Department of Computer Science and Technology

CHERI

CHERI compartmentalization figure

CHERI Software Stack

April 2019: We are pleased to announce that our ASPLOS 2019 paper on CHERI and OS design, CheriABI: Enforcing Valid Pointer Provenance and Minimizing Pointer Privilege in the POSIX C Run-time Environment, on the general-purpose OS design implications of CHERI when used for ubiquitous memory safety, has won an ASPLOS Best Paper award.
June 2017: We have now posted our ASPLOS 2017 paper, CHERI-JNI: Sinking the Java security model into the C, which explores how CHERI capabilities can be used to support sandboxing with safe and efficient memory sharing between Java Native Interface (JNI) code and the Java Virtual Machine.
June 2016: We have now posted our PLDI 2016 paper, Into the depths of C: elaborating the de facto standards, which develops a formal model for the C language, and explores its implications for CHERI. This paper won a PLDI 2016 distinguished paper award.

This page describes our CHERI software-stack prototypes, including the CHERI Clang/LLVM/LLD compiler suite and linker, the CheriBSD operating system, and the QEMU-CHERI ISA-level simulator. We have also performed CHERI adaptations of the LLDB debugger, the FreeRTOS embedded operating system, and the Spike RISC-V simulator, as well as of applications such as WebKit. Entirely new software is released under a BSD license; extensions to existing software packages are released under the license used by that package.

Our recent ASPLOS 2019 paper on CheriABI provides the best current general introduction to CHERI memory safety for operating systems and applications. There is also an extended CheriABI technical report that contains additional implementation information on this work.

CHERI Clang/LLVM compiler suite and LLD linker

CHERI Clang/LLVM and LLD are a complete compiler suite and compile-time linker for use with the CHERI architecture as instantiated for 64-bit MIPS and 32/64-bit RISC-V. The suite targets two C interpretations and ABIs:

Hybrid-capability C and binary code
Hybrid-capability C/C++ starts with the conventional integer implementation of C/C++ pointers, but allows types to be optionally qualified in order to trigger implementation using CHERI capabilities. This model can also transparently introduce capability use where it does not interfere with existing ABIs. It is typically used in low-level OS components and compatibility layers, such as allowing the pure-capability CheriABI process environment to be implemented over a hybrid-capability kernel.
Pure-capability C and binary code
Pure-capability C/C++ implements all C/C++ pointers using CHERI capabilities. This includes explicit pointers (such as explicitly declared pointers to functions, global variables, local variables, and heap allocations), and also implicit pointers (such as return addresses, and GOT pointers). This model is suitable for a broad variety of uses, including in providing strong memory safety for operating-system kernels and user applications.

CheriBSD operating system

CheriBSD is an adaptation of the open-source FreeBSD operating system to utilize the CHERI Architecture's capability-system model. CheriBSD provides strong CHERI-based memory protection for the kernel and userspace, as well as support for scalable single-address-space software compartmentalization. By default, the kernel is compiled as a hybrid-capability binary, but we have experimental extensions that allow it to run as a pure-capability binary. Both kernels support running existing off-the-shelf userspace MIPS binaries, as well as pure-capability binaries running in the CheriABI process environment. CheriBSD runs on 64-bit CHERI-MIPS, and we are currently adapting it to run on 64-bit CHERI-RISC-V.

QEMU-CHERI

We have also developed a QEMU CHERI-MIPS implementation, which provides an ISA-level emulation of our CHERI extensions to the 64-bit MIPS ISA. While not micro-architecturally realistic, this emulation can be useful for software development, especially in the absence of an FPGA or access to Bluespec. It is faster than the Sail-generated C emulator, but less directly based on the Sail CHERI-MIPS ISA specification.