work was supported by the Defense Advanced Research Projects Agency (DARPA) and the Air Force Research Laboratory (AFRL), under contracts FA8750-10-C-0237 (CTSRD), HR0011-18-C-0016 (ECATS), and FA8650-18-C-7809 (CIFV).

    CHERI: A hybrid capability-system architecture for scalable software compartmentalization

    CHERI extends a conventional RISC Instruction-Set Architecture, compiler, and operating system to support fine-grained, capability-based memory protection to mitigate memory-related vulnerabilities in C-language TCBs. We describe how CHERI capabilities can also underpin a hardware-software object-capability model for application compartmentalization that can mitigate broader classes of attack. Prototyped as an extension to the open-source 64-bit BERI RISC FPGA softcore processor, FreeBSD operating system, and LLVM compiler, we demonstrate multiple orders-of-magnitude improvement in scalability, simplified programmability, and resulting tangible security benefits as compared to compartmentalization based on pure Memory-Management Unit (MMU) designs. We evaluate incrementally deployable CHERI-based compartmentalization using several real-world UNIX libraries and applications.

    We thank our colleagues Ross Anderson, Ruslan Bukin, Gregory Chadwick, Steve Hand, Alexandre Joannou, Chris Kitching, Wojciech Koszek, Bob Laddaga, Patrick Lincoln, Ilias Marinos, A Theodore Markettos, Ed Maste, Andrew W. Moore, Alan Mujumdar, Prashanth Mundkur, Colin Rothwell, Philip Paeps, Jeunese Payne, Hassen Saidi, Howie Shrobe, and Bjoern Zeeb, our anonymous reviewers, and shepherd Frank Piessens, for their feedback and assistance. This work is part of the CTSRD and MRC2 projects sponsored by the Defense Advanced Research Projects Agency (DARPA) and the Air Force Research Laboratory (AFRL), under contracts FA8750-10-C-0237 and FA8750-11-C-0249. The views, opinions, and/or findings contained in this paper are those of the authors and should not be interpreted as representing the official views or policies, either expressed or implied, of the Department of Defense or the U.S. Government. We acknowledge the EPSRC REMS Programme Grant [EP/K008528/1], Isaac Newton Trust, UK Higher Education Innovation Fund (HEIF), Thales E-Security, and Google, Inc.

    This is the author accepted manuscript. The final version is available at http://dx.doi.org/10.1109/SP.2015.

    Fast Protection-Domain Crossing in the CHERI Capability-System Architecture

    Capability Hardware Enhanced RISC Instructions (CHERI) supplement the conventional memory management unit (MMU) with instruction-set architecture (ISA) extensions that implement a capability system model in the address space. CHERI can also underpin a hardware-software object-capability model for scalable application compartmentalization that can mitigate broader classes of attack. This article describes ISA additions to CHERI that support fast protection-domain switching, not only in terms of low cycle count, but also efficient memory sharing with mutual distrust. The authors propose ISA support for sealed capabilities, hardware-assisted checking during protection-domain switching, a lightweight capability flow-control model, and fast register clearing, while retaining the flexibility of a software-defined protection-domain transition model. They validate this approach through a full-system experimental design, including ISA extensions, a field-programmable gate array prototype (implemented in Bluespec SystemVerilog), and a software stack including an OS (based on FreeBSD), compiler (based on LLVM), software compartmentalization model, and open-source applications.

    This work is part of the CTSRD and MRC2 projects sponsored by the Defense Advanced Research Projects Agency (DARPA) and the Air Force Research Laboratory (AFRL), under contracts FA8750-10-C-0237 and FA8750-11-C-0249. We also acknowledge the Engineering and Physical Sciences Research Council (EPSRC) REMS Programme Grant [EP/K008528/1], the EPSRC Impact Acceleration Account [EP/K503757/1], EPSRC/ARM iCASE studentship [13220009], Microsoft studentship [MRS2011-031], the Isaac Newton Trust, the UK Higher Education Innovation Fund (HEIF), Thales E-Security, and Google, Inc.

    This is the author accepted manuscript. The final version of the article can be found at: http://ieeexplore.ieee.org/document/7723791

    Characterizing Family Physicians Who Refer to Telepsychiatry in Ontario

    INTRODUCTION: Telepsychiatry can improve access to psychiatric services for those who otherwise cannot easily access care. Family physicians are gatekeepers to specialized care in Ontario, so it is essential to understand predictors relating to referrals to telepsychiatry to better plan services and increase telepsychiatry adoption. METHODS: This study used an annual retrospective cross-sectional study design to compare physicians who referred their patients to telepsychiatry each year from fiscal year (FY) 2008 to FY 2016. A 1-year (FY 2016) comparison of family physicians who referred to telepsychiatry (FPTs) compared to family physicians who did not refer to telepsychiatry (FPNTs) matched (1:2) by region was also conducted. Finally, we used statistical modeling to understand the predictors of referring to telepsychiatry among physicians. RESULTS: Between FY 2008 and FY 2016, the number of patients receiving telepsychiatry increased from 925 visits to 13,825 visits. Thirty-two percent of Ontario primary care physicians referred to telepsychiatry in 2016. Several characteristics were notably different between FPTs and FPNTs: FPTs were more likely to be from a residence with less than 10,000 people, to have more nurse practitioners in the practice, and to be from a family health team than FPNTs. Rostered patients of FPTs were more likely to reside in rural areas, have more clinical complexity, and to utilize more mental health services compared to FPNTs. CONCLUSIONS: There has been an increase in the use of telepsychiatry by patients and family physicians over the study period, although there remains opportunity for significant growth. Family physicians who live in rural areas, are part of an FHT, have more NPs, with more rural and complex patients were more likely to refer to telepsychiatry. As recent pro-telemedicine policies support the growth of telepsychiatry, this study will serve as an important baseline

    Cornucopia: Temporal safety for CHERI heaps

    Use-after-free violations of temporal memory safety continue to plague software systems, underpinning many high-impact exploits. The CHERI capability system shows great promise in achieving C and C++ language spatial memory safety, preventing out-of-bounds accesses. Enforcing language-level temporal safety on CHERI requires capability revocation, traditionally achieved either via table lookups (avoided for performance in the CHERI design) or by identifying capabilities in memory to revoke them (similar to a garbage-collector sweep). CHERIvoke, a prior feasibility study, suggested that CHERI’s tagged capabilities could make this latter strategy viable, but modeled only architectural limits and did not consider the full implementation or evaluation of the approach. Cornucopia is a lightweight capability revocation system for CHERI that implements non-probabilistic C/C++ temporal memory safety for standard heap allocations. It extends the CheriBSD virtual-memory subsystem to track capability flow through memory and provides a concurrent kernel-resident revocation service that is amenable to multi-processor and hardware acceleration. We demonstrate an average overhead of less than 2% and a worst-case of 8.9% for concurrent revocation on compatible SPEC CPU2006 benchmarks on a multi-core CHERI CPU on FPGA, and we validate Cornucopia against the Juliet test suite’s corpus of temporally unsafe programs. We test its compatibility with a large corpus of C programs by using a revoking allocator as the system allocator while booting multi-user CheriBSD. Cornucopia is a viable strategy for always-on temporal heap memory safety, suitable for production environments.

    This work was supported by the Defense Advanced Research Projects Agency (DARPA) and the Air Force Research Laboratory (AFRL), under contracts FA8750-10-C-0237 (“CTSRD”) and HR0011-18-C-0016 (“ECATS”). We also acknowledge the EPSRC REMS Programme Grant (EP/K008528/1), the ABP Grant (EP/P020011/1), the ERC ELVER Advanced Grant (789108), the Gates Cambridge Trust, Arm Limited, HP Enterprise, and Google, Inc.

    Illness Schema Activation and the Effects of Illness Seasonality on Accessibility of Implicit Illness-Related Information

    The Common-Sense Model (CSM) of illness self-regulation is a leading theoretical framework describing the process by which an individual recognizes that he or she is physically ill and subsequently attempts to manage that illness state. The CSM proposes that people possess schematically organized implicit cognitive representations of health threats comprising information about illness such as symptoms, causes, label, duration, consequences, and procedures for managing threat [1, 2, 3, 4]. The proposed function of these stored knowledge structures is to activate a self-regulation process that might protect or restore a state of well-being [5]. The CSM proposes that the schematic representation is centrally activated by detection of deviations from the normal functioning self (i.e., experienced symptoms). The identification of illness and the initiation of self-management attempts follow from the search for illness-relevant cognitive structures and the matching of the content of illness schema to the symptomatic experience. For example, a headache (a symptomatic deviation from normal somatic experience) might activate illness schemata containing the cognitive representation of “headache” such as “hangover,” “dehydration,” or “flu.” The matching of the symptom to a particular illness schema will follow from the search and match to other aspects of plausible illness representations, such as its probable cause or duration (timeline).

    Spatiotemporal variation of the epifaunal assemblages associated to Sargassum muticum on the NW Atlantic coast of Morocco

    Epifaunal assemblages inhabiting the non-indigenous macroalga Sargassum muticum (Yendo) Fensholt were investigated on two physically distinct intertidal rocky (S1) and sandy (S2) sites along the Atlantic coast of Morocco. The objective of this study was to test whether the habitat-forming marine alga S. muticum invasive in these sites supported different epifaunal assemblages under different environmental conditions and through time. The gastropods Steromphala umbilicalis, S. pennanti, and Rissoa parva and the isopod Dynamene bidentata were the most contributive species to the dissimilarity of epifaunal assemblage structure between both sites throughout seasons. SIMPER analysis showed a dissimilarity of 58.3-78.5% in the associated species composition of S. muticum between study sites with respect to sampling season. Species diversity and total abundance were significantly higher at the rocky site compared to the sandy site. PERMANOVA analyses showed significant differences of associated epifaunal assemblage structure for the season and site interaction. Accordingly, site and season were determinant factors conditioning the role of habitat in structuring epifaunal assemblages.
