Abstract

We present CHERI Concentrate, a new fat-pointer compression scheme applied to CHERI, the most developed capability-pointer system at present. Capability fat pointers are a primary candidate to enforce fine-grained and non-bypassable security properties in future computer systems, although increased pointer size can severely affect performance. Thus, several proposals for capability compression have been suggested elsewhere that do not support legacy instruction sets, ignore features critical to the existing software base, and also introduce design inefficiencies to RISC-style processor pipelines. CHERI Concentrate improves on the state-of-the-art region-encoding efficiency, solves important pipeline problems, and eases semantic restrictions of compressed encoding, allowing it to protect a full legacy software stack. We present the first quantitative analysis of compiled capability code, which we use to guide the design of the encoding format. We analyze and extend logic from the open-source CHERI prototype processor design on FPGA to demonstrate encoding efficiency, minimize delay of pointer arithmetic, and eliminate additional load-to-use delay. To verify correctness of our proposed high-performance logic, we present a HOL4 machine-checked proof of the decode and pointer-modify operations. Finally, we measure a 50 to 75 percent reduction in L2 misses for many compiled C-language benchmarks running under a commodity operating system using compressed 128-bit and 64-bit formats, demonstrating both compatibility with and increased performance over the uncompressed, 256-bit format.

Highlights

  • Intel Memory Protection Extensions (MPX) and Software Guard Extensions (SGX), as well as Oracle Silicon Secured Memory (SSM), signal an unprecedented industrial willingness to implement hardware mechanisms for memory safety and security

  • In order to evaluate the usable precision of CC against the Low-fat encoding, we used the dtrace framework on Mac OS X 10.9 to collect traces from every allocator found in six real-world applications: Chrome 38.0.2125, Firefox 31, Apache 2.4, iTunes 12, MPlayer build #127, and mySQL 5

  • When object bounds cannot be precisely represented by CC, the allocator may have to pad the allocation with unused memory to maintain memory safety


Summary

INTRODUCTION

Intel Memory Protection Extensions (MPX) and Software Guard Extensions (SGX), as well as Oracle Silicon Secured Memory (SSM), signal an unprecedented industrial willingness to implement hardware mechanisms for memory safety and security. Capability pointers are stronger than fault detection schemes such as MPX and SSM, and are able to achieve provable containment at the granularity of program-defined objects that is as strong as address-space separation. The greatest cost for capability pointers involves the object bounds encoded with each pointer to enforce memory safety. Encoding both upper and lower bounds as well as a pointer address requires either larger capabilities [1] or. CC achieves the best published region encoding efficiency, solves important pipeline problems caused by a decompressed register file, and eases semantic restrictions due to the compressed encoding. CC improves efficiency over Low-Fat Pointers, the previous best capability bounds format, by inferring the most significant bit of the Top field and by encoding the exponent within the bounds. CC improves both semantics and timing by allowing out-of-bounds pointer manipulations, which simplifies the pointer arithmetic check, allowing it to be performed directly on the compressed format.
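The introduction above and the highlight on allocation padding both rest on the same idea: base and top are stored as short mantissas scaled by a shared exponent, so a large region can only be described at coarse granularity, and an allocator that wants the compressed bounds to cover only one object must align and round its allocation. The following example, added here and not taken from the paper or the CHERI project, makes that trade-off concrete with a deliberately simplified encoding. It is not the CHERI Concentrate or Low-fat bit layout (it stores the exponent separately and does not infer the top's most significant bit); `MANTISSA_BITS`, the function names and the allocation sizes are all assumptions of this illustration.

```python
"""Simplified floating-point bounds compression (illustrative example).

This is NOT the CHERI Concentrate or Low-fat bit layout. It keeps only the
idea those schemes share: base and top are short mantissas in units of
2**exponent, so large regions lose precision and may need padding.
MANTISSA_BITS and every function below are assumptions of this example.
"""
from dataclasses import dataclass
from typing import Iterable, Tuple

MANTISSA_BITS = 8                 # assumed width of the base/top mantissa fields
MANTISSA_LIMIT = 1 << MANTISSA_BITS


def ceil_div(a: int, b: int) -> int:
    return -(-a // b)


@dataclass(frozen=True)
class CompressedBounds:
    exponent: int   # shared scale: both mantissas are in units of 2**exponent
    base_m: int     # base >> exponent, rounded down
    top_m: int      # top / 2**exponent, rounded up


def choose_exponent(base: int, top: int) -> int:
    """Smallest exponent at which the rounded region spans fewer than
    2**MANTISSA_BITS units, i.e. the length fits the mantissa field."""
    e = 0
    while ceil_div(top, 1 << e) - (base >> e) >= MANTISSA_LIMIT:
        e += 1
    return e


def encode(base: int, top: int) -> CompressedBounds:
    """Compress the half-open region [base, top). Rounding base down and top
    up means the decoded region always covers the requested one, never less."""
    if not 0 <= base < top:
        raise ValueError("need 0 <= base < top")
    e = choose_exponent(base, top)
    return CompressedBounds(e, base >> e, ceil_div(top, 1 << e))


def decode(c: CompressedBounds) -> Tuple[int, int]:
    return c.base_m << c.exponent, c.top_m << c.exponent


def padding(base: int, top: int) -> int:
    """Bytes by which the decoded region exceeds the requested one.
    Zero means the bounds are exactly representable."""
    dbase, dtop = decode(encode(base, top))
    return (dtop - dbase) - (top - base)


def is_exactly_representable(base: int, top: int) -> bool:
    return padding(base, top) == 0


def allocator_padding(size: int) -> Tuple[int, int]:
    """What an allocator must do so the compressed bounds cover only this
    object: align the start to 2**e and round the size up to a multiple of
    2**e. Returns (required_alignment, padding_bytes). Without the padding,
    the decoded bounds could reach into a neighbouring allocation."""
    e = choose_exponent(0, size)
    unit = 1 << e
    return unit, ceil_div(size, unit) * unit - size


def padding_overhead(sizes: Iterable[int]) -> float:
    """Fraction of requested bytes wasted as padding over a set of allocation
    sizes. The sizes passed in by callers here are constructed, not traces."""
    sizes = list(sizes)
    requested = sum(sizes)
    wasted = sum(allocator_padding(s)[1] for s in sizes)
    return wasted / requested


if __name__ == "__main__":
    # Constructed allocation sizes, chosen to show exact and inexact cases.
    for size in (100, 1001, 70000):
        align, pad = allocator_padding(size)
        print(f"size={size:6d} alignment={align:4d} padding={pad:4d}")
    print("overhead:", padding_overhead([100, 1001, 70000]))
```

The region `[1000, 2001)` decodes to `[1000, 2004)`, three bytes larger than requested, and a 70000-byte object needs 512-byte alignment plus 144 bytes of padding; the `padding_overhead` function is the kind of measurement the paper's allocator-trace study performs on real applications, here run only over constructed sizes.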

BACKGROUND
CHERI-256
M-Machine
Low-fat pointers
Pipeline Problems
SHORTCOMINGS OF THE STATE-OF-THE-ART
Encoding Inefficiencies
Out-of-Bounds Pointers being Unrepresentable
No Evaluation of Compiled Programs
CC PRINCIPLES I — IMPROVING ON LOW-FAT
Implied Most-Significant Bit of Top
Internal Exponent Encoding
Evaluation of Representability
CC PRINCIPLES II — CHERI SEMANTICS
Representable Buffer
CHERI CONCENTRATE REGION ARITHMETIC
Encoding the bounds
Decoding the bounds
Fast representable limit checking
CHERI-128
INSTRUCTION FREQUENCY STUDY
CHERI CONCENTRATE PIPELINE
Memory Access Write Back
EXECUTION PERFORMANCE
Larger applications and benchmark suites
Microbenchmarks
10 PROOF OF CORRECTNESS
11 RELATED WORK
11.1 Table-based encoding
11.2 Tagged memory
11.4 Software fat-pointer techniques
12 CONCLUSIONS
13 ACKNOWLEDGMENTS