Re: Capabilities, Anybody?

Liste des GroupesRevenir à c arch 
Sujet : Re: Capabilities, Anybody?
De : theom+news (at) *nospam* chiark.greenend.org.uk (Theo Markettos)
Groupes : comp.arch
Date : 10. Mar 2024, 16:42:11
Autres entêtes
Organisation : University of Cambridge, England
Message-ID : <Rry*0u3Ez@news.chiark.greenend.org.uk>
References : 1 2 3 4
User-Agent : tin/1.8.3-20070201 ("Scotasay") (UNIX) (Linux/5.10.0-22-amd64 (x86_64))
BGB <cr88192@gmail.com> wrote:
There CHERI designs on silicon in existence
 
https://www.morello-project.org/

Member of the CHERI team here...

Main open question is if they can deliver enough on their claims in a
way that justifies the cost of the memory tagging (eg, where one needs
to tag whether or not each memory location holds a valid capability).

Crudely speaking, it's 1/128 of memory so 0.78%.  Through use of
a tag cache you don't need to have a speciifc 129th bit on your DRAM
(although that's an option, like ECC) but can just wall off a piece of
regular DRAM and use it for a tag table that's accessed via the tag cache.
You only pay the cost for DRAM you actually have (eg one tag table per DIMM,
sized for that DIMM).

The tag cache can also be compressed[1] so that if a memory page has no
capabilities you don't need to store tags for it.  This reduces tag cache
bandwidth further.

As I see it, "locking things down" would likely require turning things
like "malloc()/free()", "dlopen()/dlsym()/...", etc, into system calls
(and generally giving the kernel a much more active role in this process).

You don't need memory allocations to be system calls, because capabilities
can be manipulated in userspace (which is a key design goal).  ie if
malloc() possesses a capability to 1MB of memory and a client requests 100
bytes, it can take its 1MB capability, offset the base to point to the start
of the allocation, set the offset to zero, and shrink the top to be
base+100, and then return that 100-byte capability.

In a Unix OS, userspace malloc() does occasionally need to make a syscall -
when it runs out of memory pages on hand it has to ask the kernel to
allocate it some more via mmap().  But this is orthogonal to use of
capabilities (which are virtually addressed in such a system).

For dynamic linking, you need something that holds capabilities that allow
you to turn read-write memory into read-execute memory.  That can be part of
the dynamic linker or part of the OS.  Since you are typically making
syscalls to read the shared library from disc anyway, as well as marking RW
pages as RX pages in the page table, the OS is already involved.

But, say, note that it would not be sufficient, say, for things like
sandboxing hostile code within a shared address space with another
program that needs to be kept protected.
 
 
Granted, the strength could likely be improved (in the face of trying to
prevent hostile code from being able to steal capabilities) through
creative use of ASLR. Along with ABI features, such as "scratch register
scrubbing" (say, loading zeroes into scratch registers on function
return, such as to prevent capabilities from being leaked through via
registers), marking function pointers as "Execute Only" etc.
 
As noted, a capability system would likely still be pretty strong
against things like buffer overflows (but if only being used to mitigate
buffer overflows, is a bit overkill; so the main "interesting" case is
if it can be used to make an "unbreakable sandbox" for potentially
hostile machine code).

Code capabilities prevent a lot of control flow attacks, because you can
only execute code you have capabilities to.  For example you're in a
function - you possess a return address capability (which has bounds based
on your local environment or compartment you're in) so you can manipulate
the address of that return address, but you can't jump to arbitrary code and
you can't forge return addresses.  So no stack smashing, no ROP/JOP attacks,
etc.

Through setting the bounds on a code capability you can sandbox small pieces
of code to a function granularity, which is more efficient than typical MMU
sandboxing.

*: If it is possible to perform a Load or (worse, Capability Load)
through a function pointer, this is likely to be a significant attack
vector. Need to make it so that function pointers can only be used to
call things. Protecting against normal data loads would be needed mostly
to try to prevent code from being able to gain access to a known pointer
and possibly side-step the ASLR (say, if it can figure out that the
address it wants to access is reachable from a capability that the code
has access to).

You can't arbitrarily change data to code capabilities - they are different
types.

It is likely that the capability memory tagging would need to be managed
by the L2 cache. Would need some mechanism for the tag-bits memory (say,
2MB for 256MB at 1b per 16B line). Would also need to somehow work this
flag bit into the ringbus messaging.

AXI has user fields which can be used for sending capabilities across the
interconnect, through third party AXI IPs like muxes, arbiters, etc.

Theo

[1] https://www.cl.cam.ac.uk/research/security/ctsrd/pdfs/201711-iccd2017-efficient-tags.pdf

Date Sujet#  Auteur
9 Mar 24 * Capabilities, Anybody?78Lawrence D'Oliveiro
9 Mar 24 +* Re: Capabilities, Anybody?74mitchalsup@aol.com (MitchAlsup1)
9 Mar 24 i+- Re: Capabilities, Anybody?1BGB
9 Mar 24 i+* Re: Capabilities, Anybody?71BGB
9 Mar 24 ii+* Re: Capabilities, Anybody?61Robert Finch
9 Mar 24 iii+- Re: Capabilities, Anybody?1Lawrence D'Oliveiro
10 Mar 24 iii`* Re: Capabilities, Anybody?59BGB
10 Mar 24 iii +- Re: Capabilities, Anybody?1Chris M. Thomasson
10 Mar 24 iii `* Re: Capabilities, Anybody?57Theo Markettos
10 Mar 24 iii  +* Re: Capabilities, Anybody?4John Dallman
11 Mar 24 iii  i`* Re: Capabilities, Anybody?3Theo
17 Mar 24 iii  i `* Re: Capabilities, Anybody?2John Dallman
18 Mar 24 iii  i  `- Re: Capabilities, Anybody?1Robert Finch
10 Mar 24 iii  +* Re: Capabilities, Anybody?19MitchAlsup1
11 Mar 24 iii  i`* Re: Capabilities, Anybody?18Theo Markettos
11 Mar 24 iii  i +* Re: Capabilities, Anybody?10MitchAlsup1
11 Mar 24 iii  i i`* Re: Capabilities, Anybody?9Theo Markettos
11 Mar 24 iii  i i +- Re: Capabilities, Anybody?1George Neuner
11 Mar 24 iii  i i `* Re: Capabilities, Anybody?7Michael S
11 Mar 24 iii  i i  +- Re: Capabilities, Anybody?1Michael S
11 Mar 24 iii  i i  `* Re: Capabilities, Anybody?5Michael S
11 Mar 24 iii  i i   `* Broken Date formats4Michael S
11 Mar 24 iii  i i    `* Re: Broken Date formats3Michael S
11 Mar 24 iii  i i     `* Re: Broken Date formats2Michael S
11 Mar 24 iii  i i      `- Re: Broken Date formats1Michael S
11 Mar 24 iii  i `* Re: Capabilities, Anybody?7Chris M. Thomasson
12 Mar 24 iii  i  `* Re: Capabilities, Anybody?6Chris M. Thomasson
13 Mar 24 iii  i   `* Re: Capabilities, Anybody?5BGB
14 Mar 24 iii  i    `* Re: Capabilities, Anybody?4Chris M. Thomasson
14 Mar 24 iii  i     `* Re: Capabilities, Anybody?3BGB
14 Mar 24 iii  i      `* Re: Capabilities, Anybody?2Chris M. Thomasson
16 Mar 24 iii  i       `- Re: Capabilities, Anybody?1BGB
10 Mar 24 iii  `* Re: Capabilities, Anybody?33BGB
11 Mar 24 iii   `* Re: Capabilities, Anybody?32Robert Finch
11 Mar 24 iii    `* Re: Capabilities, Anybody?31BGB
13 Mar 24 iii     `* Re: Capabilities, Anybody?30Robert Finch
13 Mar 24 iii      +* Re: Capabilities, Anybody?24MitchAlsup1
13 Mar 24 iii      i`* Re: Capabilities, Anybody?23Robert Finch
13 Mar 24 iii      i +* Re: Capabilities, Anybody?21MitchAlsup1
14 Mar 24 iii      i i`* Re: Capabilities, Anybody?20Robert Finch
14 Mar 24 iii      i i +- Re: Capabilities, Anybody?1Lawrence D'Oliveiro
14 Mar 24 iii      i i `* Re: Capabilities, Anybody?18MitchAlsup1
14 Mar 24 iii      i i  `* Re: Capabilities, Anybody?17Lawrence D'Oliveiro
14 Mar 24 iii      i i   +* Re: Capabilities, Anybody?10MitchAlsup1
14 Mar 24 iii      i i   i`* Re: Capabilities, Anybody?9Lawrence D'Oliveiro
15 Mar 24 iii      i i   i `* Re: Capabilities, Anybody?8MitchAlsup1
15 Mar 24 iii      i i   i  +* Re: Capabilities, Anybody?2Chris M. Thomasson
15 Mar 24 iii      i i   i  i`- Re: Capabilities, Anybody?1Chris M. Thomasson
15 Mar 24 iii      i i   i  `* Re: Capabilities, Anybody?5Lawrence D'Oliveiro
15 Mar 24 iii      i i   i   `* Re: Capabilities, Anybody?4Chris M. Thomasson
15 Mar 24 iii      i i   i    `* Re: Capabilities, Anybody?3Lawrence D'Oliveiro
15 Mar 24 iii      i i   i     `* Re: Capabilities, Anybody?2Lawrence D'Oliveiro
15 Mar 24 iii      i i   i      `- Re: Capabilities, Anybody?1Chris M. Thomasson
14 Mar 24 iii      i i   +* Re: Capabilities, Anybody?5Lawrence D'Oliveiro
15 Mar 24 iii      i i   i`* Re: Capabilities, Anybody?4MitchAlsup1
15 Mar 24 iii      i i   i +- Re: Capabilities, Anybody?1Lawrence D'Oliveiro
18 Mar 24 iii      i i   i +- Re: Capabilities, Anybody?1Paul A. Clayton
18 Mar 24 iii      i i   i `- Re: Capabilities, Anybody?1MitchAlsup1
15 Mar 24 iii      i i   `- Re: Capabilities, Anybody?1MitchAlsup1
14 Mar 24 iii      i `- Re: Capabilities, Anybody?1Theo Markettos
13 Mar 24 iii      `* Re: Capabilities, Anybody?5BGB
14 Mar 24 iii       `* Re: Capabilities, Anybody?4Robert Finch
14 Mar 24 iii        `* Re: Capabilities, Anybody?3BGB
14 Mar 24 iii         +- Re: Capabilities, Anybody?1Lawrence D'Oliveiro
15 Mar 24 iii         `- Re: Capabilities, Anybody?1MitchAlsup1
10 Mar 24 ii`* Re: Capabilities, Anybody?9Theo Markettos
11 Mar 24 ii `* Re: Capabilities, Anybody?8BGB
11 Mar 24 ii  +* Re: Capabilities, Anybody?2Robert Finch
12 Mar 24 ii  i`- Re: Capabilities, Anybody?1BGB
12 Mar 24 ii  +* Re: Capabilities, Anybody?2BGB
12 Mar 24 ii  i`- Re: Capabilities, Anybody?1MitchAlsup1
14 Mar 24 ii  `* Re: Capabilities, Anybody?3Theo Markettos
14 Mar 24 ii   +- Re: Capabilities, Anybody?1MitchAlsup1
14 Mar 24 ii   `- Re: Capabilities, Anybody?1BGB
9 Mar 24 i`- Re: Capabilities, Anybody?1Lawrence D'Oliveiro
9 Mar 24 `* Re: Capabilities, Anybody?3Robert Finch
9 Mar 24  `* Re: Capabilities, Anybody?2Lawrence D'Oliveiro
9 Mar 24   `- Re: Capabilities, Anybody?1Robert Finch

Haut de la page

Les messages affichés proviennent d'usenet.

NewsPortal