Title | : | FIDES: Fine-grained Compartments in Memory-safe Languages for Resource-Constrained Environments |
Speaker | : | Sai Venkata Krishnan V (IITM) |
Details | : | Tue, 3 Oct, 2023 12:00 PM @ MR1 (SSB 233) |
Abstract | : | Two major causes of the rapidly increasing threat of cyber-attacks are the use of unsafe languages like C and C++ and monolithic software architectures. To counter these critical issues, companies are migrating to memory-safe languages like Rust and OCaml and employing software compartmentalisation techniques that reduce the attack surface. Current compartment schemes are designed specifically for C and C++ and cannot efficiently handle memory-safe languages, which typically rely on functional programming features such as tail-call optimisation and higher-order functions. However, even with the advent of memory-safe languages, there is still a reliance on third-party libraries written in C and C++. This requires re-imagining compartment schemes so that they work seamlessly across unsafe and safe languages. We propose FIDES, a novel hardware-enabled compartment scheme designed for memory-safe languages targeting resource-constrained embedded systems. FIDES creates code compartments with custom compiler and hardware extensions. It leverages the language-level safety guarantees of a memory-safe language to simplify data handling across compartments. FIDES' compartment scheme supports essential functional programming features like tail-call optimisation and higher-order functions. It extends to C by using a hardware-assisted fat-pointer scheme for secure interaction between the unsafe and safe language code in the same application. FIDES is realised by extending a RISC-V processor to support compartments in OCaml. We describe an implementation of FIDES to secure MirageOS unikernel applications and demonstrate a prototype on a Xilinx FPGA. |