CHERIoT: Complete Memory Safety for Embedded Devices
S Amar, D Chisnall, T Chen, NW Filardo… - Proceedings of the 56th …, 2023 - dl.acm.org
Proceedings of the 56th Annual IEEE/ACM International Symposium on …, 2023•dl.acm.org
The ubiquity of embedded devices is apparent. The desire for increased functionality and
connectivity drives ever larger software stacks, with components from multiple vendors and
entities. These stacks should be replete with isolation and memory safety technologies, but
existing solutions impinge upon development, unit cost, power, scalability, and/or real-time
constraints, limiting their adoption and production-grade deployments. As memory safety
vulnerabilities mount, the situation is clearly not tenable and a new approach is needed. To …
connectivity drives ever larger software stacks, with components from multiple vendors and
entities. These stacks should be replete with isolation and memory safety technologies, but
existing solutions impinge upon development, unit cost, power, scalability, and/or real-time
constraints, limiting their adoption and production-grade deployments. As memory safety
vulnerabilities mount, the situation is clearly not tenable and a new approach is needed. To …
The ubiquity of embedded devices is apparent. The desire for increased functionality and connectivity drives ever larger software stacks, with components from multiple vendors and entities. These stacks should be replete with isolation and memory safety technologies, but existing solutions impinge upon development, unit cost, power, scalability, and/or real-time constraints, limiting their adoption and production-grade deployments. As memory safety vulnerabilities mount, the situation is clearly not tenable and a new approach is needed.
To slake this need, we present a novel adaptation of the CHERI capability architecture, co-designed with a green-field, security-centric RTOS. It is scaled for embedded systems, is capable of fine-grained software compartmentalization, and provides affordances for full inter-compartment memory safety. We highlight central design decisions and offloads and summarize how our prototype RTOS uses these to enable memory-safe, compartmentalized applications. Unlike many state-of-the-art schemes, our solution deterministically (not probabilistically) eliminates memory safety vulnerabilities while maintaining source-level compatibility. We characterize the power, performance, and area microarchitectural impacts, run microbenchmarks of key facilities, and exhibit the practicality of an end-to-end IoT application. The implementation shows that full memory safety for compartmentalized embedded systems is achievable without violating resource constraints or real-time guarantees, and that hardware assists need not be expensive, intrusive, or power-hungry.
ACM Digital Library