A New HOPE (2022): "CHERI: A Modern Capability Architecture"
Friday, July 22, 2022: 1:00 pm (DAC 206)
CHERI (Capability Hardware Enhanced RISC Instructions) is an architectural extension to existing processor Instruction Set Architectures (ISAs) that introduces capability-based memory protection. It has been realized atop MIPS64 and RISC-V in a variety of open-source FPGA soft-cores, and atop 64-bit Armv8.2-A in the Morello research prototype, a 2.5GHz, 7nm, 4-core SoC. Capability-aware forks of the FreeBSD distribution, the LLVM tool chain, PostgreSQL, Qt, KDE, and WebKit are under active development, as are capability-aware gcc and Linux. CHERI's instantiations are formally specified, and key security properties have been proven.
Using CHERI's mechanisms, software can efficiently implement fine-grained, reliable spatial and temporal memory protection and scalable compartmentalization without resorting to MMU-based isolation. Though common wisdom holds that hardware capability systems are impractical, CHERI achieves its goals with low overheads while retaining compatibility with C, including modern features such as dynamic linking and thread-local storage.
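To make the spatial-protection claim concrete, the following C program is an added example written for this page; it is not code from the talk or from the CHERI project. It models a CHERI-style capability in software (bounds, permissions and a validity tag travelling with the pointer) and the check the hardware performs on every load and store. The model departs from real CHERI in ways the comments note: the tag is held out of band by hardware, bounds are compressed into a 128-bit word, a pure-capability compiler emits the checks implicitly for ordinary C, and temporal safety (revocation of freed memory) is not modelled here at all. The `cap_*` names and the `OBJ_SIZE` constant are this example's own, not CHERI instruction or API names.

```c
/* Software model of a CHERI-style capability, added here to illustrate the
 * checks CHERI hardware performs on every memory access. Illustrative code for
 * this page, not CHERI's own: real CHERI keeps the tag out of band in registers
 * and memory, compresses bounds into a 128-bit word, and a pure-capability
 * compiler emits these checks implicitly for ordinary C. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { PERM_LOAD = 1u << 0, PERM_STORE = 1u << 1, OBJ_SIZE = 64 };

typedef struct {
    uint8_t *base;   /* lowest address the capability may reach */
    size_t   length; /* bytes from base it covers */
    uint8_t *cursor; /* address the next access would use */
    uint32_t perms;  /* permission bits */
    bool     tag;    /* set only for capabilities derived from valid ones */
} cap_t;

/* Model of what a capability-aware allocator returns: exact bounds, load+store. */
static cap_t cap_new(uint8_t *obj, size_t len) {
    cap_t c = { obj, len, obj, PERM_LOAD | PERM_STORE, true };
    return c;
}

/* Narrowing to a sub-range (the CSetBounds idea). Monotonic: asking for more
 * than the parent covers yields an untagged, unusable capability, never a wider one. */
static cap_t cap_set_bounds(cap_t c, size_t off, size_t len) {
    if (!c.tag || off > c.length || len > c.length - off) { c.tag = false; return c; }
    c.base += off; c.length = len; c.cursor = c.base;
    return c;
}

/* Dropping permissions (the CAndPerm idea): bits can only be cleared, never regained. */
static cap_t cap_and_perm(cap_t c, uint32_t keep) { c.perms &= keep; return c; }

/* Pointer arithmetic keeps the bounds; nothing traps until the pointer is used. */
static cap_t cap_inc(cap_t c, ptrdiff_t delta) { c.cursor += delta; return c; }

/* The check applied to every load/store of `width` bytes through a capability. */
static bool cap_check(cap_t c, uint32_t need, size_t width) {
    if (!c.tag || (c.perms & need) != need) return false;
    if (c.cursor < c.base) return false;
    size_t off = (size_t)(c.cursor - c.base);
    return off <= c.length && width <= c.length - off;
}

/* Load/store through a capability; -1 stands in for the SIGPROT a CheriBSD process gets. */
static int cap_load8(cap_t c, uint8_t *out) {
    if (!cap_check(c, PERM_LOAD, 1)) return -1;
    *out = *c.cursor; return 0;
}
static int cap_store8(cap_t c, uint8_t v) {
    if (!cap_check(c, PERM_STORE, 1)) return -1;
    *c.cursor = v; return 0;
}

/* Classic over-read: try to read `want` bytes from an object of `have` bytes.
 * Returns how many bytes the loop obtained before the first trap. */
size_t overread_bytes_obtained(size_t have, size_t want) {
    uint8_t obj[OBJ_SIZE] = {0};
    if (have > (size_t)OBJ_SIZE) have = OBJ_SIZE;
    cap_t buf = cap_new(obj, have);
    size_t got = 0;
    for (size_t i = 0; i < want; i++) {
        uint8_t b;
        if (cap_load8(cap_inc(buf, (ptrdiff_t)i), &b) != 0) break;
        got++;
    }
    return got;
}

/* A read-only view derived from a writable one: the store faults, the load still works. */
bool readonly_view_rejects_store(void) {
    uint8_t obj[OBJ_SIZE] = {0};
    cap_t rw = cap_new(obj, sizeof obj);
    cap_t ro = cap_and_perm(rw, PERM_LOAD);
    uint8_t v;
    return cap_store8(ro, 1) == -1 && cap_load8(ro, &v) == 0;
}

/* Widening bounds is not expressible: the result is untagged and traps on use. */
bool widened_capability_is_unusable(void) {
    uint8_t obj[OBJ_SIZE] = {0};
    cap_t narrow = cap_set_bounds(cap_new(obj, sizeof obj), 16, 8);
    cap_t wider  = cap_set_bounds(narrow, 0, 32);
    uint8_t v;
    return !wider.tag && cap_load8(wider, &v) == -1 && cap_load8(narrow, &v) == 0;
}

int main(void) {
    printf("16-byte object, 32-byte read: got %zu bytes before trap\n",
           overread_bytes_obtained(16, 32));
    printf("read-only view rejects store: %s\n", readonly_view_rejects_store() ? "yes" : "no");
    printf("widened capability unusable: %s\n", widened_capability_is_unusable() ? "yes" : "no");
    return 0;
}
```

The point of the model is the last two functions: once a pointer carries its own bounds and permissions, a buffer over-read stops exactly at the object boundary instead of reading whatever happens to be adjacent, and no sequence of operations on a capability can produce one with more authority than its parent. On real CHERI hardware the same outcome comes from ordinary `buf[i]` in C compiled for the pure-capability ABI, with the trap delivered as a signal rather than a return code.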
CHERI occupies a unique point in the design space of architectural security work. It is a fundamental redesign of the abstract machine seen by system software programmers (the first such redesign of the commodity abstract machine since the introduction of virtual memory) while still being a valid target for C programs. Unlike most competing approaches, its security guarantees are deterministic rather than probabilistic and do not depend on secrets, which reduces the risk that side channels undermine them. All of these properties, together with the viability demonstrated across the decade-long research program, mean that CHERI is widely considered to be one of the few paths towards "getting to done" with memory-safety vulnerabilities.
While the fundamentals of CHERI have not changed, the HOPE audience has likely not had very much exposure to the topic. Moreover, the availability of Morello silicon changes the story from "something that might have worked well with CPU designs in the 80s and 90s, but is only available in simulation now" to "this might actually be real, and might be part of the commercial ecosystem in five to ten years."
Dr. Nathaniel "nwf" Filardo