CHERI: A hybrid capability-system architecture for scalable software compartmentalization

Proceedings - IEEE Symposium on Security and Privacy

Volumn 2015-July, Issue , 2015, Pages 20-37

  Watson, Robert N M ^a   Woodruff, Jonathan ^a   Neumann, Peter G ^b   Moore, Simon W ^a   Anderson, Jonathan ^c   Chisnall, David ^a   Dave, Nirav ^b   Davis, Brooks ^b   Gudka, Khilan ^a   Laurie, Ben ^d   Murdoch, Steven J ^e   Norton, Robert ^a   Roe, Michael ^a   Son, Stacey ^a   Vadera, Munraj ^a  

^a UNIVERSITY OF CAMBRIDGE   (United Kingdom)

^b SRI INTERNATIONAL   (United States)

^c MEMORIAL UNIVERSITY OF NEWFOUNDLAND   (Canada)

^d GOOGLE   (United Kingdom)

^e UNIVERSITY COLLEGE LONDON   (United Kingdom)

Author keywords

capability system; CHERI processor; computer architecture; memory protection; object capabilities; software compartmentalization

Indexed keywords

APPLICATION PROGRAMS; COMPUTER ARCHITECTURE; MEMORY MANAGEMENT UNITS; OPEN SOURCE SOFTWARE; OPEN SYSTEMS; PHYSICAL ADDRESSES; PROGRAM COMPILERS;

CAPABILITY MODEL; CAPABILITY SYSTEM; CHERI PROCESSOR; INSTRUCTION SET ARCHITECTURE; MEMORY PROTECTION; OBJECT CAPABILITIES; SOFT-CORE PROCESSORS; SYSTEM ARCHITECTURES;

C (PROGRAMMING LANGUAGE);

EID: 84941001078     PISSN: 10816011     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1109/SP.2015.9     Document Type: Conference Paper

References (59)

1. ABADI, M., BUDIU, M., Ú LFAR ERLINGSSON, AND LIGATTI, J. Control-flow integrity: Principles, implementations, and applications. In Proceedings of the 12th ACM conference on Computer and Communications Security (2005), ACM, pp. 340-353.
2. ACCETTA, M., BARON, R., GOLUB, D., RASHID, R., TEVANIAN, A., AND YOUNG, M. Mach: A New Kernel Foundation for UNIX Development. Tech. rep., Computer Science Department, Carnegie Mellon University, August 1986.
3. ALVES, T., AND FELTON, D. TrustZone: Integrated hardware and software security. Information Quarterly 3, 4 (2004).
4. ANDERSON, J. Computer security technology planning study. Tech. Rep. ESD-TR-73-51, U.S. Air Force Electronic Systems Division, October 1972. (Two volumes).
5. BADGER, L., STERNE, D., SHERMAN, D., WALKER, K., AND HAGHIGHAT, S. Practical domain and type enforcement for Unix. In Proceedings of the 1995 Symposium on Security and Privacy (May 1995), IEEE.
6. BELAY, A., BITTAU, A., MASHTIZADEH, A., TEREI, D., MAZIÈRES, D., AND KOZYRAKIS, C. Dune: safe user-level access to privileged CPU features. In Proceedings of the 10th Conference on Operating Systems Design and Implementation (2012), USENIX.
7. BELL, D., AND PADULA, L. L. Secure computer systems : Volume I-mathematical foundations; volume II-a mathematical model; volume III-a refinement of the mathematical model. Tech. Rep. MTR-2547 (three volumes), The Mitre Corporation, Bedford, Massachusetts, March-December 1973.
8. BELL, D., AND PADULA, L. L. Secure computer system: Unified exposition and Multics interpretation. Tech. Rep. ESD-TR-75-306, The Mitre Corporation, Bedford, Massachusetts, March 1976.
9. BIBA, K. Integrity considerations for secure computer systems. Tech. Rep. MTR 3153, The Mitre Corporation, Bedford, Massachusetts, June 1975. Also available from USAF Electronic Systems Division, Bedford, Massachusetts, as ESD-TR-76-372, April 1977.
10. BITTAU, A., MARCHENKO, P., HANDLEY, M., AND KARP, B. Wedge: Splitting Applications into Reduced-Privilege Compartments. In Proceedings of the 5th Symposium on Networked Systems Design and Implementation (2008), USENIX.
11. BOEBERT, W., AND KAIN, R. A practical alternative to hierarchical integrity policies. In Proceedings of the Eighth DoD/NBS Computer Security Initiative Conference (1-3 October 1985).
12. BRUMLEY, D., AND SONG, D. Privtrans: Automatically Partitioning Programs for Privilege Separation. In Proceedings of the 13th USENIX Security Symposium (2004), USENIX.
13. CARTER, N. P., KECKLER, S. W., AND DALLY, W. J. Hardware support for fast capability-based addressing. SIGPLAN Not. 29, 11 (Nov. 1994), 319-327.
14. CHIRICESCU, S., DEHON, A., DEMANGE, D., IYER, S., KLIGER, A., MORRISETT, G., PIERCE, B. C., REUBENSTEIN, H., SMITH, J. M., SULLIVAN, G. T., THOMAS, A., TOV, J., WHITE, C. M., AND WITTENBERG, D. SAFE: A clean-slate architecture for secure systems. In Proceedings of the IEEE International Conference on Technologies for Homeland Security (Nov. 2013).
15. CHISNALL, D., ROTHWELL, C., DAVIS, B., WATSON, R. N., WOODRUFF, J., VADERA, M., MOORE, S. W., NEUMANN, P. G., AND ROE, M. Beyond the PDP-11: Processor support for a memory-safe C abstract machine. In Proceedings of the 20th Architectural Support for Programming Languages and Operating Systems (2015), ACM.
16. CORBATÓ, F. J., AND VYSSOTSKY, V. A. Introduction and overview of the Multics system. In AFIPS '65 (Fall, part I): Proceedings of the November 30-December 1, 1965, fall joint computer conference, part I (New York, NY, USA, 1965), ACM, pp. 185-196.
17. DENNIS, J. B., AND VAN HORN, E. C. Programming semantics for multiprogrammed computations. Commun. ACM 9, 3 (1966), 143-155.
18. DEVIETTI, J., BLUNDELL, C., MARTIN, M. M. K., AND ZDANCEWIC, S. Hardbound: architectural support for spatial safety of the C programming language. SIGARCH Comput. Archit. News 36, 1 (Mar. 2008), 103-114.
19. GONG, L., MUELLER, M., PRAFULLCHANDRA, H., AND SCHEMERS, R. Going beyond the sandbox: An overview of the new security architecture in the Java Development Kit 1.2. In Proceedings of the Symposium on Internet Technologies and Systems (December 1997), USENIX.
20. HEINRICH, J. MIPS R4000 Microprocessor User's Manual (Second Edition). MIPS Technologies, Inc, 1994.
21. INTEL PLC. Introduction to Intel memory protection extensions. http://software.intel.com/en-us/articles/introduction-to-intel-memory-protection-extensions, July 2013.
22. INTEL PLC. Intel Software Guard Extensions Programming Reference. https://software.intel.com/sites/default/files/managed/48/88/329298-002.pdf, October 2014.
23. JIM, T., MORRISETT, J. G., GROSSMAN, D., HICKS, M. W., CHENEY, J., AND WANG, Y. Cyclone: A safe dialect of C. In Proceedings of the USENIX Annual Technical Conference (2002), pp. 275-288.
24. KAMP, P., AND WATSON, R. N. M. Jails: Confining the omnipotent root. In Proceedings of the 2nd International SANE Conference (2000).
25. KARGER, P. Limiting the damage potential of discretionary Trojan horses. In Proceedings of the 1987 Symposium on Security and Privacy (April 1987), IEEE.
26. KARGER, P., AND SCHELL, R. Multics security evaluation: Vulnerability analysis. In Proceedings of the 18th Annual Computer Security Applications Conference (ACSAC), Classic Papers section (Las Vegas, Nevada, December 2002). Originally available as U.S. Air Force report ESD-TR-74-193, Vol. II, Hanscomb Air Force Base, Massachusetts.
27. KILPATRICK, D. Privman: A Library for Partitioning Applications. In Proceedings of 2003 USENIX Annual Technical Conference (2003).
28. KLEIN, G., ANDRONICK, J., ELPHINSTONE, K., HEISER, G., COCK, D., DERRIN, P., ELKADUWE, D., ENGELHARDT, K., KOLANSKI, R., NORRISH, M., SEWELL, T., TUCH, H., AND WINWOOD, S. seL4: Formal verification of an operating-system kernel. Commun. ACM 53 (June 2009), 107-115.
29. KWON, A., DHAWAN, U., SMITH, J. M., KNIGHT, JR., T. F., AND DE-HON, A. Low-fat pointers: Compact encoding and efficient gate-level implementation of fat pointers for spatial safety and capability-based security. In 20th ACM Conference on Computer and Communications Security (November 2013).
30. LATTNER, C., AND ADVE, V. LLVM: A compilation framework for lifelong program analysis & transformation. In Proceedings of the International Symposium on Code Generation and Optimization: Feedback-directed and runtime optimization (2004), IEEE.
31. LEVY, H. M. Capability-Based Computer Systems. Butterworth-Heinemann, Newton, MA, USA, 1984.
32. LOSCOCCO, P. A., AND SMALLEY, S. D. Integrating Flexible Support for Security Policies into the Linux Operating System. In Proceedings of the USENIX Annual Technical Conference (June 2001).
33. MCKUSICK, M. K., NEVILLE-NEIL, G. V., AND WATSON, R. N. M. The Design and Implementation of the FreeBSD Operating System. Pearson, 2014.
34. METTLER, A., WAGNER, D., AND CLOSE, T. Joe-E: A Security-Oriented Subset of Java. In NDSS 2010: Proceedings of the Network and Distributed System Security Symposium (2010).
35. MILLER, M. S. Robust composition: towards a unified approach to access control and concurrency control. PhD thesis, Johns Hopkins University, Baltimore, MD, USA, 2006.
36. MILLER, M. S., SAMUEL, M., LAURIE, B., AWAD, I., AND STAY, M. Caja: Safe active content in sanitized javascript, May 2008. http://google-caja.googlecode.com/files/caja-spec-2008-06-07.pdf.
37. MURRAY, D. G., AND HAND, S. Privilege Separation Made Easy. In Proceedings of the ACM SIGOPS European Workshop on System Security (EUROSEC) (2008), ACM.
38. NAGARAKATTE, S., ZHAO, J., MARTIN, M. M. K., AND ZDANCEWIC, S. SoftBound: highly compatible and complete spatial memory safety for C. In Proceedings of the 2009 ACM SIGPLAN conference on Programming language design and implementation (2009), ACM.
39. NECULA, G. C., MCPEAK, S., AND WEIMER, W. CCured: Type-safe retrofitting of legacy code. ACM SIGPLAN Notices 37, 1 (2002), 128-139.
40. NEUMANN, P., BOYER, R., FEIERTAG, R., LEVITT, K., AND ROBINSON, L. A Provably Secure Operating System: The system, its applications, and proofs. Tech. rep., Computer Science Laboratory, SRI International, May 1980. 2nd edition, Report CSL-116.
41. PROVOS, N., FRIEDL, M., AND HONEYMAN, P. Preventing Privilege Escalation. In Proceedings of the 12th USENIX Security Symposium (2003), USENIX.
42. REIS, C., AND GRIBBLE, S. D. Isolating web programs in modern browser architectures. In EuroSys '09: Proceedings of the 4th ACM European Conference on Computer Systems (2009), ACM.
43. SALTZER, J. Protection and the control of information sharing in Multics. Commun. ACM 17, 7 (July 1974), 388-402.
44. SCHROEDER, M., AND SALTZER, J. A hardware architecture for implementing protection rings. Commun. ACM 15, 3 (March 1972).
45. SHAPIRO, J., SMITH, J., AND FARBER, D. EROS: a fast capability system. In Proceedings of the seventeenth ACM Symposium on Operating Systems Principles (Dec 1999).
46. SZEKERES, L., PAYER, M., WEI, T., AND SONG, D. Eternal war in memory. In IEEE Symposium on Security and Privacy (2013).
47. THE MITRE CORPORATION. Common Vulnerabilities and Exposures List. https://cve.mitre.org, Feb 2015.
48. WAGNER, D., AND TRIBBLE, D. A security analysis of the combex darpabrowser architecture, March 2002. http://www.combex.com/papers/darpa-review/security-review.pdf.
49. WAHBE, R., LUCCO, S., ANDERSON, T. E., AND GRAHAM, S. U. L. Efficient software-based fault isolation. In Proceedings of the 14th Symposium on Operating Systems Principles (1993), ACM.
50. WANG, Z., AND LEE, R. Covert and side channels due to processor architecture. In Computer Security Applications Conference, 2006. ACSAC '06. 22nd Annual (Dec 2006), pp. 473-482.
51. WATSON, R. N., WOODRUFF, J., CHISNALL, D., DAVI S, B., KOSZEK, W., MARKETTOS, A. T., MOORE, S. W., MURDOCH, S. J., NEUMANN, P. G., NORTON, R., AND ROE, M. Bluespec Extensible RISC Implementation: BERI Hardware reference. Tech. Rep. UCAM-CL-TR-852, University of Cambridge, Computer Laboratory, Apr. 2014.
52. WAT S O N, R. N. M. A decade of OS access-control extensibility. Commun. ACM 56, 2 (Feb. 2013).
53. WATSON, R. N. M., ANDERSON, J., LAURIE, B., AND KENNAWAY, K. Capsicum: Practical capabilities for Unix. In Proceedings of the 19th USENIX Security Symposium (August 2010), USENIX.
54. WATSON, R. N. M., NEUMANN, P. G., WOODRUFF, J., ANDERSON, J., CHISNALL, D., DAVIS, B., LAURIE, B., MOORE, S. W., MURDOCH, S. J., AND ROE, M. Capability Hardware Enhanced RISC Instructions: CHERI Instruction-set architecture. Tech. Rep. UCAM-CL-TR-864, University of Cambridge, Computer Laboratory, Dec. 2014.
55. WILKES, M., AND NEEDHAM, R. The Cambridge CAP computer and its operating system. Elsevier North Holland, New York, 1979.
56. WITCHEL, E., CATES, J., AND ASANOVIĆ, K. Mondrian memory protection. ACM SIGPLAN Notices 37, 10 (2002), 304-316.
57. WOODRUFF, J., WATSON, R. N. M., CHISNALL, D., MOORE, S. W., ANDERSON, J., DAV I S, B., LAURIE, B., NEUMANN, P. G., NORTON, R., AND ROE, M. The CHERI capability model: Revisiting RISC in an age of risk. In Proceedings of the 41st International Symposium on Computer Architecture (June 2014).
58. WULF, W., COHEN, E., CORWIN, W., JONES, A., LEVIN, R., PIER-SON, C., AND POLLACK, F. HYDRA: the kernel of a multiprocessor operating system. Commun. ACM 17, 6 (1974), 337-345.
59. YEE, B., SEHR, D., DARDYK, G., CHEN, J. B., MUTH, R., OR-MANDY, T., OKASAKA, S., NARULA, N., AND FULLAGAR, N. Native Client: A sandbox for portable, untrusted x86 native code. In Proceedings of the 30th Symposium on Security and Privacy (2009), IEEE.