CHERI-based memory protection and compartmentalisation for web services on Morello
In this project, funded by the UK Defence Science and Technology Laboratory (DSTL), our goal was to transform web-service security by introducing robust memory protection and compartmentalisation using the CHERI architectural protection model and the Arm Morello prototype. The project focused on addressing the challenges of multi-tenant server environments, enhancing the security of open-source web service stacks without rewriting them in a memory-safe or type-safe programming language.
Integration of CHERI C/C++:
This project has ported a total of about 1.7 million lines of server-side software to the CheriBSD ecosystem, including the nginx web server, the gRPC framework, the PostgreSQL database server and supporting libraries such as Google’s Protobuf and Abseil. These components provide a foundation for a more secure and resilient client-server architecture on which many applications can be developed. Through a quantitative and qualitative study, we demonstrate that porting these components to CHERI C/C++ is mostly straightforward, affecting approximately 1% of the total lines of code.
Experimental Features:
The project used experimental CHERI protection features, including library-based isolation within CheriBSD, which uses dynamic library boundaries as a natural isolation boundary with little to no source code modification. We demonstrate that library compartmentalisation provides a good trade-off between ease of adoption, flexibility of bounds enforcement, performance and security guarantees. Significant improvements in observability, performance and security policy have been delivered by engaging in a co-design of the compartmentalisation model. For example, introducing compartmentalisation policies resulted in a 78% reduction in domain transitions in our demonstrator, significantly improving performance with minimal impact on security.
Vulnerability Study:
An analytical study of past vulnerabilities for the main components in our software stack showed that CHERI memory safety protections provide high levels of mitigation for many components, with nginx exhibiting a mitigation rate of around 46% and Redis between 38% and 52% (broadly consistent with previous estimates of mitigation rates for CHERI memory safety). We estimate an overall mitigation rate of up to 61% for our prototype nginx with library compartmentalisation, assuming that CHERI’s coercion of remote code execution and data disclosure vulnerabilities into a deterministic crash counts as a partial mitigation.
Significance:
This project shows that the security of multi-tenant server environments built on widely adopted open-source web service stacks can be significantly improved by CHERI without compromising performance.
Outcomes:
We have released all work from this project as open source. We have published an open report on the work, which includes the detailed security and performance evaluation and links to the ported software in the CHERI GitHub organisation.
Please visit our Published Work page for a link to the report.
This work was supported by the Defence Science and Technology Laboratory (DSTL) through the Defence and Security Accelerator (DASA) funded project ACC6036483.
Capabilities Limited was awarded the DSbD Beacon Award 2024 for the work completed on this project.