CHERI: A Hybrid Capability-System Architecture for Scalable Software Compartmentalization Robert N. M. Watson∗, Jonathan Woodruff∗, Peter G. Neumanny, Simon W. Moore∗, Jonathan Andersonz, David Chisnall∗, Nirav Davey, Brooks Davisy, Khilan Gudka∗, Ben Lauriex, Steven J. Murdoch{, Robert Norton∗, Michael Roe∗, Stacey Son∗, Munraj Vadera∗ ∗University of Cambridge, ySRI International, zMemorial University, xGoogle UK Ltd., {University College London Abstract—CHERI extends a conventional RISC Instruction- In prior papers, we have described Capability Hardware Set Architecture, compiler, and operating system to support Enhanced RISC Instructions (CHERI), a set of incrementally fine-grained, capability-based memory protection to mitigate adoptable architectural extensions for scalable, in-address- memory-related vulnerabilities in C-language TCBs. We describe space memory protection that mitigates exploits via a hybrid how CHERI capabilities can also underpin a hardware-software capability-system model [54], [57], [15]. CHERI supplements object-capability model for application compartmentalization the conventional Memory Management Unit (MMU) support- that can mitigate broader classes of attack. Prototyped as an extension to the open-source 64-bit BERI RISC FPGA soft- ing virtual-memory-based processes with a capability copro- core processor, FreeBSD operating system, and LLVM compiler, cessor to implement fine-grained, compiler-directed memory we demonstrate multiple orders-of-magnitude improvement in protection. In this paper, we describe how CHERI can also scalability, simplified programmability, and resulting tangible act as the foundation for an object-capability model able security benefits as compared to compartmentalization based on to support orders of magnitude greater compartmentalization pure Memory-Management Unit (MMU) designs. We evaluate performance, and hence granularity, than current designs. incrementally deployable CHERI-based compartmentalization using several real-world UNIX libraries and applications. As with MMU-based systems, CHERI can enforce strong isolation and controlled memory sharing, two prerequisites for compartmentalization, albeit with markedly different scal- I. INTRODUCTION ability and programming properties. We use capabilities to Vulnerability mitigation is a key tenet of contemporary build a hardware-software domain-transition mechanism and computer-system design. Deployed systems commonly em- programming model suitable for safe communication between ploy two approaches: exploit mitigation (which targets attack- mutually distrusting software. We extend our CHERI ISA and vector characteristics such as remote code injection [46]), and processor prototype with sealed capabilities and hardware- software compartmentalization (which limits privileges and accelerated object invocation, and extend the CHERI software further attack surfaces available to attackers [25], [41], [27], stack (LLVM compiler [30] and FreeBSD OS [33]) with a [53]). Exploit mitigation relies on knowledge of specific attack domain-transition calling convention and a userspace object- vectors and avoids application-level source-code modification; capability model. While our approach learns from prior capa- for example, stack canaries transparently detect attempts to bility systems, such as HYDRA [58] and the M-Machine [13], overwrite return addresses. However, these techniques are our focus is on hybridization: how to incrementally deploy often probabilistic and subject to an arms race as attack and CHERI within current C-language TCBs with source-code defense co-evolve. In contrast, compartmentalization requires and binary compatibility. We have targeted the most security- structural changes to programs: applications are decomposed critical TCBs (e.g., privileged software) and also the most vul- into isolated components that are granted selected access to nerable (e.g., compression libraries) while avoiding disruption system and application resources, limiting the rights leaked to to the remainder of the software stack. In this paper, we: attackers. Unlike exploit mitigation, compartmentalization can provide protection against yet unknown exploit techniques. The • Describe a novel hardware-software capability-system two approaches are complementary and often used together architecture supporting incrementally adoptable, fine- – e.g., OpenSSH [41] and Chromium [42] are frequently grained compartmentalization for C-language TCBs. compiled with both stack protection and sandboxing. • Explore the architecture’s practical implications through a fully functional hardware-software prototype based on Unfortunately, these techniques must be retrofitted onto a 64-bit FPGA soft-core RISC processor, compiler, OS, consensus hardware and software models that deemphasize and example applications. (To facilitate reproducibility, security. This imposes detrimental performance, additional we have open-sourced our hardware and software.) complexity, and programmability problems as stronger protec- • Demonstrate an effective and incrementally adoptable tion is layered over weaker substrates. This tendency is clearest hybrid MMU-capability model for compartmentalization, at the lowest levels of the stack: widely used CPUs provide clean composition with OS features such as virtual mem- little support for fine-grained memory protection, and exhibit ory, C-language object capabilities, library compartmen- poor compartmentalization scalability. As a result, countless talization, and an orders-of-magnitude performance gain. research papers explore ways to reintroduce omitted protection • Evaluate the security, complexity, programmability, and features through program transformation. There is little recent performance impacts of the approach, paying particular work in the area of hardware-software approaches, despite attention to compatibility concerns that have not been the a pressing need for vulnerability mitigation in C-language subject of prior capability-system research. Trusted Computing Bases (TCBs) such as language runtimes and web browsers, which are neither easily proven correct nor Throughout, we consider tradeoffs in the hardware- easily replaced with type-safe alternatives. software design space, and their impact on software structure. MMU-based OSes Hybrid capability/MMU OSes Pure capability OSes MMU-based virtual address spaces zlib libssl libssl libpng zlibzlib libssl libssl libpnglibpng zlibzlib libssllibssl class1 class1 libssl class2 ABI wrapper ABI wrapper Pure-capability ABI wrapper Legacy Fetch uses Hybrid Netsurf links Fetch command-line Netsurf Fetch can still use class3 pure-capability zlib against legacy and class2 HTTP client web browser legacy code in via an ABI wrapper pure-capability code compartments Capability-based Address-space executive Address-space executive Address-space executive unikernel OS + Capability-based FreeBSD kernel applications FreeBSD kernel single-address-space + CHERI support for userspace capabilities Address-space executive OS and applications Hypervisor / Separation Kernel Hypervisor / Separation Kernel MMU-based virtual address spaces + CHERI support for guest capabilities Address-space executive CHERI CPU CHERI CPU CHERI CPU ‘Legacy’ code compiled against a RISC ISA ‘Pure-capability’ code uses CHERI capabilities for all C pointers Regular linkage ‘Hybrid’ code uses RISC pointers or source-code annotated CHERI capabilities Per-address-space memory-management and capability executive Compartment boundary Fig. 1. While the CHERI ISA can support a spectrum of hardware-software architectures, from conventional MMU-based virtualization and OS process models to single address-space capability systems, we focus on hybridization opportunities that allow elements of both approaches to be combined. II. APPROACH Conventional UNIX process Capsicum logical application main loop Process with Capability-mode process The CHERI hardware-software architecture enhances vul- ambient authority vulnerable vulnerable nerability mitigation through two capability-based techniques compression main loop compression aimed at user-level C-language TCBs: logic logic • Memory capabilities, described in prior papers, are Kernel Kernel implemented by the ISA [57] and compiler [15], provid- Selected rights delegated to ing an incrementally deployable replacement for pointers sandbox via capabilities within address spaces, mitigating memory-based exploits. • Object capabilities, the focus of this paper, are im- Fig. 2. Software compartmentalization decomposes applications into isolated plemented by the operating system over the memory- components, limiting rights leaked to successful attackers. capability foundation, providing scalable, and likewise incrementally adoptable, software compartmentalization. We accept this adversary model, but observe that modest Capability systems are hardware, software, or distributed extensions to the CheriBSD class loader would also allow it systems designed to implement the principle of least privi- to tolerate a malicious software supply chain. We begin by lege [17], [43]. Capabilities are unforgeable tokens of authority briefly introducing capability-based compartmentalization and granting rights to objects in the system; they can be selectively the CHERI ISA. delegated between constrained programs to enforce security policies. While pure capability systems allow access to objects Capability-system concepts have proved useful in imple- only via capabilities, CHERI is a hybrid capability system menting