The CHERI capability model: Revisiting RISC in an age of risk

Woodruff, Jonathan; Watson, Robert N. M.; Chisnall, David; Moore, Simon W.; Anderson, Jonathan; Davis, Brooks; Laurie, Ben; Neumann, Peter G.; Norton, Robert M.; Roe, Michael

doi:10.1109/isca.2014.6853201

Cited by 176 publications

(175 citation statements)

References 35 publications

Supporting

Mentioning

175

Contrasting

Order By: Relevance

“…CHERI [24], [85], [86] is an alternative hardware-based security model. It uses capabilities, instead of rich per-word tags, to enforce memory safety [86]; nevertheless, like the PUMP, its core capability-based model can be extended to implement other security policies.…”

Section: Memory Safety Micro-policymentioning

confidence: 99%

Micro-Policies: Formally Verified, Tag-Based Security Monitors

Amorim¹,

Dénès

Giannarakis

et al. 2015

2015 IEEE Symposium on Security and Privacy

View full text Add to dashboard Cite

Abstract-Recent advances in hardware design have demonstrated mechanisms allowing a wide range of low-level security policies (or micro-policies) to be expressed using rules on metadata tags. We propose a methodology for defining and reasoning about such tag-based reference monitors in terms of a high-level "symbolic machine," and we use this methodology to define and formally verify micro-policies for dynamic sealing, compartmentalization, control-flow integrity, and memory safety; in addition, we show how to use the tagging mechanism to protect its own integrity. For each micro-policy, we prove by refinement that the symbolic machine instantiated with the policy's rules embodies a high-level specification characterizing a useful security property. Last, we show how the symbolic machine itself can be implemented in terms of a hardware rule cache and a software controller.

show abstract

Section: Memory Safety Micro-policymentioning

confidence: 99%

Micro-Policies: Formally Verified, Tag-Based Security Monitors

Amorim¹,

Dénès

Giannarakis

et al. 2015

2015 IEEE Symposium on Security and Privacy

View full text Add to dashboard Cite

show abstract

“…Version 2 of the CHERI ISA [35] was created based on initial experiences attempting to build a capability system that was a usable compiler target for C. For example, this change propagated tag bits into capability tag bits, rather than preventing memory without tag bits from being loaded into capability registers. This was motivated by the need for memcpy() (which is called explicitly by the user and implicitly by the compiler) to be able to copy data without being aware of whether it contained pointers.…”

Section: Refining the Cheri Modelmentioning

confidence: 99%

“…The Olden benchmarks were run with the parameters in the CHERI ISCA paper [35]. The Olden results are shown in Figure 1.…”

Section: Whole Program Testingmentioning

confidence: 99%

“…Refinements to language implementations (such as memory protection) therefore offer opportunities to mitigate vulnerabilities as well as make debugging easier [26]. The potential benefits of bounds checking and other integrity techniques have been well documented by work such as Cyclone [17], CCured [23], SoftBound [22], HardBound [12], and CHERI [35]. Deployment of these techniques is hampered not just by performance concerns but also by whether current software relies on specific implementation choices.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Beyond the PDP-11

Chisnall

Rothwell

Watson

et al. 2015

Proceedings of the Twentieth International Conference on Architectural Support for Programming Languages and Operating Systems

Self Cite

View full text Add to dashboard Cite

We propose a new memory-safe interpretation of the C abstract machine that provides stronger protection to benefit security and debugging. Despite ambiguities in the specification intended to provide implementation flexibility, contemporary implementations of C have converged on a memory model similar to the PDP-11, the original target for C. This model lacks support for memory safety despite welldocumented impacts on security and reliability.Attempts to change this model are often hampered by assumptions embedded in a large body of existing C code, dating back to the memory model exposed by the original C compiler for the PDP-11. Our experience with attempting to implement a memory-safe variant of C on the CHERI experimental microprocessor led us to identify a number of problematic idioms. We describe these as well as their interaction with existing memory safety schemes and the assumptions that they make beyond the requirements of the C specification. Finally, we refine the CHERI ISA and abstract model for C, by combining elements of the CHERI capability model and fat pointers, and present a softcore CPU that implements a C abstract machine that can run legacy C code with strong memory protection guarantees.

show abstract

“…However, given that this compartment is likely to be several orders of magnitude smaller than the parser compartment, the probability that such an exploitable vulnerability can be found is limited. Such constructs are a well-known advantage of capability systems [21][22][23].…”

Section: Introductionmentioning

confidence: 99%

Salus: Kernel Support for Secure Process Compartments

Strackx¹,

Agten²,

Avonds³

et al. 2015

ICST Transactions on Security and Safety

View full text Add to dashboard Cite

Consumer devices are increasingly being used to perform security and privacy critical tasks. The software used to perform these tasks is often vulnerable to attacks, due to bugs in the application itself or in included software libraries. Recent work proposes the isolation of security-sensitive parts of applications into protected modules, each of which can be accessed only through a predefined public interface. But most parts of an application can be considered security-sensitive at some level, and an attacker who is able to gain inapplication level access may be able to abuse services from protected modules. We propose Salus, a Linux kernel modification that provides a novel approach for partitioning processes into isolated compartments sharing the same address space. Salus significantly reduces the impact of insecure interfaces and vulnerable compartments by enabling compartments (1) to restrict the system calls they are allowed to perform, (2) to authenticate their callers and callees and (3) to enforce that they can only be accessed via unforgeable references. We describe the design of Salus, report on a prototype implementation and evaluate it in terms of security and performance. We show that Salus provides a significant security improvement with a low performance overhead, without relying on any non-standard hardware support.

show abstract

The CHERI capability model: Revisiting RISC in an age of risk

Cited by 176 publications

References 35 publications

Micro-Policies: Formally Verified, Tag-Based Security Monitors

Micro-Policies: Formally Verified, Tag-Based Security Monitors

Beyond the PDP-11

Salus: Kernel Support for Secure Process Compartments

Contact Info

Product

Resources

About