Saturday, September 14, 2024

Re: CheriBSD

Somebody claiming to be Kevin Chadwick wrote:
> Any thoughts on the security and performance of CHERI? The claim
> is making existing C codebases memory safe with insignificant
> modifications to the code being required.

I've seen a few of their conference talks, and the summary of things
I've taken away from that is:
- Their thesis is that
(1) if you follow the rules, C with hardware-assisted checking
can give you memory safety at negligible cost
(2) the hardware side of this can be done effectively with today's
technology
and they have a working system that backs it up
- The hardware is prototype-grade but seems to work well
- Most of the software that causes problems is the sort of code
you'd look at and say "WTF?" anyways

Performance doesn't take much of a hit, which is one of the nice
things about doing the heavy lifting in hardware - transistors are
cheap enough at the margin nowadays to do all sorts of interesting
things.
(That of course doesn't carry over to running it under emulation,
where the check needs to be done on every emulated memory access.)

The memory safety it offers would turn a lot of security-relevant
bugs that OpenBSD works hard to mitigate into immediate hardware
traps, but not all of them.


The work they did in FreeBSD to get it working and keep compatibility
with unsafe code relies heavily on multi-ABI support. FreeBSD
already had that for things like mixed 32/64-bit support and Linux
compatibility, which an observant reader will note OpenBSD supports
none of.
So even if you could get CHERI hardware to run it on, bringing up
a CHERI-aware OpenBSD would mean upgrading the entire base system
(likely no harder than for FreeBSD but still a major undertaking)
to support it and limiting yourself to ports that work or can be
fixed to work with the additional constraints.


Bottom line, as far as I'm concerned, is that I want one for my dev
machine to find my memory bugs sooner (but I'd be surprised to see
it available in consumer-grade systems before I retire and no longer
care), but the expected future value of getting security upgrades
out of it isn't high enough to spend time thinking about it now.


dave

--
Dave Vandervies
dj3vande@terse.ca

Plan your future! Make God laugh!
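As an added illustration (not part of Dave's reply, and not code from the CHERI project), here is a toy C model of the checks the message describes: bounds, permissions and a validity tag, checked on every load and store, with bounds and permissions that ordinary code can only narrow. Everything in it (the cap_t layout, the cap_* function names, the fault codes, the 16-byte buffer) is invented for the example; real CHERI uses a compressed 128-bit capability encoding and raises hardware exceptions rather than returning fault codes.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Toy software model of a CHERI-style capability, invented for this
 * illustration (not CHERI's real compressed encoding). Same ideas: bounds,
 * permissions and a validity tag, which code can only narrow or clear. */
enum { PERM_LOAD = 1, PERM_STORE = 2 };

typedef enum {
    CAP_OK = 0,
    CAP_TAG_FAULT,    /* capability is untagged (forged or corrupted) */
    CAP_BOUNDS_FAULT, /* access outside [base, base + length)         */
    CAP_PERM_FAULT    /* access kind not granted by perms             */
} cap_fault_t;

typedef struct {
    uint8_t *base;   /* lowest byte the capability may touch           */
    size_t   length; /* bytes covered from base                        */
    size_t   offset; /* pointer arithmetic moves this; deref checks it */
    unsigned perms;  /* PERM_LOAD | PERM_STORE                         */
    bool     tag;    /* true = valid capability                        */
} cap_t;

/* Minting a fresh tagged capability is the one privileged step (in real
 * CHERI the kernel/allocator side hands these out). */
static cap_t cap_mint(void *p, size_t len, unsigned perms) {
    cap_t c = { (uint8_t *)p, len, 0, perms, true };
    return c;
}
/* Pointer arithmetic never faults; it only moves the cursor. */
static cap_t cap_inc(cap_t c, size_t n) { c.offset += n; return c; }
/* Dropping permissions (CAndPerm-like): bits can only be cleared. */
static cap_t cap_and_perms(cap_t c, unsigned keep) { c.perms &= keep; return c; }

/* Narrowing bounds (CSetBounds-like) is monotonic: a child can never
 * cover more than its parent, so a request to widen faults. */
static cap_fault_t cap_set_bounds(cap_t parent, size_t new_len, cap_t *out) {
    if (!parent.tag) return CAP_TAG_FAULT;
    if (parent.offset > parent.length ||
        new_len > parent.length - parent.offset) return CAP_BOUNDS_FAULT;
    *out = parent;
    out->base += parent.offset;
    out->length = new_len;
    out->offset = 0;
    return CAP_OK;
}

/* The one check every load and store goes through: hardware does it
 * alongside the access; an emulator must do it on every access. */
static cap_fault_t cap_check(cap_t c, size_t idx, unsigned need) {
    if (!c.tag) return CAP_TAG_FAULT;
    if (c.offset > c.length || idx >= c.length - c.offset) return CAP_BOUNDS_FAULT;
    if ((c.perms & need) != need) return CAP_PERM_FAULT;
    return CAP_OK;
}
static cap_fault_t cap_load(cap_t c, size_t idx, uint8_t *out) {
    cap_fault_t f = cap_check(c, idx, PERM_LOAD);
    if (f == CAP_OK) *out = c.base[c.offset + idx];
    return f;
}
static cap_fault_t cap_store(cap_t c, size_t idx, uint8_t v) {
    cap_fault_t f = cap_check(c, idx, PERM_STORE);
    if (f == CAP_OK) c.base[c.offset + idx] = v;
    return f;
}

/* Constructed 16-byte buffer for the scenarios below. */
static uint8_t g_buf[16];

/* Classic off-by-one loop (i <= size). Returns the index of the first
 * store that hit CAP_BOUNDS_FAULT, -1 if none, -2 on any other fault. */
int demo_off_by_one(void) {
    cap_t c = cap_mint(g_buf, sizeof g_buf, PERM_LOAD | PERM_STORE);
    for (size_t i = 0; i <= sizeof g_buf; i++) {
        cap_fault_t f = cap_store(c, i, 0x41);
        if (f == CAP_BOUNDS_FAULT) return (int)i; /* 16 */
        if (f != CAP_OK) return -2;
    }
    return -1;
}

/* A read-only view derived from a read-write capability cannot store,
 * even though the address is in bounds. */
cap_fault_t demo_readonly_store(void) {
    cap_t rw = cap_mint(g_buf, sizeof g_buf, PERM_LOAD | PERM_STORE);
    return cap_store(cap_and_perms(rw, PERM_LOAD), 0, 0x42); /* CAP_PERM_FAULT */
}

/* Narrow to an 8-byte window at offset 4, then try to widen it back. */
cap_fault_t demo_no_widening(void) {
    cap_t whole = cap_mint(g_buf, sizeof g_buf, PERM_LOAD | PERM_STORE);
    cap_t window, wider;
    cap_fault_t f = cap_set_bounds(cap_inc(whole, 4), 8, &window);
    if (f != CAP_OK) return f;
    return cap_set_bounds(window, 16, &wider); /* CAP_BOUNDS_FAULT */
}

/* Well-behaved code is unaffected: store through rw, load through ro. */
int demo_in_bounds_roundtrip(void) {
    cap_t rw = cap_mint(g_buf, sizeof g_buf, PERM_LOAD | PERM_STORE);
    uint8_t v = 0;
    if (cap_store(rw, 3, 0x5A) != CAP_OK) return -1;
    if (cap_load(cap_and_perms(rw, PERM_LOAD), 3, &v) != CAP_OK) return -2;
    return v; /* 0x5A */
}
```

Compiled natively, every cap_load/cap_store call pays for the comparisons in cap_check; that is the per-access cost the reply attributes to emulation, and it is the work the CHERI hardware does in parallel with the memory access itself. The off-by-one scenario is the kind of bug that would turn into an immediate trap rather than a silent overwrite.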
