-
Notifications
You must be signed in to change notification settings - Fork 0
/
charter.txt
51 lines (39 loc) · 2.53 KB
/
charter.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
Hardware Assisted Fault Isolation (HFI) on the RISC-V platforms
Chairs: Tal Garfinkel (UC San Diego), Shravan Narayan (Individual)
This TG will define the threat model and ISA for RISC-V processors to enable
efficient, fine-grain isolation within a common virtual address space such that
software can be restricted via hardware isolation for data accesses and code
execution. This functionality is termed as Hardware-assisted Fault Isolation
(HFI)[1]. The terms sandboxing, compartmentalization, and in-process isolation
are also used for this type of capability.
The TG will consider the following use-cases in the scope for the ISA:
1. Unmodified existing/legacy (legacy C/C++ "native" code) or new native
binaries (such as serverless scenarios).
2. Runtime-supported frameworks (workloads where there is a "sandboxing
compiler") such as WebAssembly, v8's UberCage, or other custom software-based
isolation schemes built in the future.
These are currently software-based isolation systems that are extremely
multi-tenant and have significant performance, assurance, security (e.g.
ensuring Spectre attacks don't compromise isolation), and scalability
limitations that current hardware cannot support.
The TG aims to deliver:
- A minimal ISA spec with primitives required to implement HFI. These primitives
allow isolation by enforcing least-privilege access to data within the address
space and efficient controlled-sharing between sandboxes. The ISA will enable
HFI for same-mode execution (no mode transitions), with dependencies on other
ISA (e.g. Sv, CFI) specified.
- A non-ISA specification (ABI) between the runtime (TCB) and (sandboxed)
non-TCB components, to manage sandbox interactions.
- A non-normative security analysis document for implementers of this capability
that provides hardware and software recommendations (e.g. dependencies on other
ISA security mechanisms if any, design patterns for software use etc.).
Development of these specifications will happen in collaboration with Security
HC, Runtime Integrity SIG and other related RVI and external open source work
groups (e.g. WASM, v8). As part of the ratification, the TG will create at least
one open-source implementation of an HFI-enabled runtime and compiler toolchain,
with supporting tests to validate the functional correctness of the
implementation. Any ISA proposed made will be modeled via tools such as
QEMU/Spike to support the POC.
Bibliography: [1] Going beyond the Limits of SFI: Flexible and Secure
Hardware-Assisted In-Process Isolation with HFI. Shravan Narayan et al. ASPLOS
2023.