diff --git a/.github/workflows/build-jekyll.yml b/.github/workflows/build-jekyll.yml new file mode 100644 index 0000000..83887f1 --- /dev/null +++ b/.github/workflows/build-jekyll.yml @@ -0,0 +1,33 @@ +name: build and deploy jekyll + +on: + push: + branches: + - master + +jobs: + build_and_deploy: + runs-on: ubuntu-latest + steps: + - name: checkout + uses: actions/checkout@v3 + + - name: rubygems cache + uses: actions/cache@v3 + with: + path: vendor/bundle + key: ${{ runner.os }}-gems-${{ hashFiles('**/Gemfile.lock') }} + restore-keys: | + ${{ runner.os }}-gems- + + - name: jekyll deploy + uses: "jeffreytse/jekyll-deploy-action@v0.4.0" + with: + provider: "github" + token: ${{ secrets.GITHUB_TOKEN }} + branch: "gh-pages" + jekyll_src: "./" + jekyll_cfg: "_config.yml" + cname: "jackbondpreston.me" + actor: "jackbondpreston" + pre_build_commands: "pacman -S --noconfirm libvips lcms2 openjpeg2 libpng libwebp libheif imagemagick openslide libjxl poppler-glib" diff --git a/.gitignore b/.gitignore index ebda902..b4dfc49 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1,2 @@ .jekyll-cache +_site/ diff --git a/_site/2022/11/14/sensor-watch.html b/_site/2022/11/14/sensor-watch.html deleted file mode 100644 index f031a72..0000000 --- a/_site/2022/11/14/sensor-watch.html +++ /dev/null @@ -1,308 +0,0 @@ - - - - - - -
- - -some time back I was browsing Crowd Supply when I came across the Sensor Watch project by Joey Castillo. I had wanted some kind of “hackable” watch for a while, and had looked at things like Watchy, but this project hit the sweet spot for me. I love my existing F91-W, and this project was a good combination of open source with community software support. one key feature that was important to me is battery life - the Sensor Watch battery life in an average usage scenario is so long that Joey’s is still going strong!
- -I was excited to pick one up and start messing around with it, but the first issue I came across was availability - the delivery date for Crowd Supply orders was summer 2023 (I think they ended upbeing delivered sooner than this, not sure). on top of this, shipping and import fees made it pretty prohibitively expensive. I’ve always found this to be an issue with Crowd Supply as someone based in the UK, even some things designed in the UK are very expensive from Crowd Supply as they are assembled in/shipped from the US. so I decided to build one myself! of course, this is more expensive than just buying it, but this was a learning experience and knowledge is power!
- -the first challenge was acquiring all the necessary parts to actually build one. I downloaded the PCB files and generated a BOM to figure out exactly what I needed to acquire. I’m sure in ordinary times this would be easy enough, but the current state of some electronics/silicon supply chains had other things to say. some parts are of course still easy to come across, e.g. 10pF 0402 caps and 10k 0603 resistors; most of the components of the Sensor Watch are this kind of commonplace part. what quickly became clear from some scouring of the internet was that my main problem was going to be two parts: the ATSAML22J18A-MUT(the processor driving the Sensor Watch), and the FH19C-9S-0.5SH(10) (the connector used to attach the extra sensor boards).
- -the former of these was a fairly well discussed shortage that had been ongoing for a while. it was -the driving force of the Sensor Watch Crowd Supply delay. I spent quite a lot of time searching around the internet, looking at various sites on the English-speaking and Chinese-speaking web. sadly this part was clearly in very short supply, and prices could get pretty insane from vendors that did have some stock. I received quotes for unit prices that include the following (USD/GBP): $79.35, $6.56, $13.61, $6.83 (MOQ 4000), £6.45. I guess some people are desperate enough to pay $79.35 :(. I spent so long looking for them that they ended up randomly coming back in stock on MicrochipDirect. as of the time of writing this article, they are again out of stock. the unit price I bought them for was £3.92, shipping and handling was ~£12.
- -this part was out of stock everywhere I initially looked (the usual contenders for parts). I searched around in a similar manner as the ATSAML22J18A-MUT, and found some similarly wild pricing. I ended up purchasing a small quantity at a unit price of £0.44 from a website called -dacikeys. yes, the site is actually called this. yes, the unit price is cheaper than digikey and mouser. yes, I actually received all of my order, consisting of working parts. I was definitely shocked that this happened, but sometimes bravery pays off I guess. I still can’t endorse this shop.
- -for the PCB I opted to go with JLCPCB. I simply uploaded the relevant gerbers, and adjusted the necessary settings. notably, the thickness should be 0.6mm - this does narrow the choice of manufacturer (for example, OSH Park doesn’t go this thin). I haven’t yet ordered any sensor board PCBs, but PCBWay seems to be the option there. The PCB turned out great, although the silkscreen is a little hard to read at this size due to lack of sharpness:
- - -I decided to assemble myself. partially because the logistics of paying for assembly when I had to source parts from many different providers seemed like a headache, partially because I thought it would be a fun challenge and learning experience!
- -a few things were necessary to solder the components to this PCB. I’m sure someone talented could hand solder this with an iron, but I can name a lot of things I’d rather do than try to do that -(especially the QFN SAML) - and that list includes unpleasant things. I opted to go with -hotplate soldering, which is a cheaper way to access the ease of reflow soldering. for a PCB like the Sensor Watch, where almost all the components are on one side, it’s ideal. the hotplate I have is the ever-popular -MHP30, which I run IronOS on. I highly recommend it, it’s great! my soldering iron is the iconic -Pinecil (not the fancy new V2 though :[) which also runs IronOS. nice!
- -the assembly process is as follows:
-one area I found particularly difficult was the area with the oscillator crystal and the two 0402 capacitors, C7 and C8. things are a bit cramped here, so extra care was needed:
- - -at this point the watch was assembled with all components in place. did it work? at this stage, no idea. hopefully yes, and I could progress to the more familiar world of embedded software.
- -the next necessary step is to flash the bootloader, so that we can put the firmware in place. unfortunately this requires a little more real-world action. we need to access the SWD points on the board to write the bootloader. ideally you could do this with some kind of -pogo pin jig - and if you were doing any number exceeding about 5 I’m sure this would be worth the time. however, I decided to just solder some jump wires (stripped on one end, solid tip female on the other) to the points on the board. they’re all close, but it’s easy enough to do (albeit ugly). then I connected these to my -Adafruit Trinket M0 (PyRuler would also work).the pin mapping is as follows: SWD=0, SWC=1, RST=3, V+=3V, GND=GND.
- -I used the -flasher from the sensor watch repo to flash the bootloader. note that you could build the bootloader yourself first and put the generated binary into bootloader.h - the source is located -here. personally, I just used the prebuilt version from the repo. I had to change part of the Adafruit DAP library and add the SAM L22 DID to get this to work, -I provided the diff of this change in a Sensor Watch GitHub issue (I just now am remembering I promised to upstream this, oops!). mercifully, I got the red blinky LED, and all was good! I unsoldered the wires from the board, and tried to clean up most of the solder blob to keep the board fairly flat.
- -now the bootloader is in place, the main firmware can be installed! -the community firmware, Movementis great, so this is what I installed. there are a bunch of different useful faces available, and more functionality is always being added. -flashing firmware was easy: I plugged the PCB into the end of a USB Micro B cable (plugged on the other end into my computer) and double tapped the reset button (I find this has to be done quite quickly, using my fingernail was the trick to doing this reliably on such a small button). done successfully, the LED on the board pulses and a new drive labelled “WATCHBOOT” appears on the computer. now a built UF2 firmware file can just be dragged onto the device to flash, thanks to the bootloader flashed earlier. for the initial test, I just used a -prebuilt image to check everything was working. I flashed this, and the LED pulsed and turned off, signalling success.
- -from here I just assembled the watch with the Sensor Watch PCB, and it worked! I verified LED and buzzer function by playing around with various functionality. success!
- -one face I found particularly cool was the TOTP face. I use TOTP -2FA on various accounts, so having access to the codes on my wrist at all times was really appealing. at the time, the TOTP face only supported one key - so I decided to improve it.
- -thankfully, Sensor Watch has an emulator for development. without this, development would be pretty tiresome with the flashing and reassembling of the watch getting tiring if you needed to iterate on some code and test it on the watch. the emulator runs inside the browser and uses -Emscripten. -some minimal instructions on how to build this is available on the README. this allowed me to extend the TOTP face easily and allow for multiple keys. -my PR was merged, and the functionality is now available for anyone to use. the keys are added at compile time, so they are baked into the firmware on flashing. for my purposes this is fine, as I never really change them. however, with the recent addition of a -LittleFS filesystem, the community have added a version of the face which stores the keys on the filesystem. awesome!
- -some more details on using Sensor Watch for TOTP is available -on this blog post -(HN discussion, if you dare). it’s even running my code :)!
- -some summary thoughts:
-email me to have a conversation
-CHERI is an acronym for Capability Hardware Enhanced RISC Instructions. it is a security-focussed project aimed at improving memory protection at the hardware level. the project is complex and it has many potential applications.
- -in this article I will go into some basics to give an understanding behind some changes that CHERI makes to how programs execute and are written. this will be focussed almost entirely in C, as this is where my experience lies - it is also where some of the effects of CHERI are most easily felt.this article is going to be a very simplistic introduction to CHERI, and I’m going to attempt to explain the basics behind everything I cover. a basic understanding of C will be beneficial.
- -note: the Morello platform is an evaluation board produced by Arm to provide a physical implementation of CHERI extending the Arm AArch64 ISA. I previously worked on this platform at Arm, porting the musl C library to Morello. implementations for CHERI that are worth looking into from a more open perspective are the MIPS (chapter 4) and RISC-V (chapter 5) ones. Morello is the only implementation that exists in a true hard core format, afaik - but this is obviously hard to obtain so you’ll just be playing around with emulators/models anyway.
- -to first understand how CHERI tries to fix some simple issues, let’s first look at some simplified examples of issues that arise when we aren’t using a CHERI-based architecture.
- -let’s take a look at this C code:
- -1
-2
-3
-4
-5
-6
-7
-8
-9
-10
-11
-12
-13
-
#include <stdio.h>
-
-int main() {
- char my_perfect_string[] = "what a beautiful string"; // so beautiful, I sure hope no-one touches it
- char user_name[32];
-
- printf("enter your name: ");
- fgets(user_name, 1000, stdin); // get user's name from stdin
- printf("hello %s", user_name);
- printf("my_perfect_string: %s\n", my_perfect_string);
-
- return 0;
-}
-
now let’s try using our new program:
- - - -works on my machine boss! code review +1, and merged… until our good friend Hubert Blaine Wolfeschlegelsteinhausenbergerdorff Sr. comes along. he emails me a strangeerror he’s seen:
- - - -that’s not supposed to happen! his name has spilled over into our my_perfect_string[]
array! turns out our issue is that when we use fgets()
, we’ve set the second parameter, size
, to 1000
- but our user_name[32]
array c1593an only fit 32 characters (and the last of these should be a null terminator, so 31 usable characters).
fgets
fills up user_name
, but it hasn’t finished with the name yet! it doesn’t care (or know) that user_name
is full, it’s just going to keep going until it finishes our user input, or reads 999 characters from standard input. and thus it keeps mindlessly writing, overwriting the memory we’ve used to store our precious perfect string (which happens to be immediately after user_name
). let’s take a look at the stack in GDB to see why this happens:
we can see our two character arrays are right next to each other on the stack (user_name
contains some gibberish as it is not zero-initialised).
note: this code was compiled with -fno-stack-protector
to reproduce this behaviour. compilers have certain techniques like this which can help protect against such attacks, but there are often ways around these by using less primitive attacks.
okay, it’s a pretty easy fix, we just need to change the fgets(char *s, int size, FILE *stream)
parameter size
to 32
.
note: you may initially think “why not 31? don’t we need to save a character for the null byte at the end?”. thankfully, fgets
does this for us. excerpt from man fgets
:
-- -“fgets() reads in at most one less than size characters from stream and stores them into the buffer pointed to by s […] A terminating null byte (‘\0’) is stored after the last character in the buffer”.
-
this is a good question to be asking though, being careful is key when it comes to these kinds of things.
- -okay, so that’s an easy fix. why are we talking about doing anything in hardware here? just write the code correctly! the issue is code gets very complex, and this is a very simplistic situation. some memory safety bugs can be incredibly complicated and go unnoticed for decades. the C language especially gives the programmer many, many opportunities to make mistakes - and it only takes one to be a problem. a lot of the software we are using these days is based on stacks upon stacks of software written in different languages, and there are going to be bugs in there. CHERI should give us some protection “for free” (it’s not this simple, in actuality).
- -some languages (e.g. Rust) are going to offer you strong memory safety guarantees at compile-time, but that’s not the topic of this article. the differences between doing this kind of protection in software or hardware (or both) is more complex than the scope of this article. in addition, CHERI’s benefits are more wide in breadth than just protecting against this kind of issue.
- -let’s quickly recap a basic idea of what a pointer is. we’re going to ignore things like virtual memory for brevity. we can think of a pointer in a normal 64-bit architecture (e.g. AArch64) simply as a 64-bit unsigned value that holds the memory address of something we care about. this is a simplification (as are most things), but it can help us reason about the general idea:
- - - - - -and on these normal architectures, this pointer generally is just a number. we can do weird things with it, treating it as a number…
- -1
-2
-3
-4
-5
-6
-7
-8
-9
-10
-11
-12
-13
-14
-15
-16
-17
-18
-19
-20
-21
-
#include <stdio.h>
-
-int main() {
- int magic = 9999;
- (void)magic;
- int arr[] = { 1234, 5678 };
-
- int *x = &(arr[0]); // x is a pointer to first element of arr
- printf("*x=%d\n", *x);
-
- unsigned long x_addr = (size_t) x; // we're going to assume size_t = unsigned long here
- x_addr += 4; // sizeof(int) == 4
- x = (int *) x_addr;
- printf("*x=%d\n", *x);
-
- x_addr += 4;
- x = (int *) x_addr;
- printf("*x=%d\n", *x);
-
- return 0;
-}
-
…and this code will often still work:
- - - -yikes! now, when you start messing with pointers like this, you’re bound to run into a bunch of undefined behaviour. but C programmers write undefined behaviour all the time, and my computer executes this program fine without complaining at all. doesn’t it feel a bit weird that we can take a pointer to arr[0]
and modify it to load secret
? they’re not even part of the same array…
CHERI introduces capabilities, which can be thought of as an extension to pointers. they still store an address of something we care about, but they have extra information too! in a 64-bit system, a pointer would typically be a 64-bit value (as dicussed previously). the corresponding capability in a CHERI platform is 128 bits (or 129 bits if you look at it a certain way, more about that later…).
- -as you might have guessed, this “extra information” takes up 64 bits of the capability. bits are assigned to three key pieces of metadata: bounds, permissions, and object type. there is also an additional 1-bit tag which is stored out-of-band: it is not a 129-bit value - instead each 128-bit capability can be thought of as being associated with a 1-bit validity tag. the architecture manages this. the diagram below is provided as a rough overview of this. note that it is not to scale.
- - - -I am mostly going to focus on bounds in this article, as it is not too difficult to grasp, and the impact is fairly easy to demonstrate for some simple examples. the bounds represent an upper and lower bound on the memory region (address space) that this capability is allowed to access. if we try to use the capability to access some address outside of this range, the hardware will throw a fault - it simply won’t let us do this!
- -note: it is important to note that I am going to oversimplify the way the bounds are stored in this article. this especially includes the diagram above. in reality, there is a complex compression method, necessitated by the range and sizes required by bounds. this depends on the address value, alignment, etc. for now, we shouldn’t need to think about this much, just know it will be managed for us. the key take-away from this is that bounds can’t always be 100% precise for all addresses and ranges.
- -can you imagine how we can use bounds to prevent our previous memory safety bug from occurring? the key is that we can set the bounds on the capability pointing to user_name
which we pass to fgets
, such that the capability may only access the contents of the array. this means that when fgets
tries to write past the end of the user_name
array, the processor will throw a capability fault, and execution of our program will cease.
the idea behind CHERI is that we don’t have to set up these bounds ourselves. this is something the compiler can generate code for. the compiler knows that the user_name
array has a length of 32
, and can set the bounds accordingly on capabilities created that point to it. let’s try it…
unless you’re lucky enough to have access to a physical Morello board, there is the issue of actually using a CHERI implementation. for this article I will be making use of the QEMU emulator to emulate a RISC-V CHERI environment. running CheriBSD on this emulator will allow us to have a nice FreeBSD-based capability-enabled environment to play around with. I’ll use cheribuild to easily get set up (the cheribuild.py
step will take a very long time the first time):
now we have our shell inside our CheriBSD emulated platform, we can start to try things out. let’s compile our membug
program again, this time with the toolchain targetting CheriBSD RISC-V - this will have been built as part of the dependencies already. once it’s built, we can scp
it over to the CheriBSD filesystem, as we set up the SSH forwarding port to
-1111
.
and now we can see what happens when we explore our bug with CHERI:
- - - -it’s working! we are getting a capability fault as we exceed the bounds of the
-user_name
capability bounds. we can use gdb to verify this is caused by the bounds fault:
1
-2
-3
-4
-5
-6
-7
-8
-9
-
(gdb) run
-Starting program: /root/membug-cheribsd
-enter your name: Hubert Blaine Wolfeschlegelsteinhausenbergerdorff Sr.
-
-Program received signal SIGPROT, CHERI protection violation.
-Capability bounds fault caused by register ca6.
-0x0000000040314ce8 in memcpy (dst0=0x3fffdfff44, src0=<optimized out>, length=54) at /home/jack/cheri/cheribsd/lib/libc/string/bcopy.c:143
-(gdb) p $ca6
-$1 = () 0x3fffdfff78 [rwRW,0x3fffdfff44-0x3fffdfff64]
-
as we can see, the bounds for our user_name
capability (which is stored in capability register ca6
) are 0x3fffdfff44-0x3fffdfff64
, but the address is 0x3fffdfff78
. this is out of the bounds allowed by the capability, so the architecture throws a fault. if we look at the assembly generated by the compiler, we can see it set our capability bounds to a size of 32 to enforce this behaviour:
1
-2
-3
-4
-5
-6
-7
-8
-9
-10
-11
-12
-13
-14
-15
-16
-17
-
0000000000001ce8 <main>:
-; int main() {
- cincoffset csp, csp, -160
- csc cra, 144 (csp)
- csc cs0, 128 (csp)
- cincoffset cs0, csp, 160
- cincoffset ca0, cs0, -36
- csetbounds ca2, ca0, 4
- cincoffset ca0, cs0, -60
- csetbounds ca0, ca0, 24
- csc ca0, -128 (cs0)
- cincoffset ca1, cs0, -92
- csetbounds ca1, ca1, 32
- csc ca1, -144 (cs0)
- mv a1, zero
- csd a1, -104 (cs0)
- csw a1, 0 (ca2)
-
at this point you may be thinking “okay, that’s great, but if we can just set the bounds of a capability with an instruction then what’s the point? surely I can just set global bounds on some random pointer and access whatever I want?”
- -fundamental to the idea of capabilities is their provenance and monotonicity. simply put, the first says we can only construct a capability using specific instructions, from an existing capability. we can’t just create a capability from some random number. let’s see what happens when we try to run our ptrs_as_numbers
program on CheriBSD:
we can see we get a fault - the tag isn’t set. any capability with a tag not set to 1 cannot be dereferenced - it is invalid. in fact, this capability has no capability metadata - when we copied it into our unsigned long
, we just copied the 64-bit address.
monotonicity is what stops us taking an existing capability, and creating a capability with more permissions and/or access than the original. it stipulates that when we create a capability from another capability (which we have to do - provenance), the permissions and bounds of the new capability must be equal to or less than the original. so our bounds can only get narrower as we create new capabilites from an existing capability. this means that capabilities trace back in a chain - they are all created from other capabilities, and narrowed as necessary. in this case, (simplified) when the kernel loads our program it will give us capabilities that are wide enough to do everything we need to do, and the compiler will try and make sure all the capabilities that we make and use from these are as tightly bound and unpermissive as possible.
- -you’ll notice we got a lot of these benefits “for free”. we only had to recompile our code, and we got this extra security. of course, CHERI does require changes to programs. naturally, the compiler had to be changed a lot to implement this behaviour. it also especially requires changes to things like the C library and kernel in order to take advantage of the features fully. sufficiently large userspace programs do need changes too. one common issue is that a lot of existing C code assumes that sizeof (*void) == sizeof(size_t)
. with CHERI, our pointers are now twice as big. however, size_t
hasn’t changed size, as the address space size hasn’t changed - for example, if we index into an array with size_t
, the index should still be the same size; the extra data in our void *
capability is the metadata, not extra address data. any program that tries to convert from some unsigned long
or size_t
to a capability will fault - this violates provenance. so, sometimes code changes have to be made to ensure we are keeping the capability metadata around.
I appreciate this has been a fragmented and surface level introduction to CHERI. hopefully it has provided some education in some basic aims of CHERI regardless. potential benefits and uses for CHERI go much deeper than anything I’ve touched on here, so please, read more about everything - and get your hands dirty trying out messing about with qemu and CheriBSD!
- -here are some links to check out:
- -email me to have a conversation
-you can contact me via email or on linkedin
- -my cv is available for viewing here.
- -i have personal accounts on github and gitlab
- -some of my work at arm on morello is available on the -d morello musl gitlab
- -my onload commits at amd can be found on the github repo
- -