The CHERI capability model

Woodruff, Jonathan; Watson, Robert N. M.; Chisnall, David; Moore, Simon W.; Anderson, Jonathan; Davis, Brooks; Laurie, Ben; Neumann, Peter G.; Norton, Robert M.; Roe, Michael

doi:10.1145/2678373.2665740

Cited by 85 publications

(10 citation statements)

References 29 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Tagged architectures. Recent research has revisited tagged architectures [46,56], in which the hardware associates a "tag" with each byte in memory that encodes a security policy. Tags can be used to, for example, grant call instructions exclusive rights for writing to certain memory regions, preventing return addresses from being overwritten [46].…”

Section: Related Workmentioning

confidence: 99%

SEIMI: Efficient and Secure SMAP-Enabled Intra-process Memory Isolation

Wang

Xie

et al. 2020

2020 IEEE Symposium on Security and Privacy (SP)

View full text Add to dashboard Cite

Memory-corruption attacks such as code-reuse attacks and data-only attacks have been a key threat to systems security. To counter these threats, researchers have proposed a variety of defenses, including control-flow integrity (CFI), codepointer integrity (CPI), and code (re-)randomization. All of them, to be effective, require a security primitive-intra-process protection of confidentiality and/or integrity for sensitive data (such as CFI's shadow stack and CPI's safe region).In this paper, we propose SEIMI, a highly efficient intraprocess memory isolation technique for memory-corruption defenses to protect their sensitive data. The core of SEIMI is to use the efficient Supervisor-mode Access Prevention (SMAP), a hardware feature that is originally used for preventing the kernel from accessing the user space, to achieve intra-process memory isolation. To leverage SMAP, SEIMI creatively executes the user code in the privileged mode. In addition to enabling the new design of the SMAP-based memory isolation, we further develop multiple new techniques to ensure secure escalation of user code, e.g., using the descriptor caches to capture the potential segment operations and configuring the Virtual Machine Control Structure (VMCS) to invalidate the execution result of the control registers related operations. Extensive experimental results show that SEIMI outperforms existing isolation mechanisms, including both the Memory Protection Keys (MPK) based scheme and the Memory Protection Extensions (MPX) based scheme, while providing secure memory isolation.

show abstract

Section: Related Workmentioning

confidence: 99%

SEIMI: Efficient and Secure SMAP-Enabled Intra-process Memory Isolation

Wang

Xie

et al. 2020

2020 IEEE Symposium on Security and Privacy (SP)

View full text Add to dashboard Cite

show abstract

“…It has also pointed out ambiguities in the specification of interrupt delegation, and cases of missing reservation yields in Spike. CHERI-MIPS [Watson et al 2018Woodruff et al 2014] is an experimental research architecture that extends 64-bit MIPS with support for fine-grained memory protection and secure compartmentalisation. It provides hardware capabilities, compressed 128-bit values including a base virtual address, an offset, a bound, and permissions; and object capabilities that link code and data pointers.…”

Section: Fig 3 Risc-v Load Instruction In Sailmentioning

confidence: 99%

ISA semantics for ARMv8-a, RISC-v, and CHERI-MIPS

Armstrong

Bauereiss

Campbell

et al. 2019

Proc. ACM Program. Lang.

View full text Add to dashboard Cite

Architecture specifications notionally define the fundamental interface between hardware and software: the envelope of allowed behaviour for processor implementations, and the basic assumptions for software development and verification. But in practice, they are typically prose and pseudocode documents, not rigorous or executable artifacts, leaving software and verification on shaky ground. In this paper, we present rigorous semantic models for the sequential behaviour of large parts of the mainstream ARMv8-A, RISC-V, and MIPS architectures, and the research CHERI-MIPS architecture, that are complete enough to boot operating systems, variously Linux, FreeBSD, or seL4. Our ARMv8-A models are automatically translated from authoritative ARM-internal definitions, and (in one variant) tested against the ARM Architecture Validation Suite. We do this using a custom language for ISA semantics, Sail, with a lightweight dependent type system, that supports automatic generation of emulator code in C and OCaml, and automatic generation of proof-assistant definitions for Isabelle, HOL4, and (currently only for MIPS) Coq. We use the former for validation, and to assess specification coverage. To demonstrate the usability of the latter, we prove (in Isabelle) correctness of a purely functional characterisation of ARMv8-A address translation. We moreover integrate the RISC-V model into the RMEM tool for (user-mode) relaxed-memory concurrency exploration. We prove (on paper) the soundness of the core Sail type system. We thereby take a big step towards making the architectural abstraction actually well-defined, establishing foundations for verification and reasoning. CCS Concepts: • General and reference → Verification; • Theory of computation → Semantics and reasoning; • Computer systems organization → Architectures; • Software and its engineering → Assembly languages;

show abstract

“…FreeBSD CHERI port annotation data CHERI Watson et al 2018Woodruff et al 2014] is an experimental architecture providing hardware support for fine-grained pointer-based memory protection and secure encapsulation. It has been developed as an extension of 64-bit MIPS, but similar features could be added elsewhere.…”

Section: Experimental Validationmentioning

confidence: 99%

“…Cerberus now also identifies many of the clauses of the ISO C standard text captured by its definitions of type-checking and elaboration, displaying these in the GUI. The project page includes data for various compilers and other tools for these tests: GCC 8.1, Clang 6.0, ICC 19, UBSAN, ASAN, MSAN, CompCert [Leroy 2009;Leroy et al 2018], RV-Match [Guth et al 2016], CH2O [Krebbers 2015], and CHERI Watson et al 2018Woodruff et al 2014]. We include extensive validation of the combination of Cerberus and our provenance semantics on various existing test suites (ğ9): the GCC torture tests [FSF 2018a], the ITC Toyota benchmark [Shiraishi et al 2015], the KCC example test suite [Hathhorn et al 2015;KCC 2018], and a family of Csmith tests [Regehr et al 2012].…”

Section: Introductionmentioning

confidence: 99%

“…We do so in three ways. For the first two, we exploit data from the CHERI project Watson et al 2018Woodruff et al 2014], which has designed experimental architectures with hardware support for fine-grained memory protection and secure encapsulation, using capabilities, and ported software including the FreeBSD kernel and userspace to this. The CHERI-adapted FreeBSD userspace includes hundreds of libraries, daemons, and command-line tools, such as zlib, OpenSSL, and OpenSSH; other ported applications include Postgres, nginx, and WebKit, representing a broad range of code functionality, style, and vintage.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Exploring C semantics and pointer provenance

Memarian

Gomes

Davis

et al. 2019

Proc. ACM Program. Lang.

Self Cite

View full text Add to dashboard Cite

The semantics of pointers and memory objects in C has been a vexed question for many years. C values cannot be treated as either purely abstract or purely concrete entities: the language exposes their representations, but compiler optimisations rely on analyses that reason about provenance and initialisation status, not just runtime representations. The ISO WG14 standard leaves much of this unclear, and in some respects differs with de facto standard usage Ð which itself is difficult to investigate.In this paper we explore the possible source-language semantics for memory objects and pointers, in ISO C and in C as it is used and implemented in practice, focussing especially on pointer provenance. We aim to, as far as possible, reconcile the ISO C standard, mainstream compiler behaviour, and the semantics relied on by the corpus of existing C code. We present two coherent proposals, tracking provenance via integers and not; both address many design questions. We highlight some pros and cons and open questions, and illustrate the discussion with a library of test cases. We make our semantics executable as a test oracle, integrating it with the Cerberus semantics for much of the rest of C, which we have made substantially more complete and robust, and equipped with a web-interface GUI. This allows us to experimentally assess our proposals on those test cases. To assess their viability with respect to larger bodies of C code, we analyse the changes required and the resulting behaviour for a port of FreeBSD to CHERI, a research architecture supporting hardware capabilities, which (roughly speaking) traps on the memory safety violations which our proposals deem undefined behaviour. We also develop a new runtime instrumentation tool to detect possible provenance violations in normal C code, and apply it to some of the SPEC benchmarks. We compare our proposal with a source-language variant of the twin-allocation LLVM semantics proposal of Lee et al. Finally, we describe ongoing interactions with WG14, exploring how our proposals could be incorporated into the ISO standard.

show abstract

The CHERI capability model

Cited by 85 publications

References 29 publications

SEIMI: Efficient and Secure SMAP-Enabled Intra-process Memory Isolation

SEIMI: Efficient and Secure SMAP-Enabled Intra-process Memory Isolation

ISA semantics for ARMv8-a, RISC-v, and CHERI-MIPS

Exploring C semantics and pointer provenance

Contact Info

Product

Resources

About