A Security Analysis of CheriBSD and Morello Linux
Dariy Guzairov, Alex Potanin, Stephen Kell, Alwen Tiu
TL;DR
The paper investigates CHERI-based compartmentalisation in Morello Linux and CheriBSD, revealing practical bypasses that can escape isolated compartments. It introduces Recursive Capability Scanning to reveal the transitive reachability of capabilities from an initial pointer. Four attack surfaces—stack walking, a dlopen infoleak, heap scavenging, and heap storing—are demonstrated, with Morello Linux more susceptible due to weaker mitigations and CheriBSD showing improvements via c18n and heap revocation. A PoC demonstrates exfiltration of a private key from the main binary, emphasizing the need for robust sealing and dynamic-linker hardening. Overall, the work highlights that while CHERI enhances memory-safety and isolation, real-world compartmentalisation remains vulnerable to information leaks and linker-related flaws, motivating stronger mitigations and secure key-handling practices.
Abstract
Memory corruption attacks have been prevalent in software for a long time. Some mitigation strategies against these attacks do exist, but they are not as far-reaching or as efficient as the CHERI architecture. CHERI uses capabilities to restrict pointers to certain regions of memory and with certain access restrictions. These capabilities are also used to implement "compartmentalisation": dividing a binary into smaller components with limited privilege, while adhering to the principle of least privilege. However, while this architecture successfully mitigates memory corruption attacks, the compartmentalisation mechanisms in place are less effective in containing malicious code to a separate compartment. This paper details four ways to bypass compartmentalisation, with a focus on Linux and BSD operating systems ported to this architecture. We find that although compartmentalisation is implemented in these two operating systems, simple bugs and attacks can still allow malicious code to bypass it. We conclude with mitigation measures to prevent these attacks, a proof-of-concept demonstrating their use, and recommendations for further securing Linux and BSD against unknown attacks.
