Fast Protection-Domain Crossing in the CHERI Capability-System Architecture

Capability Hardware Enhanced RISC Instructions (CHERI) supplement the conventional memory management unit (MMU) with instruction-set architecture (ISA) extensions that implement a capability system model in the address space. CHERI can also underpin a hardware-software object-capability model for scalable application compartmentalization that can mitigate broader classes of attack. This article describes ISA additions to CHERI that support fast protection-domain switching, not only in terms of low cycle count, but also efficient memory sharing with mutual distrust. The authors propose ISA support for sealed capabilities, hardware-assisted checking during protection-domain switching, a lightweight capability flow-control model, and fast register clearing, while retaining the flexibility of a software-defined protection-domain transition model. They validate this approach through a full-system experimental design, including ISA extensions, a field-programmable gate array prototype (implemented in Bluespec SystemVerilog), and a software stack including an OS (based on FreeBSD), compiler (based on LLVM), software compartmentalization model, and open-source applications.
