Cornucopia: Temporal Safety for CHERI Heaps

Filardo, Nathaniel Wesley; Gutstein, Brett F.; Woodruff, Jonathan; Ainsworth, Sam; Paul-Trifu, Lucian; Davis, Brooks; Xia, Hongyan; Napierala, Edward; Richardson, Alexander; Baldwin, John A.; Chisnall, David; Clarke, Jessica; Gudka, Khilan; Joannou, Alexandre; Markettos, A. Theodore; Mazzinghi, Alfredo; Norton, Robert M.; Roe, Michael; Sewell, Peter; Son, Stacey; Jones, Timothy M.; Moore, Simon W.; Neumann, Peter G.; Watson, Robert N. M.

doi:10.1109/sp40000.2020.00098

Cited by 26 publications

(15 citation statements)

References 35 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…More importantly, due to the limited size of the quarantine memory where the freed objects are residing, this technique can detect UAF attacks only probabilistically. Therefore, to guarantee deterministic detection of UAF attacks with a low overhead, pSweeper [14], CRCount [11], MarkUs [10], CHERIvoke [9], and Cornucopia [8] have added optimization mechanisms to this deferred free scheme. For example, pSweeper runs pointer nullification in a separate thread.…”

Section: Related Workmentioning

confidence: 99%

“…UAFs are prevalent across applications, as demonstrated in the statistical report of the MITRE where it ranks among the top 25 most dangerous software errors [1]. To date, a lot of techniques [2], [3], [4], [5], [6], [7], [8], [9], [10], [11], [12], [13], [14], [15], [16], [17] have been invented to stymie UAF attacks in question.…”

Section: Introductionmentioning

confidence: 99%

“…To prevent UAF attacks that exploit dangling pointers, locks are invalidated as soon as the corresponding objects are freed, rendering the keys of associated dangling pointers outdated. In contrast, the latter relies on compiler instrumentation [2], [3], [5], [11] or garbage collection like solutions [8], [9], [10], [14]. Compiler based solutions require source code, which hampers its general adoption in practice.…”

Section: Introductionmentioning

confidence: 99%

“…Compiler based solutions require source code, which hampers its general adoption in practice. Some of GC-based techniques necessitate hardware modifications [8], [9] or entail runtime overhead, despite being disguised by concurrency and generous provisioning of compute and memory resources [18].…”

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

Enhancing a Lock-and-Key Scheme With MTE to Mitigate Use-After-Frees

Bang,

Kayondo,

You

et al. 2024

IEEE Access

View full text Add to dashboard Cite

Preventing Use-After-Free (UAF) bugs is crucial to ensure temporal memory safety. Against UAF attacks, much research has adopted a well-known approach, lock-and-key, in which unique, disposable locks and keys are first assigned respectively to objects and pointers, and then on every memory access, checked for a match. Attention has been drawn again to this approach by recent work that capitalizes on a vast abundance of virtual address (VA) space in the lock assignment, thus being able to prevent UAFs in stripped binary. However, as this VA-based lock-and-key scheme tends to rapidly consume virtual space, it is likely to suffer from high performance overhead. In this paper, we propose a new scheme, called the VA tagging, whose goal is to tackle this performance problem with the support of the Memory Tagging Architecture (MTA) introduced in several commodity processors. In our scheme, the original VA-based locks are augmented with tags of MTA. As a VA-based lock can be assigned to multiple objects with different tags, the same VA is reused for many objects without compromising temporal safety. We have observed in our experiments that this tagging scheme lowers the VA consumption rate drastically by one order of magnitude. We implement a light-weight memory allocator, Vatalloc, by modifying existing allocators, dlmalloc and jemalloc, to employ the VA tagging scheme for efficient prevention of UAFs. Our evaluation shows that Vatalloc with allocator modifications only incurs 1.70 % (on dlmalloc) and 3.05 % (on jemalloc) of runtime overhead without considering performance degradation of MTE. As a result of simulating the tagging architecture assuming the worst-case, postulating MTE precise trapping mode incurs performance overhead of 30.9 % based on dlmalloc, and 25.5 % based on jemalloc. If imprecise mode is assumed, the slowdown is measured 16.9 % for dlmalloc and 12.0 % for jemalloc respectively. Vatalloc only incurs 19.0 % and 3.0 % memory overhead for dlmalloc and jemalloc respectively.

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Enhancing a Lock-and-Key Scheme With MTE to Mitigate Use-After-Frees

Bang,

Kayondo,

You

et al. 2024

IEEE Access

View full text Add to dashboard Cite

show abstract

“…The CHERI [53] capability architecture, summarized in §2.1, has shown promise as a technology for C and C++ language reference integrity and spatial safety, with overheads acceptable for general-purpose computing [51]. Strategies for C/C++ heap temporal safety atop CHERI have emerged, most notably CHERIvoke [58] and its successor Cornucopia [23], suggesting viability of a sweeping revocation approach ( §2.2).…”

Section: Introductionmentioning

confidence: 99%

Cornucopia Reloaded: Load Barriers for CHERI Heap Temporal Safety

Filardo,

Gutstein,

Woodruff

et al. 2024

Proceedings of the 29th ACM International Conference on Architectural Support for Programming Languages and Operating Systems,

Self Cite

View full text Add to dashboard Cite

Violations of temporal memory safety ("use after free", "UAF") continue to pose a significant threat to software security. The CHERI capability architecture has shown promise as a technology for C and C++ language reference integrity and spatial memory safety. Building atop CHERI, prior works -CHERIvoke and Cornucopia -have explored adding heap temporal safety. The most pressing limitation of Cornucopia was its impractical "stop-the-world" pause times.We present Cornucopia Reloaded, a re-designed drop-in replacement implementation of CHERI temporal safety, using a novel architectural feature -a per-page capability load barrier, added in Arm's Morello prototype CPU and CHERI-RISC-V -to nearly eliminate application pauses. We analyze the performance of Reloaded as well as Cornucopia and CHERIvoke on Morello, using the CHERI-compatible SPEC CPU2006 INT workloads to assess its impact on batch workloads and using pgbench and gRPC QPS as surrogate interactive workloads. Under Reloaded, applications no longer experience significant revocation-induced stop-the-world periods, without additional wall-or CPU-time cost over Cornucopia and with median 87% of Cornucopia's DRAM traffic overheads across SPEC CPU2006 and < 50% for pgbench.CCS Concepts • Software and its engineering → Software safety; • Security and privacy → Operating systems security; • Hardware → Emerging architectures.

show abstract

Verified Security for the Morello Capability-enhanced Prototype Arm Architecture

Bauereiss

Campbell

Sewell

et al. 2022

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

Memory safety bugs continue to be a major source of security vulnerabilities in our critical infrastructure. The CHERI project has proposed extending conventional architectures with hardware-supported capabilities to enable fine-grained memory protection and scalable compartmentalisation, allowing historically memory-unsafe C and C++ to be adapted to deterministically mitigate large classes of vulnerabilities, while requiring only minor changes to existing system software sources. Arm is currently designing and building Morello, a CHERI-enabled prototype architecture, processor, SoC, and board, extending the high-performance Neoverse N1, to enable industrial evaluation of CHERI and pave the way for potential mass-market adoption. However, for such a major new security-oriented architecture feature, it is important to establish high confidence that it does provide the intended protections, and that cannot be done with conventional engineering techniques.In this paper we put the Morello architecture on a solid mathematical footing from the outset. We define the fundamental security property that Morello aims to provide, reachable capability monotonicity, and prove that the architecture definition satisfies it. This proof is mechanised in Isabelle/HOL, and applies to a translation of the official Arm specification of the Morello instruction-set architecture (ISA) into Isabelle. The main challenge is handling the complexity and scale of a production architecture: 62,000 lines of specification, translated to 210,000 lines of Isabelle. We do so by factoring the proof via a narrow abstraction capturing essential properties of arbitrary CHERI ISAs, expressed above a monadic intra-instruction semantics. We also develop a model-based test generator, which generates instruction-sequence tests that give good specification coverage, used in early testing of the Morello implementation and in Morello QEMU development, and we use Arm’s internal test suite to validate our model.This gives us machine-checked mathematical proofs of whole-ISA security properties of a full-scale industry architecture, at design-time. To the best of our knowledge, this is the first demonstration that that is feasible, and it significantly increases confidence in Morello.

show abstract

Cornucopia: Temporal Safety for CHERI Heaps

Cited by 26 publications

References 35 publications

Enhancing a Lock-and-Key Scheme With MTE to Mitigate Use-After-Frees

Enhancing a Lock-and-Key Scheme With MTE to Mitigate Use-After-Frees

Cornucopia Reloaded: Load Barriers for CHERI Heap Temporal Safety

Verified Security for the Morello Capability-enhanced Prototype Arm Architecture

Contact Info

Product

Resources

About