Cornucopia: Temporal Safety for CHERI Heaps
Cornucopia: Temporal Safety for CHERI Heaps Nathaniel Wesley Filardo,∗ Brett F. Gutstein,∗ Jonathan Woodruff,∗ Sam Ainsworth,∗ Lucian Paul-Trifu,∗ Brooks Davis,y Hongyan Xia,∗ Edward Tomasz Napierala,∗ Alexander Richardson,∗ John Baldwin,z David Chisnall,x Jessica Clarke,∗ Khilan Gudka,∗ Alexandre Joannou,∗ A. Theodore Markettos,∗ Alfredo Mazzinghi,∗ Robert M. Norton,∗ Michael Roe,∗ Peter Sewell,∗ Stacey Son,∗ Timothy M. Jones,∗ Simon W. Moore,∗ Peter G. Neumann,y Robert N. M. Watson∗ ∗University of Cambridge, Cambridge, UK; ySRI International, Menlo Park, CA, USA; xMicrosoft Research, Cambridge, UK; zArarat River Consulting, Walnut Creek, CA, USA Abstract—Use-after-free violations of temporal memory safety While use-after-free heap vulnerabilities are ultimately due continue to plague software systems, underpinning many high- to application misuse of the malloc() and free() interface, impact exploits. The CHERI capability system shows great complete sanitization of the vast legacy C code base, or even promise in achieving C and C++ language spatial memory safety, preventing out-of-bounds accesses. Enforcing language-level tem- of highly maintained security-critical programs, has proved poral safety on CHERI requires capability revocation, traditionally infeasible. Instead, we turn our attention to the allocator achieved either via table lookups (avoided for performance in itself, and seek to robustly mitigate temporal-safety bugs. the CHERI design) or by identifying capabilities in memory to Many attempts have been made to mitigate temporal-safety revoke them (similar to a garbage-collector sweep). CHERIvoke, vulnerabilities in existing architectures (discussed in §IX), and a prior feasibility study, suggested that CHERI’s tagged capa- bilities could make this latter strategy viable, but modeled only they have demonstrated that temporal safety is not possible for architectural limits and did not consider the full implementation today’s computers without overheads above 5%, a threshold that or evaluation of the approach.
[Show full text]