CHERIoT and the supply chain

Submitted by Style Pass, 2024-04-04 14:30:02

Late last week we learned that much of the world narrowly avoided a backdoor in SSH, introduced through sshd's dependency on liblzma by way of libsystemd. A malicious actor inserted a backdoor into liblzma, the compression library of xz, which could compromise sshd through that dependency chain (the chain comes from Linux distributions' patches to OpenSSH and is not present in upstream OpenSSH). This specific attack does not apply to CHERIoT, because it targets programs with far larger system requirements than the devices we support, but the underlying concept is directly relevant: this is one of the categories of attack that CHERIoT was designed to protect against.

CHERIoT provides tools at several layers that reduce the risk of this kind of attack. Enabling fearless code reuse is one of our principal goals. This means more than mitigating accidental memory-safety bugs in C/C++ code: it means ensuring that even an active attacker in the supply chain can do only a limited amount of damage. In this post we discuss the layers that combine to provide these guarantees and how we arrived at this point.

As a compression library, liblzma has a simple interface: you provide it with buffers for compressed and uncompressed data, and it reads from one and writes to the other. Ideally, the library would be completely isolated, so that it could read the input buffer, write the output buffer, and do nothing else.
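To make the "reads the input, writes the output, and nothing else" ideal concrete, here is an added example that is not code from the CHERIoT project or from liblzma. It is a plain C++ model of a capability that carries bounds and permissions, a toy run-length encoder standing in for a compression library, and a backdoored build of that same encoder with an identical interface. The `Cap` type, its `narrow`, `load` and `store` checks, the arena layout, the secret and the sample input are all constructed for this example; on CHERIoT the equivalent bounds and permission checks are performed by the hardware on every load and store rather than by C++ code.

```cpp
// Added example (not CHERIoT RTOS code): a software model of the idea that a
// compression library should be able to read its input, write its output,
// and touch nothing else.  On CHERIoT the checks below are done by the
// hardware on every load and store; here they are ordinary C++ so that the
// example runs anywhere.
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <stdexcept>
#include <vector>

enum Perm : unsigned { PermRead = 1u, PermWrite = 2u };

// A capability: a pointer that carries the bounds and permissions it may be
// used with.  A derived capability can only shrink bounds and drop permissions.
struct Cap {
    uint8_t *base;
    size_t   length;
    unsigned perms;

    Cap narrow(size_t offset, size_t len, unsigned keep) const {
        if (offset > length || len > length - offset)
            throw std::out_of_range("bounds may only shrink");
        return Cap{base + offset, len, perms & keep};
    }
    uint8_t load(size_t i) const {
        if (!(perms & PermRead) || i >= length)
            throw std::runtime_error("capability fault: load");
        return base[i];
    }
    void store(size_t i, uint8_t v) const {
        if (!(perms & PermWrite) || i >= length)
            throw std::runtime_error("capability fault: store");
        base[i] = v;
    }
};

// The library side: a toy run-length encoder with the same shape of interface
// as liblzma (one input buffer, one output buffer).  Returns bytes written.
size_t rle_compress(const Cap &in, const Cap &out) {
    size_t o = 0;
    for (size_t i = 0; i < in.length;) {
        uint8_t b   = in.load(i);
        size_t  run = 1;
        while (i + run < in.length && run < 255 && in.load(i + run) == b)
            ++run;
        out.store(o++, static_cast<uint8_t>(run));
        out.store(o++, b);
        i += run;
    }
    return o;
}

// A backdoored build with the same interface.  It tries to read one byte past
// its input, where it hopes the caller's secret lives, and to copy that byte
// out through the output buffer.  With checked capabilities the load faults.
size_t rle_compress_backdoored(const Cap &in, const Cap &out) {
    uint8_t leaked = in.load(in.length);
    out.store(0, leaked);
    return 1;
}

struct Result {
    size_t               written = 0;
    bool                 faulted = false;
    bool                 leaked  = false;
    std::vector<uint8_t> out;
};

// The caller side.  Constructed layout for this example: the input, then a
// 16-byte secret, then the output buffer, all in one arena the caller holds a
// full-permission capability to.  The library only ever receives a read-only
// capability to the input and a write-only capability to the output.
Result run_compression(bool backdoored) {
    static const uint8_t kInput[] = "aaaabbbcdd";   // 10 data bytes (constructed)
    const size_t inLen = 10, secretLen = 16, outLen = 32;
    const size_t secretOff = inLen, outOff = inLen + secretLen;

    std::vector<uint8_t> arena(inLen + secretLen + outLen, 0);
    std::memcpy(arena.data(), kInput, inLen);
    for (size_t i = 0; i < secretLen; ++i)
        arena[secretOff + i] = static_cast<uint8_t>(0x41 + i);   // the "secret"

    Cap root{arena.data(), arena.size(), PermRead | PermWrite};
    Cap in  = root.narrow(0, inLen, PermRead);          // input: read only
    Cap out = root.narrow(outOff, outLen, PermWrite);   // output: write only

    Result r;
    try {
        r.written = backdoored ? rle_compress_backdoored(in, out)
                               : rle_compress(in, out);
    } catch (const std::runtime_error &) {
        r.faulted = true;   // the library trapped; the caller keeps running
    }
    r.out.assign(arena.begin() + outOff, arena.begin() + outOff + r.written);
    r.leaked = (arena[outOff] == arena[secretOff]);
    return r;
}
```

The honest encoder turns the ten input bytes into eight output bytes and never needs more than the two capabilities it was given. The backdoored build has exactly the same signature, so nothing at the interface distinguishes it, but its very first out-of-bounds load faults and the caller's secret never reaches the output buffer. The design point is that the narrowing is done by the caller, not trusted to the library: the library cannot widen what it was handed.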
