CHERI Macaroons: Efficient, host-based access control for cyber-physical systems

Title: CHERI Macaroons: Efficient, host-based access control for cyber-physical systems
Publication Type: Conference Paper
Year of Publication: 2020
Authors: Dodson, Michael; Beresford, Alastair R.; Richardson, Alexander; Clarke, Jessica; Watson, Robert N. M.
Conference Name: 2020 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW)
Date Published: September
Keywords: Access Control, CHERI, cps privacy, cyber-physical, Hardware, human factors, industrial control, integrated circuits, Kernel, Macaroons, privacy, pubcrawl, Robot sensing systems, Robotics, security, Sensors, Task Analysis

Abstract: Cyber-Physical Systems (CPS) often rely on network boundary defence as a primary means of access control; therefore, the compromise of one device threatens the security of all devices within the boundary. Resource and real-time constraints, tight hardware/software coupling, and decades-long service lifetimes complicate efforts for more robust, host-based access control mechanisms. Distributed capability systems provide opportunities for restoring access control to resource-owning devices; however, such a protection model requires a capability-based architecture for CPS devices as well as task compartmentalisation to be effective. This paper demonstrates hardware enforcement of network bearer tokens using an efficient translation between CHERI (Capability Hardware Enhanced RISC Instructions) architectural capabilities and Macaroon network tokens. While this method appears to generalise to any network-based access control problem, we specifically consider CPS, as our method is well-suited for controlling resources in the physical domain. We demonstrate the method in a distributed robotics application and in a hierarchical industrial control application, and discuss our plans to evaluate and extend the method.

Citation Key: dodson_cheri_2020