Exploring Software Compartmentalisation with Hardware Capabilities

Student thesis: Master of Philosophy

Abstract

Compartmentalisation is a form of defensive software design in which an application is broken down into isolated but communicating compartments. Retrofitting compartmentalisation into existing applications is often thought to be expensive in terms of both engineering effort and performance overhead. ARM Morello combines a modern ARM processor with an implementation of Capability Hardware Enhanced RISC Instructions (CHERI), aiming to provide efficient and secure compartmentalisation by using CHERI capabilities to isolate portions of code and data. CHERI provides a hybrid mode, in which capabilities can be used alongside standard pointers in software. This promises to reduce the engineering burden of implementing compartmentalisation in legacy software by eliminating the need to port entire code bases. This thesis explores the compartmentalisation schemes available to developers in a single address space environment with CHERI in hybrid mode, and then proposes two approaches representing different trade-offs in terms of engineering effort, security, scalability, and performance impact. These approaches are described, implemented and evaluated on a prototype unikernel running bare metal on the Morello chip, compartmentalising two popular applications, SQLite and Libsodium. Unikernels feature no memory isolation between the kernel and the application, with both occupying the same address space for performance reasons, which raises security concerns. CHERI compartmentalisation in hybrid mode is therefore explored as a way to establish isolation between components within a unikernel, with a potentially low engineering effort, while preserving the performance advantages of sharing a single address space. The evaluation shows that CHERI in hybrid mode can achieve compartmentalisation within a single address space unikernel environment, at a performance overhead comparable to that achieved with Intel MPK and lower than that achieved with Intel EPT.
Furthermore, it shows that the isolation achieved outperforms the user-kernel separation provided by Linux. However, the evaluation demonstrates that the engineering cost of applying CHERI compartmentalisation in hybrid mode using fine-grained capabilities for inter-compartment communication is high, making this approach impractical outside of small-scale scenarios. To tackle this issue, an alternative data-sharing method is proposed, which trades off scalability and security to reduce the engineering effort.
Date of Award: 31 Dec 2023
Original language: English
Awarding Institution:
  • The University of Manchester
Supervisors: Pierre Olivier (Supervisor) & Mikel Luján (Supervisor)

Keywords

  • CHERI
  • Compartmentalisation
  • System Security
  • Isolation
  • Performance Evaluation
  • ARM
  • Morello
