Enabling Security on the Edge: A CHERI Compartmentalized Network Stack

• URL: http://arxiv.org/abs/2507.04818v1
• Date: Mon, 07 Jul 2025 09:37:59 GMT
• Title: Enabling Security on the Edge: A CHERI Compartmentalized Network Stack
• Authors: Donato Ferraro, Andrea Bastoni, Alexander Zuepke, Andrea Marongiu,
• Abstract summary: CHERI provides strong security from the hardware level by enabling fine-grained compartmentalization and memory protection.<n>Our case study examines the trade-offs of isolating applications, TCP/IP libraries, and network drivers on a CheriBSD system deployed on the Arm Morello platform.
• Score: 42.78181795494584
• License: http://creativecommons.org/licenses/by/4.0/
• Abstract: The widespread deployment of embedded systems in critical infrastructures, interconnected edge devices like autonomous drones, and smart industrial systems requires robust security measures. Compromised systems increase the risks of operational failures, data breaches, and -- in safety-critical environments -- potential physical harm to people. Despite these risks, current security measures are often insufficient to fully address the attack surfaces of embedded devices. CHERI provides strong security from the hardware level by enabling fine-grained compartmentalization and memory protection, which can reduce the attack surface and improve the reliability of such devices. In this work, we explore the potential of CHERI to compartmentalize one of the most critical and targeted components of interconnected systems: their network stack. Our case study examines the trade-offs of isolating applications, TCP/IP libraries, and network drivers on a CheriBSD system deployed on the Arm Morello platform. Our results suggest that CHERI has the potential to enhance security while maintaining performance in embedded-like environments.

Related papers

• CyFence: Securing Cyber-Physical Controllers via Trusted Execution Environment [45.86654759872101]
  Cyber-physical systems (CPSs) have experienced a significant technological evolution and increased connectivity, at the cost of greater exposure to cyber-attacks.<n>We propose CyFence, a novel architecture that improves the resilience of closed-loop control systems against cyber-attacks by adding a semantic check.<n>We evaluate CyFence considering a real-world application, consisting of an active braking digital controller, demonstrating that it can mitigate different types of attacks with a negligible overhead.
  arXiv  Detail & Related papers  (2025-06-12T12:22:45Z)
• Towards provable probabilistic safety for scalable embodied AI systems [79.31011047593492]
  Embodied AI systems are increasingly prevalent across various applications.<n> Ensuring their safety in complex operating environments remains a major challenge.<n>This Perspective offers a pathway toward safer, large-scale adoption of embodied AI systems in safety-critical applications.
  arXiv  Detail & Related papers  (2025-06-05T15:46:25Z)
• Safety and Security Risk Mitigation in Satellite Missions via Attack-Fault-Defense Trees [2.252059459291148]
  This work presents a case study from Ascentio Technologies, a mission-critical system company in Argentina specializing in aerospace.<n>The main focus will be on the Ground Segment for the satellite project currently developed by the company.<n>This paper showcases the application of the Attack-Fault-Defense Tree framework, which integrates attack trees, fault trees, and defense mechanisms into a unified model.
  arXiv  Detail & Related papers  (2025-04-01T17:24:43Z)
• A Comprehensive Framework for Building Highly Secure, Network-Connected Devices: Chip to App [1.4732811715354452]
  This paper proposes a holistic approach to securing network-connected devices.<n>At the hardware level, we focus on secure key management, reliable random number generation, and protecting critical assets.<n>For secure communication, we emphasize TLS 1.3 and optimized cipher suites tailored for both standard and resource-constrained devices.
  arXiv  Detail & Related papers  (2025-01-23T14:44:34Z)
• ACRIC: Securing Legacy Communication Networks via Authenticated Cyclic Redundancy Integrity Check [98.34702864029796]
  Recent security incidents in safety-critical industries exposed how the lack of proper message authentication enables attackers to inject malicious commands or alter system behavior.<n>These shortcomings have prompted new regulations that emphasize the pressing need to strengthen cybersecurity.<n>We introduce ACRIC, a message authentication solution to secure legacy industrial communications.
  arXiv  Detail & Related papers  (2024-11-21T18:26:05Z)
• How Memory-Safe is IoT? Assessing the Impact of Memory-Protection Solutions for Securing Wireless Gateways [0.0]
  Memory-based vulnerabilities are among the most serious threats in software, with no universal solution yet available. This paper explores the impact of memory safety on the IoT domain through an empirical large-scale analysis of memory-related vulnerabilities in modern wireless gateways.
  arXiv  Detail & Related papers  (2024-11-02T23:00:37Z)
• Securing the Open RAN Infrastructure: Exploring Vulnerabilities in Kubernetes Deployments [60.51751612363882]
  We investigate the security implications of and software-based Open Radio Access Network (RAN) systems. We highlight the presence of potential vulnerabilities and misconfigurations in the infrastructure supporting the Near Real-Time RAN Controller (RIC) cluster.
  arXiv  Detail & Related papers  (2024-05-03T07:18:45Z)
• Leveraging Traceability to Integrate Safety Analysis Artifacts into the Software Development Process [51.42800587382228]
  Safety assurance cases (SACs) can be challenging to maintain during system evolution. We propose a solution that leverages software traceability to connect relevant system artifacts to safety analysis models. We elicit design rationales for system changes to help safety stakeholders analyze the impact of system changes on safety.
  arXiv  Detail & Related papers  (2023-07-14T16:03:27Z)
• GRAVITAS: Graphical Reticulated Attack Vectors for Internet-of-Things Aggregate Security [5.918387680589584]
  Internet-of-Things (IoT) and cyber-physical systems (CPSs) may consist of thousands of devices connected in a complex network topology. We describe a comprehensive risk management system, called GRAVITAS, for IoT/CPS that can identify undiscovered attack vectors.
  arXiv  Detail & Related papers  (2021-05-31T19:35:23Z)
• Dos and Don'ts of Machine Learning in Computer Security [74.1816306998445]
  Despite great potential, machine learning in security is prone to subtle pitfalls that undermine its performance. We identify common pitfalls in the design, implementation, and evaluation of learning-based security systems. We propose actionable recommendations to support researchers in avoiding or mitigating the pitfalls where possible.
  arXiv  Detail & Related papers  (2020-10-19T13:09:31Z)

This list is automatically generated from the titles and abstracts of the papers in this site.

This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.