Capabilities Reincarnated: Compatibility and Better Memory Protection

July 15th, 2014 by Ann Drobnis

The following is a special contribution to this blog by CCC Executive Council Member Mark D. Hill of the University of Wisconsin-Madison.

Background: Senior computer scientists remember memory “capabilities” as an abstraction for controlling access to objects in machines such as Burroughs B5000 and IBM System/38. In the late 20th century, capabilities lost out to virtual memory with a linear address and per-page protection, as these systems were faster and coarse-grain protection was deemed sufficient. In our 21st century, security is much more important and memory attacks often cross object boundaries (e.g., buffer overflow attacks).

Vision: Wouldn’t it be interesting if one could reincarnate capabilities for better memory security and:

  • use a near-standard architecture and near-standard operating system (with linear virtual memory),
  • keep full compatibility when capabilities are not used,
  • enable incremental adoption of capabilities via incremental changes to programs,
  • pay little performance penalty, and
  • be real enough to actually implement?

Reality: Researchers at University of Cambridge, SRI International, and Google have made great progress toward reincarnating capabilities via a model and prototype named CHERI: Capability Hardware Enhanced RISC Instructions. Inspired by the Capsicum software capability model, they add capability registers that correspond to 64-bit MIPS general purpose registers and program counter, as well as a logical 1-bit tag per physical memory word. They augment the Unix-like FreeBSD operating system and the Clang/LLVM compiler suite. Programs that don’t use capabilities are unchanged. Programs can be changed incrementally to add capabilities. The processor design, open sourced by the team, is real enough to be implemented in an FPGA and be used to project slides for the conference presentation!
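To make the contrast with a linear, per-page-protected address space concrete, here is an added software model of a tagged, bounded capability; it is illustrative code written for this post, not CHERI's ISA or the team's implementation. The struct fields (base, length, permission bits, validity tag), the `cap_make`/`cap_restrict`/`cap_load`/`cap_store` helpers and the permission names are assumptions of this model. The scenario shows the object-boundary problem named above: a write that would overflow an 8-byte object into its neighbour is refused at the boundary, a store through a load-only capability is refused, and an attempt to derive a wider capability from a narrower one yields an untagged (invalid) value.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Permission bits carried by the capability (constructed for this model). */
enum { CAP_LOAD = 1u << 0, CAP_STORE = 1u << 1 };

/* Software model of a bounded, tagged pointer. Real hardware keeps these
 * fields in capability registers plus a hidden tag bit; this struct is
 * only an illustration. */
typedef struct {
    unsigned char *base;   /* lowest address the capability may touch */
    size_t length;         /* bytes reachable from base */
    unsigned perms;        /* CAP_LOAD / CAP_STORE */
    bool tag;              /* valid flag; cleared once the value is corrupted */
} cap_t;

cap_t cap_make(void *buf, size_t len, unsigned perms) {
    cap_t c = { (unsigned char *)buf, len, perms, true };
    return c;
}

/* Derive a narrower capability. Monotonicity: bounds may only shrink and
 * permissions may only be dropped. Any attempt to widen yields an untagged
 * (invalid) capability instead of a usable one. */
cap_t cap_restrict(cap_t parent, size_t offset, size_t len, unsigned perms) {
    cap_t c = parent;
    if (!parent.tag || offset > parent.length || len > parent.length - offset ||
        (perms & ~parent.perms) != 0) {
        c.tag = false;
        return c;
    }
    c.base = parent.base + offset;
    c.length = len;
    c.perms = perms;
    return c;
}

/* Common check: valid tag, required permission, access inside [base, base+length). */
static bool cap_check(cap_t c, size_t off, size_t n, unsigned need) {
    return c.tag && (c.perms & need) == need && off <= c.length && n <= c.length - off;
}

/* Bounds-checked store of n bytes at offset off. Returns false (a trap in
 * hardware) rather than silently writing past the object. */
bool cap_store(cap_t c, size_t off, const void *src, size_t n) {
    if (!cap_check(c, off, n, CAP_STORE)) return false;
    memcpy(c.base + off, src, n);
    return true;
}

bool cap_load(cap_t c, size_t off, void *dst, size_t n) {
    if (!cap_check(c, off, n, CAP_LOAD)) return false;
    memcpy(dst, c.base + off, n);
    return true;
}

/* Scenario (constructed): two adjacent 8-byte objects in one 16-byte arena.
 * Through a raw pointer a 16-byte write into `name` would spill into `secret`;
 * through the capability it is refused. Returns the number of refused
 * operations, or -1 if the model ever let a bad access through. */
int demo_overflow_blocked(void) {
    unsigned char arena[16] = {0};
    cap_t whole  = cap_make(arena, sizeof arena, CAP_LOAD | CAP_STORE);
    cap_t name   = cap_restrict(whole, 0, 8, CAP_LOAD | CAP_STORE);
    cap_t secret = cap_restrict(whole, 8, 8, CAP_LOAD);   /* read-only view */

    unsigned char sixteen[16];
    memset(sixteen, 'A', sizeof sixteen);

    int refused = 0;
    if (!cap_store(name, 0, sixteen, 16)) refused++;   /* exceeds name's bounds */
    if (!cap_store(secret, 0, sixteen, 8)) refused++;  /* lacks CAP_STORE */
    if (!cap_store(name, 0, sixteen, 8)) return -1;    /* in-bounds write is fine */

    /* Widening attempt: derive a 16-byte capability from the 8-byte one. */
    cap_t widened = cap_restrict(name, 0, 16, CAP_STORE);
    if (!widened.tag) refused++;

    /* The neighbouring object was never touched. */
    for (size_t i = 8; i < 16; i++)
        if (arena[i] != 0) return -1;
    return refused;
}

int main(void) {
    printf("refused accesses: %d\n", demo_overflow_blocked());
    return 0;
}
```

The point of the model is the check in `cap_check`: every load and store is validated against the object's own bounds and permissions, so protection is per-object rather than per-page, and the tag prevents a forged or overwritten pointer value from being dereferenced at all.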

For more information, please see: