Jacqueline Henes, Marius Muench, David Oswald, Hany Ragab

Talk: Transient-execution attacks on the CHERI Morello platform

Introduction

Talk: transient-execution attacks on the cheri morello platform. Explore transient-execution attacks like Spectre on the CHERI Morello platform. Learn how CHERI's capability-based architecture, OS & compiler affect microarchitectural exploits and system security.

Abstract

CHERI (Capability Hardware Enhanced RISC Instructions) is a capability-based ISA extension providing spatial memory protection and compartmentalisation. CHERI capabilities show a lot of promise in securing computer systems from common access control and memory safety exploits, but as CHERI implementations continue to mature it is important to consider other attack vectors. One class of attacks that become relevant with the introduction of superscalar and out-of-order CHERI-based processors are transient-execution attacks such as Spectre and Meltdown. Given the ISA overhaul required when porting any given architecture to a CHERI model, these changes will necessarily affect the efficacy of these microarchitectural attacks. This is particularly apparent when looking at design decisions such as how and when capabilities are invalidated in the speculative path, or what triggers an exception as opposed to simply making the capability invalid. Reproducing these attacks is the first step, as new architectural primitives also opens the door for new CHERI-specific microarchitectural exploits that bypass protection model guarantees. Our current work involves exploring what CHERI does to both mitigate and exacerbate transient-execution attacks, focussing on the Arm Morello prototype implementation of the CHERI ISA to ARMv8-A. The talk will cover porting the Spectre-PHT and Spectre-BTB attacks to CheriBSD, an operating system designed to take full advantage of CHERI's protection model. We will discuss current Arm Morello test results about how changes to capability metadata such as bounds, addresses, and permissions behave in the speculative path - in particular, how good practice that makes full use of capabilities protects systems from Spectre-style vulnerabilities. Design considerations unique to not only the CHERI model but to the OS and compiler will also be demonstrated, such as compiling in hybrid vs 'purecap' mode, and compiler options determining how capability bounds are set.

Review

The abstract for "Talk: Transient-execution attacks on the CHERI Morello platform" introduces a highly timely and critical area of research at the intersection of advanced hardware security and microarchitectural vulnerabilities. CHERI (Capability Hardware Enhanced RISC Instructions) represents a significant architectural shift promising robust spatial memory protection and compartmentalization, fundamentally addressing a vast array of memory safety and access control exploits. However, as CHERI implementations, particularly superscalar and out-of-order processors like the Arm Morello, mature, the authors astutely identify the necessity of scrutinizing their resilience against sophisticated transient-execution attacks, such as Spectre and Meltdown. This work directly addresses the crucial question of how CHERI's distinct architectural primitives impact the efficacy of these speculative execution vulnerabilities. The proposed talk outlines a compelling methodology centered on porting well-known transient-execution attacks, specifically Spectre-PHT and Spectre-BTB, to the CheriBSD operating system running on the Arm Morello prototype. A key strength of this approach is its focus on understanding the nuanced behavior of CHERI capability metadata—including bounds, addresses, and permissions—within the speculative execution path. The authors plan to demonstrate how design choices unique to the CHERI model, such as capability invalidation logic and exception triggering mechanisms, influence attack vectors. Furthermore, the work intends to explore practical implications arising from the software stack, including the distinction between hybrid and 'purecap' compilation modes and the impact of compiler options on capability bounds, providing valuable insights into real-world CHERI system security. This research holds significant promise for advancing the understanding and practical deployment of secure CHERI systems. By dissecting the interplay between CHERI's architectural guarantees and microarchitectural attack surfaces, the work aims not only to reproduce existing attacks but also to uncover potentially novel CHERI-specific exploits that might bypass protection model guarantees. Crucially, the talk promises to highlight how 'good practice' utilizing CHERI capabilities can mitigate Spectre-style vulnerabilities, offering actionable guidance for developers and system designers. The insights gained from this investigation are essential for ensuring that the profound security benefits of CHERI are not inadvertently undermined by the complexities of modern processor design, making this a highly relevant and impactful contribution to the field of computer security.

Full Text

Comments

You need to be logged in to post a comment.