You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: exercises/firmware_auditing/README.md
+7-7Lines changed: 7 additions & 7 deletions
Original file line number
Diff line number
Diff line change
@@ -2,7 +2,7 @@
2
2
Copyright lowRISC Contributors.
3
3
SPDX-License-Identifier: Apache-2.0
4
4
-->
5
-
# Firmware Auditing Exercise
5
+
# Firmware auditing exercise
6
6
7
7
First, make sure to go to the [building the exercises][] section to see how the exercises are built.
8
8
@@ -42,10 +42,10 @@ A very simple function `is_sealed_capability` is then defined, which takes the J
42
42
43
43
Next, we use Rego's functionality to create a rule `no_sealed_capabilities_exist`, which should evaluate to `true` only if no sealed capabilities are used in any of the firmware's compartments.
44
44
To do this, we perform a list comprehension, unifying with a wildcard variable to iterate over and filter all imported capabilities of all compartments in the firmware.
45
-
We then use the built-in`count` function to ensure that the resulting array is empty.
45
+
We then use the built-in`count` function to ensure that the resulting array is empty.
46
46
47
47
Skipping to the end of the file, we can then create a simple Boolean `valid` rule which corresponds to whether `no_sealed_capabilities_exist` is defined or not.
48
-
To convert the undefined value to a Boolean, we use the `default` keyword, which lets us provide a `false`asignment as a fall-through if no other rule definitions match.
48
+
To convert the undefined value to a Boolean, we use the `default` keyword, which lets us provide a `false`assignment as a fall-through if no other rule definitions match.
49
49
50
50
We can run this policy on our example firmware using the following command:
Because `sealed_capability.cc` currently doesn't use any sealed capabilities, this policy should evalute to `true`.
59
+
Because `sealed_capability.cc` currently doesn't use any sealed capabilities, this policy should evaluate to `true`.
60
60
61
61
Now, navigate to [`sealed_capability.cc`][] and comment out or remove the line `uint32_t arr[ArrSize];`.
62
62
Then, uncomment or add the line `uint32_t *arr = new uint32_t[ArrSize];`.
@@ -67,7 +67,7 @@ Rebuilding the exercises (using `xmake -P exercises`) and running the same comma
67
67
68
68
However, it may not immediately be clear why the policy failed.
69
69
When designing such a policy, you can see that it may be helpful to have a rule that lets us inspect the details of any sealed capabilities.
70
-
We do this with our final `sealed_capability_info` rule, which constructs ojects storing the contents, key, and compartment of each sealed capability.
70
+
We do this with our final `sealed_capability_info` rule, which constructs objects storing the contents, key, and compartment of each sealed capability.
71
71
72
72
> ℹ️ Note the use of unification here.
73
73
> We iterate over `input.compartments` with the non-defined variable `owner`, and then map the value that is bound this variable to the `owner` field of our new object.
@@ -80,7 +80,7 @@ You should see an output that looks something like this:
80
80
"key":"MallocKey", "owner":"sealed_capability"}]
81
81
```
82
82
83
-
This tells us where the sealed capabilty in our firmware originates - a static sealed object owned by our `sealed_capability` compartment, which is used by the RTOS' allocator for authorising memory allocation.
83
+
This tells us where the sealed capability in our firmware originates - a static sealed object owned by our `sealed_capability` compartment, which is used by the RTOS' allocator for authorising memory allocation.
84
84
Try experimenting by adding more functionality to this toy example!
85
85
For example, try creating your own sealed capabilities and check the result.
86
86
You might also try investigating the values of the different rules that we've made, and filtering or auditing other properties of the capabilities.
@@ -101,7 +101,7 @@ We then start by defining which functions in which compartments are allowed to r
101
101
We do this by using a list, with each item in this list containing the name of the compartment, and a list of the function signatures that can run with interrupts disabled.
102
102
103
103
We allow two specific functions to run without interrupts in the `disable_interrupts` compartment, and allow none to run in the `bad_disable_interrupts` compartment.
104
-
Despite this, if you check the the source files, `not_allowed` is actually running with interrupts disabled.
104
+
Despite this, if you check the source files, `not_allowed` is actually running with interrupts disabled.
105
105
In a practical scenario, `disable_interrupts` might be a trusted library, where `bad_disable_interrupts` is only allowed to call functions from `disable_interrupts`, and not disable interrupts itself.
106
106
107
107
We can then use this list to construct a smaller set containing just the compartments we expect to be present, which will be useful as the first condition that we want to check is that all (and only) the required compartments are present.
0 commit comments