Recommended from our members
Pointer Provenance in a Capability Architecture
We design and implement a framework for tracking pointer provenance, using our CHERI fat-pointer capability architecture to facilitate analysis of security implications of program pointer flows in both user and privileged code, with minimal instrumentation. CHERI enforces pointer provenance validity at the architectural level, in the presence of complex pointer arithmetic and type casting. CHERI presents new opportunities for provenance research: we discuss use cases and highlight lessons and open questions from our work.
DARPA/AFRL FA8750-10-C-0237, Google Chrome University Research Program Awar
Exploring C semantics and pointer provenance
The semantics of pointers and memory objects in C has been a vexed question for many years. C values cannot be treated as either purely abstract or purely concrete entities: the language exposes their representations, but compiler optimisations rely on analyses that reason about provenance and initialisation status, not just runtime representations. The ISO WG14 standard leaves much of this unclear, and in some respects differs from de facto standard usage, which itself is difficult to investigate.
In this paper we explore the possible source-language semantics for memory objects and pointers, in ISO C and in C as it is used and implemented in practice, focussing especially on pointer provenance. We aim to, as far as possible, reconcile the ISO C standard, mainstream compiler behaviour, and the semantics relied on by the corpus of existing C code. We present two coherent proposals, tracking provenance via integers and not; both address many design questions. We highlight some pros and cons and open questions, and illustrate the discussion with a library of test cases. We make our semantics executable as a test oracle, integrating it with the Cerberus semantics for much of the rest of C, which we have made substantially more complete and robust, and equipped with a web-interface GUI. This allows us to experimentally assess our proposals on those test cases. To assess their viability with respect to larger bodies of C code, we analyse the changes required and the resulting behaviour for a port of FreeBSD to CHERI, a research architecture supporting hardware capabilities, which (roughly speaking) traps on the memory safety violations which our proposals deem undefined behaviour. We also develop a new runtime instrumentation tool to detect possible provenance violations in normal C code, and apply it to some of the SPEC benchmarks. We compare our proposal with a source-language variant of the twin-allocation LLVM semantics proposal of Lee et al. Finally, we describe ongoing interactions with WG14, exploring how our proposals could be incorporated into the ISO standard.
CHERI Concentrate: Practical Compressed Capabilities
We present CHERI Concentrate, a new fat-pointer compression scheme applied to CHERI, the most developed capability-pointer system at present. Capability fat-pointers are a primary candidate for enforcing fine-grained and non-bypassable security properties in future computer systems, although increased pointer size can severely affect performance. Thus, several proposals for capability compression have been suggested, but these did not support legacy instruction sets, ignored features critical to the existing software base, and also introduced design inefficiencies to RISC-style processor pipelines. CHERI Concentrate improves on the state-of-the-art region-encoding efficiency, solves important pipeline problems, and eases semantic restrictions of compressed encoding, allowing it to protect a full legacy software stack. We analyze and extend logic from the open-source CHERI prototype processor design on FPGA to demonstrate encoding efficiency, minimize delay of pointer arithmetic, and eliminate additional load-to-use delay. To verify correctness of our proposed high-performance logic, we present a HOL4 machine-checked proof of the decode and pointer-modify operations. Finally, we measure a 50%-75% reduction in L2 misses for many compiled C-language benchmarks running under a commodity operating system using compressed 128-bit and 64-bit formats, demonstrating both compatibility with and increased performance over the uncompressed, 256-bit format.
Thunderclap: Exploring Vulnerabilities in Operating System IOMMU Protection via DMA from Untrustworthy Peripherals
Direct Memory Access (DMA) attacks have been known for many years: DMA-enabled I/O peripherals have complete access to the state of a computer and can fully compromise it including reading and writing all of system memory.
With the popularity of Thunderbolt 3 over USB Type-C and smart internal devices, opportunities for these attacks to be performed casually with only seconds of physical access to a computer have greatly broadened. In response, commodity hardware and operating-system (OS) vendors have incorporated support for Input-Output Memory Management Units (IOMMUs), which impose memory protection on DMA, and are widely believed to protect against DMA attacks.
We investigate the state-of-the-art in IOMMU protection across OSes using a novel I/O security research platform, and find that current protections fall short when faced with a functional network peripheral that uses its complex interactions with the OS for ill intent, and demonstrate compromises against macOS, FreeBSD, and Linux, which notionally utilize IOMMUs to protect against DMA attackers. Windows only uses the IOMMU in limited cases and remains vulnerable.
Using Thunderclap, an open-source FPGA research platform we built, we explore a number of novel exploit techniques to expose new classes of OS vulnerability. The complex vulnerability space for IOMMU-exposed shared memory available to DMA-enabled peripherals allows attackers to extract private data (sniffing cleartext VPN traffic) and hijack kernel control flow (launching a root shell) in seconds using devices such as USB-C projectors or power adapters.
We have worked closely with OS vendors to remedy these vulnerability classes, and they have now shipped substantial feature improvements and mitigations as a result of our work.
DARPA I2O FA8750-10-C-0237 ("CTSRD")
DARPA MTO HR0011- 18-C-0016 ("ECATS")
Arm Ltd
Google Inc
This work was also supported by EPSRC EP/R012458/1 (“IOSEC”)
CHERI JNI: Sinking the Java Security Model into the C
Java provides security and robustness by building a high-level security model atop the foundation of memory protection. Unfortunately, any native code linked into a Java program, including the million lines used to implement the standard library, is able to bypass both the memory protection and the higher-level policies. We present a hardware-assisted implementation of the Java native code interface, which extends the guarantees required for Java's security model to native code.
Our design supports safe direct access to buffers owned by the JVM, including hardware-enforced read-only access where appropriate. We also present Java language syntax to declaratively describe isolated compartments for native code.
We show that it is possible to preserve the memory safety and isolation requirements of the Java security model in C code, allowing native code to run in the same process as Java code with the same impact on security as running equivalent Java code. Our approach has a negligible impact on performance, compared with the existing unsafe native code interface. We demonstrate a prototype implementation running on the CHERI microprocessor synthesized in FPGA.
Defense Advanced Research Projects Agency
Google, Inc.
Isaac Newton Trust
Thales E-Securit
Purification and functional characterisation of rhiminopeptidase A, a novel aminopeptidase from the venom of Bitis gabonica rhinoceros
This study describes the discovery and characterisation of a novel aminopeptidase A from the venom of B. g. rhinoceros and highlights its potential biological importance. Similar to mammalian aminopeptidases, rhiminopeptidase A might be capable of playing roles in altering the blood pressure and brain function of victims. Furthermore, it could have additional effects on the biological functions of other host proteins by cleaving their N-terminal amino acids. This study points towards the importance of complete analysis of individual components of snake venom in order to develop effective therapies for snake bites.
Modifying patterns of movement in people with low back pain -does it help? A systematic review
Background: Physiotherapy for people with low back pain frequently includes assessment and modification of lumbo-pelvic movement. Interventions commonly aim to restore normal movement and thereby reduce pain and improve activity limitation. The objective of this systematic review was to investigate: (i) the effect of movement-based interventions on movement patterns (muscle activation, lumbo-pelvic kinematics or postural patterns) of people with low back pain (LBP), and (ii) the relationship between changes in movement patterns and subsequent changes in pain and activity limitation. Methods: MEDLINE, Cochrane Central, EMBASE, AMI, CINAHL, Scopus, AMED, ISI Web of Science were searched from inception until January 2012. Randomised controlled trials or controlled clinical trials of people with LBP were eligible for inclusion. The intervention must have been designed to influence (i) muscle activity patterns, (ii) lumbo-pelvic kinematic patterns or (iii) postural patterns, and included measurement of such deficits before and after treatment, to allow determination of the success of the intervention on the lumbo-pelvic movement. Twelve trials (25% of retrieved studies) met the inclusion criteria. Two reviewers independently identified, assessed and extracted data. The PEDro scale was used to assess method quality. Intervention effects were described using standardised differences between group means and 95% confidence intervals. Results: The included trials showed inconsistent, mostly small to moderate intervention effects on targeted movement patterns. There was considerable heterogeneity in trial design, intervention type and outcome measures.
A relationship between changes to movement patterns and improvements in pain or activity limitation was observed in one of six studies on muscle activation patterns, one of four studies that examined the flexion relaxation response pattern and in two of three studies that assessed lumbo-pelvic kinematics or postural characteristics. Conclusions: Movement-based interventions were infrequently effective for changing observable movement patterns. A relationship between changes in movement patterns and improvement in pain or activity limitation was also infrequently observed. No independent studies confirm any observed relationships. Challenges for future research include defining best methods for measuring (i) movement aberrations, (ii) improvements in movements, and (iii) the relationship between changes in how people move and associated changes in other health indicators such as activity limitation.
Transcriptional recapitulation and subversion of embryonic colon development by mouse colon tumor models and human colon cancer
Colon tumors from four independent mouse models and 100 human colorectal cancers all exhibited striking recapitulation of embryonic colon gene expression from embryonic days 13.5-18.5.
Untangling knowledge creation and knowledge integration in enterprise wikis
A central challenge organizations face is how to build, store, and maintain knowledge over time. Enterprise wikis are community-based knowledge systems situated in an organizational context. These systems have the potential to play an important role in managing knowledge within organizations, but the motivating factors that drive individuals to contribute their knowledge to these systems are not very well understood. We theorize that enterprise wiki initiatives require two separate and distinct types of knowledge-sharing behaviors to succeed: knowledge creation (KC) and knowledge integration (KI). We examine a Wiki initiative at a major German bank to untangle the motivating factors behind KC and KI. Our results suggest KC and KI are indeed two distinct behaviors, reconcile inconsistent findings from past studies on the role of motivational factors for knowledge sharing to establish shared electronic knowledge resources in organizations, and identify factors that can be leveraged to tilt behaviors in favor of KC or KI.
Can social dancing prevent falls in older adults? A protocol of the Dance, Aging, Cognition, Economics (DAnCE) fall prevention randomised controlled trial
Background: Falls are one of the most common health problems among older people and pose a major economic burden on health care systems. Exercise is an accepted stand-alone fall prevention strategy, particularly if it is balance training or regular participation in Tai chi. Dance shares the 'holistic' approach of practices such as Tai chi. It is a complex sensorimotor rhythmic activity integrating multiple physical, cognitive and social elements. Small-scale randomised controlled trials have indicated that diverse dance styles can improve measures of balance and mobility in older people, but none of these studies has examined the effect of dance on falls or cognition. This study aims to determine whether participation in social dancing: i) reduces the number of falls; and ii) improves cognitive functions associated with fall risk in older people. Methods/design: A single-blind, cluster randomised controlled trial of 12 months duration will be conducted. Approximately 450 participants will be recruited from 24 self-care retirement villages that house at least 60 residents each in Sydney, Australia. Village residents without cognitive impairment who obtain medical clearance will be eligible. After comprehensive baseline measurements including physiological and cognitive tests and self-completed questionnaires, villages will be randomised to intervention sites (ballroom or folk dance) or to a wait-listed control using a computer randomisation method that minimises imbalances between villages based on two baseline fall risk measures. Main outcome measures are falls, prospectively measured, and the Trail Making cognitive function test. Cost-effectiveness and cost-utility analyses will be performed. Discussion: This study offers a novel approach to balance training for older people. As a community-based approach to fall prevention, dance offers older people an opportunity for greater social engagement, thereby making a major contribution to healthy ageing.
Providing diversity in exercise programs targeting seniors recognises the heterogeneity of multicultural populations and may further increase the number of taking part in exercise.