Re: Capabilities, Anybody?

Liste des GroupesRevenir à c arch 
Sujet : Re: Capabilities, Anybody?
De : cr88192 (at) *nospam* gmail.com (BGB)
Groupes : comp.arch
Date : 14. Mar 2024, 18:08:12
Autres entêtes
Organisation : A noiseless patient Spider
Message-ID : <usvb0b$1o6gl$1@dont-email.me>
References : 1 2 3 4 5 6 7
User-Agent : Mozilla Thunderbird
On 3/14/2024 7:37 AM, Theo Markettos wrote:
BGB <cr88192@gmail.com> wrote:
Presumably, in addition to the code, one needs some way for the code to
be able to access its own ".data" and ".bss" sections when called.
 AIUI you derive a capability from PCC (the PC capability) that gives you
access to your local 'captable', which then holds pointers to your other
objects.  The captable can be read-only but the capabilities inside it can
be writable (ie pointers allow you to write to your globals etc).
 
Some options:
    PC-relative:
      Unclear if valid in this case.
    GOT:
      Table of pointers to things, loaded somehow.
      One example here being the ELF FDPIC ABI.
    Reloading a Global Pointer via a lookup table accessed via itself.
      This is what my ABI uses...
>
I couldn't seem to find any technical descriptions of the CHERI/Morello
ABI. I had made a guess that it might work similar to FDPIC, as this
could be implemented without needing to use raw addresses (and seemed
like a "best fit").
 This is a description of the linkage model for CHERI MIPS; I'm not aware of
anything having changed significantly for RISC-V or Morello, although exact
usage of registers etc will be different.
 https://www.cl.cam.ac.uk/research/security/ctsrd/pdfs/20190113-cheri-linkage.pdf
 This also describes the OS-facing ABI on CheriBSD:
https://www.cl.cam.ac.uk/research/security/ctsrd/pdfs/201904-asplos-cheriabi.pdf
 
OK, cool.
I think I get it now:
You are using PC-rel within functions to load a capability to gain access to global variables.
This is admittedly a different approach than what I had guessed.
I guess this works (and is secure) so long as only the callee can load capabilities from within the region specified by the function-pointer capability, but the caller can not load capabilities from it.
Though, admittedly, this would be less directly applicable to my own system, where code and data sections are managed separately from each other (one shared copy of the .text section may have multiple task instances each with their own copies of the .data/.bss sections).
So, at least, in my case there would still be a potential weakness in being able to walk the global pointer. Seems I will need to think up a workaround.
Though, I guess one possibility could be to support a special-case instruction for GBR reloads.
In my ISA, with my existing ABI, it looks something like:
   MOV.Q  (GBR, 0), R18
   MOV    #Index, R0   //*
   MOV.Q  (R18, R0), R18
   MOV    R18, GBR
(*: There are more efficient ways to load an index, but this is what I had specified in the ABI. Could eliminate this constant load if the ABI allows using a jumbo-prefix here. )
In the 128-bit secure ABI, possibly something like:
   XMOV.X (R40, 0), R18
   MOV    #Index, R0
   XMOV.X (R18, R0), R40
(Say, with R40 taking over the role of the Global Pointer from GBR).
But, might be better, say, to repurpose GBR itself as the Global Pointer table:
   MOV.X (GBR, Disp33), R40 //*
( *: Here, will assume that any implementation capable of this mode, will also be able to support Jumbo prefixes... )
With (PC, Disp) and (GBR, Disp) loads being allowed, but most other use of the normal MOV.x instructions being disallowed. Similarly, GBR could become a read-only register in this mode.
If the programs can be disallowed from crafting their own machine-code, then it becomes possible to check these instructions at load-time.
Though, the global-pointer weakness would re-appear if the program is allowed to JIT compile stuff.
Though, this risk could be reduced by assigning the indices with random numbers (so, the program has no way of knowing which entry in the table belongs to which library, or which are valid and which are traps).
Well, at least, assuming the caller can't perform loads through function pointers, and then proceed to mine the offset from the function's prolog sequence.
I guess, this isn't perfect, but this would at least avoid needing to invent new mechanisms in the ISA.
...

Theo

Date Sujet#  Auteur
9 Mar 24 * Capabilities, Anybody?78Lawrence D'Oliveiro
9 Mar 24 +* Re: Capabilities, Anybody?74mitchalsup@aol.com (MitchAlsup1)
9 Mar 24 i+- Re: Capabilities, Anybody?1BGB
9 Mar 24 i+* Re: Capabilities, Anybody?71BGB
9 Mar 24 ii+* Re: Capabilities, Anybody?61Robert Finch
9 Mar 24 iii+- Re: Capabilities, Anybody?1Lawrence D'Oliveiro
10 Mar 24 iii`* Re: Capabilities, Anybody?59BGB
10 Mar 24 iii +- Re: Capabilities, Anybody?1Chris M. Thomasson
10 Mar 24 iii `* Re: Capabilities, Anybody?57Theo Markettos
10 Mar 24 iii  +* Re: Capabilities, Anybody?4John Dallman
11 Mar 24 iii  i`* Re: Capabilities, Anybody?3Theo
17 Mar 24 iii  i `* Re: Capabilities, Anybody?2John Dallman
18 Mar 24 iii  i  `- Re: Capabilities, Anybody?1Robert Finch
10 Mar 24 iii  +* Re: Capabilities, Anybody?19MitchAlsup1
11 Mar 24 iii  i`* Re: Capabilities, Anybody?18Theo Markettos
11 Mar 24 iii  i +* Re: Capabilities, Anybody?10MitchAlsup1
11 Mar 24 iii  i i`* Re: Capabilities, Anybody?9Theo Markettos
11 Mar 24 iii  i i +- Re: Capabilities, Anybody?1George Neuner
11 Mar 24 iii  i i `* Re: Capabilities, Anybody?7Michael S
11 Mar 24 iii  i i  +- Re: Capabilities, Anybody?1Michael S
11 Mar 24 iii  i i  `* Re: Capabilities, Anybody?5Michael S
11 Mar 24 iii  i i   `* Broken Date formats4Michael S
11 Mar 24 iii  i i    `* Re: Broken Date formats3Michael S
11 Mar 24 iii  i i     `* Re: Broken Date formats2Michael S
11 Mar 24 iii  i i      `- Re: Broken Date formats1Michael S
11 Mar 24 iii  i `* Re: Capabilities, Anybody?7Chris M. Thomasson
12 Mar 24 iii  i  `* Re: Capabilities, Anybody?6Chris M. Thomasson
13 Mar 24 iii  i   `* Re: Capabilities, Anybody?5BGB
14 Mar 24 iii  i    `* Re: Capabilities, Anybody?4Chris M. Thomasson
14 Mar 24 iii  i     `* Re: Capabilities, Anybody?3BGB
14 Mar 24 iii  i      `* Re: Capabilities, Anybody?2Chris M. Thomasson
16 Mar 24 iii  i       `- Re: Capabilities, Anybody?1BGB
10 Mar 24 iii  `* Re: Capabilities, Anybody?33BGB
11 Mar 24 iii   `* Re: Capabilities, Anybody?32Robert Finch
11 Mar 24 iii    `* Re: Capabilities, Anybody?31BGB
13 Mar 24 iii     `* Re: Capabilities, Anybody?30Robert Finch
13 Mar 24 iii      +* Re: Capabilities, Anybody?24MitchAlsup1
13 Mar 24 iii      i`* Re: Capabilities, Anybody?23Robert Finch
13 Mar 24 iii      i +* Re: Capabilities, Anybody?21MitchAlsup1
14 Mar 24 iii      i i`* Re: Capabilities, Anybody?20Robert Finch
14 Mar 24 iii      i i +- Re: Capabilities, Anybody?1Lawrence D'Oliveiro
14 Mar 24 iii      i i `* Re: Capabilities, Anybody?18MitchAlsup1
14 Mar 24 iii      i i  `* Re: Capabilities, Anybody?17Lawrence D'Oliveiro
14 Mar 24 iii      i i   +* Re: Capabilities, Anybody?10MitchAlsup1
14 Mar 24 iii      i i   i`* Re: Capabilities, Anybody?9Lawrence D'Oliveiro
15 Mar 24 iii      i i   i `* Re: Capabilities, Anybody?8MitchAlsup1
15 Mar 24 iii      i i   i  +* Re: Capabilities, Anybody?2Chris M. Thomasson
15 Mar 24 iii      i i   i  i`- Re: Capabilities, Anybody?1Chris M. Thomasson
15 Mar 24 iii      i i   i  `* Re: Capabilities, Anybody?5Lawrence D'Oliveiro
15 Mar 24 iii      i i   i   `* Re: Capabilities, Anybody?4Chris M. Thomasson
15 Mar 24 iii      i i   i    `* Re: Capabilities, Anybody?3Lawrence D'Oliveiro
15 Mar 24 iii      i i   i     `* Re: Capabilities, Anybody?2Lawrence D'Oliveiro
15 Mar 24 iii      i i   i      `- Re: Capabilities, Anybody?1Chris M. Thomasson
14 Mar 24 iii      i i   +* Re: Capabilities, Anybody?5Lawrence D'Oliveiro
15 Mar 24 iii      i i   i`* Re: Capabilities, Anybody?4MitchAlsup1
15 Mar 24 iii      i i   i +- Re: Capabilities, Anybody?1Lawrence D'Oliveiro
18 Mar 24 iii      i i   i +- Re: Capabilities, Anybody?1Paul A. Clayton
18 Mar 24 iii      i i   i `- Re: Capabilities, Anybody?1MitchAlsup1
15 Mar 24 iii      i i   `- Re: Capabilities, Anybody?1MitchAlsup1
14 Mar 24 iii      i `- Re: Capabilities, Anybody?1Theo Markettos
13 Mar 24 iii      `* Re: Capabilities, Anybody?5BGB
14 Mar 24 iii       `* Re: Capabilities, Anybody?4Robert Finch
14 Mar 24 iii        `* Re: Capabilities, Anybody?3BGB
14 Mar 24 iii         +- Re: Capabilities, Anybody?1Lawrence D'Oliveiro
15 Mar 24 iii         `- Re: Capabilities, Anybody?1MitchAlsup1
10 Mar 24 ii`* Re: Capabilities, Anybody?9Theo Markettos
11 Mar 24 ii `* Re: Capabilities, Anybody?8BGB
11 Mar 24 ii  +* Re: Capabilities, Anybody?2Robert Finch
12 Mar 24 ii  i`- Re: Capabilities, Anybody?1BGB
12 Mar 24 ii  +* Re: Capabilities, Anybody?2BGB
12 Mar 24 ii  i`- Re: Capabilities, Anybody?1MitchAlsup1
14 Mar 24 ii  `* Re: Capabilities, Anybody?3Theo Markettos
14 Mar 24 ii   +- Re: Capabilities, Anybody?1MitchAlsup1
14 Mar 24 ii   `- Re: Capabilities, Anybody?1BGB
9 Mar 24 i`- Re: Capabilities, Anybody?1Lawrence D'Oliveiro
9 Mar 24 `* Re: Capabilities, Anybody?3Robert Finch
9 Mar 24  `* Re: Capabilities, Anybody?2Lawrence D'Oliveiro
9 Mar 24   `- Re: Capabilities, Anybody?1Robert Finch

Haut de la page

Les messages affichés proviennent d'usenet.

NewsPortal