
Morpheus: A Vulnerability-Tolerant Secure Architecture [pdf] - signa11
https://web.eecs.umich.edu/~barisk/public/morpheus.pdf
======
naasking
I wonder how this impacts debugging. It kind of rubs me the wrong way too.
Typically, robust security is about keeping things _simple_ so they can be
audited or verified. Pretty cool results though.

~~~
sanxiyn
I think this depends on what you think of ASLR. If ASLR rubs you the wrong
way, this will too.

~~~
hleach
This looks like it goes way beyond ASLR.

There are a series of different protections they are doing. It's not clear if
they intend them to be uniquely switchable or if they were just separating
them to indicate which attack techniques require which protections.

For example, it appears that to combat ROP they are additionally encrypting the
code segment of the program and decrypting it on an as-needed basis. I am
absolutely sure this would make debugging more difficult. It wouldn't be used
on a debug build though, so I guess the question is how often you would find
yourself debugging a production executable.

I admit I didn't read it in depth and may have missed something, but I wonder
if they are doing something similar for dynamic libraries or if it relies on
the code being available at compile time. If not, then I'm sure someone clever
will still get around it with ROP.

~~~
monocasa
The debugger doesn't really rely on the code segment being readable generally.

~~~
hleach
You are conflating the act of debugging with the operation of a "debugger".

Sure, you can start at 0 and step forward one instruction at a time, but how
often do you do that without at least looking at the code?

Not being able to look ahead or behind but only within what is actively on the
stack is certainly a limiting factor in debugging.

It is of course a problem that has been solved before. Someone would develop
an unpacker/decrypter for it at some point and make this trivial, but that
would still be an added level of complexity.

~~~
monocasa
You have access to the binary itself; you don't need to read it out of the
debuggee process.

~~~
hleach
I agree. I'm not sure I understand your point though. This isn't contrary to
anything I said. I mention unpacking which would be a pre-debugger process.

I believe you are just being pedantic about my use of the word "debugging" to
include things like unpacking, static analysis, and a variety of tools and
processes used.

~~~
monocasa
The binaries aren't pre-encrypted here; the dynamic nature is the whole point.
There's nothing to unpack since you just reference the binary, and no added
work for the debugger.

So when you say

> For example, it appears that to combat ROP they are additionally encrypting
> the code segment of the program and decrypting it on an as-needed basis. I
> am absolutely sure this would make debugging more difficult.

It's just not true.

~~~
hleach
So yes, you are correct it's being encrypted dynamically at the hardware
level.

You just debug in a system without these protections turned on then.

~~~
monocasa
No, I'm saying you don't have to turn off these protections.

Like, can you give an example of a debugging task you have carried out that
requires reading the code segment of the running process?

~~~
hleach
Required? No, but I didn't say impossible. I said "more difficult".

Made easier by? Most everything ever loaded in a debugger.

~~~
hleach
Just for an example: how about debugging a non-trivial issue between a program
and a dynamically loaded library?

You can't just scan the IAT/PLT. You are going to have to find load points or
manually step through, and maybe calculate function offsets in the library.
Not impossible at all.

It is however something you could have just quickly glanced at and found
otherwise.

------
ngneer
The article reads like a brute force approach to secure design, sprinkling
randomization everywhere. Performance results are promising, though.

------
bearer_token
Hmm, like Shape Security did with web elements, this appears to do with
hardware elements.

Seems promising, but not the level of enterprise architecture most at risk.

------
jngreenlee
Wonder if the commercial Morpheus will have a challenge with this naming
(https://www.morpheusdata.com/, "Next-gen multi-cloud management platform for
Hybrid IT and DevOps automation")

~~~
qplex
Morpheus is the ancient Greek god of sleep and dreams.

The etymology fits better in The Matrix than either of these projects.

------
pfortuny
Impressive. I wonder why RISC-V only?

~~~
DSingularity
Morpheus modified hardware to accelerate the procedures which randomly alter
the system stack parameters that attackers learn by probing the system. They
used RISC-V for this prototype.
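To make the "randomly alter what attackers learn by probing" idea concrete, here is a toy model added to this thread (it is not code from the paper, the commenters, or the Morpheus prototype). It keeps only one ingredient: a domain of pointers stored displaced by a random offset that the hardware re-randomizes ("churns") every `churn_period` operations, rewriting the program's live pointers as it does so. The address width, the churn period and the target address `0x00401000` are constructed values; the real design layers other mechanisms on top, which this model deliberately omits. What it shows is the defender's tuning knob: a value leaked by a probe stays usable only until the next churn, so the churn period bounds how long a probing campaign can stay coherent.

```python
"""Toy churning moving-target domain (added illustration, assumptions noted
in comments). Pointers are stored as logical_address + displacement; the
displacement is re-drawn every churn_period operations and the program's
live pointers are rewritten so the program keeps working, while any
previously leaked value stops resolving to the same location."""

import random

ADDRESS_BITS = 32                       # assumed width for the toy model
ADDRESS_MASK = (1 << ADDRESS_BITS) - 1


class ChurningDomain:
    def __init__(self, rng, churn_period):
        self.rng = rng                      # seeded so runs are reproducible
        self.churn_period = churn_period
        self.displacement = rng.getrandbits(ADDRESS_BITS)
        self.live = {}                      # handle -> displaced value the program holds
        self.ops_since_churn = 0
        self.generation = 0                 # number of churns so far

    def displace(self, logical):
        """Value the program actually stores for a logical address."""
        return (logical + self.displacement) & ADDRESS_MASK

    def resolve(self, value):
        """What a stored value dereferences to under the current displacement."""
        return (value - self.displacement) & ADDRESS_MASK

    def register(self, handle, logical):
        """Program creates a pointer; the hardware tracks it so churn can fix it up."""
        self.live[handle] = self.displace(logical)

    def churn(self):
        old = self.displacement
        new = old
        while new == old:                   # guarantee the offset really changes
            new = self.rng.getrandbits(ADDRESS_BITS)
        # Re-displace every live pointer so the program is unaffected.
        for handle, value in self.live.items():
            logical = (value - old) & ADDRESS_MASK
            self.live[handle] = (logical + new) & ADDRESS_MASK
        self.displacement = new
        self.ops_since_churn = 0
        self.generation += 1

    def tick(self, n=1):
        """Advance n operations, churning whenever the period elapses."""
        for _ in range(n):
            self.ops_since_churn += 1
            if self.ops_since_churn >= self.churn_period:
                self.churn()


def leak_scenario(seed, churn_period, delay):
    """Attacker probes one displaced pointer, then tries to use it `delay`
    operations later. Returns (program_pointer_still_valid,
    leaked_value_still_valid, churns_that_happened)."""
    rng = random.Random(seed)
    dom = ChurningDomain(rng, churn_period)
    target = 0x00401000                     # constructed logical address of a function
    dom.register("fn_ptr", target)
    leaked = dom.live["fn_ptr"]             # the probe observes the stored value
    dom.tick(delay)
    program_ok = dom.resolve(dom.live["fn_ptr"]) == target
    leak_ok = dom.resolve(leaked) == target
    return program_ok, leak_ok, dom.generation


if __name__ == "__main__":
    print("used before churn:", leak_scenario(seed=1, churn_period=1000, delay=999))
    print("used after churn: ", leak_scenario(seed=1, churn_period=1000, delay=1000))
```

Running it shows the program's own pointer resolving correctly in both cases while the leaked value only works when it is used inside the same churn window; shortening `churn_period` shrinks that window at the cost of more fix-up work, which is the performance trade-off the thread remarks on.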

~~~
sanxiyn
Note that no hardware engineering (say, writing HDL, not to speak of tapeout)
was done. It was implemented only in a simulator.

------
blue9057
I would like to hack this CPU..

