Cheri X86

Capability Registers vs. Segments.

x86 segments

(CHERI ISA v7, Chapter 6)

The x86 architecture first added virtual memory support via relocatable and variable-sized segments. Each segment was assigned a mask of permissions. Memory references were resolved with respect to a specific segment, including relocation to a base address, bounds checking, and access checks. Special segment types permitted transitions to and from different protection domains.

Key differences with CHERI:

  • x86 addresses are stored as a combination of an offset and a segment spanning two different registers. General purpose registers (GPRs) are used to hold offsets, and dedicated segment selector registers are used to hold information about a single segment. The x86 architecture provides six segment selector registers – three of which are reserved for code, stack, and general data access. A fourth register is typically used to define the location of thread-local storage (TLS). This leaves two segment registers to use for fine-grained segments such as separate segments for individual stack variables.
  • These registers do not load a segment descriptor from arbitrary locations in memory. Instead, each register selects a segment descriptor from a descriptor table with a limited number of entries. One could treat the segment descriptor tables (or portions of these tables) as a cache of active segments.
  • More fine-grained segments are not derived from existing segments. Instead, each entry in a descriptor table is independent. Write access to a descriptor table permits construction of arbitrary segments (including special segments that permit privilege transitions). Restricting descriptor-table write access to kernel mode does not protect against construction of arbitrary segments in kernel mode due to bugs or vulnerabilities. (LLM: Is this argument reasonable, since every security solution is evaluated under assumptions??? If the kernel does not have write access, then this would be a reasonable assumption, which does not consider any case where the kernel can write to the descriptor table.) As a result, segment descriptors are not able to provide the same provenance guarantees as tagged capabilities. (LLM: How can CHERI tagged caps be integrated with segments???)
  • Existing segment descriptors do not have available bits for storing types or permissions more expressive than the existing read, write, and execute.
  • x86 segmentation is typically not used in modern operating systems. Software for x86 systems stores only the offset portion of virtual addresses in pointer variables. Segment registers are set to fixed values at program startup, never change, and are largely ignored.
    • 32-bit x86: generally create infinite bounds and use a non-zero base for TLS.
    • 64-bit x86: codifies this by removing segment bounds entirely and supporting non-zero-base addresses only for two segment registers. LLM: What does "codifies" mean here? Hardcoding??
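As an added illustration (not from the CHERI ISA or from this note's author), here is a toy C model of the two mechanisms compared above. A segment descriptor resolves an offset by relocating it to the base, checking it against the limit and checking the permission mask, and descriptor-table entries are written independently of one another, so whoever can write the table can install a segment of any size. A CHERI-style capability, by contrast, is only ever derived from an existing valid capability, and a derivation that would widen the bounds or add a permission leaves the tag cleared, so the result faults on use. All field names, widths and helper functions are assumptions made for the model; they are not the real encoding of either architecture.

```c
/* Toy model (constructed for this note): x86-style segment descriptors
 * next to CHERI-style capabilities.  Layouts are simplified and assumed. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

enum { PERM_R = 1, PERM_W = 2, PERM_X = 4 };

/* x86 descriptor: base, limit (last valid offset) and a permission mask. */
typedef struct { uint32_t base, limit; unsigned perms; } segdesc_t;

/* Segment-relative reference: relocate, bounds-check, access-check.
 * Returns false where hardware would raise a protection fault. */
bool seg_resolve(const segdesc_t *d, uint32_t offset, unsigned want,
                 uint32_t *linear)
{
    if (offset > d->limit) return false;          /* bounds violation */
    if ((d->perms & want) != want) return false;  /* access check */
    *linear = d->base + offset;
    return true;
}

/* Descriptor table: entries are independent.  Nothing ties a new entry
 * to any existing one, so table write access builds arbitrary segments. */
#define DT_ENTRIES 8
typedef struct { segdesc_t e[DT_ENTRIES]; } desctab_t;

void dt_write(desctab_t *t, unsigned idx, segdesc_t d) { t->e[idx] = d; }

/* CHERI-style capability: validity tag, bounds, permissions, address. */
typedef struct {
    bool tag; uint64_t base, length; unsigned perms; uint64_t addr;
} cap_t;

/* Monotonic derivation (modeled loosely on CSetBounds + CAndPerm): the new
 * bounds must sit inside the parent's and permissions can only be cleared.
 * Any attempt to widen yields an untagged, hence unusable, capability. */
cap_t cap_narrow(cap_t parent, uint64_t new_base, uint64_t new_len,
                 unsigned keep_perms)
{
    cap_t c = parent;
    c.base = new_base;
    c.length = new_len;
    c.perms = parent.perms & keep_perms;     /* never adds permissions */
    c.addr = new_base;
    c.tag = parent.tag && new_base >= parent.base &&
            new_len <= parent.length &&
            new_base - parent.base <= parent.length - new_len;
    return c;
}

/* Capability-relative reference: tag, bounds and permission checks. */
bool cap_resolve(const cap_t *c, uint64_t addr, unsigned want, uint64_t *out)
{
    if (!c->tag) return false;                         /* provenance lost */
    if (addr < c->base || addr - c->base >= c->length) return false;
    if ((c->perms & want) != want) return false;
    *out = addr;
    return true;
}

int main(void)
{
    /* Segment side: install a full-range descriptor from nothing. */
    desctab_t gdt = {{{0}}};
    dt_write(&gdt, 1, (segdesc_t){0, UINT32_MAX, PERM_R | PERM_W | PERM_X});
    uint32_t lin;
    printf("segment 1 resolves 0xFFFF0000: %d\n",
           seg_resolve(&gdt.e[1], 0xFFFF0000u, PERM_W, &lin));

    /* Capability side: a 16-byte stack variable derived from a root cap;
     * trying to grow it back to a page clears the tag. */
    cap_t root = {true, 0, 0x10000, PERM_R | PERM_W | PERM_X, 0};
    cap_t var  = cap_narrow(root, 0x2000, 16, PERM_R | PERM_W);
    cap_t wide = cap_narrow(var, 0x2000, 4096, PERM_R | PERM_W);
    uint64_t out;
    printf("var tag=%d wide tag=%d wide usable=%d\n", var.tag, wide.tag,
           cap_resolve(&wide, 0x2008, PERM_R, &out));
    return 0;
}
```

The contrast to notice is in `dt_write` versus `cap_narrow`: the table write has no parent to check against, whereas every capability carries the bounds and permissions of the capability it came from, which is the provenance property the note says segment descriptors cannot offer.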

CHERI on x86

(CHERI ISA v7, Chapter 6) Approaches to providing CHERI capability features on x86:

  • Non-taken approach: extending the existing segment primitives to accommodate some of these differences.

    • Descriptor-table entries could be tagged. Loading an untagged segment would trigger an exception.
    • Decision to make: shall segment selectors store an index into a table, or the logical virtual address of a segment descriptor?
    • The ability to share code and algorithms is limited.
  • CHERI-taken approach: extending existing general-purpose integer registers.

(CHERI ISA v7, Chapter 6.2-6.3):

Created Sep 27, 2019 // Last Updated Sep 28, 2019
