Implement CHERI framework

[hexydec]

Description

Recently at the CYBERUK23 conference, I went to a session about secure computing. A very interesting talk highlighting that 70% of all software vulnerabilities are rooted in buffer overflows.

Rust is a language that was developed with memory management built in to prevent this class of vulnerabilities, but that does not address the huge corpus of C and C++ code out there. Most solutions currently are a bit cumbersome, and either require big code changes or have a detrimental effect on performance.

Over the last 10 years, the University of Cambridge with support from Arm, Microsoft, Google and others have developed Capability Hardware Enhanced RISC Instructions (CHERI), a framework for preventing buffer overflows on C and C++. It requires minimal code changes (In the talk they said around 0.03%), and has a very small performance penalty, as the underlying code is implemented in around 300 instructions all together.

Interestingly whilst there are around 40m+ lines of open source Rust code, there is actually now around 100m+ lines of open source C and C++ code adapted to be compiled with CHERI.

Owing to the popularity of PHP, I thought this might be a useful tool to make it more secure. Read more here:

CHERI Frequently Asked Questions

CHERI Software Stack

[iluuu1994]

I haven't heard of CHERI so I gave it a quick read.

From https://www.cl.cam.ac.uk/research/security/ctsrd/cheri/cheri-faq.html:

CHERI refers to Capability Hardware Enhanced RISC Instructions, an Instruction-Set Architecture (ISA) extension that implements a hybrid capability-system model providing fine-grained memory protection and scalable software compartmentalisation within architectural address spaces (e.g., within user processes or the kernel). CHERI capabilities are a new hardware data type intended to support the robust and secure implementation of pointers.

It sounds like the goal of this research is to have buffer overflow protection at a hardware level in production. To make use of this you need support for the extended instruction set in your CPU. To date, it sounds like nobody implements this instruction set, it's just specified and has a QEMU emulator.

To date, our published research has been based on the 64-bit MIPS ISA; MIPS was the dominant RISC ISA in use in 2010 when the project began. We have a fully elaborated CHERI-MIPS ISA including formal model of the instruction set (which have been used for security proofs), executable QEMU model, and Bluespec SystemVerilog (BSV) implementation targeted at FPGA.

Note that we already use AddressSanitizer, which instruments the compiled code with buffer overflow checks. This has a a performance penalty but is not intended for production usage. From my limited understanding, CHERI + QEMU sounds like a slower way to achieve similar results.

Please correct me if I misunderstood anything, but at this point it doesn't seem like this research is something we can directly profit from.

[hexydec]

I am a PHP developer, and only have limited experience with C and C++. From what I understood, it is a new data type for handling pointers. This seems to be implemented through their own compiler which compiles to the specific architectures they mention, to enable the pointers to be memory safe.

It may not be the right fit at this stage of development, but definitely something to keep an eye on. They have already developed CHERI compiled versions of FreeBSD, WebKit and Nginx, whether these have been deployed into production yet is not clear to me. From the talk I got the impression that there was some momentum behind this to get more code converted, and for the industry to work together to eradicate this class of vulnerabilities, so I am just getting the awareness out there.

Appreciate your time looking into this and hope it will be something that will bear fruit in the future.

[iluuu1994]

From what I understood, it is a new data type for handling pointers. This seems to be implemented through their own compiler which compiles to the specific architectures they mention, to enable the pointers to be memory safe.

Indeed, but the catch is that it's compiled to an extended instruction set of other common instruction sets. The FAQ says that their research "has been based on the 64-bit MIPS ISA". This means, the code that it generates doesn't actually run on normal MIPS processors. The same goes for x86.

We have also developed an "architectural sketch" of a CHERI-x86-64 that extends the 64-bit x86 ISA with CHERI support.

So unfortunately, unless you have CHERI hardware, you can't make use of this safety. If these kinds of processors become popular then this is certainly worth considering.

Thanks for spreading the awareness! I'll keep my eyes open 🙂 Atm there's nothing we can do.