zlacker

5 comments
1. phkahl+(OP) 2022-01-20 14:34:46
How does this compare to testing with address sanitizers?
replies(3): >>andsan+l3 >>trasz+y7 >>fulafe+PI2
2. andsan+l3 2022-01-20 14:53:11
>>phkahl+(OP)
Simple: testing won't prevent all the bugs, but only the ones you run into when testing (either fuzzing or unit testing), while enforcing some safety semantics, like they do here through capabilities, does. This means that, at least for using CHERI, you have to go through a custom compilation stack; the CHERI team has already been working on this tooling for a long time.
3. trasz+y7 2022-01-20 15:12:36
>>phkahl+(OP)
Apart from some more interesting scenarios enabled by CHERI: you probably don’t want to run all your production software with address sanitizers, because it would be unacceptably slow. Here the performance overhead is negligible.
replies(1): >>phkahl+a71
4. phkahl+a71 2022-01-20 19:39:41
>>trasz+y7
But maybe we can run sanitizers during testing and catch most of the issues CHERI will find without building it into hardware. OTOH that doesn't do anything to protect against malicious code, but that should be properly sandboxed anyway.
replies(1): >>jrtc27+w91
5. jrtc27+w91 2022-01-20 19:51:40
>>phkahl+a71
You should indeed run sanitisers during testing and catch most of the issues; we encourage this! What CHERI provides is twofold:

1. Memory safety issues not found in testing do not lurk as exploitable vulnerabilities; testing is never perfect, often far from it when it comes to edge/unexpected cases where vulnerabilities lurk (though fuzzing can help somewhat)

2. Sandboxing still needs some kind of isolation primitive, which CHERI can provide in place of the heavyweight MMU-based techniques that exist today

Plus let's not kid ourselves that all software is being tested with sanitisers. The vast majority of software running on your system probably is not.

6. fulafe+PI2 2022-01-21 06:17:31
>>phkahl+(OP)
Testing for security bugs means mostly fuzzing these days. AddressSanitizer is added instrumentation, flagging illegal program states even when the test case wouldn't trigger a crash normally.

Fuzzing helps, but it's a probabilistic method with fallible search mechanisms; there are going to be cases left that an intelligent adversary can find by reasoning, a different/better fuzzer, better instrumentation, or alternative techniques like symbolic execution, etc.
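An added example (not posted by anyone in this thread, and not CHERI project code) that makes the point of comments 5 and 6 concrete: a heap over-read whose unit test passes in a plain build, is flagged by AddressSanitizer, and would fault on CHERI. `count_colons_buggy` reads one byte past a 5-byte allocation; the test asserting it returns 2 almost always passes without instrumentation because the stray byte is rarely `':'`. Compiled with `-fsanitize=address`, the same read is reported as a heap-buffer-overflow. On CHERI the load itself would trap, since the capability returned by `malloc` carries the allocation's bounds; `struct bounded` and `bounded_load` below are a software model of that check, an assumed illustration rather than CHERI's real representation. The input string and the function names are constructed for this example.

```c
/*
 * Added example, not from the thread: the same off-by-one over-read
 * three ways. Build plain: the buggy count still "passes". Build with
 * -fsanitize=address: ASan aborts on the read past the allocation.
 * The bounded variant models hardware bounds enforcement in software.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Buggy: '<=' walks one byte past the end of buf. */
int count_colons_buggy(const char *buf, size_t n) {
    int c = 0;
    for (size_t i = 0; i <= n; i++)   /* off-by-one */
        if (buf[i] == ':')
            c++;
    return c;
}

/* Fixed: correct loop bound. */
int count_colons_fixed(const char *buf, size_t n) {
    int c = 0;
    for (size_t i = 0; i < n; i++)
        if (buf[i] == ':')
            c++;
    return c;
}

/* Software model of a capability-style bounded pointer (assumed
 * illustration only): a base and a length, checked on every load. */
struct bounded {
    const char *base;
    size_t len;
};

/* Stores the byte at index i and returns 0, or returns -1 if the
 * access falls outside [base, base+len) without touching memory. */
int bounded_load(struct bounded b, size_t i, char *out) {
    if (i >= b.len)
        return -1;
    *out = b.base[i];
    return 0;
}

/* The same off-by-one loop, but every access goes through the bounds
 * check. The first out-of-bounds access is reported as -1 instead of
 * silently yielding whatever byte follows the allocation. */
int count_colons_bounded(struct bounded b) {
    int c = 0;
    for (size_t i = 0; i <= b.len; i++) {   /* same off-by-one */
        char ch;
        if (bounded_load(b, i, &ch) != 0)
            return -1;
        if (ch == ':')
            c++;
    }
    return c;
}

/* Constructed input: exactly SAMPLE_LEN bytes copied onto the heap,
 * no NUL terminator, so the over-read crosses the allocation's end. */
static const char SAMPLE[] = "a:b:c";
#define SAMPLE_LEN 5

/* Runs one of the raw-pointer counters over a fresh heap copy. */
int run_case(int (*fn)(const char *, size_t)) {
    char *heap = malloc(SAMPLE_LEN);
    if (!heap)
        return -2;
    memcpy(heap, SAMPLE, SAMPLE_LEN);
    int r = fn(heap, SAMPLE_LEN);
    free(heap);
    return r;
}

/* Runs the bounded counter over a fresh heap copy. */
int run_bounded_case(void) {
    char *heap = malloc(SAMPLE_LEN);
    if (!heap)
        return -2;
    memcpy(heap, SAMPLE, SAMPLE_LEN);
    struct bounded b = { heap, SAMPLE_LEN };
    int r = count_colons_bounded(b);
    free(heap);
    return r;
}

int main(void) {
    printf("fixed:   %d\n", run_case(count_colons_fixed));
    printf("bounded: %d\n", run_bounded_case());
    /* Plain build: usually prints 2 and the bug goes unnoticed.
     * -fsanitize=address: ASan reports heap-buffer-overflow here. */
    printf("buggy:   %d\n", run_case(count_colons_buggy));
    return 0;
}
```

Compile twice, `cc -O1 -g example.c` and `cc -O1 -g -fsanitize=address example.c`, and run both: the first prints three lines, the second stops at the buggy case with an ASan report naming the 1-byte read at offset 5 of a 5-byte region. The bounded variant returns -1 on that same iteration, which is the behaviour a trapping bounds check gives you in production, where no sanitizer is running.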
