BlueHat IL 2023 - David Chisnall - CherIoT скачать в хорошем качестве

BlueHat IL 2023 - David Chisnall - CherIoT

CherIoT: Lightweight memory safety and compartmentalisation for C/C++ on cheap IoT devices The CherIoT (Capability Hardware Extension to RISC-V for IoT) project has built a platform for secure IoT devices. This includes an extension to RISC-V, an open-source implementation based on the lowRISC Ibex core, and an RTOS with lightweight compartmentalization abstractions. The platform provides complete spatial memory safety, cross-compartment stack safety, and a heap that can be shared between mutually distrusting parties with temporal safety. All violations of these memory safety guarantee deterministically trap. The platform uses non-bypassable memory safety as a building block for compartmentalization. Compartments can expose functions as entry points and enjoy strong isolation and object-granularity sharing. The component that enforces these isolation guarantees is only around 300 RISC-V instructions. No component in the system is fully privileged; even the scheduler is merely another compartment and cannot see the state of the threads that it interrupts. This is the first IoT system to provide fine-grained memory safety. It provides far more scalable isolation than existing techniques based on a memory protection unit (MPU): our implementation has comparable area to an MPU that supports 16 regions, yet allows a number of compartments bounded only by available memory, with each compartment requiring only a few words of memory as overhead. This makes it possible to have many isolated compartments providing a rich set of features, such as JavaScript interpreters, even on low-cost devices with 256 KiB of RAM or less. This talk will discuss how these security guarantees are built and how audience members can build things on top of the platform.