Case Study: Securing Embedded Linux Using CHERI
Author: Hesham Almatary
Published: 2023-10-02, arXiv - CS - Operating Systems (arXiv:2310.00933), https://doi.org/arxiv-2310.00933
Citation count: 0
Abstract
The current embedded Linux variant lacks security because it does not have or use MMU support. It also does not use MPUs, as they do not fit its software model because of the design drawbacks of MPUs (i.e., coarse-grained protection with a fixed number of protected regions). We secure the existing embedded Linux version of the RISC-V port using CHERI. CHERI is a hardware-software capability-based system that leverages the ISA, toolchain, programming languages, operating systems, and applications in order to provide complete pointer and memory safety. We believe that CHERI could provide significant security guarantees for high-end dynamic embedded systems at lower cost, compared to MMUs and MPUs, by: 1) building the entire software stack in pure-capability CHERI C mode, which provides complete spatial memory safety at the kernel and user level; 2) isolating user programs as separate ELFs, each with its own CHERI-based capability table, which provides spatial memory safety similar to what the MMU offers (i.e., user programs cannot access each other's memory); 3) isolating user programs from the kernel, as the kernel has its own capability table separate from the users' and vice versa; and 4) compartmentalising kernel modules using CompartOS' linkage-based compartmentalisation. This offers a new security front that is not possible using the current MMU-based Linux: vulnerable or malicious kernel modules (e.g., device drivers) executing in kernel space would not compromise or take down the entire system. These are the four main contributions of this paper, presenting novel CHERI-based mechanisms to secure embedded Linux.