The CHERI capability model: revisiting RISC in an age of risk

Published: 14 June 2014

Abstract

Motivated by contemporary security challenges, we reevaluate and refine capability-based addressing for the RISC era. We present CHERI, a hybrid capability model that extends the 64-bit MIPS ISA with byte-granularity memory protection. We demonstrate that CHERI enables language memory model enforcement and fault isolation in hardware rather than software, and that the CHERI mechanisms are easily adopted by existing programs for efficient in-program memory safety. In contrast to past capability models, CHERI complements, rather than replaces, the ubiquitous page-based protection mechanism, providing a migration path towards deconflating data-structure protection and OS memory management. Furthermore, CHERI adheres to a strict RISC philosophy: it maintains a load-store architecture and requires only single-cycle instructions, and supplies protection primitives to the compiler, language runtime, and operating system. We demonstrate a mature FPGA implementation that runs the FreeBSD operating system with a full range of software and an open-source application suite compiled with an extended LLVM to use CHERI memory protection. A limit study compares published memory safety mechanisms in terms of instruction count and memory overheads. The study illustrates that CHERI is performance-competitive even while providing assurance and greater flexibility with simpler hardware.
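The abstract describes capabilities as bounded, permission-carrying pointers that the hardware checks on every load and store, with the compiler narrowing them down to individual objects. The C program below is an added illustration and is not code from the paper or from the CHERI project: it models a capability in software (the cap_t struct, cap_for_buffer, cap_set_bounds, cap_and_perms and the check inside cap_store_u8 are this example's own names and a deliberately simplified layout, not CHERI's tagged-register encoding or instruction set) and contrasts an overflow through a raw pointer with the same copy made through a capability bounded to a single field. The record layout and the 12-byte INPUT are constructed for the demonstration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Software model of a capability: the pointer plus the bounds, permissions
 * and validity tag that CHERI hardware would carry with it. This struct is
 * the example's own assumption, not CHERI's compressed encoding. */
enum { CAP_LOAD = 1u, CAP_STORE = 2u };

typedef struct {
    bool     tag;    /* valid? cleared whenever a derivation would widen rights */
    uint8_t *base;   /* first addressable byte */
    size_t   length; /* bytes in bounds, counted from base */
    size_t   offset; /* cursor, relative to base */
    unsigned perms;  /* CAP_LOAD | CAP_STORE */
} cap_t;

/* Root capability for a buffer: full bounds, load and store permitted. */
static cap_t cap_for_buffer(uint8_t *buf, size_t len)
{
    cap_t c = { true, buf, len, 0, CAP_LOAD | CAP_STORE };
    return c;
}

/* Narrow bounds to [offset, offset + new_len). Monotonic: a request that
 * exceeds the parent's bounds yields an untagged, unusable capability. */
static cap_t cap_set_bounds(cap_t parent, size_t new_len)
{
    cap_t c = parent;
    if (!parent.tag || parent.offset > parent.length ||
        new_len > parent.length - parent.offset) {
        c.tag = false;
        return c;
    }
    c.base = parent.base + parent.offset;
    c.length = new_len;
    c.offset = 0;
    return c;
}

/* Drop permissions: bits can only be cleared, never added. */
static cap_t cap_and_perms(cap_t parent, unsigned keep)
{
    cap_t c = parent;
    c.perms &= keep;
    return c;
}

/* The check every load/store goes through: tag, permission, byte bounds. */
static bool cap_check(const cap_t *c, size_t size, unsigned need)
{
    return c->tag && (c->perms & need) == need &&
           c->offset <= c->length && size <= c->length - c->offset;
}

static bool cap_store_u8(const cap_t *c, uint8_t v)
{
    if (!cap_check(c, 1, CAP_STORE))
        return false; /* hardware would trap here */
    c->base[c->offset] = v;
    return true;
}

/* Copy n bytes through a capability; returns bytes written before a fault. */
static size_t cap_copy(cap_t dst, const uint8_t *src, size_t n)
{
    size_t i;
    for (i = 0; i < n && cap_store_u8(&dst, src[i]); i++)
        dst.offset++;
    return i;
}

/* A record whose privilege flag sits right after a fixed-size name field. */
struct record {
    uint8_t  name[8];
    uint32_t is_admin;
};

/* Constructed 12-byte input: fills name[] and spills 0x01 bytes into is_admin. */
static const uint8_t INPUT[12] = "AAAAAAAA\x01\x01\x01\x01";

/* Raw pointer copy: nothing bounds the write, so the overflow flips is_admin.
 * Returns 1 when the flag was set. */
static int overflow_with_raw_pointer(void)
{
    struct record r = { {0}, 0 };
    uint8_t *p = (uint8_t *)&r;
    for (size_t i = 0; i < sizeof INPUT; i++)
        p[offsetof(struct record, name) + i] = INPUT[i];
    return r.is_admin != 0;
}

/* Same copy through a capability bounded to name[]: the ninth store faults.
 * Returns the bytes that landed (8) if is_admin is untouched, else -1. */
static int overflow_with_capability(void)
{
    struct record r = { {0}, 0 };
    cap_t rec  = cap_for_buffer((uint8_t *)&r, sizeof r);
    cap_t name = cap_set_bounds(rec, sizeof r.name); /* offset 0, 8 bytes */
    size_t written = cap_copy(name, INPUT, sizeof INPUT);
    return r.is_admin == 0 ? (int)written : -1;
}

/* Derivation cannot widen: re-bounding an 8-byte capability to 12 bytes
 * clears the tag, and a load-only capability refuses a store. */
static bool widening_is_rejected(void)
{
    uint8_t buf[16] = {0};
    cap_t root    = cap_for_buffer(buf, sizeof buf);
    cap_t eight   = cap_set_bounds(root, 8);
    cap_t widened = cap_set_bounds(eight, 12);
    cap_t ro      = cap_and_perms(eight, CAP_LOAD);
    return eight.tag && !widened.tag && !cap_store_u8(&ro, 0xff);
}
```

The functions return their observable result rather than printing it. The property to carry away is monotonicity: cap_set_bounds and cap_and_perms can only shrink what a capability reaches or may do, and any attempt to widen clears the tag, so the rights a compiler hands a callee for one object cannot be grown back into the caller's whole address space. In real CHERI the tag lives in hardware-protected register and memory state rather than a struct field, which is what makes it unforgeable; in this model it is only a convention.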




Published In

ACM SIGARCH Computer Architecture News, Volume 42, Issue 3 (ISCA '14), June 2014, 552 pages. ISSN 0163-5964. DOI: 10.1145/2678373
ISCA '14: Proceedings of the 41st Annual International Symposium on Computer Architecture, June 2014, 566 pages. ISBN 9781479943944

Publisher

Association for Computing Machinery, New York, NY, United States

Publication History

Published in SIGARCH Volume 42, Issue 3

Cited By

• (2024) GuaNary: Efficient Buffer Overflow Detection In Virtualized Clouds Using Intel EPT-based Sub-Page Write Protection Support. ACM SIGMETRICS Performance Evaluation Review 52(1), pp. 65-66, 13 June 2024. DOI: 10.1145/3673660.3655056
• (2024) GuaNary: Efficient Buffer Overflow Detection In Virtualized Clouds Using Intel EPT-based Sub-Page Write Protection Support. Abstracts of the 2024 ACM SIGMETRICS/IFIP PERFORMANCE Joint International Conference on Measurement and Modeling of Computer Systems, pp. 65-66, 10 June 2024. DOI: 10.1145/3652963.3655056
• (2024) Randomized Testing of RISC-V CPUs Using Direct Instruction Injection. IEEE Design & Test 41(1), pp. 40-49, February 2024. DOI: 10.1109/MDAT.2023.3262741
• (2023) ‘Ought’ should not assume ‘Can’? Basic Capabilities in Cybersecurity to Ground Sen’s Capability Approach. Proceedings of the 2023 New Security Paradigms Workshop, pp. 76-91, 18 September 2023. DOI: 10.1145/3633500.3633506
• (2023) Coherence Attacks and Countermeasures in Interposer-based Chiplet Systems. ACM Transactions on Architecture and Code Optimization 21(2), pp. 1-25, 20 November 2023. DOI: 10.1145/3633461
• (2023) GuaNary: Efficient Buffer Overflow Detection In Virtualized Clouds Using Intel EPT-based Sub-Page Write Protection Support. Proceedings of the ACM on Measurement and Analysis of Computing Systems 7(3), pp. 1-26, 7 December 2023. DOI: 10.1145/3626787
• (2023) Software Compartmentalization Trade-Offs with Hardware Capabilities. Proceedings of the 12th Workshop on Programming Languages and Operating Systems, pp. 49-57, 23 October 2023. DOI: 10.1145/3623759.3624550
• (2023) CHERI Performance Enhancement for a Bytecode Interpreter. Proceedings of the 15th ACM SIGPLAN International Workshop on Virtual Machines and Intermediate Languages, pp. 1-10, 18 October 2023. DOI: 10.1145/3623507.3623552
• (2023) Capable VMs Project Overview (Poster Abstract). Proceedings of the 20th ACM SIGPLAN International Conference on Managed Programming Languages and Runtimes, pp. 183-184, 19 October 2023. DOI: 10.1145/3617651.3624308
• (2023) Morello MicroPython: A Python Interpreter for CHERI. Proceedings of the 20th ACM SIGPLAN International Conference on Managed Programming Languages and Runtimes, pp. 62-69, 19 October 2023. DOI: 10.1145/3617651.3622991
