Abstract
This paper studies the integration of two successful hardware-supported security mechanisms: capabilities and enclaved execution. Capabilities are a powerful and flexible security mechanism for implementing fine-grained memory access control and compartmentalizing untrusted or buggy software components. Capabilities have a long history but have gained significant momentum recently, as evidenced by ARM’s experimental Morello processor that supports the Capability Hardware Enhanced RISC Instructions (CHERI). Enclaved execution is a popular mechanism for dynamically creating Trusted Execution Environments (TEEs), called enclaves. Enclaves are isolated execution contexts that protect the integrity and confidentiality of software in the enclave (even against compromised system software) and that support attestation. Integrating capabilities and enclaved execution in a single processor is challenging because they overlap partially in their security objectives, and a clean integration should unify the way in which these overlapping objectives are achieved. In addition, it is not obvious how attestation should interact with capabilities. In this paper, we propose CHERI-TrEE: a novel design for a processor that cleanly integrates support for both capabilities and enclaved execution. CHERI-TrEE targets low-end embedded systems without virtual memory. We show that CHERI-TrEE is greater than the sum of its parts by showing how it naturally supports useful features that have traditionally been hard to support in enclaved execution, like dynamically growing and shrinking enclaves, non-contiguous and nested enclaves, sharing of memory between enclaves etc. We implement our proposal both in hardware on a RISC-V processor, as well as in a small software hypervisor on top of ARM Morello, and evaluate impact on performance and hardware resources.
Original language | English |
---|---|
Title of host publication | EuroS&P - 8th IEEE European Symposium on Security and Privacy |
Publisher | IEEE |
Pages | 1143-1159 |
Number of pages | 17 |
ISBN (Electronic) | 978-1-6654-6512-0 |
ISBN (Print) | 978-1-6654-6513-7 |
Publication status | Published - 3 Jul 2023 |
Event | 8th IEEE European Symposium on Security and Privacy, Delft, Netherlands. Duration: 3 Jul 2023 → 7 Jul 2023. https://eurosp2023.ieee-security.org/ |
Publication series
Name | IEEE European Symposium on Security and Privacy |
---|---|
Publisher | IEEE |
ISSN (Print) | 2768-0649 |
ISSN (Electronic) | 2768-0657 |
Conference
Conference | 8th IEEE European Symposium on Security and Privacy |
---|---|
Abbreviated title | EuroS&P 2023 |
Country/Territory | Netherlands |
City | Delft |
Period | 3/07/23 → 7/07/23 |
Fingerprint
Dive into the research topics of 'CHERI-TrEE: Flexible enclaves on capability machines'. Together they form a unique fingerprint.
CAP-TEE: Capability Architectures in Trusted Execution
Ryan, M., Thomas, R., Ordean, M., Garcia, F., Oswald, D., Muench, M. & Sinha Roy, S.
Engineering & Physical Science Research Council
12/08/20 → 28/02/25
Project: Research Councils
SIPP - Secure IoT Processor Platform with Remote Attestation
Engineering & Physical Science Research Council
1/12/19 → 30/11/23
Project: Research Councils