CHERI: A Hybrid Capability-System Architecture for Scalable Software Compartmentalization

Watson, Robert N. M.; Woodruff, Jonathan; Neumann, Peter G.; Moore, Simon W.; Anderson, Jonathan; Chisnall, David; Dave, Nirav; Davis, Brooks; Gudka, Khilan; Laurie, Ben; Murdoch, Steven J.; Norton, Robert; Roe, Michael; Son, Stacey; Vadera, Munraj

View / Open Files

Watson et al 2015 IEEE Symposium on Security and Privacy.pdf (PDF, 427Kb)

Authors

Watson, Robert N. M.

Woodruff, Jonathan

Neumann, Peter G.

Moore, Simon W.

Anderson, Jonathan

Chisnall, David

Dave, Nirav

Publication Date

2015-05-26

Journal Title

IEEE Symposium on Security and Privacy

Publisher

IEEE

Pages

20-37

Language

English

Type

Article

Metadata

Show full item record

Citation

Watson, R. N. M., Woodruff, J., Neumann, P. G., Moore, S. W., Anderson, J., Chisnall, D., Dave, N., et al. (2015). CHERI: A Hybrid Capability-System Architecture for Scalable Software Compartmentalization. IEEE Symposium on Security and Privacy, 20-37.

Description

This is the author accepted manuscript. The final version is available at http://dx.doi.org/10.1109/SP.2015.9

Abstract

CHERI extends a conventional RISC Instruction- Set Architecture, compiler, and operating system to support fine-grained, capability-based memory protection to mitigate memory-related vulnerabilities in C-language TCBs. We describe how CHERI capabilities can also underpin a hardware-software object-capability model for application compartmentalization that can mitigate broader classes of attack. Prototyped as an extension to the open-source 64-bit BERI RISC FPGA softcore processor, FreeBSD operating system, and LLVM compiler, we demonstrate multiple orders-of-magnitude improvement in scalability, simplified programmability, and resulting tangible security benefits as compared to compartmentalization based on pure Memory-Management Unit (MMU) designs. We evaluate incrementally deployable CHERI-based compartmentalization using several real-world UNIX libraries and applications.

Sponsorship

We thank our colleagues Ross Anderson, Ruslan Bukin, Gregory Chadwick, Steve Hand, Alexandre Joannou, Chris Kitching, Wojciech Koszek, Bob Laddaga, Patrick Lincoln, Ilias Marinos, A Theodore Markettos, Ed Maste, Andrew W. Moore, Alan Mujumdar, Prashanth Mundkur, Colin Rothwell, Philip Paeps, Jeunese Payne, Hassen Saidi, Howie Shrobe, and Bjoern Zeeb, our anonymous reviewers, and shepherd Frank Piessens, for their feedback and assistance. This work is part of the CTSRD and MRC2 projects sponsored by the Defense Advanced Research Projects Agency (DARPA) and the Air Force Research Laboratory (AFRL), under contracts FA8750-10-C- 0237 and FA8750-11-C-0249. The views, opinions, and/or findings contained in this paper are those of the authors and should not be interpreted as representing the official views or policies, either expressed or implied, of the Department of Defense or the U.S. Government. We acknowledge the EPSRC REMS Programme Grant [EP/K008528/1], Isaac Newton Trust, UK Higher Education Innovation Fund (HEIF), Thales E-Security, and Google, Inc.

Identifiers

This record's URL: http://www.repository.cam.ac.uk/handle/1810/247946