Fast Protection-Domain Crossing in the CHERI Capability-System Architecture

Watson, Robert N. M.; Norton, Robert M.; Woodruff, Jonathan; Moore, Simon W.; Neumann, Peter G.; Anderson, Jonathan; Chisnall, David; Davis, Brooks; Laurie, Ben; Roe, Michael; Dave, Nirav; Gudka, Khilan; Joannou, Alexandre; Markettos, A. Theodore; Maste, Ed; Murdoch, Steven J.; Rothwell, Colin; Son, Stacey; Vadera, Munraj

doi:10.1109/mm.2016.84

Cited by 34 publications

(26 citation statements)

References 18 publications

(23 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Then there is a Bluespec [11] FPGA hardware implementation of the architecture, and a software stack above it, adapting LLVM [12] and FreeBSD [13] to CHERI-MIPS. All this has involved extensive work on the interaction between the capability system and systems aspects of memory management (static and dynamic linking, process creation, context switching, page swapping and signal delivery) [14]; on the overhead of compiling pointers to capabilities [5], [15]; on compartmentalisation of legacy software [16]; and on the performance overhead of tagged memory [17] and protectiondomain switches [18]. The underlying ideas are portable, not MIPS-specific, and work is underway on experimental academic RISC-V and industrial Arm versions -the latter in a major project involving Arm and the UK Government [19], [20] to produce prototype silicon and a development board.…”

Section: A the Cheri Contextmentioning

confidence: 99%

Rigorous engineering for hardware security: Formal modelling and proof in the CHERI design and implementation process

Nienhuis

Joannou

Bauereiss

et al. 2020

2020 IEEE Symposium on Security and Privacy (SP)

Self Cite

View full text Add to dashboard Cite

The root causes of many security vulnerabilities include a pernicious combination of two problems, often regarded as inescapable aspects of computing. First, the protection mechanisms provided by the mainstream processor architecture and C/C++ language abstractions, dating back to the 1970s and before, provide only coarse-grain virtual-memory-based protection. Second, mainstream system engineering relies almost exclusively on test-and-debug methods, with (at best) prose specifications. These methods have historically sufficed commercially for much of the computer industry, but they fail to prevent large numbers of exploitable bugs, and the security problems that this causes are becoming ever more acute. In this paper we show how more rigorous engineering methods can be applied to the development of a new security-enhanced processor architecture, with its accompanying hardware implementation and software stack. We use formal models of the complete instruction-set architecture (ISA) at the heart of the design and engineering process, both in lightweight ways that support and improve normal engineering practice-as documentation, in emulators used as a test oracle for hardware and for running software, and for test generation-and for formal verification. We formalise key intended security properties of the design, and establish that these hold with mechanised proof. This is for the same complete ISA models (complete enough to boot operating systems), without idealisation. We do this for CHERI, an architecture with hardware capabilities that supports fine-grained memory protection and scalable secure compartmentalisation, while offering a smooth adoption path for existing software. CHERI is a maturing research architecture, developed since 2010, with work now underway on an Arm industrial prototype to explore its possible adoption in mass-market commercial processors. The rigorous engineering work described here has been an integral part of its development to date, enabling more rapid and confident experimentation, and boosting confidence in the design.

show abstract

Section: A the Cheri Contextmentioning

confidence: 99%

Rigorous engineering for hardware security: Formal modelling and proof in the CHERI design and implementation process

Nienhuis

Joannou

Bauereiss

et al. 2020

2020 IEEE Symposium on Security and Privacy (SP)

Self Cite

View full text Add to dashboard Cite

show abstract

“…CHERI capabilities extend integer virtual addresses to control access to virtual memory by adjoining bounds constraining the range of addresses and permissions limiting the use of each capability (e.g., load, store, or instruction fetch). We previously described the initial CHERI architecture [45,50], demonstrated an efficient compartmentalization framework above it [46,48], described a C-language compilation mode where all pointers are capabilities [9], and demonstrated the use of those abilities to implement a safer JNI [8]. The architecture enforces the following properties: Provenance validation ensures that only capabilities derived via valid transformations of valid capabilities using capability instructions can be used.…”

Section: Cheri Backgroundmentioning

confidence: 99%

CheriABI

Davis

Watson

Richardson

et al. 2019

Proceedings of the Twenty-Fourth International Conference on Architectural Support for Programming Languages and Operating Syst

Self Cite

View full text Add to dashboard Cite

The CHERI architecture allows pointers to be implemented as capabilities (rather than integer virtual addresses) in a manner that is compatible with, and strengthens, the semantics of the C language. In addition to the spatial protections offered by conventional fat pointers, CHERI capabilities offer strong integrity, enforced provenance validity, and access monotonicity. The stronger guarantees of these architectural capabilities must be reconciled with the real-world

show abstract

“…In contrast to MMU-based approaches, CHERI-based compartmentalization optimizes sharing by allowing cheap delegation and avoiding aliasing problems experienced by TLBs as memory sharing increases [30]. This allows domain crossing to be performed at a low constant cost regardless of the amount of data sharing.…”

Section: Software Compartmentalizationmentioning

confidence: 99%

“…A key goal of our approach was to differentiate virtualization (requiring tablebased lookups, and already implemented by the MMU) from protection (now implemented as a constant-time extension to the pointer primitive), which would avoid table-oriented overheads being imposed on protection. This applies to C-language protection, but also to the implementation of higher-level security constructs such as compartmentalization [31,30].…”

Section: -2015: Fine-grained Compartmentalizationmentioning

confidence: 99%