|
| 1 | +--- |
| 2 | +layout: post |
| 3 | +title: "CHERIoT at CyberUK" |
| 4 | +date: 2024-05-13 |
| 5 | +categories: conference |
| 6 | +author: "David Chisnall" |
| 7 | +--- |
| 8 | + |
| 9 | + |
| 10 | + |
| 11 | +This week, we'll be doing some CHERIoT demos at CyberUK in Birmingham. |
| 12 | +If you're going to be at CyberUK, come and see us, we'll be at stand C2 in Hall 3 on level 4! |
| 13 | + |
| 14 | +We're doing two demos. |
| 15 | +One is the world's most over-engineered light switch. |
| 16 | +This is using a pair of Arty A7 FPGAs to run the CHERIoT Ibex and our prototype [compartmentalised network stack](https://github.com/CHERIoT-Platform/network-stack). |
| 17 | +This small example has ten compartments: |
| 18 | + |
| 19 | + - The RTOS scheduler |
| 20 | + - The RTOS shared heap allocator |
| 21 | + - The FreeRTOS+TCP TCP/IP stack |
| 22 | + - The BearSSL TLS 1.2 stack |
| 23 | + - The FreeRTOS SNTP library |
| 24 | + - The on-device firewall |
| 25 | + - The network control plane |
| 26 | + - The FreeRTOS coreMQTT library |
| 27 | + - The demo control loop, which fetches JavaScript bytecode from MQTT and manages watchdogs |
| 28 | + - The JavaScript runner |
| 29 | + |
| 30 | +All of this (including the JavaScript VM) runs in a total of 256 KiB of RAM (for code and data), with complete spatial and temporal memory safety. |
| 31 | +Every network packet is in a separate heap allocation and so inherits the same use-after-free protection. |
| 32 | + |
| 33 | +The JavaScript uses one of the switches on the dev board to determine the mode. |
| 34 | +In one mode, it will publish the positions of two switches to the MQTT server, in the other it will subscribe to those MQTT nodes and |
| 35 | + |
| 36 | +This shows an end-to-end CHERI client-server system. |
| 37 | +The tiny embedded devices are CHERIoT, the server side is [CheriBSD](https://www.cheribsd.org) on [Morello](https://www.morello-project.org). |
| 38 | +It's running the [Mosquitto](https://mosquitto.org) MQTT server, which is built as a CHERI pure-capability process and so also has complete spatial and temporal memory safety, though no compartmentalisation (yet!), on the server. |
| 39 | +This demonstrates a complete end-to-end CHERI deployment. |
| 40 | + |
| 41 | + |
| 42 | + |
| 43 | +We're also showing off the [CHERIoT auditing tooling](https://github.com/CHERIoT-Platform/cheriot-audit) tooling for this demo. |
| 44 | +You can inspect the demo and see which compartments may allocate memory (and how much), which compartments may connect to network servers (and which addresses and ports), and so on. |
| 45 | + |
| 46 | + |
| 47 | +Our second demo is on the new [Sonata prototyping board from lowRISC](https://www.sunburst-project.org/tech-details/#sonata-low-cost-development-board). |
| 48 | +Unlike the Arty A7, this is specifically designed for prototyping CHERIoT systems. |
| 49 | +It's newer and so we don't have as much support for it in the RTOS, but it's designed with a rich set of peripherals that should make it a more interesting platform in the longer term. |
| 50 | + |
| 51 | + |
| 52 | + |
| 53 | +On this system, we're showing a compartmentalisation demo, based on the [compartmentalisation exercise](https://github.com/microsoft/cheriot-rtos/tree/main/exercises/01.compartmentalisation). |
| 54 | +This is intended to simulate an attacker who has managed to launch a code reuse attack and is trying to impact either confidentiality or availability. |
| 55 | +Code reuse attacks on a CHERIoT system are incredibly hard and so we cheat: we provide a JavaScript interpreter with a set of FFI functions that allow you to load and manipulate pointers from the JavaScript that you load over the UART. |
| 56 | + |
| 57 | +There's also an native function exposed to JavaScript to report whether you've managed to correctly guess a secret. |
| 58 | +The memory address of the secret is printed at the start (assume that it's leaked via some other exploit). |
| 59 | + |
| 60 | +We've built this example in two versions. |
| 61 | +The first is close to the starting point for the exercise: everything is in one compartment. |
| 62 | +In this version, you can start from the compartment's global pointer and load the secret. |
| 63 | +You can also simply do a null-pointer dereference to crash the compartment. |
| 64 | +The demo then needs restarting. |
| 65 | + |
| 66 | +In the other mode, we believe it should be impossible to leak the secret (come and try!). |
| 67 | +If you make the compartment running the JavaScript interpreter crash then it will recover. |
| 68 | + |
| 69 | +Folks from SCI Semiconductor will be there, so if you're interested in buying CHERIoT microcontrollers (not FPGA simulations) then drop buy the stand! |
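Review bot: the sentence "In one mode, it will publish the positions of two switches to the MQTT server, in the other it will subscribe to those MQTT nodes and" is cut off mid-clause and never says what the subscribing device does with the received switch positions; complete it before merging, since it is the half of the demo that actually closes the loop on the "light switch". Smaller wording fixes in the same hunk: "[CHERIoT auditing tooling](...) tooling" repeats "tooling" (drop one), "There's also an native function" should read "a native function", and "drop buy the stand" should read "drop by the stand". The aside "(assume that it's leaked via some other exploit)" would be clearer if it stated the threat model outright, i.e. that printing the secret's address stands in for an information leak the attacker is assumed to already have, so readers do not take the printed address as part of the protection being demonstrated.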