CHERI Concentrate: Practical Compressed Capabilities

Woodruff, Jonathan; Joannou, Alexandre; Xia, Hongyan; Fox, Anthony; Norton, Robert M.; Chisnall, David; Davis, Brooks; Gudka, Khilan; Filardo, Nathaniel Wesley; Markettos, A. Theodore; Roe, Michael; Neumann, Peter G.; Watson, Robert N. M.; Moore, Simon W.

doi:10.1109/tc.2019.2914037

Cited by 43 publications

(27 citation statements)

References 30 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…CHERI Concentrate [15] is an elegant capability compression scheme that reduces the footprint of a capability value to 128 bits. However this shrinkage comes at the cost of some loss of precision in terms of representable base addresses 1 if (cheri_gettag(limit) == 0) { 2 limit -= ALIGNMENT; 3 } else { // ...…”

Section: Bounds Precisionmentioning

confidence: 99%

Capability Boehm: challenges and opportunities for garbage collection with capability hardware

Jacob

Singer

2022

Proceedings of the 18th ACM SIGPLAN/SIGOPS International Conference on Virtual Execution Environments

View full text Add to dashboard Cite

The Boehm-Demers-Weiser Garbage Collector (BDWGC) is a widely used, production-quality memory management framework for C and C++ applications. In this work, we describe our experiences in adapting BDWGC for modern capability hardware, in particular the CHERI system, which provides guarantees about memory safety due to runtime enforcement of fine-grained pointer bounds and permissions. Although many libraries and applications have been ported to CHERI already, to the best of our knowledge this is the first analysis of the complexities of transferring a garbage collector to CHERI. We describe various challenges presented by the CHERI micro-architectural constraints, along with some significant opportunities for runtime optimization. Since we do not yet have access to capability hardware, we present a limited study of software event counts on emulated microbenchmarks. This experience report should be helpful to other systems implementors as they attempt to support the ongoing CHERI initiative.CCS Concepts: • Software and its engineering → Runtime environments; Garbage collection.

show abstract

Section: Bounds Precisionmentioning

confidence: 99%

Capability Boehm: challenges and opportunities for garbage collection with capability hardware

Jacob

Singer

2022

Proceedings of the 18th ACM SIGPLAN/SIGOPS International Conference on Virtual Execution Environments

View full text Add to dashboard Cite

show abstract

“…When the object's size is large enough, this approach may have false positives or excessive performance overheads. Many efforts [11,29,44,45] embed metadata into pointers and implement different forms of fat pointers by extending registers or language implementations. However, the approach needs to change the processor hardware and increases runtime overheads.…”

Section: Metadata Managementmentioning

confidence: 99%

PACSan: Enforcing Memory Safety Based on ARM PA

Li¹,

Tan²,

Lv³

et al. 2022

Preprint

View full text Add to dashboard Cite

Memory safety is a key security property that stops memory corruption vulnerabilities. Existing sanitizers enforce checks and catch such bugs during development and testing. However, they either provide partial memory safety or have overwhelmingly high performance overheads.Our novel sanitizer PACSan enforces spatial and temporal memory safety with no false positives at low performance overheads. PACSan removes the majority of the overheads involved in pointer tracking by sealing metadata in pointers through ARM PA (Pointer Authentication), and performing the memory safety checks when pointers are dereferenced.We have developed a prototype of PACSan and systematically evaluated its security and performance on the Magma, Juliet, Nginx, and SPEC CPU2017 test suites, respectively. In our evaluation, PACSan shows no false positives together with negligible false negatives, while introducing stronger security guarantees and lower performance overheads than state-of-the-art sanitizers, including HWASan, ASan, Soft-Bound+CETS, Memcheck, LowFat, and PTAuth. Specifically, PACSan has 0.84× runtime overhead and 1.92× memory overhead on average. Compared to the widely deployed ASan, PACSan has no false positives and much fewer false negatives, and reduces 7.172% runtime overheads and 89.063% memory overheads.

show abstract

“…Then there is a Bluespec [11] FPGA hardware implementation of the architecture, and a software stack above it, adapting LLVM [12] and FreeBSD [13] to CHERI-MIPS. All this has involved extensive work on the interaction between the capability system and systems aspects of memory management (static and dynamic linking, process creation, context switching, page swapping and signal delivery) [14]; on the overhead of compiling pointers to capabilities [5], [15]; on compartmentalisation of legacy software [16]; and on the performance overhead of tagged memory [17] and protectiondomain switches [18]. The underlying ideas are portable, not MIPS-specific, and work is underway on experimental academic RISC-V and industrial Arm versions -the latter in a major project involving Arm and the UK Government [19], [20] to produce prototype silicon and a development board.…”

Section: A the Cheri Contextmentioning

confidence: 99%

“…The 256-bit format includes a 64-bit virtual address, base, and length; permission bits, to execute, load, and store data, to load, store, seal, and unseal capabilities, to invoke sealed capabilities, and to store local capabilities; an is-sealed bit; and a 24-bit object type, used in sealing, unsealing, and invoking. The 128-bit format [15] compresses this, exploiting the redundancy from allocation alignment (the proofs later in this paper are about the 256bit version). In this example, the base and length, identifying the memory region that the capability is allowed to access, are those of the original x allocation.…”

Section: A Fine-grained Memory Protectionmentioning

confidence: 99%

Rigorous engineering for hardware security: Formal modelling and proof in the CHERI design and implementation process

Nienhuis

Joannou

Bauereiss

et al. 2020

2020 IEEE Symposium on Security and Privacy (SP)

Self Cite

View full text Add to dashboard Cite

The root causes of many security vulnerabilities include a pernicious combination of two problems, often regarded as inescapable aspects of computing. First, the protection mechanisms provided by the mainstream processor architecture and C/C++ language abstractions, dating back to the 1970s and before, provide only coarse-grain virtual-memory-based protection. Second, mainstream system engineering relies almost exclusively on test-and-debug methods, with (at best) prose specifications. These methods have historically sufficed commercially for much of the computer industry, but they fail to prevent large numbers of exploitable bugs, and the security problems that this causes are becoming ever more acute. In this paper we show how more rigorous engineering methods can be applied to the development of a new security-enhanced processor architecture, with its accompanying hardware implementation and software stack. We use formal models of the complete instruction-set architecture (ISA) at the heart of the design and engineering process, both in lightweight ways that support and improve normal engineering practice-as documentation, in emulators used as a test oracle for hardware and for running software, and for test generation-and for formal verification. We formalise key intended security properties of the design, and establish that these hold with mechanised proof. This is for the same complete ISA models (complete enough to boot operating systems), without idealisation. We do this for CHERI, an architecture with hardware capabilities that supports fine-grained memory protection and scalable secure compartmentalisation, while offering a smooth adoption path for existing software. CHERI is a maturing research architecture, developed since 2010, with work now underway on an Arm industrial prototype to explore its possible adoption in mass-market commercial processors. The rigorous engineering work described here has been an integral part of its development to date, enabling more rapid and confident experimentation, and boosting confidence in the design.

show abstract

CHERI Concentrate: Practical Compressed Capabilities

Cited by 43 publications

References 30 publications

Capability Boehm: challenges and opportunities for garbage collection with capability hardware

Capability Boehm: challenges and opportunities for garbage collection with capability hardware

PACSan: Enforcing Memory Safety Based on ARM PA

Rigorous engineering for hardware security: Formal modelling and proof in the CHERI design and implementation process

Contact Info

Product

Resources

About