Existing high-end embedded systems face frequent security attacks. Software compartmentalization is one technique to limit an attack's effects to the compromised compartment rather than the entire system. Unfortunately, the existing state-of-the-art embedded hardware-software solutions do not work well for enforcing software compartmentalization on high-end embedded systems. MPUs are not fine-grained and suffer from significant scalability limitations, as they can only protect a small and fixed number of memory regions. MMUs, on the other hand, suffer from non-determinism and coarse-grained protection. This paper introduces CompartOS, a lightweight linkage-based compartmentalization model for high-end, complex, mainstream embedded systems. CompartOS builds on CHERI, a capability-based hardware architecture, to meet scalability, availability, compatibility, and fine-grained security goals. Microbenchmarks show that CompartOS' protection-domain crossing is 95% faster than MPU-based IPC. We applied the CompartOS model, with low effort, to complex existing systems, including TCP servers and a safety-critical automotive demo. CompartOS not only catches 10 out of 13 published FreeRTOS-TCP vulnerabilities that MPU-based protection (e.g., uVisor) cannot catch, but can also recover from them. Further, our TCP throughput evaluations show that our CompartOS prototype is 52% faster than relevant MPU-based compartmentalization models (e.g., ACES), with a 15% overhead compared to an unprotected system. This comes at an FPGA LUT overhead of 10.4% for adding CHERI to an unprotected baseline RISC-V processor, compared to 7.6% for adding an MPU, while CHERI incurs only a 1.3% register-area overhead compared to 2% for an MPU.