put full name first
Guy Harris (talk | contribs): Use citation templates.
CHERI can be added to many different [[instruction set architecture]]s including [[MIPS architecture|MIPS]], [[AArch64]], and [[RISC-V]], making it usable across a wide range of platforms.
Software must be recompiled to use CHERI, but most software requires few (if any) changes to the source code.<ref name="ecosystemviability">{{cite tech report |title=Assessing the Viability of an Open-
== Background ==
This metadata is stored inline, alongside the address, in the computer's memory and is protected by a [[Tagged architecture|tag bit]], which the hardware clears if the capability is modified by anything other than the capability instructions (for example, by an ordinary data store to the bytes that hold it); an untagged capability can no longer be used to access memory. The metadata tells the processor which region of memory may be reached through a particular capability and whether that region may be read, written or executed through it, so a CHERI system can trap an access that falls outside the bounds the program was given for that pointer. Associating the metadata with the value used to access memory, rather than with the memory being accessed (in contrast to a [[memory management unit]], which protects memory at page granularity), means that the hardware can catch cases where a program uses a pointer to one object to reach memory that belongs to a ''different'' object, even though the program as a whole is allowed to access both, as happens when a buffer overflow spills into an adjacent heap object.
Implementations of CHERI systems also include modifications to the default [[Memory management|memory allocator]]. A memory allocator is the component that decides which range of addresses the program should treat as a single object. On a CHERI system it must also communicate this information to the hardware, by narrowing the bounds of the pointer (represented by a CHERI capability) that it returns so that they cover only that object.<ref>{{Cite journal |last=Bramley |first=Jacob |last2=Jacob |first2=Dejice |last3=Lascu |first3=Andrei |last4=Singer |first4=Jeremy |last5=Tratt |first5=Laurence |date=2023-06-06 |title=Picking a CHERI Allocator: Security and Performance Considerations |url=https://dl.acm.org/doi/10.1145/3591195.3595278 |journal=Proceedings of the 2023 ACM SIGPLAN International Symposium on Memory Management |series=ISMM 2023 |___location=New York, NY, USA |publisher=Association for Computing Machinery |pages=111–123 |doi=10.1145/3591195.3595278 |isbn=979-8-4007-0179-5}}</ref> It may also communicate the object's ''lifetime'', so that capabilities to freed memory can be revoked, preventing use-after-free or use-after-reuse bugs.<ref name="cornucopiareloaded">{{cite conference |author1=Nathaniel Wesley Filardo
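The two preceding paragraphs (capability metadata protected by a tag, and an allocator that narrows bounds to each object) can be illustrated with a software model. The following C program is an added example written for this article; it is not CHERI's own code and every name in it (<code>cap_t</code>, <code>cap_malloc</code>, <code>cap_check</code> and so on) is hypothetical. It models a capability as address ("cursor"), bounds, permissions and a tag bit, and shows why bounds carried by the pointer trap an overflow into a neighbouring object that a page-granularity MMU check lets through, why a pointer rebuilt from a plain integer is unusable, and why a load-only capability cannot be used to write.

```c
/* Added example, not CHERI's own code: a software model of a CHERI-style
 * capability (address or "cursor", bounds, permissions, tag bit) and of an
 * allocator that narrows bounds to each object. Names are hypothetical; real
 * CHERI does all of this in hardware on 128-bit capabilities. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

enum { PERM_LOAD = 1u, PERM_STORE = 2u };

typedef struct {
    uint64_t cursor, base, length; /* address, and the region it may reach */
    unsigned perms;                /* PERM_* bits */
    int tag;                       /* 1 = valid, 0 = unusable for access */
} cap_t;

#define PAGE_SIZE 4096u
static uint8_t page[PAGE_SIZE];    /* constructed sample: one mapped page */
static uint64_t next_free;         /* bump-allocator state */

/* Bounds can only be narrowed; trying to widen them clears the tag. */
static cap_t cap_set_bounds(cap_t c, uint64_t len) {
    if (!c.tag || c.cursor < c.base || c.cursor + len > c.base + c.length) {
        c.tag = 0;
        return c;
    }
    c.base = c.cursor;
    c.length = len;
    return c;
}

/* Integers carry no metadata, so a pointer rebuilt from one is untagged. */
static cap_t cap_from_integer(uint64_t addr) {
    cap_t c = { addr, addr, 0, 0, 0 };
    return c;
}

/* 0 = allowed, -1 = untagged, -2 = permission missing, -3 = out of bounds. */
static int cap_check(cap_t c, size_t size, unsigned perm) {
    if (!c.tag) return -1;
    if ((c.perms & perm) != perm) return -2;
    if (c.cursor < c.base || c.cursor + size > c.base + c.length) return -3;
    return 0;
}

/* For contrast: an MMU only asks whether the page is mapped. */
static int mmu_check(uint64_t addr, size_t size) {
    return addr + size <= PAGE_SIZE ? 0 : -3;
}

/* Like a CHERI-aware malloc: derive from the root capability for the page,
 * then return a capability whose bounds cover only the requested object. */
static cap_t cap_malloc(size_t n) {
    cap_t root = { next_free, 0, PAGE_SIZE, PERM_LOAD | PERM_STORE, 1 };
    next_free += n;
    return cap_set_bounds(root, n);
}

static int cap_store8(cap_t c, uint8_t v) {
    int rc = cap_check(c, 1, PERM_STORE);
    if (rc == 0) page[c.cursor] = v;
    return rc;
}

/* Two adjacent 16-byte objects; a store at a[16] would overflow into b.
 * Returns 1 when the capability model traps the store. */
static int overflow_caught_by_cheri(void) {
    next_free = 0;
    cap_t a = cap_malloc(16);
    (void)cap_malloc(16);             /* b, the neighbouring object */
    a.cursor += 16;                   /* pointer arithmetic keeps a's bounds */
    return cap_store8(a, 0x41) == -3;
}

/* The same address passes a page-granularity check: the page is mapped. */
static int overflow_allowed_by_mmu(void) {
    return mmu_check(16, 1) == 0;
}

/* Dropping PERM_STORE gives a load-only capability that cannot write. */
static int store_via_readonly_rejected(void) {
    next_free = 0;
    cap_t a = cap_malloc(16);
    a.perms &= ~PERM_STORE;           /* permissions can only be removed */
    return cap_store8(a, 1) == -2;
}

/* A pointer forged from a plain integer has no tag and is refused. */
static int forged_pointer_rejected(void) {
    return cap_store8(cap_from_integer(0), 1) == -1;
}

int main(void) {
    printf("overflow trapped by bounds: %d, allowed by MMU: %d\n",
           overflow_caught_by_cheri(), overflow_allowed_by_mmu());
    printf("load-only store rejected: %d, forged pointer rejected: %d\n",
           store_via_readonly_rejected(), forged_pointer_rejected());
    return 0;
}
```

The model keeps CHERI's two essential rules: bounds and permissions can only be narrowed from an existing tagged capability (monotonicity), and nothing can be turned into a valid capability from an integer. Everything the allocator returns is therefore restricted to the one object it was asked for, which is the property that turns an adjacent-object overflow into a trap rather than a silent corruption.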
Depending on the context, CHERI systems can be used to enhance compiler-level checks, build [[Trusted execution environment|secure enclaves]],<ref>{{Cite journal |last=Van Strydonck |first=Thomas |last2=Noorman |first2=Job |last3=Jackson |first3=Jennifer |last4=Alves Dias |first4=Leonardo |last5=Vanderstraeten |first5=Robin |last6=Oswald |first6=David |last7=Piessens |first7=Frank |last8=Devriese |first8=Dominique |date=2023-07-01 |title=CHERI-TrEE: Flexible enclaves on capability machines |url=https://ieeexplore.ieee.org/document/10190507/ |journal=IEEE Euro S&P |publisher=IEEE |pages=1143–1159 |doi=10.1109/EuroSP57164.2023.00070 |isbn=978-1-6654-6512-0}}</ref> or augment existing instruction set architectures. An analysis published by the Microsoft Security Response Center in 2020 found that CHERI's protections could have mitigated over 70% of the memory safety issues found at the company in 2019.<ref>{{Cite web |title=Security Analysis of CHERI ISA {{!}} MSRC Blog {{!}} Microsoft Security Response Center |url=https://msrc.microsoft.com/blog/2020/10/security-analysis-of-cheri-isa/ |access-date=2025-01-21 |website=msrc.microsoft.com}}</ref> CHERI architectures are also designed to be source-compatible with existing programming languages such as C and C++. A study by University of Cambridge researchers found that porting six million lines of C and C++ code to CHERI required changes to 0.026% of the lines of code (LoC).<ref name="ecosystemviability" />
The architecture introduces hardware complexity due to the tag-bit mechanism and the capability checks required to enforce memory safety. Although optimisations have been implemented to minimise these costs,<ref name=":1" /> the performance trade-offs vary with the workload and the implementation. Additionally, CHERI requires modifications to both the software and the hardware ecosystem. Implementations such as Morello can run unmodified, non-CHERI binaries, but those binaries gain none of the additional protection. Software must be recompiled or adapted to use CHERI's capability-based model, and hardware manufacturers must incorporate CHERI extensions into their designs.
Standardisation remains an ongoing effort. While initiatives such as the CHERI Alliance and RISC-V standardisation<ref name=":2" /> aim to establish broader support, the lack of widely accepted industry standards for CHERI features has delayed adoption. Adapting legacy software or retrofitting existing systems to work with CHERI can be challenging, particularly for large and heterogeneous codebases. The difficulty often stems from programming practices used during the software's original development, such as custom memory management that stores pointers in integer variables or reconstructs them from integers; because a capability cannot be forged from a plain integer, telling pointers apart from integers in such code can be particularly problematic.<ref>{{cite journal |author1=Robert N.M. Watson
== CHERI Implementations ==
In 2010 DARPA launched the Clean-slate design of Resilient, Adaptive, Secure Hosts (CRASH) programme,<ref>{{cite web |year=2010 |title=CRASH: Clean-slate design of Resilient, Adaptive, Secure Hosts |url=https://www.darpa.mil/research/programs/clean-slate-design-of-resilient-adaptive-secure-hosts |access-date=18 January 2025 |publisher=DARPA}}</ref><ref>{{cite web |date=21 December 2012 |title=DARPA's CRASH Program Reinvents The Computer For Better Security |url=https://breakingdefense.com/2012/12/darpa-crash-program-seeks-to-reinvent-computers-for-better-secur/ |access-date=18 January 2025 |publisher=Breaking Defence}}</ref> which tasked participants with redesigning computer systems to improve security. A team from [[SRI International]] and the [[University of Cambridge]] revisited capability architectures, seeking to address the memory safety problems inherent in conventional designs.
By 2012 early CHERI prototypes were presented,<ref>{{cite conference |author1=Robert N.M. Watson
In 2014 CHERI hardware demonstrated its ability to run a full UNIX-like operating system, [[FreeBSD]]. This demonstration showed that CHERI’s capability model can integrate with existing software ecosystems. CHERI was originally prototyped as an extension to [[MIPS architecture|MIPS-64]].<ref name="isca" /> The implementation used 256-bit capabilities, containing fields for a 64-bit base, length, object type, and permissions, with some bits reserved for experimental purposes.
In 2015 CHERI introduced a new capability encoding model that separated the address (referred to as a ''cursor'') from the bounds and permissions. This refinement allowed capabilities to function as pointers in compiled C code,<ref name="pdp11" /> improving usability. That same year, Arm joined the project and provided critical feedback, highlighting that while doubling pointer sizes might be acceptable, quadrupling them would not. This feedback led to the development of CHERI Concentrate,<ref name=":1">{{cite journal |author1=Jonathan Woodruff
In 2019 CheriABI<ref>{{cite conference |author1=Brooks Davis
By 2020 it became evident that software vendors were reluctant to port their software without hardware vendor support, while hardware vendors were unwilling to produce chips without sufficient customer demand. UK Research and Innovation (UKRI) launched the Digital Security by Design (DSbD) programme<ref name="dsbd">{{cite web |author=<!-- not stated --> |year=2020 |title=Digital security by design |url=https://www.ukri.org/what-we-do/browse-our-areas-of-investment-and-support/digital-security-by-design/ |access-date=2025-01-18 |publisher=UK Research and Innovation}}</ref> to address adoption barriers for CHERI. The programme allocated £70M, matched by £100M of industrial investment, to build the CHERI software ecosystem.<ref name="dsbd" />
This initiative funded Arm's Morello chip, a ''superset architecture'' based on [[AArch64]] and designed to evaluate experimental CHERI features for potential production use. The Morello board was designed to run CheriBSD, as well as custom versions of Android and Linux. At the same time, the Cornucopia<ref>{{cite conference |author1=Nathaniel Wesley Filardo
In 2023 Microsoft introduced CHERIoT<ref name="cheriot" />, a [[RISC-V]] CHERI adaptation optimised for small embedded devices. CHERIoT incorporated ideas from Cornucopia and memory colouring techniques such as SPARC ADI and Arm MTE to enhance security. As part of the UKRI-funded Sunburst project, lowRISC launched the Sonata platform to advance RISC-V-based CHERI development and support standardisation efforts. Both the CHERI RISC-V research work and CHERIoT fed into the standardisation process for an official CHERI family of RISC-V extensions.<ref name=":2">{{cite web |title=CHERI Ratification Plan |url=https://lf-riscv.atlassian.net/wiki/spaces/CTXX/pages/47022116/CHERI+Ratification+Plan |access-date=10 January 2025}}</ref> Codasip announced that they had RISC-V IP cores with CHERI extensions available to license.<ref>{{cite web |url=https://www.eenewseurope.com/en/codasip-delivers-first-commercial-cheri-processor-using-risc-v/| publisher=eeNews | access-date=20 January 2025| title= Codasip delivers first commercial CHERI processor using RISC-V| date=2 November 2023 }}</ref>