
Security Analysis of CHERI ISA

Conference: BlackHat USA 2021

2021-08-04

Summary

The presentation discusses the effectiveness of CHERI in mitigating spatial safety issues and explores the possibility of exploiting temporal safety issues in JSC (JavaScriptCore) on CheriBSD.
  • CHERI provides non-forgeable references to virtual memory, with bounds and permission checks at the architectural level, which achieves deterministic mitigation of spatial safety variants.
  • A CHERI-aware compiler and runtime can mitigate a wide range of bug classes.
  • Cornucopia and JIT are given as examples of software solutions for temporal safety issues.
  • The presentation introduces a bug in the array buffer to test CHERI's ability to mitigate temporal safety issues.
  • CHERI prevents reads through invalid capabilities, but the talk shows capabilities on the stack being read with re-entrancy applied to the length argument.
  • The presentation illustrates how to copy a capability from one place to another without losing the tag bit.
  • The presentation demonstrates how to trigger the issue twice to overwrite the source array.
The presentation introduces a bug in the array buffer to test CHERI's ability to mitigate temporal safety issues. By introducing a stack use-after-free (stack UAF), the presentation demonstrates how to copy a capability from one place to another without losing the tag bit. The presentation also shows how to trigger the issue twice to overwrite the source array.

Abstract

The CHERI ISA extension provides memory-protection features which allow historically memory-unsafe programming languages such as C and C++ to be adapted to provide robust, compatible, and efficient protections against many currently widely exploited memory safety vulnerabilities. In this talk, we will present a security analysis of the CHERI ISA and review which security guarantees are provided by the architecture and how compilers and software can use it to enforce a new level of memory safety in legacy code. To get a better and deeper understanding, we will go down the rabbit hole and exploit two vulnerabilities on cheribsd, a FreeBSD prototype built over CHERI in QEMU. We will reveal the strongest parts of CHERI during the exploitation process, alongside the areas that are still interesting for security research and might be a critical Achilles' heel of this new model. Finally, we will share the takeaways we had from this research and explain different approaches (both in Microsoft Research and in the external community) to mitigate attacks that are still possible with CHERI's current model.
