Cheri ELF

Reference

gABI

Morello AArch64 ABI

ELF for dynamic linking

As in the gABI (retrieval date 20221117).

Note Section

Type                       Name
0x0                        NT_CHERI_GLOBALS_ABI
0x1                        NT_CHERI_TLS_ABI
0x80000000 - 0xffffffff    – (Reserved for processor-specific use)

NT_CHERI_GLOBALS_ABI: this note describes the ABI variant in use for accessing globals. Capabilities for globals can be obtained in the following ways.

  • 0x0: CHERI_GLOBALS_ABI_PCREL. By indexing a table relative to the program counter.
  • 0x1: CHERI_GLOBALS_ABI_PLT_FPTR. By indexing a table pointed to by a reserved register or equivalent that is defined on entry to functions.
    • Function pointers are sealed entry capabilities to trampolines that install the correct value for the target.
  • 0x2: CHERI_GLOBALS_ABI_FDESC. By indexing a table pointed to by a reserved register or equivalent that is defined on entry to functions.
    • Function pointers are capabilities to function descriptors, the format of which is processor-specific.

NT_CHERI_TLS_ABI: this note describes the ABI variant in use for accessing thread-locals.

  • 0x0: CHERI_TLS_ABI_TRAD. Capabilities for thread-locals are obtained using traditional TLS Variant I or II with pointers implemented using capabilities.

ARM Morello

RISC-V

MIPS

([CheriABI TR932] ch4.6) The dynamic linker (RTLD) is extended to initialize external symbol references using new dynamic relocations that initialize and bound the capability.

  • a new ELF relocation, R_MIPS_CHERI_CAPABILITY, for external symbol references;
  • for local (non-preemptible) symbols, a special section (__cap_relocs);
  • The GOT (global offset table) in the binary contains global variables and functions. CheriABI changes this table to contain tightly bounded capabilities:
    • The ELF symbol table is parsed and the st_size field of the Elf_Sym structure is used as the size of global variables.
    • st_size is emitted by the compiler. For data it corresponds to the size of the C/C++ declaration; for functions it is the size of all instructions in that function.
    • However, “we only use exact bounds for data symbols and bound function symbols to the containing shared object’s code segment”. This wide bound for code will:
      • preserve the ability of code to use branches in place of jumps between functions;
      • facilitate the existing practice of referencing global variables using program-counter-relative addressing.
    • The same logic applies to the dlsym() API.
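The bounds policy in the list above, as an added example (not code from CheriABI or its RTLD): data symbols get exact bounds from st_size, function symbols get the bounds of the containing code segment. The `sym` and `cap_bounds` structs, the helper names and the sample addresses are assumptions constructed for illustration; the model tracks bounds only and ignores permissions, sealing and bounds compression.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* ELF gABI symbol types, stored in the low nibble of st_info. */
#define STT_OBJECT 1
#define STT_FUNC   2
#define ST_TYPE(info) ((info) & 0xf)

/* Simplified stand-in for the Elf64_Sym fields this policy reads. */
struct sym { const char *name; uint8_t st_info; uint64_t st_value, st_size; };

/* Hypothetical model of a capability: bounds only. */
struct cap_bounds { uint64_t base, length; };

/* Data: exact [st_value, st_value + st_size).
 * Functions: the whole code segment of the containing object. */
struct cap_bounds got_bounds(const struct sym *s, uint64_t text_base,
                             uint64_t text_len)
{
    struct cap_bounds b;
    if (ST_TYPE(s->st_info) == STT_FUNC) {
        b.base = text_base; b.length = text_len;
    } else {
        b.base = s->st_value; b.length = s->st_size;
    }
    return b;
}

/* Would an access of len bytes at addr pass the bounds check? */
bool in_bounds(struct cap_bounds b, uint64_t addr, uint64_t len)
{
    return addr >= b.base && len <= b.length && addr - b.base <= b.length - len;
}

/* Constructed sample image: one code segment, two adjacent globals, one function. */
static const uint64_t TEXT_BASE = 0x10000, TEXT_LEN = 0x2000;
static const struct sym SYM_BUF    = { "buf",    0x11, 0x30000, 16 };
static const struct sym SYM_SECRET = { "secret", 0x11, 0x30010, 8 };
static const struct sym SYM_MAIN   = { "main",   0x12, 0x10400, 0x80 };

int main(void)
{
    struct cap_bounds buf = got_bounds(&SYM_BUF, TEXT_BASE, TEXT_LEN);
    struct cap_bounds fn  = got_bounds(&SYM_MAIN, TEXT_BASE, TEXT_LEN);
    printf("buf last byte ok=%d, overflow into %s ok=%d\n",
           in_bounds(buf, 0x3000f, 1), SYM_SECRET.name,
           in_bounds(buf, SYM_SECRET.st_value, 1));
    printf("main cap reaches 0x11000 ok=%d, reaches data ok=%d\n",
           in_bounds(fn, 0x11000, 4), in_bounds(fn, SYM_BUF.st_value, 4));
    return 0;
}
```

The exact data bound stops a one-byte overflow from `buf` into the adjacent `secret`, while the function capability still covers every other function in the same code segment, which is the trade-off the quoted sentence accepts.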

readelf -a .exe

Examples: hello.elf kernel.elf


Created Apr 30, 2020 // Last Updated Nov 21, 2022
