Guy Harris (talk | contribs): Fix {{use dmy dates}} template call.
{{Short description|Computer architecture for security}}
{{
'''Capability Hardware Enhanced RISC Instructions''' ('''CHERI''') is a computer processor technology designed to improve security. CHERI aims to address the root cause of the problems caused by a lack of [[memory safety]] in common implementations of languages such as [[C (programming language)|C]] and [[C++]]; memory-safety bugs account for around 70% of the security vulnerabilities reported by large software vendors such as Google and Microsoft.<ref>{{cite web |url=https://www.zdnet.com/article/chrome-70-of-all-security-bugs-are-memory-safety-issues/ |publisher=ZDNet |title=Chrome: 70% of all security bugs are memory safety issues |date=22 May 2020 |access-date=24 January 2025}}</ref><ref>{{cite web |url=https://www.zdnet.com/article/microsoft-70-percent-of-all-security-bugs-are-memory-safety-issues/ |title= Microsoft: 70 percent of all security bugs are memory safety issues |publisher=ZDNet |date=11 February 2019 |access-date=24 January 2025}}</ref>
The hardware works by giving each reference to a piece of data or a system resource its own access rules: the range of memory it may reach and the operations it may perform there. This prevents a program from accessing or changing memory it should not. It also makes it hard to trick one part of a program into accessing or changing memory that it ''is'' allowed to access, but at a different time or through a different reference than intended. The same mechanism is used to implement [[privilege separation]], dividing a process into compartments that limit the damage that a bug (security-related or otherwise) can do.
CHERI can be added to many different [[instruction set architecture]]s, including [[MIPS architecture|MIPS]], [[AArch64]], and [[RISC-V]], making it usable across a wide range of platforms.
Software must be recompiled to use CHERI, but most software requires few (if any) changes to the source code.<ref name="ecosystemviability">{{cite tech report |title=Assessing the Viability of an Open-Source CHERI Desktop Software Ecosystem |author1=Robert N. M. Watson |author2=Ben Laurie |author3=Alex Richardson |date=17 September 2021 |publisher=Capabilities Ltd |url=https://www.cl.cam.ac.uk/research/security/ctsrd/pdfs/20210917-capltd-cheri-desktop-report-version1-FINAL.pdf}}</ref> CHERI's importance has been recognised by governments as a way to improve cybersecurity and protect critical systems.<ref name="ONCDReport">{{cite web |date=February 2024 |title=Final ONCD Technical Report |url=https://www.whitehouse.gov/wp-content/uploads/2024/02/Final-ONCD-Technical-Report.pdf |access-date=21 January 2025 |website=White House |publisher=Office of the National Cyber Director|archive-url=https://web.archive.org/web/20250118014817/https://www.whitehouse.gov/wp-content/uploads/2024/02/Final-ONCD-Technical-Report.pdf |archive-date=18 January 2025 |url-status=dead}}</ref> It is under active development by various business and academic organizations.<ref name="cheri-alliance-launched">{{cite magazine |date=13 November 2024 |title=CHERI Alliance launched |first=David |last=Manners |url=https://www.electronicsweekly.com/news/business/cheri-alliance-launched-2024-11/ |access-date=20 January 2025 |magazine=Electronics Weekly}}</ref>
This metadata is stored inline, alongside the address, in the computer's memory, and is protected by a [[Tagged architecture|tag bit]] that is cleared if the capability is tampered with, for example by overwriting part of it with an ordinary data store. The metadata tells the processor which region of memory may be accessed through a particular capability and whether that access may read, write or execute it. This allows CHERI systems to catch attempts to read or write memory outside the bounds the program was supposed to operate on. Associating the metadata with the value used to access memory, rather than with the memory being accessed (in contrast to a [[memory management unit]]), means that the hardware can also catch cases where a program attempts to access a part of memory that it ''should'' have access to while intending to access a ''different'' piece of memory.
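The following is a software model of the checks described above, added here as an illustration; it is not code from the CHERI project and does not run on CHERI hardware, where the tag lives in out-of-band memory and the bounds and permission checks happen inside the processor on every load and store. It models a capability as a struct carrying base, length, permissions and a tag bit, a toy bump allocator (an assumed stand-in for a CHERI-aware malloc) that returns a capability bounded to each allocation, and the access check that refuses out-of-bounds, untagged (forged) and permission-violating accesses. The names cap_t, cap_malloc, cap_set_bounds, cap_check and the 256-byte memory array are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define PERM_LOAD  0x1u
#define PERM_STORE 0x2u

/* Capability as modelled here (assumed layout; real CHERI compresses the
 * bounds into 128 bits and keeps the tag in out-of-band memory). */
typedef struct {
    uint64_t base;    /* lowest address the capability may touch */
    uint64_t length;  /* bounds cover [base, base + length) */
    uint64_t cursor;  /* the address an access actually uses */
    uint32_t perms;   /* PERM_* bits */
    int      tag;     /* 1 = valid, 0 = forged or tampered with */
} cap_t;

static uint8_t  memory[256];   /* constructed toy heap */
static uint64_t next_free;     /* bump-allocator state */

/* Stand-in for a CHERI-aware malloc: the returned capability's bounds are
 * exactly the allocation, so later accesses cannot stray into a neighbour. */
cap_t cap_malloc(uint64_t size) {
    cap_t c = {0, 0, 0, 0, 0};
    if (size == 0 || size > sizeof memory - next_free) return c; /* tag stays 0 */
    c.base = c.cursor = next_free;
    c.length = size;
    c.perms = PERM_LOAD | PERM_STORE;
    c.tag = 1;
    next_free += size;
    return c;
}

/* Pointer arithmetic moves only the cursor; bounds and permissions stay. */
cap_t cap_add(cap_t c, int64_t off) {
    c.cursor += (uint64_t)off;
    return c;
}

/* Derive a capability with narrower bounds starting at the cursor. CHERI only
 * permits monotonic narrowing; a request to widen yields an untagged result. */
cap_t cap_set_bounds(cap_t c, uint64_t len) {
    uint64_t off = c.cursor - c.base;
    if (!c.tag || c.cursor < c.base || off > c.length || len > c.length - off) {
        c.tag = 0;
        return c;
    }
    c.base = c.cursor;
    c.length = len;
    return c;
}

/* A capability built from raw integers: the address may be right, but the
 * tag is 0, as it would be after writing capability bits with a data store. */
cap_t cap_forge(uint64_t base, uint64_t length) {
    cap_t c = {base, length, base, PERM_LOAD | PERM_STORE, 0};
    return c;
}

/* The check the hardware performs on every access of n bytes. */
int cap_check(cap_t c, uint64_t n, uint32_t need) {
    if (!c.tag) return 0;                           /* forged or tampered */
    if ((c.perms & need) != need) return 0;         /* missing permission */
    if (c.cursor < c.base || n > c.length) return 0;
    if (c.cursor - c.base > c.length - n) return 0; /* out of bounds */
    return 1;
}

int cap_store8(cap_t c, uint8_t v) {
    if (!cap_check(c, 1, PERM_STORE)) return -1;    /* would be a CPU fault */
    memory[c.cursor] = v;
    return 0;
}

int cap_load8(cap_t c, uint8_t *out) {
    if (!cap_check(c, 1, PERM_LOAD)) return -1;
    *out = memory[c.cursor];
    return 0;
}

/* Three accesses a raw pointer would allow, each refused here. Returns the
 * number refused (3) provided the legitimate access still succeeds. */
int demo(void) {
    int blocked = 0;
    uint8_t v = 0;
    cap_t buf    = cap_malloc(16);   /* attacker-influenced buffer */
    cap_t secret = cap_malloc(16);   /* adjacent allocation holding a secret */
    cap_store8(secret, 0x42);

    /* buf[16] is a valid address (it is secret[0]) but outside buf's bounds. */
    if (cap_load8(cap_add(buf, 16), &v) < 0) blocked++;
    /* Right address, no tag: an integer cast to a pointer is not a capability. */
    if (cap_load8(cap_forge(secret.base, 16), &v) < 0) blocked++;
    /* A 4-byte sub-object capability cannot reach byte 4 of its parent. */
    cap_t field = cap_set_bounds(cap_add(buf, 4), 4);
    if (cap_load8(cap_add(field, 4), &v) < 0) blocked++;

    if (cap_load8(secret, &v) != 0 || v != 0x42) return -1;  /* legitimate path */
    return blocked;
}

int main(void) {
    printf("accesses refused: %d\n", demo());
    return 0;
}
```

The model lets the address go out of bounds (cap_add moves only the cursor) and refuses only the access itself, which matches CHERI's behaviour: pointer arithmetic that leaves the bounds is allowed, dereferencing the result is not. Narrowing with cap_set_bounds is monotonic, so a sub-object capability can never be regrown to reach a neighbouring allocation, and a capability assembled from integers (cap_forge) is refused even when its address is correct.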
Implementations of CHERI systems also include modifications to the default [[Memory management|memory allocator]]. A memory allocator is the component that decides which range of addresses the programmer should treat as a given object. On a CHERI system it must also communicate this information to the hardware, by setting the bounds of the pointer (represented by a CHERI capability) that it returns, so that later accesses through that pointer are confined to the allocation.<ref>{{Cite conference |last1=Bramley |first1=Jacob |last2=Jacob |first2=Dejice |last3=Lascu |first3=Andrei |last4=Singer |first4=Jeremy |last5=Tratt |first5=Laurence |title=Picking a CHERI Allocator: Security and Performance Considerations |date=6 June 2023
Depending on the context, CHERI systems can be used to enhance compiler-level checks, build [[Trusted execution environment|secure enclaves]],<ref>{{Cite conference |last1=Van Strydonck |first1=Thomas |last2=Noorman |first2=Job |last3=Jackson |first3=Jennifer |last4=Alves Dias |first4=Leonardo |last5=Vanderstraeten |first5=Robin |last6=Oswald |first6=David |last7=Piessens |first7=Frank |last8=Devriese |first8=Dominique |title=CHERI-TrEE: Flexible enclaves on capability machines |date=1 July 2023
== Limitations ==
In 2019 CheriABI<ref>{{cite conference |author1=Brooks Davis |author2=Robert N. M. Watson |author3=Alexander Richardson |author4=Peter G. Neumann |author5=Simon W. Moore |author6=John Baldwin |author7=David Chisnall |author8=Jessica Clarke |author9=Nathaniel Wesley Filardo |author10=Khilan Gudka |author11=Alexandre Joannou |author12=Ben Laurie |author13=A. Theodore Markettos |author14=J. Edward Maste |author15=Alfredo Mazzinghi |author16=Edward Tomasz Napierala |author17=Robert M. Norton |author18=Michael Roe |author19=Peter Sewell |author20=Stacey Son |author21=Jonathan Woodruff |date=2019 |title=CheriABI: Enforcing Valid Pointer Provenance and Minimizing Pointer Privilege in the POSIX C Run-time Environment |book-title=Proceedings of the Twenty-Fourth International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS '19) |publisher=Association for Computing Machinery |___location=New York, NY, USA |pages=379–393 |doi=10.1145/3297858.3304042 |url=https://doi.org/10.1145/3297858.3304042}}</ref> demonstrated a memory-safe POSIX C run-time environment, enforcing pointer provenance and spatial safety, and allowing existing desktop software to become memory safe with a single recompile.
By 2020 it became evident that software vendors were reluctant to port their software without hardware vendor support, while hardware vendors were unwilling to produce chips without sufficient customer demand. UK Research and Innovation (UKRI) launched the Digital Security by Design (DSbD) programme<ref name="dsbd">{{cite web |author=<!-- not stated --> |year=2020 |title=Digital security by design |url=https://www.ukri.org/what-we-do/browse-our-areas-of-investment-and-support/digital-security-by-design/ |access-date=
This initiative funded Arm's Morello chip, a ''superset architecture'' based on [[AArch64]] and designed to evaluate experimental CHERI features for potential production use. The Morello board was designed to run CheriBSD, as well as custom versions of Android and Linux. At the same time, the Cornucopia<ref>{{cite conference |author1=Nathaniel Wesley Filardo |author2=Brett F. Gutstein |author3=Jonathan Woodruff |author4=Sam Ainsworth |author5=Lucian Paul-Trifu |author6=Brooks Davis |author7=Hongyan Xia |author8=Edward Tomasz Napierala |author9=Alexander Richardson |author10=John Baldwin |author11=David Chisnall |author12=Jessica Clarke |author13=Khilan Gudka |author14=Alexandre Joannou |author15=A. Theodore Markettos |author16=Alfredo Mazzinghi |author17=Robert M. Norton |author18=Michael Roe |author19=Peter Sewell |author20=Stacey Son |author21=Timothy M. Jones |author22=Simon W. Moore |author23=Peter G. Neumann |author24=Robert N. M. Watson |title=Cornucopia: Temporal Safety for CHERI Heaps |book-title=Proceedings of the 41st IEEE Symposium on Security and Privacy (Oakland 2020) |___location=San Jose, CA, USA |date=18–20 May 2020 |url=https://www.cl.cam.ac.uk/research/security/ctsrd/pdfs/2020oakland-cornucopia.pdf |doi=10.1109/SP40000.2020.00098}}</ref> project demonstrated that CHERI could enforce both spatial and temporal memory safety, offering deterministic protection against heap object temporal aliasing (roughly, "use-after-free") by revoking capabilities to freed memory before it is reused. The follow-up project, Cornucopia Reloaded,<ref name="cornucopiareloaded" /> showcased efficient temporal safety using page-table features in Morello, with near-negligible pause times for applications making use of revocation.