Enabling Security on the Edge: A CHERI Compartmentalized Network Stack
Donato Ferraro, Andrea Bastoni, Alexander Zuepke, Andrea Marongiu

TL;DR
This paper investigates using CHERI hardware security features to compartmentalize the network stack in embedded systems, aiming to improve security without sacrificing performance.
Contribution
It demonstrates the feasibility and benefits of applying CHERI-based compartmentalization to network components in embedded systems on the Arm Morello platform.
Findings
CHERI can effectively isolate network components, reducing attack surface.
Compartmentalization maintains performance levels comparable to non-isolated systems.
Security improvements are achieved with minimal performance overhead.
Abstract
The widespread deployment of embedded systems in critical infrastructures, interconnected edge devices like autonomous drones, and smart industrial systems requires robust security measures. Compromised systems increase the risks of operational failures, data breaches, and -- in safety-critical environments -- potential physical harm to people. Despite these risks, current security measures are often insufficient to fully address the attack surfaces of embedded devices. CHERI provides strong security from the hardware level by enabling fine-grained compartmentalization and memory protection, which can reduce the attack surface and improve the reliability of such devices. In this work, we explore the potential of CHERI to compartmentalize one of the most critical and targeted components of interconnected systems: their network stack. Our case study examines the trade-offs of isolating…
