The IoT can become ubiquitous worldwide—if the pursuit of systemic trustworthiness can overcome the potential risks.
We propose a new memory-safe interpretation of the C abstract machine that provides stronger protection to benefit security and debugging. Despite ambiguities in the specifi- cation intended to provide implementation flexibility, contemporary implementations of C have converged on a memory model similar to the PDP-11, the original target for C. This model lacks support for memory safety despite welldocumented impacts on security and reliability. Attempts to change this model are often hampered by assumptions embedded in a large body of existing C code, dating back to the memory model exposed by the original C compiler for the PDP-11. Our experience with attempting to implement a memory-safe variant of C on the CHERI experimental microprocessor led us to identify a number of problematic idioms. We describe these as well as their interaction with existing memory safety schemes and the assumptions that they make beyond the requirements of the C specification. Finally, we refine the CHERI ISA and abstract model for C, by combining elements of the CHERI capability model and fat pointers, and present a softcore CPU that implements a C abstract machine that can run legacy C code with strong memory protection guarantees.
Previous research on consistent updates for distributed network configurations has focused on solutions for centralized networkconfiguration controllers. However, such work does not address the complexity of modern switch datapaths. Modern commodity switches expose opaque configuration mechanisms, with minimal guarantees for datapath consistency and with unclear configuration semantics. Furthermore, would-be solutions for distributed consistent updates must take into account the configuration guarantees provided by each individual switch – plus the compositional problems of distributed control and multi-switch configurations that considerably transcend the single-switch problems. In this paper, we focus on the behavior of individual switches, and demonstrate that even simple rule updates result in inconsistent packet switching in multi-table datapaths. We demonstrate that consistent configuration updates require guarantees of strong switch-level atomicity from both hardware and software layers of switches – even in a single switch. In short, the multiple-switch problems cannot be reasonably approached until single-switch consistency can be resolved. We present a hardware design that supports a transactional configuration mechanism, and provides packet-consistent configuration: all packets traversing the datapath will encounter either the old configuration or the new one, and never an inconsistent mix of the two. Unlike previous work, our design does not require modifications to network packets. We precisely specify the hardwaresoftware protocol for switch configuration; this enables us to prove the correctness of the design, and to provide well-specified invariants that the software driver must maintain for correctness. We implement our prototype switch design using the NetFPGA-10G hardware platform, and evaluate our prototype against commercial off-the-shelf switches.
racing the history of computer security and privacy is a mammoth undertaking, somewhat resembling efforts to combine archaeology and ethnology with a compendium of past and foreseen risks— and how different courses of history might have affected those risks in different ways. (For example, the University of Minnesota’s NSF-funded collection of oral histories from infl uential people in this area is a wonderful eff ort to capture some this information; htt ps://wiki. umn.edu/CBI_ComputerSecurity/WebHome.) Tracing the history of the IEEE Symposium on Security and Privacy (SSP), the longest-running computer security research meeting, is considerably easier—and quite relevant to the somewhat shorter history of IEEE Security & Privacy magazine. Indeed, a previous article writt en for the proceedings of the 31st SSP did exactly that,1 so it seems unnecessary to duplicate it here. Instead, we focus more on SSP’s evolution and its vital relevance to the research and development communities along its path from community gathering to premier security research meeting. We highlight some of the technological and engineering paradigms that SSP stimulated or were refl ected in intense discussions that ensued, and also to some extent SSP’s potential impact on the world at large.