CHERI: The Future of Memory Safety

In the ever-evolving landscape of cybersecurity, memory safety issues like buffer overflows and use-after-free vulnerabilities remain significant challenges. Traditional solutions such as Memory Management Units (MMUs) and Memory Protection Units (MPUs) have been instrumental in segregating applications, but they fall short in addressing finer-grained memory safety issues. Enter CHERI, a revolutionary hardware extension that promises to redefine memory safety. 

While CHERI-enabled processors aren’t yet standard in desktops or smartphones, this revolutionary extension is paving the way for a future where every C/C++ developer can write robust, resilient software.  

Key Takeaways:

• Unprecedented Memory Protection: CHERI introduces capabilities that provide fine-grained access control, drastically reducing memory safety issues. 
• Smooth Transition for Legacy Code: TrustInSoft Analyzer bridges the gap between traditional architectures and the CHERI paradigm. 
• Future-Proof Your Codebase: Integrating robust code review and analysis now ensures your software remains secure as new hardware emerges. 

The Evolution of Memory Protection

Historically, we have seen the evolution of memory protection: 

• Segregation via MMU/MPU: Early approaches that separated applications based on address spaces. 
• Memory Tagging: Introduced on SPARC (SPARC ADI) and ARM (ARM MTE), which improved vulnerability detection by tagging memory segments. 
• Stack Protection: Technologies like Intel’s Control Flow Enforcement Technology (CET) focus on safeguarding the integrity of the call stack. 

CHERI takes these ideas even further by embedding security into the very fabric of the processor. Its capability-based model enables a granularity in memory access control that traditional systems simply can’t match. This fine-grained control means that even if a memory error occurs, the processor can detect an unauthorized operation almost immediately, preventing potential exploitation. 

The Road Ahead

CHERI (Capability Hardware Enhanced RISC Instructions) adoption is still in its early stages, but it holds immense promise for the future of secure computing. As CHERI-enabled processors become more widely available, we can expect to see a significant decrease in memory-related vulnerabilities. However, it's important to acknowledge that CHERI also introduces some challenges especially in the transition stage. 

By embracing CHERI and tools like TrustInSoft Analyzer, developers can pave the way for a more secure future for software applications. 

Where are we?

CHERI is a revolutionary security extension built into processors like Morello and Codasip X730. It offers a significant leap forward in memory protection by employing a concept called capabilities. These capabilities act like secure pointers, granting fine-grained access control to specific memory regions instead of relying solely on page-based Memory Management Units (MMUs). This finer control allows CHERI to detect a wider range of memory errors, especially those that might previously have gone unnoticed and potentially exploited by attackers to gain unauthorized access or cause program crashes. 

Why aren't we all already using Morello processors in our desktop computers and smartphones, to benefit from the additional near-perfect run-time protection against the worst vulnerabilities (memory errors)? 

While the benefits of CHERI are clear, transitioning to CHERI-enabled processors like Morello and Codasip X730 requires some adjustments. One key difference is the use of 128-bit pointers inside which, alongside a 64-bit address, a set of associated capabilities is stored. Most current architectures store only the 64-bit address and, when the address is used by the code, implicitly trust that the address is legitimate. This is how buffer overflows and other memory vulnerabilities happen. In CHERI, in addition to capabilities that indicate what the legitimate uses of the address are, a 129th bit, stored on the side, not accessible through the ordinary load and store instructions, indicates that neither the address nor the capability set have been tampered with, turning any nominal memory vulnerability present in the source code into a detected misuse of the address/capability pair at runtime. While recompiling existing programs for Morello is possible, it's important to note that this process can sometimes reveal subtle memory errors that were previously masked by the limitations of traditional MMUs. These errors can be harmless or represent latent vulnerabilities waiting to be exploited. The good news is that not all code needs immediate conversion. Some architectures can even support both 64-bit and 128-bit pointers simultaneously, allowing for a smoother transition. 

This is where TrustInSoft Analyzer comes in. It can analyze the source code of existing applications, taking into account the new 128-bit pointer size. By doing so, TrustInSoft Analyzer can pinpoint potential issues arising from this change, effectively acting as a debugging tool tailored for the CHERI transition. A crucial advantage is that TrustInSoft Analyzer can perform this analysis on a developer's standard desktop processor, eliminating the need for a CHERI enable system during the initial debugging phase. Additionally, TrustInSoft Analyzer presents detected problems within the context of the source code, allowing developers to investigate the root cause of each issue more efficiently. 

TrustInSoft Analyzer: A Change Assistant to CHERI

Beyond identifying issues caused by the pointer size change, TrustInSoft Analyzer can also uncover those subtle memory errors that were previously harmless but might cause unexpected termination on a CHERI processor. To achieve this, TrustInSoft Analyzer can leverage existing test suites, ensuring comprehensive analysis without generating false positives. It can even analyze less frequently used code paths, ensuring that even obscure memory errors are identified and addressed before porting the code to CHERI. This comprehensive analysis saves developers valuable time by eliminating the need for back-and-forth debugging on a Morello system and complex debug trace interpretation. 

Possible Solution with TrustInSoft

TrustInSoft Analyzer: During the initial migration phase, TrustInSoft Analyzer can significantly accelerate the debugging process for legacy code destined for CHERI enable cores (MCU). Once the transition is complete and CHERI's inherent protection is in place, reliance on TrustInSoft Analyzer will likely diminish.  

By integrating TrustInSoft Analyzer into your development workflow, you’re not just preparing for tomorrow’s hardware—you’re ensuring that your code is secure, efficient, and ready to tackle the challenges of an ever-evolving cybersecurity landscape. Stay ahead of the curve, and contact us.