eprintid: 1470067
rev_number: 35
eprint_status: archive
userid: 608
dir: disk0/01/47/00/67
datestamp: 2017-05-26 16:33:59
lastmod: 2021-09-19 23:31:59
status_changed: 2017-05-26 16:33:59
type: proceedings_section
metadata_visibility: show
creators_name: Watson, RNM
creators_name: Woodruff, J
creators_name: Neumann, PG
creators_name: Moore, SW
creators_name: Anderson, J
creators_name: Chisnall, D
creators_name: Dave, N
creators_name: Davis, B
creators_name: Gudka, K
creators_name: Laurie, B
creators_name: Murdoch, SJ
creators_name: Norton, R
creators_name: Roe, M
creators_name: Son, S
creators_name: Vadera, M
title: CHERI: A Hybrid Capability-System Architecture for Scalable Software Compartmentalization
ispublished: pub
divisions: UCL
divisions: B04
divisions: C05
divisions: F48
keywords: Science & technology, technology, computer science, theory & methods, engineering, electrical & electronic, computer science, engineering, protection.
note: This version is the author accepted manuscript. For information on re-use, please refer to the publisher’s terms and conditions.
© 2015, Robert N.M. Watson. Under license to IEEE.
abstract: CHERI extends a conventional RISC Instruction-Set Architecture, compiler, and operating system to support fine-grained, capability-based memory protection to mitigate memory-related vulnerabilities in C-language TCBs. We describe how CHERI capabilities can also underpin a hardware-software object-capability model for application compartmentalization that can mitigate broader classes of attack. Prototyped as an extension to the open-source 64-bit BERI RISC FPGA soft-core processor, FreeBSD operating system, and LLVM compiler, we demonstrate multiple orders-of-magnitude improvement in scalability, simplified programmability, and resulting tangible security benefits as compared to compartmentalization based on pure Memory-Management Unit (MMU) designs. We evaluate incrementally deployable CHERI-based compartmentalization using several real-world UNIX libraries and applications.
date: 2015-05-20
publisher: IEEE
official_url: http://dx.doi.org/10.1109/SP.2015.9
vfaculties: VENG
vfaculties: VENG
oa_status: green
full_text_type: other
language: eng
primo: open
primo_central: open_green
verified: verified_manual
elements_id: 1043739
doi: 10.1109/SP.2015.9
isbn_13: 9781467369497
lyricists_name: Murdoch, Steven
lyricists_id: SMURD10
actors_name: Murdoch, Steven
actors_id: SMURD10
actors_role: owner
full_text_status: public
series: IEEE Symposium on Security and Privacy
publication: 2015 IEEE SYMPOSIUM ON SECURITY AND PRIVACY SP 2015
volume: 2015
place_of_pub: San Jose, CA, USA
pagerange: 20-37
pages: 18
event_title: IEEE Symposium on Security and Privacy SP, 18-20 May 2015 San Jose, California, USA
event_location: San Jose, CA
event_dates: 18 May 2015 - 20 May 2015
institution: IEEE Symposium on Security and Privacy
issn: 1081-6011
book_title: Proceedings of 2015 IEEE Symposium on Security and Privacy
editors_name: Peisert, S
editors_name: Bauer, L
editors_name: Shmatikov, V
citation: Watson, RNM; Woodruff, J; Neumann, PG; Moore, SW; Anderson, J; Chisnall, D; Dave, N; Davis, B; Gudka, K; Laurie, B; Murdoch, SJ; Norton, R; Roe, M; Son, S; Vadera, M; (2015) CHERI: A Hybrid Capability-System Architecture for Scalable Software Compartmentalization. In: Peisert, S and Bauer, L and Shmatikov, V, (eds.) Proceedings of 2015 IEEE Symposium on Security and Privacy. (pp. 20-37). IEEE: San Jose, CA, USA. Green open access
 
document_url: https://discovery.ucl.ac.uk/id/eprint/1470067/1/oakland15cheri.pdf