A Security Analysis of CheriBSD and Morello Linux

TL;DR

This paper evaluates the effectiveness of compartmentalisation in CHERI-enabled Linux and BSD systems, revealing vulnerabilities that allow malicious code to bypass security measures despite the architecture's protections.

Contribution

It identifies four methods to bypass compartmentalisation in CHERI-based Linux and BSD, highlighting existing weaknesses and proposing mitigation strategies.

Findings

Compartmentalisation can be bypassed with simple bugs and attacks.

Four specific bypass methods are demonstrated.

Mitigation measures and proof-of-concept attacks are provided.

Abstract

Memory corruption attacks have been prevalent in software for a long time. Some mitigation strategies against these attacks do exist, but they are not as far-reaching or as efficient as the CHERI architecture. CHERI uses capabilities to restrict pointers to certain regions of memory and with certain access restrictions. These capabilities are also used to implement "compartmentalisation": dividing a binary into smaller components with limited privilege, while adhering to the principle of least privilege. However, while this architecture successfully mitigates memory corruption attacks, the compartmentalisation mechanisms in place are less effective in containing malicious code to a separate compartment. This paper details four ways to bypass compartmentalisation, with a focus on Linux and BSD operating systems ported to this architecture. We find that although compartmentalisation is implemented in these two operating systems, simple bugs and attacks can still allow malicious code to bypass it. We conclude with mitigation measures to prevent these attacks, a proof-of-concept demonstrating their use, and recommendations for further securing Linux and BSD against unknown attacks.