[2020 Oakland] Cornucopia: Temporal Safety for CHERI heaps
Motivation
Language-level temporal safety.
With CHERI, temporal safety can be achieved in one of two ways:
- Table lookups on every dereference. The CHERI design avoids this for performance.
- Identifying capabilities in memory in order to revoke them. This is similar to a garbage-collector sweep.
CHERIvoke: a prior feasibility study of the latter approach, with key aspects modeled on x86 machines.
Cornucopia: a practical design and implementation of the approach proposed in the CHERIvoke paper.
Overview
Cornucopia
- extends the CHERIvoke paper by:
  - concurrent sweeping revocation that can be performed in parallel with application threads (III);
  - cases in sweeping revocation beyond the user address space, including user capabilities in register files and kernel structures (IV-A);
  - virtual memory techniques that facilitate tracking the spread of capabilities to efficiently prune pages from sweeping passes (IV-D);
  - asynchronous revocation that enables multiple allocators to safely and efficiently share kernel-managed sweeping resources (Append. A and B).
- new allocators and an allocator-agnostic wrapper:
  - ports of dlmalloc and snmalloc;
  - a wrapper that can augment any existing allocator with temporal safety;
- implemented on MIPS, on FPGA, under CheriBSD.
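The sweep-based idea from the Motivation section (free does not reuse memory but paints it in a shadow bitmap; a later sweep clears the tag of every capability still pointing into painted memory) and the page-pruning idea from IV-D (skip pages that never held a capability) are easier to see in a small model. The following is an added toy model written for these notes; it is not code from the Cornucopia paper, CheriBSD or either allocator. The granule size, the `cap_t` struct, the `slots` array standing in for capability-holding memory, and the per-page `page_has_caps` flags are all assumptions of the model.

```c
/*
 * Toy model of CHERI-style sweeping revocation (added example, not paper code).
 * A "capability" is {base, length, tag}; memory that can hold capabilities is
 * modelled as a fixed array of slots, each attributed to a heap page.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define GRANULE    16                     /* bytes covered by one shadow bit (assumed) */
#define HEAP_BYTES 4096
#define PAGE_BYTES 512
#define NGRANULES  (HEAP_BYTES / GRANULE)
#define NPAGES     (HEAP_BYTES / PAGE_BYTES)
#define NSLOTS     64                     /* capability-holding locations we track */

typedef struct { size_t base; size_t length; bool tag; } cap_t;

static uint8_t shadow[NGRANULES / 8];     /* bit set = granule is quarantined */
static bool    page_has_caps[NPAGES];     /* IV-D style: page ever stored a capability */
static cap_t   slots[NSLOTS];
static size_t  slot_page[NSLOTS];
static size_t  bump;                      /* trivial bump allocator (no reuse at all) */

static void shadow_set(size_t g) { shadow[g / 8] |= (uint8_t)(1u << (g % 8)); }
static bool shadow_get(size_t g) { return (shadow[g / 8] >> (g % 8)) & 1u; }

/* malloc: hand out a tagged capability bounded to the granule-rounded object. */
cap_t toy_malloc(size_t len) {
    size_t rounded = (len + GRANULE - 1) / GRANULE * GRANULE;
    cap_t c = { bump, rounded, true };
    bump += rounded;
    return c;
}

/* Storing a capability into memory marks the page as capability-dirty. */
void store_cap(size_t slot, size_t page, cap_t c) {
    slots[slot] = c;
    slot_page[slot] = page;
    page_has_caps[page] = true;
}

/* free: paint the object's granules in the shadow bitmap; memory is NOT reused yet. */
void toy_free(cap_t c) {
    for (size_t g = c.base / GRANULE; g < (c.base + c.length) / GRANULE; g++)
        shadow_set(g);
}

/* Sweep: untag every capability whose base lies in a quarantined granule.
 * Pages that never held a capability are skipped entirely.
 * Returns the number of capabilities revoked. */
size_t sweep_revoke(void) {
    size_t revoked = 0;
    for (size_t s = 0; s < NSLOTS; s++) {
        if (!page_has_caps[slot_page[s]]) continue;      /* pruned page */
        cap_t *c = &slots[s];
        if (c->tag && shadow_get(c->base / GRANULE)) {
            c->tag = false;                               /* dangling -> unusable */
            revoked++;
        }
    }
    /* No tagged capability can now reach quarantined memory, so the
     * quarantine could be handed back to the allocator; clear the paint. */
    memset(shadow, 0, sizeof shadow);
    return revoked;
}

/* A dereference through an untagged capability faults on CHERI. */
bool try_load(cap_t c) { return c.tag; }

/* Scenario: two objects, one freed and still referenced. Returns a bitmask:
 * bit0 dangling cap still usable before the sweep (the use-after-free window),
 * bit1 exactly one capability revoked, bit2 dangling cap unusable after the
 * sweep, bit3 the live capability survives. All four set => 15. */
int run_scenario(void) {
    memset(shadow, 0, sizeof shadow); memset(page_has_caps, 0, sizeof page_has_caps);
    memset(slots, 0, sizeof slots);   memset(slot_page, 0, sizeof slot_page);
    bump = 0;
    cap_t a = toy_malloc(24), b = toy_malloc(40);
    store_cap(0, 0, a);                 /* page 0 holds a capability */
    store_cap(1, 1, b);                 /* page 1 holds a capability */
    toy_free(a);                        /* slot 0 now dangles */
    int r = try_load(slots[0]) ? 1 : 0;
    r |= (sweep_revoke() == 1) ? 2 : 0;
    r |= !try_load(slots[0]) ? 4 : 0;
    r |= try_load(slots[1]) ? 8 : 0;
    return r;
}

int main(void) {
    printf("scenario bitmask = %d (15 means all checks passed)\n", run_scenario());
    return 0;
}
```

The model deliberately omits what makes the real system hard: the sweep here is atomic and stop-the-world, whereas section III of the paper lets it run concurrently with application threads, and the real page-pruning in IV-D uses virtual-memory dirty tracking rather than a flag set by a store helper. Note also the window the first check exposes: between `toy_free` and `sweep_revoke` the dangling capability is still tagged, which is exactly why the quarantined memory must not be reused before the sweep completes.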