CHERI: Privilege separation through multiprocess compartmentalisation

Lead Research Organisation: University of Cambridge
Department Name: Computer Science and Technology

Abstract

CHERI (Capability Hardware Enhanced RISC Instructions) is a joint research project in hardware-software co-design between the University of Cambridge and SRI International. The project explores improving system security by extending existing RISC Instruction-Set Architectures (ISAs) with capabilities, with the aim of fundamentally improving system security through improvements in computer architecture, compilers/programming languages, and operating systems. The methodology used in this project will be to vary the instruction set, exploring the implications for hardware design and software structure, and evaluating the impact on hardware expense, software performance, software compatibility, and security. Architectural capabilities are unforgeable tokens which themselves prove that their owner has the right to access a resource, and CHERI uses this abstract concept for protecting main memory: capabilities are bounded pointers with associated permissions, and each pointer has a base, a length and a current offset within the described region of memory. No instruction provides a means to create a capability with greater bounds or permissions than its inputs, and the validity of every capability is tracked by the processor to prevent forgery. This provides greater protection against memory-based exploits, but can also be used to compartmentalise parts of applications, confining any successful exploit to just that compartment. Currently, the version of CHERI used for research is CHERI-MIPS, an extension of the 64-bit MIPS instruction set. However, MIPS is no longer widely used, and various historical decisions around the architecture and application binary interface (ABI) mean that as a baseline it is less representative of contemporary architectures. Thus CHERI-RISC-V is being developed: a new implementation of CHERI informed by the existing work on CHERI-MIPS and built on top of the open-source RISC-V instruction set. This makes CHERI-RISC-V an ideal testing ground for experimentation with the CHERI model, revisiting key design choices with the flexibility to select multiple points in various design dimensions and evaluating each variation.
With CHERI, one important aspect to consider is that the processor needs general-purpose registers able to hold capabilities, just as it holds integers and floating-point numbers, in order to perform operations on them. There are two ways this can be achieved: either a whole new bank of capability registers can be added (a "split" register file), or the existing integer registers can be widened so that they can contain both integers and capabilities (a "merged" register file). The former will generally offer better performance, as more registers are available for the compiler to allocate rather than needing to spill variables to the stack, but this can be costly and require a large amount of space on a chip, so the latter approach is more practical. Since CHERI-MIPS provided a split register file, CHERI-RISC-V will offer a merged register file to give a more practical implementation, with the option of a split register file in order to offer a point of comparison. However, for a merged register file, it is unclear whether every register needs to be widened or whether a more minimal subset of them is sufficient. The aim is to explore the whole design space around CHERI-RISC-V's register file, looking at the consequences of using a merged register file instead of a split register file, as well as of only allowing some registers to hold capabilities. Such design decisions affect system software throughout the stack, from the kernel managing the processor state, through the compilers, linkers and loaders implementing the calling convention prescribed by the ABI, to the architecture-specific parts of the C runtime. If successful, this project will lower the hardware expense, improve software performance, and improve software compatibility while retaining the key security objectives of the CHERI architecture.
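The capability rules the abstract describes (base, length and offset; bounds and permissions that can only shrink; a validity tag checked on every use) can be exercised in a small software model. The following is an added illustration written for this page, not code from the CHERI project; it is a simplified model of the architectural checks (instruction names in the comments are indicative, and the permission bits and fault behaviour are this model's own), not a faithful ISA specification.

```python
# Simplified software model of CHERI capability semantics (added example, not project code).
from dataclasses import dataclass, replace

PERM_LOAD, PERM_STORE = 1, 2          # model's own permission bits


class CapabilityFault(Exception):
    """Raised where the hardware would trap on a capability violation."""


@dataclass(frozen=True)
class Capability:
    base: int           # start of the authorised region
    length: int         # size of the authorised region in bytes
    offset: int         # current position relative to base (pointer arithmetic moves this)
    perms: int          # bitmask of PERM_* flags
    tag: bool = True    # validity bit tracked by the processor; False means "forged/untrusted"

    @property
    def address(self):
        return self.base + self.offset


def set_bounds(cap, new_base, new_length):
    """Derive a capability with narrower bounds (CSetBounds-like). Growing bounds is a fault."""
    if not cap.tag:
        raise CapabilityFault("cannot derive from an untagged capability")
    if new_base < cap.base or new_base + new_length > cap.base + cap.length:
        raise CapabilityFault("bounds may only shrink, never grow")
    return replace(cap, base=new_base, length=new_length, offset=0)


def and_perms(cap, mask):
    """Derive a capability with a subset of the permissions (CAndPerm-like); bits only clear."""
    return replace(cap, perms=cap.perms & mask)


def inc_offset(cap, delta):
    """Pointer arithmetic: adjusts the offset; the bounds check happens at use, not here."""
    return replace(cap, offset=cap.offset + delta)


def forge(base, length, offset, perms):
    """Bits assembled from plain integers carry no tag, so the processor will refuse to use them."""
    return Capability(base, length, offset, perms, tag=False)


def check(cap, perm, size=1):
    """The per-access check: tag, then permission, then bounds. Returns the address on success."""
    if not cap.tag:
        raise CapabilityFault("tag violation")
    if not cap.perms & perm:
        raise CapabilityFault("permission violation")
    if cap.offset < 0 or cap.offset + size > cap.length:
        raise CapabilityFault("bounds violation")
    return cap.address


def load(memory, cap, size=1):
    """Load `size` bytes through `cap` from a bytes object standing in for main memory."""
    addr = check(cap, PERM_LOAD, size)
    return memory[addr:addr + size]


def faults(fn, *args):
    """True if the modelled operation traps; used to show which accesses the hardware rejects."""
    try:
        fn(*args)
    except CapabilityFault:
        return True
    return False
```

A compartment handed only the narrowed, load-only capability can read its own region and nothing else, which is the confinement property the abstract relies on.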

Publications


Studentship Projects

Project Reference   Relationship   Related To     Start        End          Student Name
EP/R513180/1                                      01/10/2018   30/09/2023
2107427             Studentship    EP/R513180/1   01/10/2018   30/04/2022   Jessica Clarke