Is it possible to reach a point where memory safety concerns are definitively reduced? We looked at CHERI ( Capability Hardware Enhanced RISC Instructions ), which offers memory protection features against numerous exploited vulnerabilities, or an architectural solution that breaks exploits, in our effort to reduce memory corruption vulnerabilities. We have considered additional mitigations to implement in order to reach a comprehensive solution and examined how CHERI would break class-specific categories of vulnerabilities. In its current state, when combined with other mitigations, CHERI would have deterministically mitigated at least two thirds of all memory safety vulnerabilities, according to our analysis of its theoretical impact on all of the vulnerabilities we encountered in 2019.
Revision 7 has been reviewed, and a test environment was CheriBSD runningQEMU. We used CheriBSD and qtwebkit to create exploits for various security issues after searching for model flaws in this study. We’ve identified a number of areas that need to be improved, including multiple exploitation primitives that could still be used to take advantage of memory corruption issues, the necessity of using trustworthy and CHERI compliant memory management mechanisms, and vulnerability classes that the architecture does n’t mitigate. While CHERI excels at resolving spatial safety issues, temporal and type safety problems still require more attention.
There is undoubtedly much more to learn and mitigate, so we value your feedback greatly. Your feedback on our paper will be greatly appreciated.
Microsoft Security Response Center ( MSRC ) employees Nicolas Joly, Saif ElSherei, and Saar Amar