Compartmentalization is one of the seven layers in the cybersecurity stack. It works by separating data and software on a processor into different compartments to effectively limit the scope of damage of potential cyberattacks only to the compromised compartment and not the entire system.
Techniques like virtual memory, virtual machines, and Trusted Execution Environments (TEEs) all support the separation of critical pieces of software, like the OS, from less critical (and more untrustworthy) pieces of software, like user applications—often referred to as “trusted” vs. “untrusted.”
Compartmentalization is important for defense-in-depth
Today’s popular compartmentalization solutions like Arm TrustZone and Intel SGX provide coarse-grained compartmentalization. To that end, they separate one set of software from another at runtime—typically dividing into two or four compartments. If one compartment is successfully attacked and compromised, the damage will be limited to that compartment only—they cannot leverage the initial exploit to gain access to another compartment.
At the most basic level, compartmentalization solutions support the Principle of Least Privilege (PoLP). Also known as the principle of minimal privilege or least authority, it determines the exact amount of privileges, or access to information that is necessary for an application, user, or program to function, and gives that application, user, or program access to only that information. However, since today’s solutions place all software into such a small number of compartments, the level of privilege allowed is still quite high within each compartment.
In the end, compartmentalization is an important defense mechanism for embedded systems—limiting the scope of damage to only one compartment in the event of a cyberattack. However, as with all cybersecurity solutions, it is not a silver bullet and should not be the only defense mechanism you employ.
Traditional compartmentalization solutions are insufficient and vulnerable to attack
That’s because compartmentalization can’t stop an attack from happening and it doesn’t make your system any less vulnerable to attack. We’ve said it before and we’ll say it again, all software is vulnerable because all software inherently contains bugs. Even software in the “trusted” compartment contains bugs and can be exploited, giving the attacker full control with high-privilege access. A 2018 study published by the IEEE IoT Journal notes that, although an absolute necessity for protecting SCADA systems, compartmentalization is limited in that “compromised access to the central hub will leave all data vulnerable.”
In addition, since compartmentalization is applied through software, it’s vulnerable to attack itself, just like any other piece of complex software. Thus requiring your compartmentalization software to be continually upgraded and patched as new vulnerabilities are discovered in its code. For instance, in a 2017 study, the Arm TrustZone installed on Android smartphones did not feature version rollback protection, ultimately allowing a research team to downgrade TrustZone to an older version of the software. This older version contained known vulnerabilities which could then be exploited to execute any number of attacks on the device itself.
Another downside is their coarse-grained nature—only two or four compartments. The reason traditional compartmentalization solutions only have a limited number of compartments is due to context switch overhead. A context switch means storing the current state of a process so it can resume at a later time and pick up exactly where it left off. Context switch overhead is the performance hit that a system takes as a result of maintaining each state across compartments. To minimize that impact, traditional solutions significantly constrain the number of compartments, ensuring better performance of the system while compromising on security.
Attempts to achieve fine-grained compartmentalization have been made before, most notably with Software Fault Isolation (SFI), first proposed by Wahbe et al back in 1993. This approach avoided context switch overhead and supported fine-grained compartments; however, it was still implemented in software and thus still had significant performance overhead, making it an unviable, real-world approach.
Achieving performant, fine-grained compartmentalization is possible
It wasn’t until Dover’s CoreGuard technology was developed that functional, fine-grained compartmentalization with zero context-switch overhead was made possible.
CoreGuard’s Compartmentalization micropolicy works similarly to SFI, but it’s done with hardware acceleration to remove the performance overhead. This finally enables a performant way of following PoLP to its fullest extent.
CoreGuard maintains metadata for each word in memory, including both instructions and data. This means each instruction or data word could serve as different, individual compartments. While per-word compartments may not be a reasonable, real-world configuration, CoreGuard’s Compartmentalization micropolicy can group instructions and data together at arbitrary granularity.
On top of that, CoreGuard offers an entire suite of micropolicies aimed at preventing the exploitation of software vulnerabilities that can be layered together for defense-in-depth. CoreGuard’s base set of micropolicies immunize systems against buffer overflow, code injection, and ROP attacks. By combining the base set with CoreGuard’s Compartmentalization micropolicy, systems would be armed with fine-grained compartmentalization, as well as universal protection against the most common and severe types of cyberattacks.
Of course, if a system already has a compartmentalization solution that developers are happy with, CoreGuard can be used to reinforce and further harden that solution by protecting the software and applications stored within each compartment. It could also be used to extend the compatibility of the compartmentalization solution, adding compartments within compartments.
Solidify your cybersecurity strategy with Dover’s CoreGuard Solution
Cyberattackers today aren’t slowing down. In fact, they’re only increasing the sophistication and the number of attacks executed each year. The compartmentalization solutions on the market today have simply not kept up with today’s cyberattackers, nor are they able to immunize systems against cyberattacks that exploit vulnerabilities in software.
With Dover’s CoreGuard technology protecting an embedded system, a real-world, performant way of following the PoLP can be achieved. CoreGuard’s compartmentalization micropolicy applies the methods of SFI in the hardware accelerator—removing the performance overhead that makes the software implementation an unviable option—making a next-level, fine-grained compartmentalization solution a reality.
Request a demo today to learn more about CoreGuard and to see this compartmentalization micropolicy solution in action.