CHERI

CHERI Software Stack

This page describes our CHERI software-stack prototypes, including the CHERI Clang/LLVM/LLD compiler suite and linker, CheriBSD operating system, and QEMU-CHERI ISA-level simulator. We have also performed CHERI adaptations of the GDB debugger, FreeRTOS embedded operating system, and Spike RISC-V simulator, as well as applications such as WebKit. Entirely new software is released under a BSD license; extensions to existing software packages are released under the license used by that package.

Our recent ASPLOS 2019 paper on CheriABI provides the best current general introduction to CHERI memory safety for operating systems and applications. There is also an extended CheriABI technical report that contains additional implementation information on this work.

CHERI Clang/LLVM compiler suite, LLD linker, and GDB debugger

CHERI Clang/LLVM and LLD are a complete compiler suite and compile-time linker for use with the CHERI architecture as instantiated for 64-bit MIPS and 32/64-bit RISC-V. We have also adapted the GDB debugger to use CHERI. The suite targets two C interpretations and ABIs:

Hybrid-capability C and binary code

Hybrid-capability C/C++ starts with the conventional integer implementation of C/C++ pointers, but allows types to be optionally qualified in order to trigger implementation using CHERI capabilities. This model could also transparently introduce capability use where it does not interfere with existing ABIs. This model is typically used in low-level OS components and compatibility layers, such as in allowing the pure-capability CheriABI process environment to be implemented over a hybrid-capability kernel.

Pure-capability C and binary code

Pure-capability C/C++ implements all C/C++ pointers using CHERI capabilities. This includes explicit pointers (such as explicitly declared pointers to functions, global variables, local variables, and heap allocations), and also implicit pointers (such as return addresses, and GOT pointers). This model is suitable for a broad variety of uses, including in providing strong memory safety for operating-system kernels and user applications. CHERI C is documented in our CHERI C/C++ Programming Guide.

CheriBSD operating system

CheriBSD is an adaptation of the open-source FreeBSD operating system to utilize the CHERI Architecture's capability-system model. CheriBSD provides strong CHERI-based memory protection for the kernel and userspace, as well as support for scalable single-address-space software compartmentalization. By default, the kernel is compiled as a hybrid-capability binary, but we have experimental extensions that allow it to run as a pure-capability binary. Both kernels support running existing off-the-shelf userspace MIPS and RISC-V binaries, as well as pure-capability binaries running in the CheriABI process environment. CheriBSD runs on 64-bit CHERI-MIPS and 64-bit CHERI-RISC-V.

QEMU-CHERI

We have also developed a QEMU CHERI-MIPS and CHERI-RISC-V implementation, which provides an ISA-level emulation of our CHERI extensions to the 64-bit MIPS and RISC-V ISAs. While not micro-architecturally realistic, this emulation can be useful for software development, especially in the absence of an FPGA or access to Bluespec. It is faster than the Sail-generated C emulator, but less directly based on the Sail CHERI-MIPS and CHERI-RISC-V ISA specifications.

Other ported software

In addition to software packages such as OpenSSL and OpenSSH that are included in CheriBSD, we have ported a number of other applications to CHERI. These include:

nginx

Webserver

newlib

Embedded/baremetal C standard library.

PostgreSQL

Enterprise relational database.

Qt

Cross-platform GUI framework.

SQLite

Embedded relational database.

WebKit

The WebKit browser platform and JavaScript Core (JSC) language runtime. This includes a CHERI-adapted JIT for Morello