CHERI for Hypervisors and Operating Systems (CHaOS)

用于虚拟机管理程序和操作系统 (CHaOS) 的 CHERI

• 批准号: EP/V000292/1
• 负责人: Robert Watson
• 金额: $ 111.92万
• 依托单位: University of Cambridge
• 依托单位国家: 英国
• 项目类别: Research Grant
• 财政年份: 2020
• 资助国家: 英国
• 起止时间: 2020 至 无数据
• 项目状态: 未结题
• 来源: https://gtr.ukri.org/projects?ref=EP%2FV000292%2F1
• 关键词: CHERI; Hypervisors; Operating; Systems; CHaOS

Software compartmentalisation is the decomposition of larger software packages - such as web browser or OS kernels - into isolated components. Each is granted limited rights to utilize system services or communicate with other isolated components. Intuitively, vulnerability mitigation from compartmentalisation is grounded in the principle of least privilege, which argues that security is improved by minimising the set of privileges available to those required. Compromised software will yield fewer rights and limit further attack surfaces to a successful attacker.In prior work, we have developed CHERI, a set of architectural extensions to RISC instruction-set architectures to support efficient, fine-grained memory protection and scalable software compartmentalisation. Supported by the UK Industrial Strategy Challenge Fund (ISCF), Arm is creating the Morello CPU, SoC, and board, a high-end, industrial-quality demonstrator of the CHERI principles embodied within a commercial hardware design. This platform has the potential to support far more granular and more easily integrated compartmentalization support than convention hardware designs. However, the current research software stacks for CHERI have been almost entirely focused on memory protection rather than compartmentalisation -- in part because the software operational models associated with CHERI-based compartmentalisation have not yet been established.We propose to design, prototype, and evaluate new CHERI-based compartmentalisation techniques usable to support fine-grained, scalable software compartmentalisation of real-world software on the Morello board, building a deep understanding (as well as practical prototypes) spanning a rich range of use cases and operational models. CHaOS will enable extensive adoption of software compartmentalisation in systems software stacks, offering strong mitigation for many known (and also still-to-be-discovered) vulnerability classes and exploit techniques affecting server, desktop, mobile, and embedded systems.CHaOS will investigate the hypotheses that: (1) CHERI can support multiple effective operational models for compartmentalisation; (2) approaches to CHERI compartmentalisation must cater to substantial differences up and down the systems stack; (3) detailed elaboration of compartmentalisation will turn up critical practical considerations (e.g., as relates to debugging); and (4) further refinement of the CHERI (and Morello) architectures may be required as a result of lessons learned in this work.We will explore these hypotheses across the systems software stack: the hypervisor, general-purpose OS kernel, and user applications. Our existing open-source corpus adapted for CHERI memory safety will be our starting point: the FreeBSD kernel and userspace, the PostgreSQL database, and Apple's WebKit. With our industrial partners on this proposal (Arm, Google, HPI, and Microsoft), we will extend our investigation to include Arm's Morello Android, Google's Hafnium hypervisor, HPI's printer software stack, and Microsoft's Verona language runtime.

软件划分是将较大的软件包（如Web浏览器或操作系统内核）分解为独立的组件。每个组件都被授予有限的权限，以使用系统服务或与其他隔离组件通信。直观地说，来自划分的漏洞缓解基于最小特权原则，该原则认为通过最大限度地减少所需权限来提高安全性。受损的软件将产生更少的权利，并限制进一步的攻击面成功的attacker.In以前的工作中，我们已经开发了CHERI，一组架构扩展RISC的配置集架构，以支持高效，细粒度的内存保护和可扩展的软件划分。在英国工业战略挑战基金（ISCF）的支持下，Arm正在创建Morello CPU，SoC和电路板，这是一个高端，工业质量的CHERI原则演示器，体现在商业硬件设计中。该平台有可能支持比传统硬件设计更细粒度和更容易集成的划分支持。然而，目前的研究软件栈CHERI已经几乎完全集中在内存保护，而不是划分-部分原因是软件操作模型与CHERI为基础的划分尚未建立。我们建议设计，原型，并评估新的基于CHERI的划分技术，可用于支持细粒度，在Morello板上对真实世界的软件进行可扩展的软件划分，建立对丰富用例和操作模型的深刻理解（以及实用原型）。CHaOS将使系统软件栈中的软件划分得到广泛采用，为许多已知的（也是有待发现的）影响服务器、桌面、移动的和嵌入式系统的漏洞类别和利用技术。CHaOS将调查以下假设：（1）CHERI可以支持多种有效的划分操作模型;（2）CHERI划分的方法必须满足系统堆栈上下的实质性差异;（3）划分的详细阐述将引起关键的实际考虑（例如，与调试有关）;以及（4）由于在这项工作中吸取的经验教训，可能需要进一步改进CHERI（和Morello）体系结构。我们将在系统软件栈中探索这些假设：管理程序、通用操作系统内核和用户应用程序。我们现有的适用于CHERI内存安全的开源语料库将是我们的起点：FreeBSD内核和用户空间，PostgreSQL数据库和Apple的WebKit。与我们的工业合作伙伴（Arm，Google，HPI和Microsoft）一起，我们将扩大我们的调查范围，包括Arm的Morello Android，Google的Hafektop hypervisor，HPI的打印机软件堆栈和Microsoft的Verona语言运行时。

项目成果

The Arm Morello Evaluation Platform-Validating CHERI-Based Security in a High-Performance System

Arm Morello 评估平台 - 在高性能系统中验证基于 CHERI 的安全性

• DOI: 10.1109/mm.2023.3264676
• 发表时间: 2023
• 期刊: IEEE Micro
• 影响因子: 3.6
• 作者: Grisenthwaite R