The CHERI capability model: Revisiting RISC in an age of risk

Motivated by contemporary security challenges, we reevaluate and refine capability-based addressing for the RISC era. We present CHERI, a hybrid capability model that extends the 64-bit MIPS ISA with byte-granularity memory protection. We demonstrate that CHERI enables language memory model enforcement and fault isolation in hardware rather than software, and that the CHERI mechanisms are easily adopted by existing programs for efficient in-program memory safety. In contrast to past capability models, CHERI complements, rather than replaces, the ubiquitous page-based protection mechanism, providing a migration path towards deconflating data-structure protection and OS memory management. Furthermore, CHERI adheres to a strict RISC philosophy: it maintains a load-store architecture and requires only single-cycle instructions, and supplies protection primitives to the compiler, language runtime, and operating system. We demonstrate a mature FPGA implementation that runs the FreeBSD operating system with a full range of software and an open-source application suite compiled with an extended LLVM to use CHERI memory protection. A limit study compares published memory safety mechanisms in terms of instruction count and memory overheads. The study illustrates that CHERI is performance-competitive even while providing assurance and greater flexibility with simpler hardware.
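A software model of the capability semantics the abstract describes (byte-granularity bounds, permissions, and monotonic narrowing of derived capabilities), added here as an illustration; it is not code from the CHERI project, and the struct fields, function names, and permission bits are assumptions of this example.

```c
/* Software model of a CHERI-style capability, added as an illustration;
 * not code from the CHERI project. The field layout, names and
 * permission bits below are assumptions of this example. */
#include <stdint.h>
#include <stddef.h>

enum { PERM_LOAD = 1, PERM_STORE = 2 };

typedef struct {
    uint8_t *base;   /* lowest address the capability may access */
    size_t   length; /* bytes reachable from base */
    size_t   offset; /* current pointer position relative to base */
    unsigned perms;  /* PERM_* bits */
    int      tag;    /* 1 = valid capability, 0 = cleared / untrusted */
} cap_t;

/* Derive a capability over a whole buffer (what an allocator would hand out). */
cap_t cap_from_buffer(uint8_t *buf, size_t len, unsigned perms) {
    cap_t c = { buf, len, 0, perms, 1 };
    return c;
}

/* Monotonic narrowing: a derived capability may only shrink its bounds and
 * drop permissions, never grow or regain them. A request that would widen
 * the bounds yields an untagged (unusable) capability instead. */
cap_t cap_narrow(cap_t c, size_t new_off, size_t new_len, unsigned perms) {
    cap_t d = c;
    if (!c.tag || new_off > c.length || new_len > c.length - new_off) {
        d.tag = 0; return d;
    }
    d.base = c.base + new_off; d.length = new_len; d.offset = 0;
    d.perms = c.perms & perms;  /* permissions can only be removed */
    return d;
}

/* The check performed on every capability load/store: tag set, required
 * permission present, and [offset, offset + n) inside [0, length). */
int cap_access_ok(const cap_t *c, size_t n, unsigned need) {
    return c->tag && (c->perms & need) == need
        && c->offset <= c->length && n <= c->length - c->offset;
}

/* Load one byte through the capability; -1 signals a capability fault. */
int cap_load_u8(const cap_t *c) {
    if (!cap_access_ok(c, 1, PERM_LOAD)) return -1;
    return c->base[c->offset];
}
```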
