Balancing Disruption and Deployability in the CHERI Instruction-Set Architecture (ISA)
For over two-and-a-half decades, dating to the first widespread commercial deployment of the Internet, commodity processor architectures have failed to provide robust and secure foundations for communication and commerce. This is in large part due to the omission of architectural features allowing efficient implementation of the Principle of Least Privilege, which dictates that software runs only with the rights it requires to operate [19, 20]. Without this support, the impact of inevitable vulnerabilities is multiplied as successful attackers gain easy access to unnecessary rights – and often, all rights – in software systems
Blueswitch: Enabling provably consistent configuration of network switches
Previous research on consistent updates for distributed network configurations has focused on solutions for centralized network configuration controllers. However, such work does not address the complexity of modern switch datapaths. Modern commodity switches expose opaque configuration mechanisms, with minimal guarantees for datapath consistency and with unclear configuration semantics. Furthermore, would-be solutions for distributed consistent updates must take into account the configuration guarantees provided by each individual switch – plus the compositional problems of distributed control and multi-switch configurations that considerably transcend the single-switch problems. In this paper, we focus on the behavior of individual switches, and demonstrate that even simple rule updates result in inconsistent packet switching in multi-table datapaths. We demonstrate that consistent configuration updates require guarantees of strong switch-level atomicity from both hardware and software layers of switches – even in a single switch. In short, the multiple-switch problems cannot be reasonably approached until single-switch consistency can be resolved. We present a hardware design that supports a transactional configuration mechanism, and provides packet-consistent configuration: all packets traversing the datapath will encounter either the old configuration or the new one, and never an inconsistent mix of the two. Unlike previous work, our design does not require modifications to network packets. We precisely specify the hardware-software protocol for switch configuration; this enables us to prove the correctness of the design, and to provide well-specified invariants that the software driver must maintain for correctness. We implement our prototype switch design using the NetFPGA-10G hardware platform, and evaluate our prototype against commercial off-the-shelf switches.
This work was jointly supported by the Defense Advanced Research Projects Agency (DARPA) and the Air Force Research Laboratory (AFRL), under contract FA8750-11-C-0249. The views, opinions, and/or findings contained in this article/presentation are those of the author/presenter and should not be interpreted as representing the official views or policies, either expressed or implied, of the Department of Defense or the U.S. Government. We also acknowledge the support of the UK EPSRC for contributing to parts of our work, through grant EP/H040536/1. Additional data related to this publication is available at the http://www.cl.cam.ac.uk/research/srg/netfpga/blueswitch/ data repository.
This is the author accepted manuscript. The final version is available from IEEE via http://dx.doi.org/10.1109/ANCS.2015.711011
CHERIvoke: Characterising pointer revocation using CHERI capabilities for temporal memory safety
A lack of temporal safety in low-level languages has led to an epidemic of use-after-free exploits. These have surpassed in number and severity even the infamous buffer-overflow exploits violating spatial safety. Capability addressing can directly enforce spatial safety for the C language by enforcing bounds on pointers and by rendering pointers unforgeable. Nevertheless, an efficient solution for strong temporal memory safety remains elusive.
CHERI is an architectural extension to provide hardware capability addressing that is seeing significant commercial and open-source interest. We show that CHERI capabilities can be used as a foundation to enable low-cost heap temporal safety by facilitating out-of-date pointer revocation, as capabilities enable precise and efficient identification and invalidation of pointers, even when using unsafe languages such as C. We develop CHERIvoke, a technique for deterministic and fast sweeping revocation to enforce temporal safety on CHERI systems. CHERIvoke quarantines freed data before periodically using a small shadow map to revoke all dangling pointers in a single sweep of memory, and provides a tunable trade-off between performance and heap growth. We evaluate the performance of such a system using high-performance x86 processors, and further analytically examine its primary overheads. When configured with a heap-size overhead of 25%, we find that CHERIvoke achieves an average execution-time overhead of under 5%, far below the overheads associated with traditional garbage collection, revocation, or page-table systems.
EP/K026399/1, EP/P020011/1, EP/K008528/
Can a falling tree make a noise in two forests at the same time?
It is a commonplace to claim that quantum mechanics supports the old idea that a tree falling in a forest makes no sound unless there is a listener present. In fact, this conclusion is far from obvious. Furthermore, if a tunnelling particle is observed in the barrier region, it collapses to a state in which it is no longer tunnelling. Does this imply that while tunnelling, the particle can not have any physical effects? I argue that this is not the case, and moreover, speculate that it may be possible for a particle to have effects on two spacelike separate apparatuses simultaneously. I discuss the measurable consequences of such a feat, and speculate about possible statistical tests which could distinguish this view of quantum mechanics from a ``corpuscular'' one. Brief remarks are made about an experiment underway at Toronto to investigate these issues.
Comment: 9 pp, Latex, 3 figs, to appear in Proc. Obsc. Unr. Conf.; Fig 2 postscript repaired on 26.10.9
CHERI: a research platform deconflating hardware virtualisation and protection
Contemporary CPU architectures conflate virtualization and protection, imposing virtualization-related performance, programmability, and debuggability penalties on software requiring fine-grained protection. First observed in micro-kernel research, these problems are increasingly apparent in recent attempts to mitigate software vulnerabilities through application compartmentalisation. Capability Hardware Enhanced RISC Instructions (CHERI) extend RISC ISAs to support greater software compartmentalisation. CHERI’s hybrid capability model provides fine-grained compartmentalisation within address spaces while maintaining software backward compatibility, which will allow the incremental deployment of fine-grained compartmentalisation in both our most trusted and least trustworthy C-language software stacks. We have implemented a 64-bit MIPS research soft core, BERI, as well as a capability coprocessor, and begun adapting commodity software packages (FreeBSD and Chromium) to execute on the platform
Rigorous engineering for hardware security: Formal modelling and proof in the CHERI design and implementation process
The root causes of many security vulnerabilities include a pernicious combination of two problems, often regarded as inescapable aspects of computing. First, the protection mechanisms provided by the mainstream processor architecture and C/C++ language abstractions, dating back to the 1970s and before, provide only coarse-grain virtual-memory-based protection. Second, mainstream system engineering relies almost exclusively on test-and-debug methods, with (at best) prose specifications. These methods have historically sufficed commercially for much of the computer industry, but they fail to prevent large numbers of exploitable bugs, and the security problems that this causes are becoming ever more acute.
In this paper we show how more rigorous engineering methods can be applied to the development of a new security-enhanced processor architecture, with its accompanying hardware implementation and software stack. We use formal models of the complete instruction-set architecture (ISA) at the heart of the design and engineering process, both in lightweight ways that support and improve normal engineering practice -- as documentation, in emulators used as a test oracle for hardware and for running software, and for test generation -- and for formal verification. We formalise key intended security properties of the design, and establish that these hold with mechanised proof. This is for the same complete ISA models (complete enough to boot operating systems), without idealisation.
We do this for CHERI, an architecture with \emph{hardware capabilities} that supports fine-grained memory protection and scalable secure compartmentalisation, while offering a smooth adoption path for existing software. CHERI is a maturing research architecture, developed since 2010, with work now underway on an Arm industrial prototype to explore its possible adoption in mass-market commercial processors. The rigorous engineering work described here has been an integral part of its development to date, enabling more rapid and confident experimentation, and boosting confidence in the design.
This work was supported by EPSRC programme grant EP/K008528/1 (REMS: Rigorous Engineering for Mainstream Systems). This work was supported by a Gates studentship (Nienhuis). This project has received funding from the European Research Council (ERC) under the European Union's Horizon 2020 research and innovation programme (grant agreement 789108, ELVER). This work was supported by the Defense Advanced Research Projects Agency (DARPA) and the Air Force Research Laboratory (AFRL), under contracts FA8750-10-C-0237 (CTSRD), HR0011-18-C-0016 (ECATS), and FA8650-18-C-7809 (CIFV)
CHERI: A hybrid capability-system architecture for scalable software compartmentalization
CHERI extends a conventional RISC Instruction-Set Architecture, compiler, and operating system to support fine-grained, capability-based memory protection to mitigate memory-related vulnerabilities in C-language TCBs. We describe how CHERI capabilities can also underpin a hardware-software object-capability model for application compartmentalization that can mitigate broader classes of attack. Prototyped as an extension to the open-source 64-bit BERI RISC FPGA softcore processor, FreeBSD operating system, and LLVM compiler, we demonstrate multiple orders-of-magnitude improvement in scalability, simplified programmability, and resulting tangible security benefits as compared to compartmentalization based on pure Memory-Management Unit (MMU) designs. We evaluate incrementally deployable CHERI-based compartmentalization using several real-world UNIX libraries and applications.
We thank our colleagues Ross Anderson, Ruslan Bukin, Gregory Chadwick, Steve Hand, Alexandre Joannou, Chris Kitching, Wojciech Koszek, Bob Laddaga, Patrick Lincoln, Ilias Marinos, A Theodore Markettos, Ed Maste, Andrew W. Moore, Alan Mujumdar, Prashanth Mundkur, Colin Rothwell, Philip Paeps, Jeunese Payne, Hassen Saidi, Howie Shrobe, and Bjoern Zeeb, our anonymous reviewers, and shepherd Frank Piessens, for their feedback and assistance. This work is part of the CTSRD and MRC2 projects sponsored by the Defense Advanced Research Projects Agency (DARPA) and the Air Force Research Laboratory (AFRL), under contracts FA8750-10-C-0237 and FA8750-11-C-0249. The views, opinions, and/or findings contained in this paper are those of the authors and should not be interpreted as representing the official views or policies, either expressed or implied, of the Department of Defense or the U.S. Government. We acknowledge the EPSRC REMS Programme Grant [EP/K008528/1], Isaac Newton Trust, UK Higher Education Innovation Fund (HEIF), Thales E-Security, and Google, Inc.
This is the author accepted manuscript. The final version is available at http://dx.doi.org/10.1109/SP.2015.
CheriRTOS: A Capability Model for Embedded Devices
Embedded systems are deployed ubiquitously among various sectors including automotive, medical, robotics and avionics. As these devices become increasingly connected, the attack surface also increases tremendously; new mechanisms must be deployed to defend against more sophisticated attacks while not violating resource constraints. In this paper we present CheriRTOS on CHERI-64, a hardware-software platform atop Capability Hardware Enhanced RISC Instructions (CHERI) for embedded systems.
Our system provides efficient and scalable task isolation, fast and secure inter-task communication, fine-grained memory safety, and real-time guarantees, using hardware capabilities as the sole protection mechanism. We summarize state-of-the-art security and memory safety for embedded systems for comparison with our platform, illustrating the superior substrate provided by CHERI’s capabilities. Finally, our evaluations show that a capability system can be implemented within the constraints of embedded systems
Preparation and Measurement of Three-Qubit Entanglement in a Superconducting Circuit
Traditionally, quantum entanglement has played a central role in foundational discussions of quantum mechanics. The measurement of correlations between entangled particles can exhibit results at odds with classical behavior. These discrepancies increase exponentially with the number of entangled particles. When entanglement is extended from just two quantum bits (qubits) to three, the incompatibilities between classical and quantum correlation properties can change from a violation of inequalities involving statistical averages to sign differences in deterministic observations. With the ample confirmation of quantum mechanical predictions by experiments, entanglement has evolved from a philosophical conundrum to a key resource for quantum-based technologies, like quantum cryptography and computation. In particular, maximal entanglement of more than two qubits is crucial to the implementation of quantum error correction protocols. While entanglement of up to 3, 5, and 8 qubits has been demonstrated among spins, photons, and ions, respectively, entanglement in engineered solid-state systems has been limited to two qubits. Here, we demonstrate three-qubit entanglement in a superconducting circuit, creating Greenberger-Horne-Zeilinger (GHZ) states with fidelity of 88%, measured with quantum state tomography. Several entanglement witnesses show violation of bi-separable bounds by 830±80%. Our entangling sequence realizes the first step of basic quantum error correction, namely the encoding of a logical qubit into a manifold of GHZ-like states using a repetition code. The integration of encoding, decoding and error-correcting steps in a feedback loop will be the next milestone for quantum computing with integrated circuits.
Comment: 7 pages, 4 figures, and Supplementary Information (4 figures)
Beyond the PDP-11: Architectural support for a memory-safe C abstract machine
We propose a new memory-safe interpretation of the C abstract machine that provides stronger protection to benefit security and debugging. Despite ambiguities in the specification intended to provide implementation flexibility, contemporary implementations of C have converged on a memory model similar to the PDP-11, the original target for C. This model lacks support for memory safety despite well documented impacts on security and reliability. Attempts to change this model are often hampered by assumptions embedded in a large body of existing C code, dating back to the memory model exposed by the original C compiler for the PDP-11. Our experience with attempting to implement a memory-safe variant of C on the CHERI experimental microprocessor led us to identify a number of problematic idioms. We describe these as well as their interaction with existing memory safety schemes and the assumptions that they make beyond the requirements of the C specification. Finally, we refine the CHERI ISA and abstract model for C, by combining elements of the CHERI capability model and fat pointers, and present a softcore CPU that implements a C abstract machine that can run legacy C code with strong memory protection guarantees.
This work is part of the CTSRD and MRC2 projects that are sponsored by the Defense Advanced Research Projects Agency (DARPA) and the Air Force Research Laboratory (AFRL), under contracts FA8750-10-C-0237 and FA8750-11-C-0249. The views, opinions, and/or findings contained in this paper are those of the authors and should not be interpreted as representing the official views or policies, either expressed or implied, of the Department of Defense or the U.S. Government. We gratefully acknowledge Google, Inc. for its sponsorship