Class: ‘sandbox class’ is an instance of code that may be sandboxed and invoked, along with statistics/monitoring information, etc. (see lib/libcheri/libcheri_sandbox_internal.h)
Object: ‘sandbox object’, or sandbox instance, is an in-flight combination of code and data. Currently, due the compiler limitations, we must conflate the ‘code’, ‘heap’, and ‘stack’, but eventually would like to allow one VM mapping of code to serve many object instances. This would also ease supporting multithreaded objects. (see lib/libcheri/libcheri_sandbox_internal.h)
A sandbox is composed of a sandbox class and an object:
/*
* A classic 'sandbox' is actually a combination of a sandbox class and a
* sandbox object. We continue to support this model as it is used in some
* CHERI demo and test code.
*/
struct sandbox {
struct sandbox_class *sb_sandbox_classp;
struct sandbox_object *sb_sandbox_objectp;
};A sandbox class contains:
statistics of the class.
// file:
// lib/libcheri/libcheri_sandbox_internal.h
#define SANDBOX_CLASS_METHOD_COUNT 32
struct sandbox_class {
char *sbc_path;
int sbc_fd;
struct stat sbc_stat;
#ifdef SPLIT_CODE_DATA
size_t sbc_codelen;
void *sbc_codemem;
struct sandbox_map *sbc_codemap;
#endif
struct sandbox_map *sbc_datamap;
#ifdef SPLIT_CODE_DATA
/*
* The class's code capabilities, in various incarnations required for
* class creation. These will be used for all objects in the class.
*/
void * __capability sbc_classcap_rtld; /* Ctor/dtor */
void * __capability sbc_classcap_invoke; /* Object invoke */
#endif
/*
* Class CCall methods.
*/
struct sandbox_provided_classes *sbc_provided_classes;
struct sandbox_required_methods *sbc_required_methods;
/*
* Class and invoke() method statistics.
*/
struct sandbox_class_stat *sbc_sandbox_class_statp;
struct sandbox_method_stat *sbc_sandbox_method_nonamep;
struct sandbox_method_stat *sbc_sandbox_methods[
SANDBOX_CLASS_METHOD_COUNT];
};A sandbox object includes:
sbo_cheri_object_system;private data for system objects;
struct
#if _MIPS_SZCAP == 128
__attribute__ ((aligned(4096)))
#endif
sandbox_object {
/*
* IMPORTANT: These fields must be at the top of the sandbox_object,
* and in this specific order, as corresponding offsets to them are
* included in assembly domain-transition code in
* cheri_ccall_trampoline.S.
*
* sbo_idc IDC to install for both rtld and invocation entry.
* The entry vector code will also use this
* capability, with offset set to zero, as the
* installed DDC.
*
* sbo_rtld_pcc PCC to install for rtld operations.
*
* sbo_invoke_pcc PCC to install on invocation.
*
* sbo_vtable VTable pointer used for CHERI system classes;
* unused for loaded (confined) classes.
*
* sbo_ddc DDC to install on invocation.
*
* sbo_csp CSP to install on invocation.
*
* These capabilities are used by libcheri itself when accessing data
* from within the CCall trampoline, so that we don't have to assume
* that the sandbox_object pointer is DDC-relative:
*
* sbo_libcheri_tls Access TLS relative to this register.
*
* XXXRW: It would be nice if the offsets to these fields were in
* shared headers, allowing compile-time asserts to be used to check
* binary compatibility has not been broken.
*/
void * __capability sbo_idc; /* Capability offset 0. */
void * __capability sbo_rtld_pcc; /* Capability offset 1. */
void * __capability sbo_invoke_pcc;/* Capability offset 2. */
void * __capability sbo_vtable; /* Capability offset 3. */
void * __capability sbo_ddc; /* Capability offset 4. */
void * __capability sbo_libcheri_tls; /* Capability offset 5. */
void * __capability sbo_csp; /* Capability offset 6. */
union {
int sbo_busy; /* Capability offset 7. */
void * __capability _sbo_reserved; /* Pad to capability size. */
};
/*
* Further fields are unknown to the assembly domain-transition code.
*/
struct sandbox_class *sbo_sandbox_classp;
struct sandbox_object *sbo_sandbox_system_objectp;
void *sbo_datamem;
void *sbo_stackmem;
register_t sbo_datalen;
register_t sbo_heapbase;
register_t sbo_heaplen;
register_t sbo_stacklen;
uint sbo_flags; /* Sandbox flags. */
/*
* Sealed code and data capabilities suitable to access the object's
* run-time linker methods and also general object-capability
* invocation.
*/
struct cheri_object sbo_cheri_object_rtld;
struct cheri_object sbo_cheri_object_invoke;
/*
* System-object capabilities that can be passed to the object via
* sandbox metadata.
*/
struct cheri_object sbo_cheri_object_system;
/*
* Stack capability that will also be installed in the object during
* domain transition.
*/
void * __capability sbo_stackcap;
/*
* Sandbox statistics.
*/
struct sandbox_object_stat *sbo_sandbox_object_statp;
/*
* Private data for system objects -- e.g., for cheri_fd, a pointer to
* file-descriptor data.
*/
void * __capability sbo_private_data;
};
If you could revise
the fundmental principles of
computer system design
to improve security...
... what would you change?