434 research outputs found
CHERIvoke: Characterising pointer revocation using CHERI capabilities for temporal memory safety
A lack of temporal safety in low-level languages has led to an epidemic of use-after-free exploits. These have surpassed in number and severity even the infamous buffer-overflow exploits violating spatial safety. Capability addressing can directly enforce spatial safety for the C language by enforcing bounds on pointers and by rendering pointers unforgeable. Nevertheless, an efficient solution for strong temporal memory safety remains elusive.
CHERI is an architectural extension to provide hardware capability addressing that is seeing significant commercial and open-source interest. We show that CHERI capabilities can be used as a foundation to enable low-cost heap temporal safety by facilitating out-of-date pointer revocation, as capabilities enable precise and efficient identification and invalidation of pointers, even when using unsafe languages such as C. We develop CHERIvoke, a technique for deterministic and fast sweeping revocation to enforce temporal safety on CHERI systems. CHERIvoke quarantines freed data before periodically using a small shadow map to revoke all dangling pointers in a single sweep of memory, and provides a tunable trade-off between performance and heap growth. We evaluate the performance of such a system using high-performance x86 processors, and further analytically examine its primary overheads. When configured with a heap-size overhead of 25%, we find that CHERIvoke achieves an average execution-time overhead of under 5%, far below the overheads associated with traditional garbage collection, revocation, or page-table systems. EP/K026399/1, EP/P020011/1, EP/K008528/
CHERI: a research platform deconflating hardware virtualisation and protection
Contemporary CPU architectures conflate virtualization and protection, imposing virtualization-related performance, programmability, and debuggability penalties on software requiring fine-grained protection. First observed in micro-kernel research, these problems are increasingly apparent in recent attempts to mitigate software vulnerabilities through application compartmentalisation. Capability Hardware Enhanced RISC Instructions (CHERI) extend RISC ISAs to support greater software compartmentalisation. CHERI’s hybrid capability model provides fine-grained compartmentalisation within address spaces while maintaining software backward compatibility, which will allow the incremental deployment of fine-grained compartmentalisation in both our most trusted and least trustworthy C-language software stacks. We have implemented a 64-bit MIPS research soft core, BERI, as well as a capability coprocessor, and begun adapting commodity software packages (FreeBSD and Chromium) to execute on the platform
Can HRCT be used as a marker of airway remodelling in children with difficult asthma?
BACKGROUND: Whole airway wall thickening on high resolution computed tomography (HRCT) is reported to parallel thickening of the bronchial epithelial reticular basement membrane (RBM) in adult asthmatics. A similar relationship in children with difficult asthma (DA), in whom RBM thickening is a known feature, may allow the use of HRCT as a non-invasive marker of airway remodelling. We evaluated this relationship in children with DA. METHODS: 27 children (median age 10.5 [range 4.1-16.7] years) with DA, underwent endobronchial biopsy from the right lower lobe and HRCT less than 4 months apart. HRCTs were assessed for bronchial wall thickening (BWT) of the right lower lobe using semi-quantitative and quantitative scoring techniques. The semi-quantitative score (grade 0-4) was an overall assessment of BWT of all clearly identifiable airways in HRCT scans. The quantitative score (BWT %; defined as [airway outer diameter - airway lumen diameter]/airway outer diameter x100) was the average score of all airways visible and calculated using electronic endpoint callipers. RBM thickness in endobronchial biopsies was measured using image analysis. 23/27 subjects performed spirometry and the relationships between RBM thickness and BWT with airflow obstruction evaluated. RESULTS: Median RBM thickness in endobronchial biopsies was 6.7 (range 4.6-10.0) microm. Median qualitative score for BWT of the right lower lobe was 1 (range 0-1.5) and quantitative score was 54.3 (range 48.2-65.6)%. There was no relationship between RBM thickness and BWT in the right lower lobe using either scoring technique. No relationship was found between FEV1 and BWT or RBM thickness. CONCLUSION: Although a relationship between RBM thickness and BWT on HRCT has been found in adults with asthma, this relationship does not appear to hold true in children with D
Higher serum levels of periostin and the risk of exacerbations in moderate asthmatics
BACKGROUND: In asthma, exacerbations and poor disease control are linked to airway allergic inflammation. Serum periostin has been proposed as a systemic biomarker of eosinophilic inflammation. This pilot study aims at evaluating whether in patients with moderate asthma, higher baseline levels of serum periostin are associated with a greater risk of exacerbation.
METHODS: Fifteen outpatients with moderate allergic asthma were recruited. Serum concentrations of periostin were assessed (ELISA) at baseline, and the frequency of asthma exacerbations was recorded during a one-year follow-up.
RESULTS: Patients (M/F: 10/5, mean age of 47.6 ± 11.0 years) had mean ACQ score of 5.5 ± 4.2 and FEV1%pred of 81.9 ± 21.7 %. Baseline serum levels of periostin did not correlate with lung function parameters, nor with the ACQ score (p ≥ 0.05 for all analyses). Five subjects (33 % of the study group) reported one or more exacerbations during the following year. Baseline serum levels of periostin were significantly higher in subjects who experienced one or more exacerbations during the one year period of follow-up, compared with subjects with no exacerbations: median serum periostin level was 4047 ng/ml (range: 2231 to 4889 ng/ml) and 222 ng/ml (range 28.2 to 1631 ng/ml) respectively; p = 0.001.
CONCLUSION: The findings of the present pilot study could form the basis for the design of larger studies aiming at developing strategies to identify asthmatic patients at risk for exacerbations
CHERI: A hybrid capability-system architecture for scalable software compartmentalization
CHERI extends a conventional RISC Instruction-Set Architecture, compiler, and operating system to support fine-grained, capability-based memory protection to mitigate memory-related vulnerabilities in C-language TCBs. We describe how CHERI capabilities can also underpin a hardware-software object-capability model for application compartmentalization that can mitigate broader classes of attack. Prototyped as an extension to the open-source 64-bit BERI RISC FPGA softcore processor, FreeBSD operating system, and LLVM compiler, we demonstrate multiple orders-of-magnitude improvement in scalability, simplified programmability, and resulting tangible security benefits as compared to compartmentalization based on pure Memory-Management Unit (MMU) designs. We evaluate incrementally deployable CHERI-based compartmentalization using several real-world UNIX libraries and applications.
We thank our colleagues Ross Anderson, Ruslan Bukin, Gregory Chadwick, Steve Hand, Alexandre Joannou, Chris Kitching, Wojciech Koszek, Bob Laddaga, Patrick Lincoln, Ilias Marinos, A Theodore Markettos, Ed Maste, Andrew W. Moore, Alan Mujumdar, Prashanth Mundkur, Colin Rothwell, Philip Paeps, Jeunese Payne, Hassen Saidi, Howie Shrobe, and Bjoern Zeeb, our anonymous reviewers, and shepherd Frank Piessens, for their feedback and assistance. This work is part of the CTSRD and MRC2 projects sponsored by the Defense Advanced Research Projects Agency (DARPA) and the Air Force Research Laboratory (AFRL), under contracts FA8750-10-C-0237 and FA8750-11-C-0249. The views, opinions, and/or findings contained in this paper are those of the authors and should not be interpreted as representing the official views or policies, either expressed or implied, of the Department of Defense or the U.S. Government. We acknowledge the EPSRC REMS Programme Grant [EP/K008528/1], Isaac Newton Trust, UK Higher Education Innovation Fund (HEIF), Thales E-Security, and Google, Inc.
This is the author accepted manuscript. The final version is available at http://dx.doi.org/10.1109/SP.2015.
Role of PCSK5 Expression in Mouse Ovarian Follicle Development: Identification of the Inhibin α- and β-Subunits as Candidate Substrates
Inhibin and activin are essential dimeric glycoproteins belonging to the transforming growth factor-beta (TGFβ) superfamily. Inhibin is a heterodimer of α- and β-subunits, whereas activin is a homodimer of β-subunits. Production of inhibin is regulated during the reproductive cycle and requires the processing of pro-ligands to produce mature hormone. Furin is a subtilisin-like proprotein convertase (proconvertase) that activates precursor proteins by cleavage at basic sites during their transit through the secretory pathway and/or at the cell surface. We hypothesized that furin-like proconvertases are central regulators of inhibin α- and β-subunit processing within the ovary. We analyzed the expression of the proconvertases furin, PCSK5, PCSK6, and PCSK7 in the developing mouse ovary by real-time quantitative RT-PCR. The data showed that proconvertase enzymes are temporally expressed in ovarian cells. With the transition from two-layer secondary to pre-antral follicle, only PCSK5 mRNA was significantly elevated. Activin A selectively enhanced expression of PCSK5 mRNA and decreased expression of furin and PCSK6 in cultured two-layer secondary follicles. Inhibition of proconvertase enzyme activity by dec-RVKR-chloromethylketone (CMK), a highly specific and potent competitive inhibitor of subtilisin-like proconvertases, significantly impeded both inhibin α- and β-subunit maturation in murine granulosa cells. Overexpression of PC5/6 in furin-deficient cells led to increased inhibin α- and βB-subunit maturation. Our data support the role of proconvertase PCSK5 in the processing of ovarian inhibin subunits during folliculogenesis and suggest that this enzyme may be an important regulator of inhibin and activin bioavailability
CheriRTOS: A Capability Model for Embedded Devices
Embedded systems are deployed ubiquitously among various sectors including automotive, medical, robotics and avionics. As these devices become increasingly connected, the attack surface also increases tremendously; new mechanisms must be deployed to defend against more sophisticated attacks while not violating resource constraints. In this paper we present CheriRTOS on CHERI-64, a hardware-software platform atop Capability Hardware Enhanced RISC Instructions (CHERI) for embedded systems.
Our system provides efficient and scalable task isolation, fast and secure inter-task communication, fine-grained memory safety, and real-time guarantees, using hardware capabilities as the sole protection mechanism. We summarize state-of-the-art security and memory safety for embedded systems for comparison with our platform, illustrating the superior substrate provided by CHERI’s capabilities. Finally, our evaluations show that a capability system can be implemented within the constraints of embedded systems