Security Analysis of CHERI ISA

Presented at Black Hat USA 2021, Aug. 4, 2021, 10:20 a.m. (40 minutes)

The CHERI ISA extension provides memory-protection features which allow historically memory-unsafe programming languages such as C and C++ to be adapted to provide robust, compatible, and efficient protections against many currently widely exploited memory safety vulnerabilities.

In this talk, we will present a security analysis of the CHERI ISA and review which security guarantees are provided by the architecture and how compilers and software can use it to enforce a new level of memory safety in legacy code. To get a better and deeper understanding, we will go down the rabbit hole and exploit two vulnerabilities on CheriBSD, a FreeBSD prototype built on CHERI and run in QEMU. We will reveal the strongest parts of CHERI during the exploitation process, alongside the areas that remain interesting for security research and might be a critical Achilles' heel of this new model.

Finally, we will share the takeaways we had from this research and explain different approaches (both in Microsoft Research and in the external community) to mitigate attacks that are still possible with CHERI's current model.

Presenters:

  • Nicolas Joly - Security Engineer, Microsoft
    Nicolas Joly is a Security Engineer at the Microsoft Security Response Center in the UK. He has more than 10 years of experience in reverse engineering and vulnerability discovery, and is now focused on finding and exploiting bugs. Prior to this, he hunted bugs for bounties and won Pwn2Own several times with VUPEN Security.
  • Saar Amar - Security Researcher, Microsoft
    Saar Amar is an expert security researcher at MSRC and is proficient in vulnerability research and exploitation. He is highly experienced in reverse engineering, low-level internals, and cloud security. He has found and reliably exploited major vulnerabilities in different operating systems, hypervisors, and browsers. He is currently focusing on mitigations research. He speaks at international cybersecurity conferences around the world, and regularly publishes original research and findings.