Mitigating vulnerabilities in open source with CHERI part 1: cURL

by Rob Potter and Hardeep Chahal

cURL is a completely ubiquitous tool used for making network requests over every protocol you have heard of, including: HTTP, HTTPS, IMAP, DICT, FTP, Kerberos, LDAP, MQTT, POP3, FTPS, Gopher, RTSP, RTMP, SCP, SMTP, SMB, SFTP, Telnet, TFTP, LDAPS, proxies, and more.

Basically a Swiss Army Knife for network comms.

It is used in EVERYTHING you can imagine and more – at least 20 billion devices run cURL, 100 million of which are vehicles🤯

2012 VW Sharan infotainment screen — this car is one of 100 million

Daniel Stenberg, solo author of curl, has disclosed a high severity memory safety issue that was found by a security researcher.

The vulnerability: heap overflow

First, we wanted to provide a high level description of the problem, with a few excerpts from the public disclosure:

SOCKS5 allows the host name field to be up to 255 bytes long, meaning a SOCKS5 proxy cannot resolve a longer host name.

curl builds a protocol frame in a memory buffer, and it copies the destination (host name) to that buffer. Since the code wrongly thinks it should pass on the host name, even though the host name is too long to fit, the memory copy can overflow the allocated target buffer.

Thus it pretty much requires a malicious actor to feed a super-long host name into this equation to trigger this flaw. To use it in an attack. The name needs to be longer than the target buffer to make the memory copy overwrite heap memory.

Yes, this family of flaws would have been impossible if curl had been written in a memory-safe language instead of C, but porting curl to another language is not on the agenda.

This has been registered as CVE-2023-38545 with MITRE, the organisation that identifies, defines, and catalogs publicly disclosed cybersecurity vulnerabilities.
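To make the bug shape concrete, here is an added example (not curl's code) of how a SOCKS5 CONNECT request is laid out and how a bounds-checked builder refuses a host name that cannot be carried. In SOCKS5 the domain-name address type is a one-byte length followed by the name, so 255 bytes is the protocol ceiling the disclosure refers to; the frame size and helper names below are assumptions for illustration.

```c
/* Added example, not curl's code: a SOCKS5 CONNECT frame builder that
 * checks the host name against both the protocol limit and the target
 * buffer before copying. The flaw described in the text is the shape
 * where name_len is copied into the frame without these two checks. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SOCKS5_MAX_NAME 255   /* one-byte length field => at most 255 bytes */

/* Frame: VER(1) CMD(1) RSV(1) ATYP(1) LEN(1) NAME(len) PORT(2).
 * Returns the frame length on success, 0 when the name is too long for the
 * protocol or the frame would not fit in out[] (nothing is written then). */
size_t socks5_build_connect(const char *host, uint16_t port,
                            uint8_t *out, size_t out_len) {
    size_t name_len = strlen(host);
    if (name_len == 0 || name_len > SOCKS5_MAX_NAME) return 0; /* protocol limit */
    size_t frame_len = 4 + 1 + name_len + 2;
    if (frame_len > out_len) return 0;                          /* buffer limit */
    out[0] = 0x05;                 /* VER  = SOCKS5 */
    out[1] = 0x01;                 /* CMD  = CONNECT */
    out[2] = 0x00;                 /* RSV */
    out[3] = 0x03;                 /* ATYP = domain name */
    out[4] = (uint8_t)name_len;    /* LEN, fits because name_len <= 255 */
    memcpy(out + 5, host, name_len);
    out[5 + name_len] = (uint8_t)(port >> 8);
    out[6 + name_len] = (uint8_t)(port & 0xff);
    return frame_len;
}

/* Helper for the checks below: a constructed name of n 'a' characters,
 * built into a buffer of out_len bytes. Returns the frame length or 0. */
size_t try_name_len(size_t n, size_t out_len) {
    char name[600];
    uint8_t out[600];
    if (n >= sizeof name || out_len > sizeof out) return 0;
    memset(name, 'a', n);
    name[n] = '\0';
    return socks5_build_connect(name, 443, out, out_len);
}

/* Checks the layout for a small constructed name: 18-byte frame,
 * LEN = 11, port 443 = 0x01BB in network byte order. */
int example_com_frame_ok(void) {
    uint8_t out[64];
    size_t n = socks5_build_connect("example.com", 443, out, sizeof out);
    return n == 18 && out[4] == 11 && out[16] == 0x01 && out[17] == 0xBB;
}

int main(void) {
    printf("example.com frame ok: %d\n", example_com_frame_ok());
    printf("255-byte name -> frame %zu\n", try_name_len(255, 600));  /* 262 */
    printf("256-byte name -> frame %zu\n", try_name_len(256, 600));  /* 0 */
    printf("300-byte name -> frame %zu\n", try_name_len(300, 600));  /* 0 */
    printf("255-byte name, 261-byte buffer -> frame %zu\n", try_name_len(255, 261)); /* 0 */
    return 0;
}
```

The two rejections are deliberately separate: the first is a protocol rule (the length byte cannot express more than 255), the second is the memory rule the disclosure is about (the frame must fit the allocation that receives it). A builder that enforces only the first would still overflow a buffer smaller than 262 bytes.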

Mitigating memory safety vulnerabilities: CHERI

At Beam, we are leading research into the application of CHERI (Capability Hardware Enhanced RISC Instructions) to automotive systems. CHERI provides hardware-level enforcement of memory access, ensuring that software can only access the areas of memory that have been allocated to it.

One major benefit of CHERI is that it works without requiring a rewrite. For reference, the KDE desktop environment needed only 0.026% of its 6 million lines of C code modified to run on a CHERI runtime.

CHERI doesn’t stop all known classes of memory vulnerabilities, but one it does stop is out-of-bound writes, which is what would be exploited here. Learn more about CHERI protections from Microsoft Security Response Center.

The hardware enforcement is done using capabilities, which are pointers with additional metadata. This metadata includes the bounds of the memory region the pointer may write to, and any access outside those bounds raises an “in-address-space” exception. If unexpected and not handled, this still causes the program to exit, but the attacker can no longer overwrite memory.

So in summary, anyone exploiting this vulnerability on CHERI would crash the program, but not be able to use the exploit for more serious, nefarious purposes (arbitrary code execution, escalation of privilege, etc).
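The following is an added software model of the property described above; it is not CHERI's ISA, not a real CHERI runtime, and not curl's code. It gives a pointer its allocation bounds and refuses any copy that would cross them, which is the effect the hardware has on the host-name copy in the text: the copy faults, the neighbouring heap object is untouched, and the worst case is the program stopping. The struct and function names are assumptions for illustration.

```c
/* Added example: a software model of a bounded pointer ("capability").
 * This is an illustration of the concept in the text, not CHERI itself. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    uint8_t *base;   /* start of the allocation this capability may touch */
    size_t   length; /* bounds: number of bytes from base that are in range */
} cap_t;

/* Hand out a bounded pointer for a fresh, zeroed heap block. */
cap_t cap_malloc(size_t n) {
    cap_t c = { calloc(n, 1), n };
    return c;
}

/* Checked copy into dst at offset off. Returns 1 on success and 0 when any
 * byte of the write would fall outside the bounds. On CHERI hardware this is
 * the point where the exception is raised; here nothing is written at all. */
int cap_memcpy(cap_t dst, size_t off, const void *src, size_t n) {
    if (dst.base == NULL || off > dst.length || n > dst.length - off) return 0;
    memcpy(dst.base + off, src, n);
    return 1;
}

/* Model of the bug shape in the text: a frame buffer of frame_size bytes,
 * a second heap object beside it filled with a constructed canary pattern,
 * and a host name of name_len 'x' bytes copied in after a 5-byte header.
 * Returns 1 if the copy was refused and the neighbour is intact,
 *         0 if the copy fitted and went through,
 *        -1 if the neighbour was corrupted (cannot happen via cap_memcpy;
 *           kept so that the property is checked, not assumed). */
int overflow_is_contained(size_t frame_size, size_t name_len) {
    cap_t frame = cap_malloc(frame_size);
    cap_t neigh = cap_malloc(16);
    memset(neigh.base, 0xAA, 16);            /* canary in the neighbouring object */
    uint8_t *name = malloc(name_len);
    memset(name, 'x', name_len);

    int ok = cap_memcpy(frame, 5, name, name_len);

    int intact = 1;
    for (size_t i = 0; i < 16; i++)
        if (neigh.base[i] != 0xAA) intact = 0;

    free(name);
    free(frame.base);
    free(neigh.base);
    if (!intact) return -1;
    return ok ? 0 : 1;
}

int main(void) {
    /* 262 bytes is the largest well-formed frame (5 + 255 + 2). */
    printf("255-byte name into 262-byte frame: %d\n", overflow_is_contained(262, 255)); /* 0 */
    printf("300-byte name into 262-byte frame: %d\n", overflow_is_contained(262, 300)); /* 1 */
    return 0;
}
```

The point of the model is the division of labour: the application code still has the bug (it never checks `name_len`), yet the write cannot leave the allocation because the bounds travel with the pointer. That matches the outcome described in the text: a fault and a possible crash rather than a corrupted heap.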

Learn more about CHERI

This is just one example of what is a prevalent challenge to the automotive industry.

If the average L2 ADAS vehicle has 120+ million lines of code, the question is not just how we can minimise the number of vulnerabilities, but how we can minimise their impact on our systems when they are found.

We believe the answer is a combination of high quality software development methodology, low-friction over-the-air software update, and secure hardware foundations, like CHERI.

If CHERI sounds relevant to you, please take a look at our project website: https://autocheri.tech

We would love to talk to anyone interested in discussing this further: hello@autocheri.tech or hello@beamconnectivity.com

We will finish this post with some other pictures of cURL in the wild…

2016 Nissan Qashqai
Infotainment system of 2021 Polestar 2 uses curl
2021 Polestar 2
BMW i3


Mitigating vulnerabilities in open source with CHERI part 1: cURL was originally published in Beam Connectivity on Medium.