Software Compartmentalization Trade-Offs with Hardware Capabilities
Pages 49 - 57
Abstract
Compartmentalization is a form of defensive software design in which an application is broken down into isolated but communicating components. Retrofitting compartmentalization into existing applications is often thought to be expensive from the engineering effort and performance overhead points of view. Still, recent years have seen proposals of compartmentalization methods with promises of low engineering efforts and reduced performance impact. ARM Morello combines a modern ARM processor with an implementation of Capability Hardware Enhanced RISC Instructions (CHERI) aiming to provide efficient and secure compartmentalization. Past works exploring CHERI-based compartmentalization were restricted to emulated/FPGA prototypes.
In this paper, we explore possible compartmentalization schemes with CHERI on the Morello chip. We propose two approaches representing different trade-offs in terms of engineering effort, security, scalability, and performance impact. We describe and implement these approaches on a prototype OS running bare metal on the Morello chip, compartmentalize two popular applications, and investigate the performance overheads. Furthermore, we show that compartmentalization can be achieved with an engineering cost that can be quite low if one is willing to trade off on scalability and security, and that performance overheads are similar to other intra-address space isolation mechanisms.
References
[1]
Libsodium website, 2023. https://doc.libsodium.org/.
[2]
Sqlite website, 2023. https://www.sqlite.org/index.html.
[3]
Ioannis Agadakos, Manuel Egele, and William K. Robertson. Polytope: Practical memory access control for C++ applications. CoRR, abs/2201.08461, 2022.
[4]
Defence Advanced Research Projects Agency. Broad agency announcement compartmentalization and privilege management (cpm).
[5]
Hesham Almatary, Michael Dodson, Jessica Clarke, Peter Rugg, Ivan Gomes, Michal Podhradsky, Peter G. Neumann, Simon W. Moore, and Robert N. M. Watson. Compartos: CHERI compartmentalization for embedded systems. CoRR, abs/2206.02852, 2022.
[6]
Markus Bauer and Christian Rossow. Cali: Compiler-assisted library isolation. In Jiannong Cao, Man Ho Au, Zhiqiang Lin, and Moti Yung, editors, ASIA CCS '21: ACM Asia Conference on Computer and Communications Security, Virtual Event, Hong Kong, June 7-11, 2021, pages 550--564. ACM, 2021.
[7]
Andrea Bittau, Petr Marchenko, Mark Handley, and Brad Karp. Wedge: Splitting applications into Reduced-Privilege compartments. In 5th USENIX Symposium on Networked Systems Design and Implementation (NSDI 08), San Francisco, CA, April 2008. USENIX Association.
[8]
David Brumley and Dawn Song. Privtrans: Automatically partitioning programs for privilege separation. In 13th USENIX Security Symposium (USENIX Security 04), San Diego, CA, August 2004. USENIX Association.
[9]
Scott A. Carr and Mathias Payer. Datashield: Configurable data confidentiality and integrity. In Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security, ASIA CCS' 17, page 193--204, New York, NY, USA, 2017. Association for Computing Machinery.
[10]
Yaohui Chen, Sebassujeen Reymondjohnson, Zhichuang Sun, and Long Lu. Shreds: Fine-grained execution units with private memory. In IEEE Symposium on Security and Privacy, SP 2016, San Jose, CA, USA, May 22-26, 2016, pages 56--71. IEEE Computer Society, 2016.
[11]
David Chisnall, Brooks Davis, Khilan Gudka, David Brazdil, Alexandre Joannou, Jonathan Woodruff, A. Theodore Markettos, J. Edward Maste, Robert M. Norton, Stacey D. Son, Michael Roe, Simon W. Moore, Peter G. Neumann, Ben Laurie, and Robert N. M. Watson. CHERI JNI: sinking the java security model into the C. In Yunji Chen, Olivier Temam, and John Carter, editors, Proceedings of the Twenty-Second International Conference on Architectural Support for Programming Languages and Operating Systems, ASPLOS 2017, Xi'an, China, April 8-12, 2017, pages 569--583. ACM, 2017.
[12]
Nathan Dautenhahn, Theodoros Kasampalis, Will Dietz, John Criswell, and Vikram Adve. Nested kernel: An operating system architecture for intra-kernel privilege separation. In Proceedings of the Twentieth International Conference on Architectural Support for Programming Languages and Operating Systems, pages 191--206, 2015.
[13]
Lawrence G. Esswood. CheriOS: designing an untrusted single-address-space capability operating system utilising capability hardware and a minimal hypervisor. Technical Report UCAM-CL-TR-961, University of Cambridge, Computer Laboratory, September 2021.
[14]
Khilan Gudka, Robert N. M. Watson, Jonathan Anderson, David Chisnall, Brooks Davis, Ben Laurie, Ilias Marinos, Peter G. Neumann, and Alex Richardson. Clean application compartmentalization with SOAAP. In Indrajit Ray, Ninghui Li, and Christopher Kruegel, editors, Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, Denver, CO, USA, October 12-16, 2015, pages 1016--1031. ACM, 2015.
[15]
Mohammad Hedayati, Spyridoula Gravani, Ethan Johnson, John Criswell, Michael L. Scott, Kai Shen, and Mike Marty. Hodor: Intra-process isolation for high-throughput data plane libraries. In Proceedings of the 2019 USENIX Annual Technical Conference, ATC'19. USENIX Association, 2019.
[16]
Yongzhe Huang, Vikram Narayanan, David Detweiler, Kaiming Huang, Gang Tan, Trent Jaeger, and Anton Burtsev. KSplit: Automating device driver isolation. In 16th USENIX Symposium on Operating Systems Design and Implementation (OSDI 22), pages 613--631, Carlsbad, CA, July 2022. USENIX Association.
[17]
Paul A. Karger. Limiting the damage potential of discretionary trojan horses. In Proceedings of the 1987 IEEE Symposium on Security and Privacy, Oakland, California, USA, April 27-29, 1987, pages 32--37. IEEE Computer Society, 1987.
[18]
Douglas Kilpatrick. Privman: A library for partitioning applications. In 2003 USENIX Annual Technical Conference (USENIX ATC 03), San Antonio, TX, June 2003. USENIX Association.
[19]
Simon Kuenzer, Vlad-Andrei Bădoiu, Hugo Lefeuvre, Sharan Santhanam, Alexander Jung, Gaulthier Gain, Cyril Soldani, Costin Lupu, Ştefan Teodorescu, Costi Răducanu, Cristian Banu, Laurent Mathy, Răzvan Deaconescu, Costin Raiciu, and Felipe Huici. Unikraft: Fast, specialized unikernels the easy way. In Proceedings of the Sixteenth European Conference on Computer Systems, EuroSys '21, page 376--394, New York, NY, USA, 2021. Association for Computing Machinery.
[20]
Albert Kwon, Udit Dhawan, Jonathan M. Smith, Thomas F. Knight, and Andre DeHon. Low-fat pointers: Compact encoding and efficient gate-level implementation of fat pointers for spatial safety and capability-based security. CCS '13, page 721--732, New York, NY, USA, 2013. Association for Computing Machinery.
[21]
Hugo Lefeuvre, Vlad-Andrei Badoiu, Yi Chen, Felipe Huici, Nathan Dautenhahn, and Pierre Olivier. Assessing the impact of interface vulnerabilities in compartmentalized software. In 30th Annual Network and Distributed System Security Symposium, NDSS 2023, San Diego, California, USA, February 27-March 3, 2023. The Internet Society, 2023.
[22]
Hugo Lefeuvre, Vlad-Andrei Badoiu, Alexander Jung, Stefan Lucian Teodorescu, Sebastian Rauch, Felipe Huici, Costin Raiciu, and Pierre Olivier. Flexos: towards flexible OS isolation. In Babak Falsafi, Michael Ferdman, Shan Lu, and Thomas F. Wenisch, editors, ASPLOS '22:27th ACM International Conference on Architectural Support for Programming Languages and Operating Systems, Lausanne, Switzerland, 28 February 2022-4 March 2022, pages 467--482. ACM, 2022.
[23]
Hugo Lefeuvre, Vlad-Andrei Badoiu, Stefan Teodorescu, Pierre Olivier, Tiberiu Mosnoi, Razvan Deaconescu, Felipe Huici, and Costin Raiciu. Flexos: making OS isolation flexible. In Sebastian Angel, Baris Kasikci, and Eddie Kohler, editors, HotOS '21: Workshop on Hot Topics in Operating Systems, Ann Arbor, Michigan, USA, June, 1-3, 2021, pages 79--87. ACM, 2021.
[24]
ARM Limited. Arm Morello System Development Platform (SDP) Technical Reference Manual, 2022.
[25]
Shen Liu, Gang Tan, and Trent Jaeger. Ptrsplit: Supporting general pointers in automatic program partitioning. In Proceedings of the 24th ACM SIGSAC Conference on Computer and Communications Security, CCS'17. Association for Computing Machinery, 2017.
[26]
Arm Ltd. Arm® architecture reference manual supplement morello for a-profile architecture. Technical report, 2022.
[27]
Derrick Paul McKee, Yianni Giannaris, Carolina Ortega, Howard E. Shrobe, Mathias Payer, Hamed Okhravi, and Nathan Burow. Preventing kernel hacks with hakcs. In 29th Annual Network and Distributed System Security Symposium, NDSS 2022, San Diego, California, USA, April 24-28, 2022. The Internet Society, 2022.
[28]
Shravan Narayan, Craig Disselkoen, Tal Garfinkel, Nathan Froyd, Eric Rahm, Sorin Lerner, Hovav Shacham, and Deian Stefan. Retrofitting fine grain isolation in the firefox renderer. In Proceedings of the 29th USENIX Security Symposium, USENIX Security'20. USENIX Association, 2020.
[29]
Robert M Norton. Hardware support for compartmentalisation. Technical report, Cambridge, UK, 2016.
[30]
Niels Provos, Markus Friedl, and Peter Honeyman. Preventing privilege escalation. In 12th USENIX Security Symposium (USENIX Security 03), Washington, D.C., August 2003. USENIX Association.
[31]
J.H. "Saltzer and M.D." Schroeder. The protection of information in computer systems. Proceedings of the IEEE, 63(9):1278--1308, 1975.
[32]
Vasily A. Sartakov, Lluís Vilanova, David Eyers, Takahiro Shinagawa, and Peter Pietzuch. CAP-VMs: Capability-Based isolation and sharing in the cloud. In 16th USENIX Symposium on Operating Systems Design and Implementation (OSDI 22), pages 597--612, Carlsbad, CA, July 2022. USENIX Association.
[33]
Vasily A. Sartakov, Lluís Vilanova, and Peter R. Pietzuch. Cubicleos: a library OS with software componentisation for practical isolation. In Tim Sherwood, Emery D. Berger, and Christos Kozyrakis, editors, ASPLOS '21:26th ACM International Conference on Architectural Support for Programming Languages and Operating Systems, Virtual Event, USA, April 19-23, 2021, pages 546--558. ACM, 2021.
[34]
David Schrammel, Samuel Weiser, Stefan Steinegger, Martin Schwarzl, Michael Schwarz, Stefan Mangard, and Daniel Gruss. Donky: Domain keys -- efficient in-process isolation for RISC-V and x86. In Proceedings of the 29th USENIX Security Symposium, USENIX Security'20. USENIX Association, 2020.
[35]
Livio Soares and Michael Stumm. Flexsc: Flexible system call scheduling with exception-less system calls. In Osdi, volume 10, pages 33--46, 2010.
[36]
Mincheol Sung, Pierre Olivier, Stefan Lankes, and Binoy Ravindran. Intra-unikernel isolation with intel memory protection keys. In Proceedings of the 16th ACM SIGPLAN/SIGOPS International Conference on Virtual Execution Environments, VEE '20, page 143--156, New York, NY, USA, 2020. Association for Computing Machinery.
[37]
Anjo Vahldiek-Oberwagner, Eslam Elnikety, Nuno O. Duarte, Michael Sammler, Peter Druschel, and Deepak Garg. ERIM: Secure, efficient in-process isolation with protection keys (MPK). In Proceedings of the 28th USENIX Security Symposium, USENIX Security'19. USENIX Association, 2019.
[38]
Nicholas C. Wanninger, Joshua J. Bowden, Kirtankumar Shetty, Ayush Garg, and Kyle C. Hale. Isolating functions at the hardware limit with virtines. In Proceedings of the Seventeenth European Conference on Computer Systems, EuroSys '22, page 644--662, New York, NY, USA, 2022. Association for Computing Machinery.
[39]
Robert Watson. The arm morello board, 2022. https://www.cl.cam.ac.uk/research/security/ctsrd/cheri/cheri-morello.html.
[40]
Robert N. M. Watson, Robert M. Norton, Jonathan Woodruff, Simon W. Moore, Peter G. Neumann, Jonathan Anderson, David Chisnall, Brooks Davis, Ben Laurie, Michael Roe, Nirav H. Dave, Khilan Gudka, Alexandre Joannou, A. Theodore Markettos, Ed Maste, Steven J. Murdoch, Colin Rothwell, Stacey D. Son, and Munraj Vadera. Fast protection-domain crossing in the CHERI capability-system architecture. IEEE Micro, 36(5):38--49, 2016.
[41]
Robert N. M. Watson, Jonathan Woodruff, Peter G. Neumann, Simon W. Moore, Jonathan Anderson, David Chisnall, Nirav H. Dave, Brooks Davis, Khilan Gudka, Ben Laurie, Steven J. Murdoch, Robert M. Norton, Michael Roe, Stacey D. Son, and Munraj Vadera. CHERI: A hybrid capability-system architecture for scalable software compartmentalization. In 2015 IEEE Symposium on Security and Privacy, SP 2015, San Jose, CA, USA, May 17-21, 2015, pages 20--37. IEEE Computer Society, 2015.
[42]
Robert NM Watson, Alexander Richardson, Brooks Davis, John Baldwin, David Chisnall, Jessica Clarke, Nathaniel Filardo, Simon W Moore, Edward Napierala, Peter Sewell, et al. Cheri c/c++ programming guide. Technical report, Cambridge, UK, 2020.
[43]
Jonathan Woodruff, Robert NM Watson, David Chisnall, Simon W Moore, Jonathan Anderson, Brooks Davis, Ben Laurie, Peter G Neumann, Robert Norton, and Michael Roe. The cheri capability model: Revisiting risc in an age of risk. ACM SIGARCH Computer Architecture News, 42(3):457--468, 2014.
[44]
Yongzheng Wu, Sai Sathyanarayan, Roland H. C. Yap, and Zhenkai Liang. Codejail: Application-transparent isolation of libraries with tight program interactions. In Sara Foresti, Moti Yung, and Fabio Martinelli, editors, Proceedings of the 17th European Symposium on Research in Computer Security, pages 859--876. Springer Berlin Heidelberg, 2012.
[45]
Hongyan Xia, Jonathan Woodruff, Hadrien Barral, Lawrence Esswood, Alexandre Joannou, Robert Kovacsics, David Chisnall, Michael Roe, Brooks Davis, Edward Napierala, et al. Cherirtos: A capability model for embedded devices. In 2018 IEEE 36th International Conference on Computer Design (ICCD), pages 92--99. IEEE, 2018.
Index Terms
- Software Compartmentalization Trade-Offs with Hardware Capabilities
Recommendations
Spatiotemporal model of tripartite synapse with perinodal astrocytic process
AbstractInformation transfer may not be limited only to synapses. Therefore, the processes and dynamics of biological neuron-astrocyte coupling and intercellular interaction within this domain are worth investigating. Existing models of tripartite synapse ...
μBPF: Using eBPF for Microcontroller Compartmentalization
eBPF '24: Proceedings of the ACM SIGCOMM 2024 Workshop on eBPF and Kernel ExtensionsAlthough eBPF (Extended Berkeley Packet Filter) started as a virtualization technology used in the Linux kernel to allow for executing user code inside the kernel in a safe way, it is a general purpose software fault isolation technology. The ...
Selective hardware/software memory virtualization
VEE '11As virtualization becomes a key technique for supporting cloud computing, much effort has been made to reduce virtualization overhead, so a virtualized system can match its native performance. One major overhead is due to memory or page table ...
Comments
Information & Contributors
Information
Published In
October 2023
96 pages
ISBN:9798400704048
DOI:10.1145/3623759
Copyright © 2023 Owner/Author.
This work is licensed under a Creative Commons Attribution International 4.0 License.
Sponsors
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
Published: 23 October 2023
Check for updates
Author Tags
Qualifiers
- Short-paper
- Research
- Refereed limited
Funding Sources
Conference
SOSP '23
Sponsor:
Acceptance Rates
Overall Acceptance Rate 17 of 32 submissions, 53%
Upcoming Conference
SOSP '25
- Sponsor:
- sigops
Contributors
Other Metrics
Bibliometrics & Citations
Bibliometrics
Article Metrics
- 0Total Citations
- 335Total Downloads
- Downloads (Last 12 months)246
- Downloads (Last 6 weeks)29
Reflects downloads up to 14 Jan 2025
Other Metrics
Citations
View Options
Login options
Check if you have access through your login credentials or your institution to get full access on this article.
Sign in