Tradeoff

CheriABI1 – Chapter 4.1 Implementation Tradeoffs

Choices:

  • Method of handling system call capability arguments;
  • Kernel capability programming model (inline assembly, hybrid C, or pure-capability C);
  • Making CheriABI the default ABI vs a compatibility ABI.

Declaration annotation model: rejected, for compatibility.

System-call stub/proxy model: rejected.

  • Used in CHERI JNI. Can enforce capability restrictions only if the caller is inside a sandbox and unable to make system calls directly.
  • Requires expensive copying semantics to prevent concurrency vulnerabilities[^2007watson].

Verification-based approach: rejected. Here generated code would check that the capabilities passed to system calls had appropriate bounds and permissions. It has a serious drawback that outweighs its advantage:

  • Drawback: time-of-check to time-of-use vulnerability.
  • Advantage: “less effort to get basic pure-capability binaries up and running. Aided by the fact that FreeBSD generates many aspects of system-call tables using a script, so additional code generation could be slotted in with relative ease.”

Capability as first-class citizen: final choice, where “capabilities are carried down the call stack and are first class citizens in the kernel”. “In doing so, we converted the kernel to a hybrid program, eliminating the use of inline assembly macros in favor of annotated capabilities and compiler provided __builtin_* functions. However, the hybrid kernel was fairly invasive.”

  • Each system call needs to be handled manually.
  • All code that handles user pointers needs to be modified to accept capabilities.
  • Code that handles objects containing capabilities needed to be modified to use annotated versions of the objects.
  • To keep legacy binaries working, transformations are needed to unify the type of storage used between legacy and CheriABI. In practice, this meant converting legacy virtual-address-based pointers into capabilities.
  • Sentinels in place of pointers: SIG_DFL, SIG_IGN, or a signal handler function pointer (__sighandler_t *) ==> create any such sentinel capability with its offset from NULL instead of from the thread’s DDC.
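The sentinel point above, as an added toy model (not CheriABI or FreeBSD code): a legacy handler value of 1 (SIG_IGN) converted via the DDC becomes a tagged pointer to address 1, while the same value rebuilt from NULL stays an untagged sentinel that the kernel's exact-equality check recognises. The `cap_t` struct, the `DDC` value and the function names are assumptions; real CHERI capabilities are architectural values with hardware tags.

```c
/* Toy model of capability handling for legacy signal handlers: an added
 * example, not code from CheriABI/FreeBSD. cap_t and DDC are assumptions. */
#include <stdbool.h>
#include <stdint.h>

typedef struct {
    bool     tag;    /* true: valid, dereferenceable capability */
    uint64_t base;   /* lower bound */
    uint64_t length; /* bounds length */
    uint64_t offset; /* address = base + offset */
} cap_t;

/* Assumed default data capability for a legacy process: whole address space. */
static const cap_t DDC      = { true,  0, UINT64_MAX, 0 };
static const cap_t NULL_CAP = { false, 0, 0,          0 };

static cap_t    cap_setoffset(cap_t c, uint64_t off) { c.offset = off; return c; }
static uint64_t cap_address(cap_t c)                 { return c.base + c.offset; }

/* Exact comparison (tag, bounds and offset), like CHERI's CExEq. */
static bool cap_exact_equal(cap_t a, cap_t b) {
    return a.tag == b.tag && a.base == b.base &&
           a.length == b.length && a.offset == b.offset;
}

/* Sentinels carry an offset from NULL, so they stay untagged. */
#define SIG_DFL_CAP cap_setoffset(NULL_CAP, 0)
#define SIG_IGN_CAP cap_setoffset(NULL_CAP, 1)

/* Naive conversion: every legacy value becomes a DDC-derived capability.
 * SIG_IGN (1) turns into a tagged pointer to address 1, so the sentinel
 * check fails and signal delivery would try to call address 1. */
static cap_t legacy_to_cap_naive(uint64_t vaddr) {
    return cap_setoffset(DDC, vaddr);
}

/* Unifying conversion: sentinel values are recognised first and rebuilt
 * from NULL; only real handler addresses are derived from DDC. */
static cap_t legacy_handler_to_cap(uint64_t vaddr) {
    if (vaddr == 0) return SIG_DFL_CAP;
    if (vaddr == 1) return SIG_IGN_CAP;
    return cap_setoffset(DDC, vaddr);
}

/* The questions a kernel signal-delivery path asks of a stored handler. */
static bool handler_is_ignored(cap_t h) { return cap_exact_equal(h, SIG_IGN_CAP); }
static bool handler_is_callable(cap_t h) {
    return h.tag && !cap_exact_equal(h, SIG_DFL_CAP) && !cap_exact_equal(h, SIG_IGN_CAP);
}
```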

[^2007watson] Watson, R. N. M. Exploiting concurrency vulnerabilities in system call wrappers. WOOT workshop, USENIX Security, 2007.

  1. CheriABI, UCAM-CL-TR-932, 2019.
Created Aug 24, 2019 // Last Updated Aug 24, 2019
