CHERI: a research platform deconflating hardware virtualisation and protection

Contemporary CPU architectures conflate virtualization and protection, imposing virtualization-related performance, programmability, and debuggability penalties on software requiring fine-grained protection. First observed in micro-kernel research, these problems are increasingly apparent in recent attempts to mitigate software vulnerabilities through application compartmentalisation. Capability Hardware Enhanced RISC Instructions (CHERI) extend RISC ISAs to support greater software compartmentalisation. CHERI’s hybrid capability model provides fine-grained compartmentalisation within address spaces while maintaining software backward compatibility, which will allow the incremental deployment of fine-grained compartmentalisation in both our most trusted and least trustworthy C-language software stacks. We have implemented a 64-bit MIPS research soft core, BERI, as well as a capability coprocessor, and begun adapting commodity software packages (FreeBSD and Chromium) to execute on the platform.
