CHERI: A Hybrid Capability-System Architecture for Scalable Software Compartmentalization
Authors
Watson, Robert
Woodruff, Jonathan
Neumann, Peter G
Anderson, Jonathan
Chisnall, David
Dave, Nirav
Davis, Brooks
Gudka, Khilan
Laurie, Ben
Murdoch, Steven
Roe, Michael
Son, Stacey
Vadera, Munraj
Publication Date
2015-05-26
Journal Title
IEEE Symposium on Security and Privacy
ISSN
1081-6011
Publisher
IEEE
Pages
20-37
Language
English
Type
Conference Object
Citation
Watson, R., Woodruff, J., Neumann, P. G., Moore, S., Anderson, J., Chisnall, D., Dave, N., et al. (2015). CHERI: A Hybrid Capability-System Architecture for Scalable Software Compartmentalization. IEEE Symposium on Security and Privacy, 20-37. https://www.repository.cam.ac.uk/handle/1810/247946
Abstract
CHERI extends a conventional RISC Instruction-Set Architecture, compiler, and operating system to support fine-grained, capability-based memory protection to mitigate memory-related vulnerabilities in C-language TCBs. We describe how CHERI capabilities can also underpin a hardware-software object-capability model for application compartmentalization that can mitigate broader classes of attack. Prototyped as an extension to the open-source 64-bit BERI RISC FPGA softcore processor, FreeBSD operating system, and LLVM compiler, we demonstrate multiple orders-of-magnitude improvement in scalability, simplified programmability, and resulting tangible security benefits as compared to compartmentalization based on pure Memory-Management Unit (MMU) designs. We evaluate incrementally deployable CHERI-based compartmentalization using several real-world UNIX libraries and applications.
Sponsorship
We thank our colleagues Ross Anderson, Ruslan Bukin, Gregory Chadwick, Steve Hand, Alexandre Joannou, Chris Kitching, Wojciech Koszek, Bob Laddaga, Patrick Lincoln, Ilias Marinos, A. Theodore Markettos, Ed Maste, Andrew W. Moore, Alan Mujumdar, Prashanth Mundkur, Colin Rothwell, Philip Paeps, Jeunese Payne, Hassen Saidi, Howie Shrobe, and Bjoern Zeeb, our anonymous reviewers, and shepherd Frank Piessens, for their feedback and assistance. This work is part of the CTSRD and MRC2 projects sponsored by the Defense Advanced Research Projects Agency (DARPA) and the Air Force Research Laboratory (AFRL), under contracts FA8750-10-C-0237 and FA8750-11-C-0249. The views, opinions, and/or findings contained in this paper are those of the authors and should not be interpreted as representing the official views or policies, either expressed or implied, of the Department of Defense or the U.S. Government. We acknowledge the EPSRC REMS Programme Grant [EP/K008528/1], Isaac Newton Trust, UK Higher Education Innovation Fund (HEIF), Thales E-Security, and Google, Inc.
Funder references
EPSRC (EP/K008528/1)
Identifiers
This record's URL: https://www.repository.cam.ac.uk/handle/1810/247946
Rights
Licence:
http://www.rioxx.net/licenses/all-rights-reserved