DOI: 10.1145/3297858.3304042 (research article, public access)

CheriABI: Enforcing Valid Pointer Provenance and Minimizing Pointer Privilege in the POSIX C Run-time Environment

Published: 04 April 2019

Abstract

The CHERI architecture allows pointers to be implemented as capabilities (rather than integer virtual addresses) in a manner that is compatible with, and strengthens, the semantics of the C language. In addition to the spatial protections offered by conventional fat pointers, CHERI capabilities offer strong integrity, enforced provenance validity, and access monotonicity. The stronger guarantees of these architectural capabilities must be reconciled with the real-world behavior of operating systems, run-time environments, and applications. When the process model, user-kernel interactions, dynamic linking, and memory management are all considered, we observe that simple derivation of architectural capabilities is insufficient to describe appropriate access to memory. We bridge this conceptual gap with a notional abstract capability that describes the accesses that should be allowed at a given point in execution, whether in the kernel or userspace. To investigate this notion at scale, we describe the first adaptation of a full C-language operating system (FreeBSD) with an enterprise database (PostgreSQL) for complete spatial and referential memory safety. We show that awareness of abstract capabilities, coupled with CHERI architectural capabilities, can provide more complete protection, strong compatibility, and acceptable performance overhead compared with the pre-CHERI baseline and software-only approaches. Our observations also have potentially significant implications for other mitigation techniques.


Published In
ASPLOS '19: Proceedings of the Twenty-Fourth International Conference on Architectural Support for Programming Languages and Operating Systems
April 2019
1126 pages
ISBN:9781450362405
DOI:10.1145/3297858
Publisher

Association for Computing Machinery

New York, NY, United States

Badges

  • Best Paper

Author Tags

  1. cheri
  2. hardware
  3. operating systems
  4. security

Conference

ASPLOS '19

Acceptance Rates

ASPLOS '19 paper acceptance rate: 74 of 351 submissions (21%)
Overall acceptance rate: 535 of 2,713 submissions (20%)
