Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Proposed relaxing of cjalr sealing #86

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Proposed relaxing of cjalr sealing #86

wants to merge 1 commit into from

Conversation

nwf
Copy link
Member

@nwf nwf commented Nov 13, 2024

Attempt at capturing #85

rmn30
rmn30 requested changes Nov 13, 2024
View reviewed changes
Copy link
Collaborator

@rmn30 rmn30 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You need to make a similar change in CJAL.

src/cheri_insts.sail Outdated Show resolved Hide resolved
@nwf nwf requested a review from rmn30 November 13, 2024 14:17
rmn30
rmn30 reviewed Nov 13, 2024
View reviewed changes
Copy link
Collaborator

@rmn30 rmn30 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks fine except for comments. I may slightly prefer inverting the if so that the common cd==ra case is handled first but it does not matter.

src/cheri_insts.sail Outdated Show resolved Hide resolved
src/cheri_insts.sail Outdated Show resolved Hide resolved
@vmurali
Copy link
Contributor

vmurali commented Nov 13, 2024

Lgtm. As Robert pointed out, can you fix the commentary in the JAL case

@nwf @ronorton
Proposed relaxing of cjalr sealing
0dd27c1 
Attempt at capturing #85

Co-authored-by: Robert Norton <robert.norton@microsoft.com>
@nwf
Copy link
Member Author

nwf commented Nov 14, 2024

Copy-paste errors fixed, conditions flipped, and archdoc prose updated to explain the changes.

@vmurali
Copy link
Contributor

vmurali commented Nov 14, 2024
edited
Loading

Is there a security issue if cjal links an unsealed cap even for link register of cra? That means cjr cra should be relaxed to allow unsealed caps in cra. I don't see a problem with that though - if it's sealed, it has to be a backwards sentry, and if it's unsealed, I can jump anywhere with it.

@rmn30
Copy link
Collaborator

rmn30 commented Nov 15, 2024

Is there a security issue if cjal links an unsealed cap even for link register of cra? That means cjr cra should be relaxed to allow unsealed caps in cra. I don't see a problem with that though - if it's sealed, it has to be a backwards sentry, and if it's unsealed, I can jump anywhere with it.

I think it would be fine in that the interrupt disabling DoS attack that pushed us to add return sentries would still be mitigated (because you have to use cra as link when jumping to an interrupt disabling sentry), but it is a weakening of the "psuedo-CFI" we have now and isn't necessary to support non-standard link register as desired.

Specifically, most code will use cret to return and relaxing this to accept unsealed caps would allow an attacker more scope to substitute other capabilities in ROP attacks. This may not be a great risk given we have bounds checking and unforgeable capabilities but if we don't need to then why do it?

@vmurali
Copy link
Contributor

vmurali commented Nov 15, 2024

Specifically, most code will use cret to return and relaxing this to accept unsealed caps would allow an attacker more scope to substitute other capabilities in ROP attack. This may not be a great risk given we have bounds checking and unforgeable capabilities

My rationale is that when cra is linked with cjal instead of cjalr, you are within your own code that you could have done the ROP anyway, hence not increasing the attack surface.

but if we don't need to then why do it?

Slight hardware simplification and in line with the design principle that if you want protection of the caller, use cjalr cra

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rmn30 rmn30 rmn30 requested changes

Requested changes must be addressed to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
ISA Version 1.0 release
Status: In Progress
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@nwf @vmurali @rmn30