
CHERI: A Hybrid Capability-System Architecture for Scalable Software Compartmentalization

Watson, RNM; Woodruff, J; Neumann, PG; Moore, SW; Anderson, J; Chisnall, D; Dave, N; ... Vadera, M (2015) CHERI: A Hybrid Capability-System Architecture for Scalable Software Compartmentalization. In: Peisert, S and Bauer, L and Shmatikov, V, (eds.) Proceedings of 2015 IEEE Symposium on Security and Privacy. (pp. 20-37). IEEE: San Jose, CA, USA. Green open access


Abstract

CHERI extends a conventional RISC Instruction-Set Architecture, compiler, and operating system to support fine-grained, capability-based memory protection to mitigate memory-related vulnerabilities in C-language TCBs. We describe how CHERI capabilities can also underpin a hardware-software object-capability model for application compartmentalization that can mitigate broader classes of attack. Prototyped as an extension to the open-source 64-bit BERI RISC FPGA soft-core processor, FreeBSD operating system, and LLVM compiler, we demonstrate multiple orders-of-magnitude improvement in scalability, simplified programmability, and resulting tangible security benefits as compared to compartmentalization based on pure Memory-Management Unit (MMU) designs. We evaluate incrementally deployable CHERI-based compartmentalization using several real-world UNIX libraries and applications.

Type: Proceedings paper
Title: CHERI: A Hybrid Capability-System Architecture for Scalable Software Compartmentalization
Event: IEEE Symposium on Security and Privacy SP, 18-20 May 2015 San Jose, California, USA
Location: San Jose, CA
Dates: 18 May 2015 - 20 May 2015
ISBN-13: 9781467369497
Open access status: An open access version is available from UCL Discovery
DOI: 10.1109/SP.2015.9
Publisher version: http://dx.doi.org/10.1109/SP.2015.9
Language: English
Additional information: This version is the author accepted manuscript. For information on re-use, please refer to the publisher’s terms and conditions. © 2015, Robert N.M. Watson. Under license to IEEE.
Keywords: Science & technology, technology, computer science, theory & methods, engineering, electrical & electronic, computer science, engineering, protection.
UCL classification: UCL > Provost and Vice Provost Offices
UCL > Provost and Vice Provost Offices > UCL BEAMS
UCL > Provost and Vice Provost Offices > UCL BEAMS > Faculty of Engineering Science
UCL > Provost and Vice Provost Offices > UCL BEAMS > Faculty of Engineering Science > Dept of Computer Science
URI: http://discovery.ucl.ac.uk/id/eprint/1470067