m Open access bot: doi updated in citation with #oabot. |
Added a few links and another implementation of CHERI |
Line 21:
Implementations of CHERI systems also include modifications to the default [[Memory management|memory allocator]]. A memory allocator is the component that designates a range of addresses as an object for the programmer to use. On a CHERI system, it must also communicate this information to the hardware, by setting the bounds on the pointer (represented by a CHERI capability) that it returns.<ref>{{Cite conference |last1=Bramley |first1=Jacob |last2=Jacob |first2=Dejice |last3=Lascu |first3=Andrei |last4=Singer |first4=Jeremy |last5=Tratt |first5=Laurence |title=Picking a CHERI Allocator: Security and Performance Considerations |date=6 June 2023 |book-title=Proceedings of the 2023 ACM SIGPLAN International Symposium on Memory Management |url=https://eprints.gla.ac.uk/297961/1/297961.pdf |series=ISMM 2023 |___location=New York, NY, USA |publisher=Association for Computing Machinery |pages=111–123 |doi=10.1145/3591195.3595278 |isbn=979-8-4007-0179-5}}</ref> It may also communicate the ''lifetime'' of the object, to prevent use-after-free or use-after-reuse bugs.<ref name="cornucopiareloaded">{{cite conference |author1=Nathaniel Wesley Filardo |author2=Brett F. Gutstein |author3=Jonathan Woodruff |author4=Jessica Clarke |author5=Peter Rugg |author6=Brooks Davis |author7=Mark Johnston |author8=Robert Norton |author9=David Chisnall |author10=Simon W. Moore |author11=Peter G. Neumann |author12=Robert N. M. Watson |date=2024 |title=Cornucopia Reloaded: Load Barriers for CHERI Heap Temporal Safety |book-title=Proceedings of the 29th ACM International Conference on Architectural Support for Programming Languages and Operating Systems, Volume 2 (ASPLOS '24) |volume=2 |publisher=Association for Computing Machinery |___location=New York, NY, USA |pages=251–268 |doi=10.1145/3620665.3640416 |url=https://doi.org/10.1145/3620665.3640416}}</ref><ref name="cheriot">{{cite conference |author1=Saar Amar |author2=David Chisnall |author3=Tony Chen |author4=Nathaniel Wesley Filardo |author5=Ben Laurie |author6=Kunyan Liu |author7=Robert Norton |author8=Simon W. Moore |author9=Yucong Tao |author10=Robert N. M. Watson |author11=Hongyan Xia |date=2023 |title=CHERIoT: Complete Memory Safety for Embedded Devices |book-title=Proceedings of the 56th Annual IEEE/ACM International Symposium on Microarchitecture (MICRO '23) |publisher=Association for Computing Machinery |___location=New York, NY, USA |pages=641–653 |doi=10.1145/3613424.3614266 |url=https://doi.org/10.1145/3613424.3614266|doi-access=free }}</ref><ref name="pdp11">{{cite conference |author1=David Chisnall |author2=Colin Rothwell |author3=Robert N.M. Watson |author4=Jonathan Woodruff |author5=Munraj Vadera |author6=Simon W. Moore |author7=Michael Roe |author8=Brooks Davis |author9=Peter G. Neumann |date=2015 |title=Beyond the PDP-11: Architectural Support for a Memory-Safe C Abstract Machine |book-title=Proceedings of the Twentieth International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS '15) |publisher=Association for Computing Machinery |___location=New York, NY, USA |pages=117–130 |doi=10.1145/2694344.2694367 |url=https://doi.org/10.1145/2694344.2694367}}</ref>
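As an added illustration (not code from the article or from any CHERI implementation), the following C program models in software what the paragraph describes: the allocator returns a capability whose bounds cover exactly the object, every access is checked against those bounds and the validity tag, and freeing quarantines the region so that a later capability load clears the tag, a simplified model of the load-barrier revocation used by Cornucopia Reloaded. The names, the byte-array heap and the revocation bitmap are all constructed for the example; real CHERI hardware performs these checks in the processor on every memory access.

```c
/* Constructed software model of CHERI capabilities and a bounds-setting allocator. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef struct {
    uintptr_t base;   /* lowest address the capability may access */
    size_t    length; /* number of bytes from base that are in bounds */
    uintptr_t cursor; /* current address: the integer value of the pointer */
    bool      tag;    /* validity tag; cleared by revocation, never set by software */
} capability;

static uint8_t heap[256];            /* constructed backing store for the allocator */
static uint8_t revoked[sizeof heap]; /* model of the revocation bitmap: 1 = quarantined */
static size_t  next_free;            /* bump pointer; no reuse while quarantined */

/* Allocator: returns a capability whose bounds cover exactly the requested object.
   An untagged capability signals failure (size zero or heap exhausted). */
capability cheri_malloc(size_t n) {
    capability c = {0};
    if (n == 0 || next_free + n > sizeof heap) return c;
    c.base = (uintptr_t)&heap[next_free];
    c.length = n;
    c.cursor = c.base;
    c.tag = true;
    next_free += n;
    return c;
}

/* Pointer arithmetic moves only the cursor; base and length are preserved. */
capability cheri_offset(capability c, ptrdiff_t d) { c.cursor += d; return c; }

/* Modelled hardware check performed on every load or store of `width` bytes. */
bool cheri_in_bounds(capability c, size_t width) {
    return c.tag && c.cursor >= c.base && c.cursor + width <= c.base + c.length;
}

/* free(): quarantine the object's bytes instead of reusing them immediately. */
void cheri_free(capability c) {
    if (!c.tag) return;
    memset(&revoked[c.base - (uintptr_t)heap], 1, c.length);
}

/* Load barrier: a capability loaded from memory whose base lies in a quarantined
   region has its tag cleared, so stale copies cannot be dereferenced. */
capability cheri_load_capability(capability c) {
    if (c.tag && revoked[c.base - (uintptr_t)heap]) c.tag = false;
    return c;
}
```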
Depending on the context, CHERI systems can be used to enhance compiler-level checks, build [[Trusted execution environment|secure enclaves]],<ref>{{Cite conference |last1=Van Strydonck |first1=Thomas |last2=Noorman |first2=Job |last3=Jackson |first3=Jennifer |last4=Alves Dias |first4=Leonardo |last5=Vanderstraeten |first5=Robin |last6=Oswald |first6=David |last7=Piessens |first7=Frank |last8=Devriese |first8=Dominique |title=CHERI-TrEE: Flexible enclaves on capability machines |date=1 July 2023 |conference=2023 IEEE 8th European Symposium on Security and Privacy (EuroS&P) |url=https://lirias.kuleuven.be/retrieve/715646/ |publisher=IEEE |pages=1143–1159 |doi=10.1109/EuroSP57164.2023.00070 |isbn=978-1-6654-6512-0}}</ref> or augment existing instruction set architectures. A report by [[Microsoft]] in 2019 concluded that CHERI's protections could be used to mitigate over 70% of the memory safety issues the company found in 2019.<ref>{{Cite web |title=Security Analysis of CHERI ISA |website=Microsoft Security Response Center blog |url=https://msrc.microsoft.com/blog/2020/10/security-analysis-of-cheri-isa/ |access-date=21 January 2025}}</ref> CHERI architectures are also designed to be backward compatible with existing programming languages such as C and C++. A study by University of Cambridge researchers found that porting six million lines of C and C++ code to CHERI required changes to 0.026% of the lines of code (LoC).<ref name="ecosystemviability" />
== Limitations ==
The architecture introduces hardware complexity due to the tag-bit mechanisms and capability checks required for enforcing memory safety. Although optimisations have been implemented to minimise these impacts,<ref name=":1" /> the performance trade-offs vary with the workload and the implementation. Additionally, CHERI requires modifications to both software and hardware ecosystems. Implementations such as Morello allow unmodified binaries to run, but these do not get any additional security benefits. Software must be recompiled or adapted to utilise CHERI's capability-based model, and hardware manufacturers must incorporate CHERI extensions into their designs.
Standardisation remains an ongoing effort. While initiatives such as the CHERI Alliance<ref>{{Cite web |title=CHERI Alliance – Industry-led security technology |url=https://cheri-alliance.org |access-date=2025-01-27 |website=CHERI Alliance |language=en-US}}</ref> and RISC-V standardisation<ref name=":2" /> aim to establish broader support, the lack of widely accepted industry standards for CHERI features has delayed adoption. Adapting legacy software or retrofitting existing systems to work with CHERI can be challenging, particularly for large and heterogeneous codebases. The difficulty often stems from programming practices used during the software's original development, such as custom memory management, where distinguishing pointers from integers can be particularly problematic.<ref>{{cite journal |author1=Robert N.M. Watson |author2=David Chisnall |author3=Jessica Clarke |author4=Brooks Davis |author5=Nathaniel Wesley Filardo |author6=Ben Laurie |author7=Simon W. Moore |author8=Peter G. Neumann |author9=Alexander Richardson |author10=Peter Sewell |author11=Konrad Witaszczyk |author12=Jonathan Woodruff |title=CHERI: Hardware-Enabled C/C++ Memory Protection at Scale |journal=IEEE Security & Privacy |volume=22 |issue=4 |pages=50–61 |date=July–August 2024|doi=10.1109/MSEC.2024.3396701 }}</ref>
== CHERI implementations ==
The CHERI architecture has been implemented across multiple platforms and projects:
* '''Morello''': Developed by [[Arm Holdings|Arm]] as part of the UKRI-funded Digital Security by Design (DSbD) programme,<ref>{{cite web |url=https://www.arm.com/architecture/cpu/morello |title=Arm Morello Program |access-date=9 January 2025}}</ref><ref>{{cite web |last1=Robinson |first1=Dan |title=How Arm popped CHERI architecture into Morello Program hardware |url=https://www.theregister.com/2022/08/26/arm_cheri_morello/ |publisher=The Register |access-date=11 January 2025}}</ref> the Morello chip is a superset architecture designed to evaluate experimental CHERI features for potential production use on the AArch64 architecture. The Morello board supports CheriBSD, custom versions of Android, and Linux. It remains a research prototype.
* '''CHERIoT''':<ref name="cheriot" /> Introduced by Microsoft in 2023<ref>{{cite tech report |author1=Saar Amar |author2=Tony Chen |author3=David Chisnall |author4=Felix Domke |author5=Nathaniel Filardo |author6=Kunyan Liu |author7=Robert Norton-Wright |author8=Yucong Tao |author9=Robert N. M. Watson |author10=Hongyan Xia |title=CHERIoT: Rethinking security for low-cost embedded systems |id=MSR-TR-2023-6 |date=February 2023 |publisher=Microsoft |url=https://www.microsoft.com/en-us/research/publication/cheriot-rethinking-security-for-low-cost-embedded-systems/}}</ref> and now developed by multiple vendors,<ref>{{cite web |url=https://cheriot.org/govenance/organisation/2024/11/01/cheriot-administration.html |title=Who controls the CHERIoT project? |date=November 2024 |access-date=20 January 2025 }}</ref> CHERIoT is a RISC-V CHERI adaptation optimised for small embedded devices. CHERIoT is a hardware-software co-designed project that builds a custom RTOS and compartment model along with specialised hardware to provide strong security guarantees. It incorporates advanced memory safety features inspired by the CHERI temporal safety projects performed on Morello.
* '''Sonata''':<ref>{{cite web |url=https://www.sunburst-project.org |title=Welcome to the Sunburst Project |publisher=lowRISC |access-date=20 January 2025}}</ref> Developed by [[lowRISC]] and manufactured by NewAE as part of the UKRI-funded Sunburst project, the Sonata platform is an FPGA-based system designed to run RISC-V architectures. The board has an open-source design, allowing researchers and developers to modify and adapt its hardware and software. Sonata is primarily designed as a prototyping system for CHERIoT.
* '''X730''':<ref>{{Cite web |title=Codasip Protects Memory With Cheri {{!}} TechInsights |url=https://www.techinsights.com/blog/codasip-protects-memory-cheri |access-date=2025-01-27 |website=www.techinsights.com}}</ref> Released by Codasip in 2024, this processor IP is an implementation of the draft RISC-V CHERI standard for an application-class processor.
* '''ICENI''': Announced by SCI Semiconductors in 2024,<ref name="iceni" /> ICENI is a CHERIoT-compatible microcontroller designed for secure embedded systems.
Line 55 ⟶ 56:
This initiative funded Arm's Morello chip, a ''superset architecture'' designed to evaluate experimental CHERI features for potential production use based on [[AArch64]]. The Morello board was designed to run CheriBSD, as well as custom versions of Android and Linux. At the same time, the Cornucopia<ref>{{cite conference |author1=Nathaniel Wesley Filardo |author2=Brett F. Gutstein |author3=Jonathan Woodruff |author4=Sam Ainsworth |author5=Lucian Paul-Trifu |author6=Brooks Davis |author7=Hongyan Xia |author8=Edward Tomasz Napierala |author9=Alexander Richardson |author10=John Baldwin |author11=David Chisnall |author12=Jessica Clarke |author13=Khilan Gudka |author14=Alexandre Joannou |author15=A. Theodore Markettos |author16=Alfredo Mazzinghi |author17=Robert M. Norton |author18=Michael Roe |author19=Peter Sewell |author20=Stacey Son |author21=Timothy M. Jones |author22=Simon W. Moore |author23=Peter G. Neumann |author24=Robert N. M. Watson |title=Cornucopia: Temporal Safety for CHERI Heaps |book-title=Proceedings of the 41st IEEE Symposium on Security and Privacy (Oakland 2020) |___location=San Jose, CA, USA |date=18–20 May 2020 |url=https://www.cl.cam.ac.uk/research/security/ctsrd/pdfs/2020oakland-cornucopia.pdf |doi=10.1109/SP40000.2020.00098}}</ref> project demonstrated that CHERI could enforce both spatial and temporal memory safety, offering deterministic protection against heap object temporal aliasing (roughly, "use-after-free"). The follow-up project, Cornucopia Reloaded,<ref name="cornucopiareloaded" /> showcased efficient temporal safety using page-table features in Morello, in particular, near-negligible pause times for the application making use of revocation.
In 2023, Microsoft introduced CHERIoT,<ref name="cheriot" /> a [[RISC-V]] CHERI adaptation optimised for small embedded devices. CHERIoT incorporated ideas from Cornucopia and memory colouring techniques such as SPARC ADI and Arm MTE to enhance security. As part of the UKRI-funded Sunburst project, lowRISC launched the Sonata platform to advance RISC-V-based CHERI development and support standardisation efforts. Both the CHERI RISC-V research work and CHERIoT fed into the standardisation process for an official CHERI family of RISC-V extensions.<ref name=":2">{{cite web |title=CHERI Ratification Plan |url=https://lf-riscv.atlassian.net/wiki/spaces/CTXX/pages/47022116/CHERI+Ratification+Plan |access-date=10 January 2025}}</ref> [[Codasip]] announced that they had RISC-V IP cores with CHERI extensions available to license.<ref>{{cite web |url=https://www.eenewseurope.com/en/codasip-delivers-first-commercial-cheri-processor-using-risc-v/ |publisher=eeNews |access-date=20 January 2025 |title=Codasip delivers first commercial CHERI processor using RISC-V |date=2 November 2023 }}</ref>
By 2024, SCI Semiconductors had announced ICENI,<ref name=iceni>{{cite web |last1=Flaherty |first1=Nick |date=23 October 2024 |title=First CHERI RISC-V embedded chip and Early Access Programme |url=https://www.eenewseurope.com/en/first-cheri-risc-v-embedded-chip-and-early-access-programme/ |access-date=11 January 2025 |publisher=eeNews Europe}}</ref> a CHERIoT-compatible chip designed specifically for secure embedded systems. Codasip is actively developing a Linux kernel implementation for the RISC-V architecture.<ref>{{cite web |url=https://codasip.com/press-release/2024/10/21/codasip-enables-secure-linux-by-donating-cheri-risc-v-sdk-to-the-cheri-alliance/ |title=Codasip enables secure Linux by donating CHERI RISC-V SDK to the CHERI Alliance |publisher=Codasip |date=21 October 2024 |access-date=20 January 2025}}</ref> The CHERI Alliance, a non-profit organisation based in Cambridge, UK, was established to promote the adoption of CHERI technology and its integration into secure digital products and systems, with Google as a founding member.<ref name="cheri-alliance-launched" />