You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: README.md
+15Lines changed: 15 additions & 0 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -82,10 +82,25 @@ This gives strong flow isolation properties: Even if an attacker compromises the
82
82
Similarly, the firewall is controlled by the Network API compartment.
83
83
The TCP/IP stack has no access to the control-plane interface for the compartment.
84
84
A compromise that gets arbitrary-code execution in the network stack cannot open new firewall holes (to join a DDoS botnet such as [Mirai](https://en.wikipedia.org/wiki/Mirai_(malware)), for example).
85
+
Note that there are currently some technical limitations to this, see the note below.
85
86
The worst it can do to rest of the system is provide malicious data, but a system using TLS will have HMACs on received messages and so this is no worse than a malicious packet being injected from the network.
86
87
87
88
All of this is on top of the spatial and temporal safety properties that the CHERIoT platform provides at a base level.
88
89
90
+
**Note on the isolation of the firewall control plane.**
91
+
92
+
In the current implementation, the TCP/IP stack still indirectly controls which endpoints the firewall allows/disables because the Network API compartment operates with domain names, and the firewall with IPs, and the TCP/IP stack controls the translation between the two.
93
+
94
+
For instance, if the application tells the Network API that the only endpoint it will ever communicate with is `example.com`, the Network API will need to translate that domain name into an IP to create a firewall entry.
95
+
The TCP/IP compartment is responsible for doing the translation through DNS.
96
+
Thus, a compromised TCP/IP stack can spoof the DNS translation and return whichever IP address it wants to connect to, to create a corresponding firewall entry.
97
+
98
+
This attack scenario comes with the limitation that DNS resolution and firewall updates only happen when establishing a new connection.
99
+
However, in many cases the TCP/IP stack can trigger this arbitrarily by closing the sockets opened by the application to force the application to trigger another socket open (and thus to re-establish the connection and re-translate the domain name).
100
+
101
+
Looking forward, we are planning to address this limitation by moving the DNS lookup to a separate compartment.
102
+
Unfortunately, without DNSSEC, the network stack can still tamper with responses, so this will also require a firewall-layer bypass to send DNS responses to the DNS compartment instead of the network stack.
0 commit comments