CHERIoT: Rethinking security for low-cost embedded systems
- Saar Amar
- Tony Chen
- David Chisnall
- Felix Domke
- Nathaniel Filardo
- Kunyan Liu
- Robert Norton-Wright
- Yucong Tao
- Robert N. M. Watson
- Hongyan Xia
MSR-TR-2023-6 | Published by Microsoft
Small embedded cores have little area to spare for security features and yet must often run code written in unsafe languages and, increasingly, are exposed to the hostile Internet. CHERIoT (Capability Hardware Extension to RISC-V for Internet of Things) builds on top of CHERI and RISC-V to provide an ISA and software model that lets software depend on object-granularity spatial memory safety, deterministic use-after-free protection, and lightweight compartmentalization exposed directly to the C/C++ language model. This can run existing embedded software components on a clean-slate RTOS that scales up to large numbers of isolated (yet securely communicating) compartments, even on systems with under 256 KiB of SRAM.
This technical report is accompanied by three open source releases:
CherIoT RTOS and software stack
27 January 2023
This repository contains the core RTOS components for the CHERIoT research platform. This is currently a research project that has been open-sourced to enable wider collaboration. It is not yet in a state where it should be used in production: in particular, security issues will currently be fixed in the main branch of the repo with no coordinated disclosure.
CherIoT Sail: formal specification of the ISA
27 January 2023
This repository contains an implementation of the CHERIoT ISA in Sail. It contains an executable description of the CHERIoT instruction set that can be used to build an instruction set emulator and also prove properties of the ISA using Sail's SMT support.
CherIoT-ibex: reference implementation of the ISA
27 January 2023
cheriot-ibex is an RTL implementation of the CHERI ISA based on lowRISC's Ibex core. More specifically, cheriot-ibex is a 32-bit RISC-V microcontroller that implements the CHERIoT ISA extension in addition to RV32IMCB. As with the original Ibex core, the design can be configured with either a 2-stage or a 3-stage pipeline.