Department of Computer Science and Technology

CHERI

CHERI compartmentalization figure

CHERI Software Stack

This page describes our CHERI software-stack prototypes, including the CHERI Clang/LLVM/LLD compiler suite and linker, CheriBSD operating system, and QEMU-CHERI ISA-level simulator. We have also performed CHERI adaptations of the GDB debugger, FreeRTOS embedded operating system, and Spike RISC-V simulator, as well as applications such as WebKit. Entirely new software is released under a BSD license; extensions to existing software packages are released under the license used by that package.

Our ASPLOS 2019 paper on CheriABI provides the best current general introduction to CHERI memory safety for operating systems and applications. There is also an extended CheriABI technical report that contains additional implementation information on this work.

CHERI Clang/LLVM compiler suite, LLD linker, and GDB debugger

CHERI Clang/LLVM and LLD are a complete compiler suite and compile-time linker for use with the CHERI architecture as instantiated for 32/64-bit RISC-V. Arm has also forked this tree to develop Morello LLVM, and developed an initial prototype Morello gcc. We have adapted the GDB debugger to use CHERI. The suite targets two C interpretations and ABIs:

Hybrid-capability C and binary code
Hybrid-capability C/C++ starts with the conventional integer implementation of C/C++ pointers, but allows types to be optionally qualified in order to trigger implementation using CHERI capabilities. This model could also transparently introduce capability use where it does not interfere with existing ABIs. This model is typically used in low-level OS components and compatibility layers, such as in allowing the pure-capability CheriABI process environment to be implemented over a hybrid-capability kernel.
Pure-capability C and binary code
Pure-capability C/C++ implements all C/C++ pointers using CHERI capabilities. This includes explicit pointers (such as explicitly declared pointers to functions, global variables, local variables, and heap allocations), and also implicit pointers (such as return addresses, and GOT pointers). This model is suitable for a broad variety of uses, including in providing strong memory safety for operating-system kernels and user applications. CHERI C is documented in our CHERI C/C++ Programming Guide.
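To make the pure-capability model concrete, here is an added example (portable C, not CHERI C, and not code from the CHERI project) that models what the hardware does for every pointer in CheriABI code: a malloc()-derived pointer carries the allocation's bounds and a validity tag, bounds can only be narrowed, and an unchecked copy into a heap buffer stops at the bound instead of corrupting its neighbour. The `cap_t` struct, the fault codes and the demo functions are constructed for this illustration; on real CHERI these fields live in the capability itself and the CPU performs the checks.

```c
#include <stdint.h>
#include <stdlib.h>

/* Portable model of a CHERI capability: a pointer carrying the bounds of the
 * object it was derived from plus a validity tag. Constructed for illustration;
 * on CHERI hardware these live in the capability and the CPU checks them. */
typedef struct {
    uint8_t *base;    /* lowest address the capability may access */
    size_t   length;  /* bytes from base that may be accessed */
    size_t   offset;  /* current address is base + offset */
    int      tag;     /* 1 = valid; 0 = any dereference traps */
} cap_t;

enum cap_fault { CAP_OK = 0, CAP_FAULT_TAG = 1, CAP_FAULT_BOUNDS = 2 };

/* malloc() under CheriABI: the returned capability is bounded to the
 * allocation, so pointers derived from it can never reach a neighbour. */
static cap_t cap_malloc(size_t n) {
    cap_t c = { (uint8_t *)malloc(n), n, 0, 1 };
    if (c.base == NULL) c.tag = 0;
    return c;
}
/* Bounds setting is monotonic: a capability may be narrowed to a sub-object
 * but never widened; asking for more than it holds clears the tag. */
static cap_t cap_setbounds(cap_t c, size_t n) {
    cap_t r = { c.base + c.offset, n, 0, c.tag };
    if (c.offset + n > c.length) r.tag = 0;
    return r;
}
/* Byte store through a capability, with the tag and bounds checks that
 * pure-capability code gets on every memory access. */
static enum cap_fault cap_store8(cap_t c, size_t idx, uint8_t v) {
    if (!c.tag) return CAP_FAULT_TAG;
    if (c.offset + idx >= c.length) return CAP_FAULT_BOUNDS;
    c.base[c.offset + idx] = v;
    return CAP_OK;
}

struct demo_result { size_t written; enum cap_fault fault; };

/* Copies src_len bytes into a buf_len-byte heap buffer the way an unchecked
 * memcpy would, and reports how far it got before the first fault. */
static struct demo_result overflow_demo(size_t buf_len, size_t src_len) {
    struct demo_result r = { 0, CAP_OK };
    cap_t buf = cap_malloc(buf_len);
    for (r.written = 0; r.written < src_len; r.written++) {
        r.fault = cap_store8(buf, r.written, 0x41);  /* constructed payload byte */
        if (r.fault != CAP_OK) break;
    }
    free(buf.base);
    return r;
}
```

With a 16-byte buffer and a 20-byte source, the model writes 16 bytes and then reports a bounds fault, which is the point at which a pure-capability CheriBSD process would take a trap instead of silently overwriting adjacent heap memory.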

CheriBSD operating system

CheriBSD is an adaptation of the open-source FreeBSD operating system to utilize the CHERI Architecture's capability-system model. CheriBSD provides strong CHERI-based memory protection for the kernel and userspace, as well as support for scalable single-address-space software compartmentalization. By default, the kernel is compiled as a hybrid-capability binary, but we have experimental extensions that allow it to run as a pure-capability binary. Both kernels support running existing off-the-shelf userspace 64-bit RISC-V and aarch64 binaries, as well as pure-capability binaries running in the CheriABI process environment. CheriBSD runs on 64-bit CHERI-RISC-V and Arm Morello.

QEMU-CHERI

We have also developed a QEMU CHERI-RISC-V and Morello implementation, which provides an ISA-level emulation of our CHERI extensions to the 32/64-bit RISC-V ISA, as well as Arm's Morello architecture. While not micro-architecturally realistic, this emulation can be useful for software development, especially in the absence of an FPGA or access to Bluespec. It is faster than the Sail-generated C emulator, but less directly based on the Sail CHERI-RISC-V ISA specification.

Other ported software

CheriBSD ships with around 10,000 lightly adapted open-source packages, including a desktop stack. These are available as precompiled packages for CheriBSD on Morello, and through the CheriBSD ports collection for both CHERI-RISC-V and Morello. As described in Getting Started with CheriBSD, these packages have been compiled for CHERI rather than fully adapted to it, and they should be used with that limitation in mind.