Capability Hardware Enhanced RISC Instructions: CHERI Instruction-set architecture

This document describes the rapidly maturing design for the Capability Hardware Enhanced RISC Instructions (CHERI) Instruction-Set Architecture (ISA), which is being developed by SRI International and the University of Cambridge. The document is intended to capture our evolving architecture as it is being refined, tested, and formally analyzed. We have now reached 70% of the time for our research and development cycle. CHERI is a hybrid capability-system architecture that combines new processor primitives with the commodity 64-bit RISC ISA, enabling software to efficiently implement fine-grained memory protection and a hardware-software object-capability security model. These extensions support incrementally adoptable, high-performance, formally based, programmer-friendly underpinnings for fine-grained software decomposition and compartmentalization, motivated by and capable of enforcing the principle of least privilege. The CHERI system architecture purposefully addresses known performance and robustness gaps in commodity ISAs that hinder the adoption of more secure programming models centered around the principle of least privilege. To this end, CHERI blends traditional paged virtual memory with a per-address-space capability model that includes capability registers, capability instructions, and tagged memory, which have been added to the 64-bit MIPS ISA via a new capability coprocessor. CHERI’s hybrid approach, inspired by the Capsicum security model, allows incremental adoption of capability-oriented software design: software implementations that are more robust and resilient can be deployed where they are most needed, while leaving less critical software largely unmodified, but nevertheless suitably constrained to be incapable of having adverse effects. For example, we are focusing conversion efforts on low-level TCB components of the system: separation kernels, hypervisors, operating system kernels, language runtimes, and userspace TCBs such as web browsers.
Likewise, we see early-use scenarios (such as data compression, image processing, and video processing) that relate to particularly high-risk software libraries, which are concentrations of both complex and historically vulnerability-prone code combined with untrustworthy data sources, while leaving containing applications unchanged. This report describes the CHERI architecture and design, and provides reference documentation for the CHERI instruction-set architecture (ISA) and potential memory models, along with their requirements. It also documents our current thinking on integration of programming languages and operating systems. Our ongoing research includes two prototype processors employing the CHERI ISA, each implemented as an FPGA soft core specified in the Bluespec hardware description language (HDL), for which we have integrated the application of formal methods to the Bluespec specifications and the hardware-software implementation.
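The abstract names capability registers, capability instructions, and tagged memory as the primitives behind fine-grained memory protection and least privilege. The C program below is an added example, not code from the CHERI project or from this report: it is a constructed software model of those primitives. The struct layout, permission bits, memory size and tag granule are assumptions chosen for clarity and are not CHERI's encoding. It shows three properties a practitioner should expect from such a design: an access outside a capability's bounds or without the needed permission is refused; a capability derived from another can only have fewer rights than its parent; and a tag bit, cleared whenever ordinary data is written over a stored capability, prevents a corrupted or forged capability from being dereferenced.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a capability (not CHERI's real encoding). */
#define PERM_LOAD  0x1u
#define PERM_STORE 0x2u

typedef struct {
    bool     tag;     /* valid-capability bit; cleared by any data write */
    uint32_t perms;   /* PERM_* bits */
    uint64_t base;    /* first byte the capability may reach */
    uint64_t length;  /* number of bytes reachable from base */
    uint64_t offset;  /* cursor, relative to base */
} capability;

/* Simulated memory with one tag bit per capability-sized granule (assumed sizes). */
#define MEM_SIZE    256
#define CAP_GRANULE sizeof(capability)
static uint8_t memory[MEM_SIZE];
static bool    mem_tags[MEM_SIZE / CAP_GRANULE];

capability cap_make(uint64_t base, uint64_t length, uint32_t perms) {
    capability c = { true, perms, base, length, 0 };
    return c;
}

/* Derive a narrower capability: bounds and permissions may only shrink. */
bool cap_restrict(const capability *p, uint64_t base, uint64_t length,
                  uint32_t perms, capability *out) {
    if (!p->tag) return false;
    /* base + length <= p->base + p->length, written without overflow */
    if (base < p->base || length > p->length || base - p->base > p->length - length)
        return false;
    if (perms & ~p->perms) return false;
    *out = cap_make(base, length, perms);
    return true;
}

/* The check every capability-relative load or store performs first. */
bool cap_check(const capability *c, uint64_t size, uint32_t need) {
    if (!c->tag) return false;                                            /* forged/corrupted */
    if ((c->perms & need) != need) return false;                          /* missing permission */
    if (c->offset > c->length || size > c->length - c->offset) return false; /* out of bounds */
    if (c->base + c->offset + size > MEM_SIZE) return false;              /* outside simulated RAM */
    return true;
}

bool cap_load_byte(const capability *c, uint8_t *out) {
    if (!cap_check(c, 1, PERM_LOAD)) return false;
    *out = memory[c->base + c->offset];
    return true;
}

/* A data store clears the tag of the granule it touches. */
bool cap_store_byte(const capability *c, uint8_t v) {
    if (!cap_check(c, 1, PERM_STORE)) return false;
    uint64_t addr = c->base + c->offset;
    memory[addr] = v;
    mem_tags[addr / CAP_GRANULE] = false;
    return true;
}

/* Capability stores and loads carry the tag alongside the bytes. */
bool cap_store_cap(const capability *via, const capability *val) {
    uint64_t addr = via->base + via->offset;
    if (addr % CAP_GRANULE != 0 || !cap_check(via, CAP_GRANULE, PERM_STORE)) return false;
    memcpy(&memory[addr], val, CAP_GRANULE);
    mem_tags[addr / CAP_GRANULE] = val->tag;
    return true;
}

bool cap_load_cap(const capability *via, capability *out) {
    uint64_t addr = via->base + via->offset;
    if (addr % CAP_GRANULE != 0 || !cap_check(via, CAP_GRANULE, PERM_LOAD)) return false;
    memcpy(out, &memory[addr], CAP_GRANULE);
    out->tag = mem_tags[addr / CAP_GRANULE];
    return true;
}

/* Returns 1 if the last in-bounds byte loads and the byte past the end is refused. */
int demo_bounds(void) {
    capability buf = cap_make(64, 16, PERM_LOAD | PERM_STORE);
    uint8_t v;
    buf.offset = 15; if (!cap_load_byte(&buf, &v)) return 0;
    buf.offset = 16; if (cap_load_byte(&buf, &v)) return 0;
    return 1;
}

/* Returns 1 if derivation can narrow rights but never widen them. */
int demo_monotonic(void) {
    capability all = cap_make(0, MEM_SIZE, PERM_LOAD | PERM_STORE), ro, w;
    uint8_t v;
    if (!cap_restrict(&all, 64, 16, PERM_LOAD, &ro)) return 0;
    if (cap_store_byte(&ro, 1) || !cap_load_byte(&ro, &v)) return 0;   /* read-only */
    if (cap_restrict(&ro, 64, 32, PERM_LOAD, &w)) return 0;             /* cannot widen */
    if (cap_restrict(&ro, 64, 16, PERM_LOAD | PERM_STORE, &w)) return 0; /* cannot add perms */
    return 1;
}

/* Returns 1 if a stored capability loses its tag after a stray data write. */
int demo_tag(void) {
    capability all = cap_make(0, MEM_SIZE, PERM_LOAD | PERM_STORE);
    capability secret = cap_make(128, 8, PERM_LOAD), slot = all, data = all, loaded;
    uint8_t v;
    if (!cap_store_cap(&slot, &secret) || !cap_load_cap(&slot, &loaded) || !loaded.tag) return 0;
    data.offset = 3;                                  /* data write inside granule 0 */
    if (!cap_store_byte(&data, 0xFF)) return 0;
    if (!cap_load_cap(&slot, &loaded) || loaded.tag) return 0;
    return cap_load_byte(&loaded, &v) ? 0 : 1;       /* tagless: cannot dereference */
}

int main(void) {
    printf("bounds=%d monotonic=%d tag=%d\n", demo_bounds(), demo_monotonic(), demo_tag());
    return 0;
}
```

Each `demo_*` function returns 1 when the model behaves as the abstract's protection goals require; the tag demonstration is the one that has no analogue in a conventional MMU, since page-based protection cannot tell a pointer from the bytes that overwrote it.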
