Computing Community Consortium Blog

The goal of the Computing Community Consortium (CCC) is to catalyze the computing research community to debate longer range, more audacious research challenges; to build consensus around research visions; to evolve the most promising visions toward clearly defined initiatives; and to work with the funding organizations to move challenges and visions toward funding initiatives. The purpose of this blog is to provide a more immediate, online mechanism for dissemination of visioning concepts and community discussion/debate about them.


Capabilities Reincarnated: Compatibility and Better Memory Protection

July 15th, 2014 / in research horizons, Research News / by Ann Drobnis

The following is a special contribution to this blog by by CCC Executive Council Member Mark D. Hill of the University of Wisconsin-Madison.

20120525-swm-beri-de4-photoBackground: Senior computer scientists remember memory “capabilities” as an abstraction for controlling access to objects in machines such as Burroughs B5000 and IBM System/38. In the late 20th century, capabilities lost out to virtual memory with a linear address and per-page protection, as these systems were faster and coarse-grain protection was deemed sufficient. In our 21st century, security is much more important and memory attacks often cross object boundaries (e.g., buffer overflow attacks).

Vision:  Wouldn’t it be interesting if one could reincarnate capabilities for better memory security with:

  • a near-standard architecture and near-standard operating system (with linear virtual memory),
  • have full compatibility when not used,
  • enable incremental use of capabilities via increment changes,
  • pay little performance penalty, and
  • be real enough to actually implement?

Reality: Researchers at University of Cambridge, SRI International, and Google have made great progress toward reincarnating capabilities via a model and prototype named CHERI: Capability Hardware Enhanced RISC Instructions.  Inspired by the Capsicum software capability model, they add capability registers that correspond to 64-bit MIPS general purpose registers and program counter, as well as a logical 1-bit tag per physical memory word. They augment the Unix-like FreeBSD operating system and the Clang/LLVM compiler suite. Programs that don’t use capabilities are unchanged.  Programs can be changed incrementally to add capabilities. The processor design, open sourced by the team, is real enough to be implemented in an FPGA and be used to project slides for the conference presentation!

For more information, please see:

Capabilities Reincarnated: Compatibility and Better Memory Protection