Hardware support for fast capability-based addressing

Carter, Nicholas P.; Keckler, Stephen W.; Dally, William J.

doi:10.1145/195473.195579

Cited by 77 publications

(51 citation statements)

References 14 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Otherwise, it is kept as simple as possible. It is inspired by both the M-Machine [6] and CHERI [9]. To avoid uninteresting details, we assume an infinite address space and unbounded integers.…”

Section: A Capability Machine With Local Capabilitiesmentioning

confidence: 99%

“…The jmp instruction updates the program counter to a requested location, but it is complicated by the presence of enter capabilities, modeled after the M-Machine's [6]. Enter capabilities cannot be used to read, write or execute and their address and range cannot be modified.…”

Section: Permission Hierarchymentioning

confidence: 99%

“…Capability machines are a type of processors that remediate these limitations with a better security model at the hardware level. They are based on old ideas [6][7][8], but have recently received renewed interest; in particular, the CHERI project has proposed new ideas and ways of tackling practical challenges like backwards compatibility and realistic OS support [9,10]. Capability machines tag every word (in the register file and in memory) to enforce a strict separation between numbers and capabilities (a kind of pointers that carry authority).…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Reasoning About a Machine with Local Capabilities

Skorstengaard

Devriese

Birkedal

2018

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Capability machines provide security guarantees at machine level which makes them an interesting target for secure compilation schemes that provably enforce properties such as control-flow correctness and encapsulation of local state. We provide a formalization of a representative capability machine with local capabilities and study a novel calling convention. We provide a logical relation that semantically captures the guarantees provided by the hardware (a form of capability safety) and use it to prove control-flow correctness and encapsulation of local state. The logical relation is not specific to our calling convention and can be used to reason about arbitrary programs.

show abstract

Section: A Capability Machine With Local Capabilitiesmentioning

confidence: 99%

Section: Permission Hierarchymentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Reasoning About a Machine with Local Capabilities

Skorstengaard

Devriese

Birkedal

2018

Lecture Notes in Computer Science

View full text Add to dashboard Cite

show abstract

“…CHERI is also strongly influenced by M-Machine [13], which provided tagged memory in support of fine-grained memory capabilities. Whereas M-Machine implemented an asynchronous model (reasonably described as secure closures, combining code and data references in entry and return capabilities, allowing a single-instruction call/return mechanism), CheriBSD implements secure object invocation based on a TCB-maintained reliable return stack, and separate code and data capabilities.…”

Section: Related Workmentioning

confidence: 99%

“…We extend our CHERI ISA and processor prototype with sealed capabilities and hardwareaccelerated object invocation, and extend the CHERI software stack (LLVM compiler [30] and FreeBSD OS [33]) with a domain-transition calling convention and a userspace objectcapability model. While our approach learns from prior capability systems, such as HYDRA [58] and the M-Machine [13], our focus is on hybridization: how to incrementally deploy CHERI within current C-language TCBs with source-code and binary compatibility. We have targeted the most securitycritical TCBs (e.g., privileged software) and also the most vulnerable (e.g., compression libraries) while avoiding disruption to the remainder of the software stack.…”

Section: Introductionmentioning

confidence: 99%

CHERI: A Hybrid Capability-System Architecture for Scalable Software Compartmentalization

Watson

Woodruff

Neumann

et al. 2015

2015 IEEE Symposium on Security and Privacy

174

155

View full text Add to dashboard Cite

CHERI extends a conventional RISC Instruction-Set Architecture, compiler, and operating system to support fine-grained, capability-based memory protection to mitigate memory-related vulnerabilities in C-language TCBs. We describe how CHERI capabilities can also underpin a hardware-software object-capability model for application compartmentalization that can mitigate broader classes of attack. Prototyped as an extension to the open-source 64-bit BERI RISC FPGA softcore processor, FreeBSD operating system, and LLVM compiler, we demonstrate multiple orders-of-magnitude improvement in scalability, simplified programmability, and resulting tangible security benefits as compared to compartmentalization based on pure Memory-Management Unit (MMU) designs. We evaluate incrementally deployable CHERI-based compartmentalization using several real-world UNIX libraries and applications.

show abstract

Single address space implementation in distributed systems

Bartoli

Dini

Lopriore

2000

Concurrency: Pract. Exper.

View full text Add to dashboard Cite

With reference to a distributed context consisting of computers connected by a local area network, we present the organization of a memory management system giving physical support to a uniform, persistent vision of storage according to a single address space paradigm. Our system implements a two‐layer storage hierarchy in which the distributed secondary memory stores the valid data items and the primary memory supports a form of data caching, for fast processor access. The proposed system defines a small, powerful set of operations that allow application programs to exert explicit control over the memory management activities at the levels of physical storage allocation, data migration across the network, and the data movements between the secondary memory and the primary memory. The system, that has been implemented in prototype form, is assessed from a number of viewpoints. We show that the storage requirements of the information for memory management are negligible. Moreover, the number of messages necessary to determine the network location of a given data item is low and independent of both the network size and the past movements of this data item in the distributed storage.Copyright © 2000 John Wiley & Sons, Ltd.

show abstract

Hardware support for fast capability-based addressing

Cited by 77 publications

References 14 publications

Reasoning About a Machine with Local Capabilities

Reasoning About a Machine with Local Capabilities

CHERI: A Hybrid Capability-System Architecture for Scalable Software Compartmentalization

Single address space implementation in distributed systems

Contact Info

Product

Resources

About