## **CAPSTONE:** An Architecture Design for Expressive Security

Jason Zhijingcheng Yu<sup>†</sup>, Prateek Saxena School of Computing, National University of Singapore <sup>†</sup> final-year PhD student on the job market

<u>5136</u>

<u>3961</u>

<u>3186</u>

<u>3103</u>

<u>3054</u>

3042

2941 2677

#### **Motivation: Patchwork of Security Extensions**

#### **Security Challenges**





Memory Safety

Fine-grained Isolation

Confidential Computing

#### **Patchwork of Security Extensions**

| Spatial Memory Safety    | [Intel <u>MPK</u> , x86/64 <u>DEP/I</u> |
|--------------------------|-----------------------------------------|
| Temporal Memory Safety   | [ARM MTE]                               |
| Concurrent Thread Safety | [Intel <u>TSX]</u> [ARM TME]            |
| Intra-process Sandboxing | [Intel <u>SGX]</u> [Intel MPK]          |
| Process Sandboxing       | [x86/64 Privilege Rings]                |

[Intel MPK, x86/64 DEP/NX] [Intel MPX, RISC-V/ARM CHERI] [ARM MTE] [Intel <u>TSX</u>] [ARM TME]

# **Base Capability-based Model Is Insufficient**

**Example: P1 (Exclusive Access) cannot be achieved** 



#### Capabilities could do more (Watson et al., 2024)

- "Continuing to refine our understanding of memory safety"
- "Pushing beyond memory safety to ... software compartmentalization... for malicious programmers"
- "Exploring potential opportunities to compose ... memory- and type-safe ... languages, such as Rust"

#### **Capability-based Model in CAPSTONE**



[x86/64 Privilege Rings] [AMD <u>SEV</u>] [Intel <u>VT-x</u>] [Intel <u>TDX</u>] [ARM <u>CCA</u>] [ARM <u>TZ</u>] [Intel <u>TXT</u>] [Intel VT-x] [Intel SGX]

#### **Problem: Compose Security Extensions?**

+ Exception handling (Cui et al., 2021)



Arbitrary code execution Affecting 9 SGX runtimes CVE-2021-0186, CVE-2021-33767 + Memory sharing (Yu et al., 2022)

2 Android 3 Fedora 4 Ubuntu Linu

5 Linux Kerne

6 Mac Os X

Windows 1

8 Windows Se

9 Iphone Os

10 Chrome





2-3 orders of magnitude overhead

#### **Capability Types**



#### Examples

- Linear capability: Non-duplicable
- Revocation capability: A capability "snapshot", usable only for revocation



#### **Nestable Two-Way Domain Isolation**



• Isolated software components in **domains** 

#### Goal

Can one design a unified foundation for multiple security goals? (Yu et al., 2023)

#### Our answer:

#### CAPSTONE

an ISA (instruction set architecture) based on RISC-V (RV64IZicsr)



P4: Secure Domain Switching

CAPSTONE

Capstone (USENIX '23)



Domain A



#### **Expressive Program Safety**

- **Spatial memory safety** enforced through bounds checking
- **Temporal memory safety** enforced through the revocation mechanism
- CAPSTONE model is similar to **Rust's ownership**, borrowing, and AXM principles, and detects their violations in mixed Rust code







- Domains share memory exclusively through capabilities
- A domain can be *pure-cap*, i.e., it uses capabilities explicitly for all memory accesses
- Alternatively, a domain can have an *internal* structure with a compatible capabilityoblivious software stack in S-mode and Umode. Memory accesses in such software ultimately translate to accesses with capabilities the domain holds



### **Starting Point: Hardware Capabilities**

- A Hardware Capability is a (pointer, metadata) tuple
- Created or modified only by querying the hardware
- Sufficient and necessary to access the corresponding memory
- Has the associated permissions embedded in it and is enforced by hardware
- Capability machines existed in '80s, but had challenges scaling securely



sd

#### **Publications**

13

14

- [1] J. Cui, J. Z. Yu, S. Shinde, P. Saxena, and Z. Cai, "SmashEx: Smashing SGX Enclaves Using Exceptions," in *Proceedings of the 2021 ACM SIGSAC* Conference on Computer and Communications Security, Virtual Event Republic of Korea: ACM, Nov. 2021, pp. 779–793. doi: 10.1145/3460120.3484821.
- [2] J. Z. Yu, S. Shinde, T. E. Carlson, and P. Saxena, "Elasticlave: An Efficient Memory Model for Enclaves," in 31st USENIX Security Symposium, USENIX Security 2022, Boston, MA, USA, August 10-12, 2022, K. R. B. Butler and K. Thomas, Eds., USENIX Association, 2022, pp. 4111–4128. [Online]. Available: https://www.usenix.org/conference/usenixsecurity22/presentation/yu-jason
- [3] J. Z. Yu, C. Watt, A. Badole, T. E. Carlson, and P. Saxena, "CAPSTONE: A Capability-based Foundation for Trustless Secure Memory Access," in 32nd USENIX Security Symposium (USENIX Security 23), Anaheim, CA: USENIX Association, Aug. 2023, pp. 787–804. [Online]. Available: https://www. usenix.org/conference/usenixsecurity23/presentation/yu-jason



CAPSTONE



**Documentation** 



Jason

