|
| 1 | +--- |
| 2 | +layout: post |
| 3 | +title: "CHERIoT at the Digital Security by Design All Hands meeting" |
| 4 | +date: 2024-09-19 |
| 5 | +categories: conference |
| 6 | +author: "David Chisnall" |
| 7 | +--- |
| 8 | + |
| 9 | +Several companies presented CHERIoT-related things at the [Digital Security by Design](https://www.dsbd.tech) all-hands meeting yesterday! |
| 10 | + |
| 11 | +[lowRISC](https://lowrisc.org), whose [Sonata](https://cheriot.org/fpga/ibex/2024/06/10/sonata-quick-start.html) board was used by all of the demos, presented a demonstration of an automotive system where a bug in the volume control would overwrite the speed controller value (on a non-CHERI system). |
| 12 | +The source for this [is in the Sonata software repo](https://github.com/lowRISC/sonata-software/tree/main/examples/automotive), as is the [snake example](https://github.com/lowRISC/sonata-software/tree/main/examples/snake) that lowRISC also showed. |
| 13 | + |
| 14 | +<img alt="lowRISC presented an automotive demonstrator" width="50%" style="margin-left:auto;margin-right:auto;display:block" src="/images/2024-09-19-lowRISC-demo.jpeg"> |
| 15 | + |
| 16 | +[ConfiguredThings](https://www.configuredthings.com) presented an extended version of the [configuration management demonstration](https://cheriot.org/security/philosophy/2024/07/30/configuration-management.html) that they've previously contributed to the project. |
| 17 | +The updated version integrated the CHERIoT network stack to talk to their back-end secure configuration management system. |
| 18 | +The code for [the original version of their demo](https://github.com/CHERIoT-Platform/cheriot-demos/tree/main/configuration_broker) is open and the network-connected version should appear in the same place soon. |
| 19 | + |
| 20 | +<img alt="ConfiguredThings presented CHERIoT talking to their back-end system" width="50%" style="margin-left:auto;margin-right:auto;display:block" src="/images/2024-09-19-configuredthings-demo.jpeg"> |
| 21 | + |
| 22 | +This showed how a CHERIoT system can provide additional defence in depth. |
| 23 | +Each configuration block from the server was parsed in a separate compartment, so bugs in the JSON parsing are not exploitable. |
| 24 | +The worst that can happen is that an invalid configuration update is ignored. |
| 25 | +CrowdStrike provided a good demonstration of how bad this can be without CHERI. |
| 26 | + |
| 27 | +Finally, we at [SCI Semiconductor](https://www.scisemi.com) presented a demonstration of the network-stack restart work that we released over the summer. |
| 28 | +This ran on Sonata, but (as with the other demonstrators) will be trivial to port to our [ICENI CHERIoT chips, which are expected early next year](https://www.scisemi.com/press-release-cheriot-ibex/). |
| 29 | +This showed a simple multi-colour light that was connected to the Internet via MQTT. |
| 30 | +The CHERIoT network stack runs the FreeRTOS TCP/IP stack ('[FreeRTOS+TCP](https://github.com/FreeRTOS/FreeRTOS-Plus-TCP)') in a compartment. |
| 31 | +We introduced a memory-safety bug into this code, which forms a key part of the attack surface (it's the thing that has to process packets that come from the Internet, where all of the bad people live). |
| 32 | +When this is triggered, we see a CHERI exception on Sonata's CHERI fault LEDs and the network connection is dropped. |
| 33 | +The TCP/IP compartment is then restarted automatically and the application code resumes: |
| 34 | + |
| 35 | +<video controls width="75%" style="margin-left: auto ; margin-right: auto; display: block"> |
| 36 | + <source src="/images/Hugh the Lightbulb.mp4" type="video/mp4" /> |
| 37 | + <p>Video showing Hugh the Lightbulb, an Internet-connected multicolour light. |
| 38 | + The video shows an Android app controlling the CHERIoT code and demonstrates that a memory-safety bug in the TCP/IP stack does not crash the system, but is caught and the TCP/IP stack gracefully recovers. |
| 39 | + </p> |
| 40 | +</video> |
| 41 | + |
| 42 | +The [code for this demo](https://github.com/CHERIoT-Platform/cheriot-demos/tree/main/HughTheLightbulb) is available. |
| 43 | +Note that there's *nothing* in the application-specific part of the code related to the TCP/IP stack crashing. |
| 44 | +From the perspective of a consumer of the TCP/IP APIs, sockets just return a disconnection error. |
| 45 | +The normal reconnection paths then succeed once the TCP/IP stack has been restarted. |
| 46 | + |
0 commit comments