Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Secure Rewind and Discard on ARM Morello

Sacha Ruchlejmer

TL;DR

This work addresses resilience against memory-safety attacks by porting Secure Domain Rewind and Discard (SDRaD) to the CHERI Arm Morello platform. It leverages CHERI's fine-grained memory protection to implement a lightweight, in-process domain mechanism with per-domain heaps, a trampoline-based context save/restore workflow, and a CHERI-aware protection violation handler. The key contributions include the CHERI-SDRaD library (≈1.2k lines of code), a Domain Manager with domain nesting, a TLSF-backed per-domain allocator adapted for capabilities, and a Nginx case study showing only about 2.2% throughput degradation. The results demonstrate improved resilience with modest performance impact and remove MPK-specific limitations, making this approach practical for service-oriented applications on CHERI-enabled hardware.

Abstract

Memory-unsafe programming languages such as C and C++ are the preferred languages for systems programming, embedded systems, and performance-critical applications. The widespread use of these languages makes the risk of memory-related attacks very high. There are well-known detection mechanisms, but they do not address software resilience. An earlier approach proposes the Secure Domain Rewind and Discard (SDRaD) of isolated domains as a method to enhance the resilience of software targeted by runtime attacks on x86 architecture, based on hardware-enforced Memory Protection Key (MPK). In this work, SDRaD has been adapted to work with the Capability Hardware Enhanced RISC Instructions (CHERI) architecture to be more lightweight and performant. The results obtained in this thesis show that CHERI-SDRaD, the prototype adaption that leverages the memory-safety properties inherent to the CHERI architecture, results in a solution with less performance degradation (2.2% in Nginx benchmarks) compared to earlier results obtained with the original SDRaD prototype on an Intel-based architecture. The adaption to CHERI additionally allowed limitations inherent to the MPK-based approach to be resolved.

Secure Rewind and Discard on ARM Morello

TL;DR

This work addresses resilience against memory-safety attacks by porting Secure Domain Rewind and Discard (SDRaD) to the CHERI Arm Morello platform. It leverages CHERI's fine-grained memory protection to implement a lightweight, in-process domain mechanism with per-domain heaps, a trampoline-based context save/restore workflow, and a CHERI-aware protection violation handler. The key contributions include the CHERI-SDRaD library (≈1.2k lines of code), a Domain Manager with domain nesting, a TLSF-backed per-domain allocator adapted for capabilities, and a Nginx case study showing only about 2.2% throughput degradation. The results demonstrate improved resilience with modest performance impact and remove MPK-specific limitations, making this approach practical for service-oriented applications on CHERI-enabled hardware.

Abstract

Memory-unsafe programming languages such as C and C++ are the preferred languages for systems programming, embedded systems, and performance-critical applications. The widespread use of these languages makes the risk of memory-related attacks very high. There are well-known detection mechanisms, but they do not address software resilience. An earlier approach proposes the Secure Domain Rewind and Discard (SDRaD) of isolated domains as a method to enhance the resilience of software targeted by runtime attacks on x86 architecture, based on hardware-enforced Memory Protection Key (MPK). In this work, SDRaD has been adapted to work with the Capability Hardware Enhanced RISC Instructions (CHERI) architecture to be more lightweight and performant. The results obtained in this thesis show that CHERI-SDRaD, the prototype adaption that leverages the memory-safety properties inherent to the CHERI architecture, results in a solution with less performance degradation (2.2% in Nginx benchmarks) compared to earlier results obtained with the original SDRaD prototype on an Intel-based architecture. The adaption to CHERI additionally allowed limitations inherent to the MPK-based approach to be resolved.
Paper Structure (33 sections, 10 figures, 1 table)

This paper contains 33 sections, 10 figures, 1 table.

Table of Contents

  1. Introduction
  2. Background
  3. Memory safety
  4. Memory violations
  5. Runtime attacks
  6. Control-flow attacks
  7. Buffer overflows
  8. Data-oriented attacks
  9. Capability Hardware Enhanced RISC Instructions
  10. Capability-Based addressing
  11. CHERI capability layout
  12. Arm Morello Board
  13. Secure Domain Rewind and Discard
  14. Problem Statement: Limitation with CHERI and other defenses
  15. Secure Domain Rewind and Discard on Arm Morello Board
  16. ...and 18 more sections

Figures (10)

  • Figure 1: Capability representation.
  • Figure 2: CHERI capability layout, adapted from intro_cheri.
  • Figure 3: Handling buffer overflows with canaries.
  • Figure 4: Handling buffer overflows with CHERI.
  • Figure 5: High-level idea of SDRaD for CHERI, adapted from gulmez2023.
  • ...and 5 more figures