Memory corruption attacks have been prevalent in software for a long time. Some mitigation strategies against these attacks do exist, but they are not as far-reaching or as efficient as the CHERI architecture. CHERI uses capabilities to restrict pointers to specific regions of memory with specific access permissions. These capabilities are also used to implement "compartmentalisation": dividing a binary into smaller components with limited privilege, in keeping with the principle of least privilege. However, while this architecture successfully mitigates memory corruption attacks, the compartmentalisation mechanisms in place are less effective at confining malicious code to a separate compartment. This paper details four ways to bypass compartmentalisation, with a focus on Linux and BSD operating systems ported to this architecture. We find that although compartmentalisation is implemented in these two operating systems, simple bugs and attacks can still allow malicious code to bypass it. We conclude with mitigation measures to prevent these attacks, a proof-of-concept demonstrating their use, and recommendations for further securing Linux and BSD against unknown attacks.