News
- 04/2024 We will present a talk (slides here, video here) and a poster at CheriTech’24.
- 04/2024 We are working on supporting multi-process applications in single address space operating systems with CHERI, check out this early demo.
- 11/2023 We will be presenting a poster, entitled “FlexCap: Software Compartmentalisation Trade-Offs with Hardware Capabilities” at DSbD All Hands.
- 10/2023 We have released the source of FlexOS on Morello, together with the applications evaluated in our paper Software Compartmentalization Trade-Offs with Hardware Capabilities, here.
- 09/2023 Our paper entitled “Software Compartmentalization Trade-Offs with Hardware Capabilities” is accepted in PLOS’23.
- 03/2023 We gave a talk at CheriTech’23 outlining our research into hybrid Morello compartmentalization with FlexOS; the slides can be found here.
- 12/2022 Our paper Assessing the Impact of Interface Vulnerabilities in Compartmentalized Software is accepted at NDSS’23. The artifacts (source code & data set) are open source and available here.
- 11/2022 We have ported a minimal version of Unikraft to the Morello machine; check out the code here, and our blog post on Unikraft’s website here.
Project Description
In the FlexCap project, we propose to explore the benefits that hardware capabilities bring to operating systems’ safety, performance and memory consumption. To that aim we propose to port two operating systems, FlexOS and Unikraft, to the ARM Morello platform, and to investigate in that context the two main features provided by capabilities: efficient, scalable compartmentalization, and safe versions of legacy programming languages through pure/hybrid capabilities.
FlexOS is a safety-oriented library operating system in which the safety/isolation strategy can be easily tailored at build time towards a specific application use case. Many safety options can be configured, including in particular the granularity of kernel/user component isolation and the hardware mechanism enforcing that isolation. We expect that leveraging the efficient compartmentalization features of hardware capabilities in FlexOS will bring significant advantages over the mechanisms the OS already supports (Intel Memory Protection Keys and Extended Page Tables). Because capabilities offer fine-grained memory protection, safety is increased by sharing only the minimum amount of data needed for cross-compartment communication. The performance of such communication should also improve compared to solutions based on data copying. Capabilities will also allow FlexOS to scale to a high number of compartments, something not possible with the currently supported mechanisms, for architectural (MPK) or performance (EPT) reasons.
A first step towards porting FlexOS to Morello is to port FlexOS’ basis, Unikraft, to the platform. Unikraft is a high-performance, low-latency unikernel targeting cloud and edge applications. Unikraft’s performance benefits come from the fact that, following the unikernel OS model, kernel and application code share a single, completely unprotected address space. This obviously raises security concerns. Porting Unikraft to Morello gives us the unique opportunity to study bringing safety back into unikernels while maintaining the high degree of performance offered by that OS model. We plan to achieve this using the safety benefits that capabilities bring to legacy programming languages (Unikraft is written in C) through pure and/or hybrid capabilities.
FlexCap is part of the Digital Security by Design programme, and is one of several projects aiming to create a software ecosystem for DSbD.
Publications & Documents
Papers
- Software Compartmentalization Trade-Offs with Hardware Capabilities.
J. A. Kressel, H. Lefeuvre, P. Olivier.
PLOS’23 [ArXiv]
In this paper we present and evaluate our port of a compartmentalisation-aware operating system, FlexOS, to the DSbD Morello chip.
- Assessing the Impact of Interface Vulnerabilities in Compartmentalized Software.
H. Lefeuvre, V. Bădoiu, Y. Chien, F. Huici, N. Dautenhahn, P. Olivier.
NDSS’23 [ArXiv]
Efficient software compartmentalisation is one of the key features enabled by Morello. In this paper we explore the specific vulnerabilities that emerge at cross-compartment boundaries when retrofitting compartmentalisation into existing monolithic software.
- Towards (Really) Safe and Fast Confidential I/O.
H. Lefeuvre, D. Chisnall, M. Kogias, P. Olivier.
HotOS’23 [Pure]
In this paper we investigate securing the I/O interface of confidential VMs through various techniques, including a multi-tier compartmentalisation approach for which the mechanisms enabled by Morello are a great fit.
- CIVSCOPE: Analyzing Potential Memory Corruption Bugs in Compartment Interfaces.
Y. Chien, V. Bădoiu, Y. Yang, Y. Huo, K. Kaoudis, H. Lefeuvre, P. Olivier, and N. Dautenhahn.
KISV’23 [ACM]
In this paper we explore static analysis to detect interface vulnerabilities emerging in software compartmentalised with various mechanisms such as Morello.
Talks
- FlexCap: Exploring Hardware Capabilities in Unikernels and Flexible Isolation OSes,
P. Olivier.
CheriTech’24 [slides]
In this talk we present the progress of the project so far on the topics of compartmentalisation and safe C/purecap, as well as ongoing work.
- A Study of Fine-Grain Compartment Interface Vulnerabilities: What, Why, and What We Should Do About Them.
H. Lefeuvre.
FOSDEM’23 [Video]
In this talk we present the results obtained as part of the NDSS’23 paper.
- FlexCap: Compartmentalisation on Unikernels with Hybrid Capabilities
J. A. Kressel.
CheriTech’23 [Slides]
In this talk we present our early experience with porting an OS to Morello in hybrid mode.
- Compatibility and Isolation in Specialised Operating Systems
P. Olivier.
Talk at Heriot-Watt University’s LAIV Seminar [Video] [Slides]
In this talk we present various research efforts, including FlexOS, the OS ported to Morello as part of FlexCap.
- Research on Software Compartmentalisation
P. Olivier.
Talk at the Crackchester student association Hacker’s Hub event [Slides]
In this talk we present the concept of software compartmentalisation as well as FlexOS.
- FlexOS - Making OS Isolation Flexible
H. Lefeuvre.
Huawei Future Device Technology Summit 2023 [Slides]
In this talk we present FlexOS in detail.
- Software Compartmentalization and the Challenge of Interfaces
P. Olivier.
IRISA Software Systems Security Seminar [Video] [Slides]
In this talk we present the concept of compartmentalisation as well as the interface safety investigation published in the NDSS’23 paper.
Theses
- Exploring Software Compartmentalisation with Hardware Capabilities
J. A. Kressel, 2023, MPhil Thesis at The University of Manchester [PDF]
This thesis presents our port of FlexOS to the Morello chip.
Software & Research Artefacts
- Our port of Unikraft to Morello (hybrid capabilities mode)
- ConfFuzz, an exploratory fuzzer designed for uncovering interface-related vulnerabilities in compartmentalized software
- ConfFuzz NDSS’23 paper data set
- FlexCap is in part an extension of FlexOS, an OS in which the isolation strategy is decoupled from the OS design
Contact
- Pierre Olivier, The University of Manchester
pierre dot olivier at manchester dot ac dot uk