Campus Event Calendar
Event Entry
What and Who
Enforcing Stack Safety on a Capability Machine
Aïna Linn Georges
Aarhus University
SWS Colloquium
AG 1, AG 2, AG 3, INET, AG 4, AG 5, D6, SWS, RG1, MMCI
AG Audience
English
Note: We use this to send email in the morning.
Date, Time and Location
Thursday, 24 November 2022
10:00
60 Minutes
E1 5
005
Saarbrücken
Abstract
Memory safety is a major source of vulnerabilities in computer
systems. Capability machines are a type of CPUs that support
fine-grained privilege separation using capabilities, machine words
that include forms of authority. Over the last decade, CHERI, a family
of capability machines, has matured into an extensive design
featuring, among other, a full UNIX-style operating system, CheriBSD.
Building on ideas from CHERI, capability machines are even becoming a
reality in industry; the Arm Morello program is a research program led
by Arm to create a prototype system on chip with capabilities. One of
the promises of capability machines is that they can enforce security
properties that we expect from high-level languages, in particular
stack safety, even when machine code is linked with other untrusted
and possibly adversarial machine code. In this talk, I will discuss
what it takes to realise that promise in practice. Since stack safety
properties can be quite subtle, it is crucial to formally reason about
the enforcement mechanisms enabled by capabilities. This is a complex
task that involves reasoning about the interaction between known code,
and unknown untrusted code. We use Iris to formally reason about the
deep semantic properties of capability machines.
systems. Capability machines are a type of CPUs that support
fine-grained privilege separation using capabilities, machine words
that include forms of authority. Over the last decade, CHERI, a family
of capability machines, has matured into an extensive design
featuring, among other, a full UNIX-style operating system, CheriBSD.
Building on ideas from CHERI, capability machines are even becoming a
reality in industry; the Arm Morello program is a research program led
by Arm to create a prototype system on chip with capabilities. One of
the promises of capability machines is that they can enforce security
properties that we expect from high-level languages, in particular
stack safety, even when machine code is linked with other untrusted
and possibly adversarial machine code. In this talk, I will discuss
what it takes to realise that promise in practice. Since stack safety
properties can be quite subtle, it is crucial to formally reason about
the enforcement mechanisms enabled by capabilities. This is a complex
task that involves reasoning about the interaction between known code,
and unknown untrusted code. We use Iris to formally reason about the
deep semantic properties of capability machines.
Contact
Annika Meiser
+49 681 9303 9105
--email hidden
Video Broadcast
Yes
Kaiserslautern
G26
207
-
passcode not visible
logged in users only
Annika Meiser, 11/21/2022 17:04
Annika Meiser, 11/21/2022 11:26 -- Created document.
Annika Meiser, 11/21/2022 11:26 -- Created document.