References: CHERIvoke: Characterising Pointer Revocation using CHERI Capabilities for Temporal Memory Safety (pdf). MICRO, 2019.

Overview
A new allocator with a quarantine buffer that stores “to-be-revoked” segments.

Quarantine buffer (delayed sweeping): a list of addresses of objects that have been freed but are not yet safe to reuse.
- The addresses are kept in a cached list of freed objects; addresses in this buffer cannot be reused (they are not really freed yet).
- A sweep runs only when the buffer is full; after the sweep the addresses become available for reuse (this is the real free).
- The sweep scans all memory that could contain references to the heap and invalidates any capability that points into any region held in the quarantine buffer.
- The sweep uses a shadow map to store revocation metadata: 1 bit for every 16-byte granule of the heap (1/128 space overhead).

Revocation shadow map: a bitmap over quarantined objects (fast lookup).
- Bit-mapped tags for all heap memory; 1 bit per 16 bytes of heap.
- Every allocation in the quarantine buffer is ‘painted’ in this map, marking a to-be-revoked region of the heap.

To sweep:
- Scan all memory for references; for each reference, look it up in this map to decide whether to revoke it (capability/pointer).
- Use the base of the reference to detect whether it points into a revoked object.

A new allocator, dlmalloc_cherivoke, replaces dlmalloc.
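A toy model of the quarantine buffer, shadow map and base-keyed sweep described above, as an added C example (not the paper's dlmalloc_cherivoke; the names cv_alloc/cv_free/cv_sweep, the 4 KiB heap and the 4-entry quarantine are assumptions, and a plain pointer plus a tag bit stands in for a CHERI capability):

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Toy model (added example, not the paper's code): 4 KiB heap, 1 shadow bit per 16-byte granule. */
#define HEAP_SIZE 4096
#define GRANULE 16
#define NGRANULES (HEAP_SIZE / GRANULE)
#define QUARANTINE_CAP 4

typedef struct { uint8_t *base; bool valid; } cap_t;        /* stand-in capability: base + tag bit */
typedef struct { size_t off, len; } qentry_t;               /* one quarantined (freed, unswept) object */

static uint8_t  heap[HEAP_SIZE];
static uint8_t  shadow[NGRANULES / 8];                      /* revocation shadow map */
static qentry_t quarantine[QUARANTINE_CAP];
static size_t   qlen, brk_off;                              /* brk_off: bump-allocator cursor */

static void paint(size_t off, size_t len, bool on) {        /* mark or clear every granule of an object */
    for (size_t g = off / GRANULE; g < (off + len + GRANULE - 1) / GRANULE; g++)
        if (on) shadow[g / 8] |= (uint8_t)(1u << (g % 8));
        else    shadow[g / 8] &= (uint8_t)~(1u << (g % 8));
}

/* Lookup keyed on the capability's base, so a reference whose cursor has moved still maps to its object. */
bool cv_is_quarantined(const cap_t *c) {
    if (c->base < heap || c->base >= heap + HEAP_SIZE) return false;
    size_t g = (size_t)(c->base - heap) / GRANULE;
    return (shadow[g / 8] >> (g % 8)) & 1u;
}

/* Sweep: revoke every root pointing into a painted region, then unpaint and empty the quarantine.
 * Only after this is the quarantined memory really free. Returns the number of revoked roots. */
size_t cv_sweep(cap_t *roots, size_t n) {
    size_t revoked = 0;
    for (size_t i = 0; i < n; i++)
        if (roots[i].valid && cv_is_quarantined(&roots[i])) { roots[i].valid = false; revoked++; }
    for (size_t i = 0; i < qlen; i++) paint(quarantine[i].off, quarantine[i].len, false);
    qlen = 0;
    return revoked;
}

uint8_t *cv_alloc(size_t len) {                              /* bump allocate, rounded to a granule */
    size_t rounded = (len + GRANULE - 1) / GRANULE * GRANULE;
    if (brk_off + rounded > HEAP_SIZE) return NULL;
    uint8_t *p = heap + brk_off; brk_off += rounded; return p;
}

/* free(): paint the object and queue it; the sweep runs only once the quarantine is full. */
size_t cv_free(uint8_t *p, size_t len, cap_t *roots, size_t nroots) {
    quarantine[qlen++] = (qentry_t){ (size_t)(p - heap), len };
    paint((size_t)(p - heap), len, true);
    return qlen == QUARANTINE_CAP ? cv_sweep(roots, nroots) : 0;
}
```

The `roots` array plays the role of "all memory that could contain references"; a real implementation would scan registers, stacks and the heap itself.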
References: N. Wesley Filardo et al., “Cornucopia: Temporal Safety for CHERI Heaps”, 2020 IEEE Symposium on Security and Privacy (SP), 2020.

Motivation
Language-level temporal safety. With CHERI, temporal safety can be achieved in one of two ways:
- Table lookups. Avoided in the CHERI design for performance reasons.
- Identifying capabilities in memory in order to revoke them. This resembles a garbage-collector sweep.
CHERIvoke was a prior feasibility study of the latter approach, with key aspects modeled on x86 machines.