Potential security flaw in "secure" model

Our proposed secure switcher implementation [1] has a potential flaw, as observed by @jacobbramley [here](https://github.com/capablevms/cheri-morello-compartmentalisation/pull/1#discussion_r809304593). We are storing some capabilities within a space that the compartment we are switching into has access [2]. It should be possible to retrieve these capabilities from within this compartment.

The solution would be to store these before switching the DDC. Which would mean the switcher itself needs to have a scratch space as well.

[1] https://github.com/capablevms/cheri-examples/tree/master/hybrid/compartment_examples/inter_comp_call/secure
[2]https://github.com/capablevms/cheri-examples/blob/master/hybrid/compartment_examples/inter_comp_call/secure/switch_compartment.s#L35-L40

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Potential security flaw in "secure" model #60

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Potential security flaw in "secure" model #60

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions