Two Paths to Memory Safety: CHERI and OMA(ednutting.com)

28 pointsby yvdriess6 hours ago6 comments

Findecanor28 minutes ago
Doubtless Computing is apparently the blogger's new startup.
He had previously co-founded the CPU startup VyperCore, which had been based around technology in his PhD thesis at the University of Bristol. The startup folded earlier this year.[1]
VyperCore's main selling point was that having garbage collection in hardware could run managed languages faster, and with less energy. Apparently they came as far as running code in FPGA. Except for the object-addressing hardware, it was based on a RISC-V core.
I wonder which assets (patents and other) that the new company has been able to get from the old.
Both companies were/are apparently targeting the data centre first... which I think is a bit bold, TBH. I follow RISC-V, and have seen maybe a dozen announcements of designs for wide-issue cores that on paper could have been competitive with AMD and Intel ... if only they would have got to be manufactured in a competitive process. But that is something that would require significant investment.
1. https://ednutting.substack.com/p/vypercore-failed
alwahi3 minutes ago
" Rather than extending paged memory, OMA implements object-based memory management directly in hardware. Every allocation becomes a first-class hardware object with its own identity, bounds, and metadata maintained by the processor itself."
what is this supposed to mean? like a whole new isa + kernel + userland?
pjmlp4 hours ago
Three paths, SPARC Application Data Integrity (ADI)
https://docs.oracle.com/en/operating-systems/solaris/oracle-...
Although I do conceed, most folks aren't keen into picking up anything related to Oracle or Solaris nowadays.
- EdNutting3 hours ago
  I haven't come across this specific feature before. From reading about it, it seems closely related to Arm (E)MTE ISA extensions - Memory Tagging Extension?
  What's interesting is that approach (software-defined 'random' numbers to associate memory regions and valid pointers) provides only probabilistic memory safety. A malicious actor may find a way to spoof/guess the tag needed to access a particular piece of memory. Given Arm MTE has been breached in the last year, it's hard to argue that it's a good enough security guarantee. EMTE may fix issues (e.g. side-channels) but leaves open the probabilistic pathway (i.e. "guess the tag") which is a hole MTE isn't designed to try to close (so, a software breach on top of a chip with EMTE can't necessarily be argued to be a violation of the hardware's security properties, though it may exploit the architectural security hole).
  In contrast, CHERI and OMA (Object Memory Architecture) are both providing hardware-enforced guarantees of memory safety properties - unbreakable even if the attacker has perfect knowledge - backed up by formal proofs of these claims.
  CHERI offers referential and spatial safety as hardware guarantees, with temporal being achievable in software. OMA offers referential, spatial and temporal safety as hardware guarantees.
  - mlinksvaan hour ago
    There doesn't seem to be much info about OMA available online. Your thesis linked from https://www.bristol.ac.uk/research/groups/trustworthy-system... which is linked from your home page/timeline is a broken link. Perhaps https://dl.acm.org/doi/fullHtml/10.1145/3450147 is the best in depth info available currently? Looking forward to future developments and success!
    EdNuttingan hour ago
    Oh dear, I hadn't realised Bristol Uni had broken the link. That paper has some information, as well as my UG thesis: https://ia600408.us.archive.org/22/items/archive_IHGC/Thesis...
    Yeah the current closed nature of OMA means there's limited information at present. I am working on publishing more over the next year. It is essential the wider community starts to get access to at least the modified RISC-V ISA, to independently validate the security claims.
  - pjmlp3 hours ago
    Kind of, with the difference that it has been in production since 2015 on Solaris SPARC systems, granted they aren't as widespread as they once were.
    Sometimes the perfect is enemy from good, none of the memory tagging solutions has achieved mainstream widespread adoption outside iDevices.
    Google apparently doesn't want to anger Android OEMs demanding it to be required by Android, thus it remains a Pixel only feature.
    CHERI and OMA are going to still take years for mainstream adoption if ever comes to it.
    I had hopes for whatever Microsoft was doing in CHERIoT to eventually come to Windows in some fashion, but best it has happened seems to be the adoption of Pluton in CoPilot+ PC, which anyway serves a different purpose.
  - rubymamis3 hours ago
    Can you please provide sources about Arm EMTE being breached? I couldn’t find any information online.
yvdriess5 hours ago
Related discussions:
- CHERI with a Linux on Top https://news.ycombinator.com/item?id=45487629
- Why not object capability languages? https://news.ycombinator.com/item?id=43956095
- Ask HN: Why isn't capability-based security more common? https://news.ycombinator.com/item?id=45261574
pizlonator3 hours ago
Unlikely that new HW will be the solution.
You can have a memory safe Linux userland today in stock hardware. https://fil-c.org/pizlix
- Findecanor2 hours ago
  Fil-C is basically CHERI in software, with large speed and memory overhead.
  - pizlonator3 minutes ago
    > Fil-C is basically CHERI in software
    It's not, actually.
    Fil-C is more compatible with C/C++ than CHERI, because Fil-C doesn't change `sizeof(void*)`.
    Fil-C is more compatible in the sense that I can get CPython to work in Fil-C and to my knowledge it doesn't work on CHERI.
    Fil-C also has an actual story for use-after-free. CHERI's story is super weak
  - pizlonatoran hour ago
    Fil-C running on any x86 box is faster than any CHERI implementation that has ever existed.
    That's likely to be true in embedded also, just because of the relationship between volume and performance in silicon. Fil-C runs on the high volume stuff, so it'll get better perf.
    CHERI doubles the size of pointers, so it's not like it has a decisive advantage over Fil-C.
    Findecanor18 minutes ago
    > Fil-C running on any x86 box is faster than any CHERI implementation that has ever existed.
    Heh. I don't doubt it. Just like RISC-V in QEmu on a x86 box is faster than any RISC-V core that anyone can get their hands on ... right now.
    checker65921 minutes ago
    Do you even have access to CHERI hardware Phil?
    pizlonator5 minutes ago
    No, and I don't need to in order to know that my claim is accurate.
    Also, the fact that having access to CHERI hardware is a thing you presume I don't have should tell you a lot about how likely CHERI is to ever succeed
  - actionfromafar2 hours ago
    But seemingly on track to move from "large" to "significant" speed and memory overhead. It is already really useful especially for running tests in pipelines.
VyseofArcadia3 hours ago
Could we also consider just not connecting critical systems to the internet at large? No reason, for example, for the Jaguar assembly line to depend on an internet connection.
- yvdriessan hour ago
  Yep air-gapped security is a thing. But servicing, patching and communicating with air-gapped devices still needs to happen, which involves connecting to them somehow. Likely a manufacturing plant has started to connect everything together to streamline the process and created an attack surface that way.
  You can see the appeal for not needing to go through all the issues, complexity and costs that entails.
- wblan hour ago
  How else do you expect to move the information around between sites and use it?
- EdNutting3 hours ago
  I suppose we could all do what Asahi have been forced to do and go back to using pens, paper and fax machines: https://www.bbc.co.uk/news/articles/cly64g5y744o
- like_any_other2 hours ago
  Malware can hop through airgaps on USB keys, so that's not enough: https://en.wikipedia.org/wiki/Stuxnet