Technical Report

Number 940



**Computer Laboratory** 

Rigorous engineering for hardware security: formal modelling and proof in the CHERI design and implementation process

Kyndylan Nienhuis, Alexandre Joannou, Anthony Fox, Michael Roe, Thomas Bauereiss, Brian Campbell, Matthew Naylor, Robert M. Norton, Simon W. Moore, Peter G. Neumann, Ian Stark, Robert N. M. Watson, Peter Sewell

September 2019

15 JJ Thomson Avenue Cambridge CB3 0FD United Kingdom phone +44 1223 763500

https://www.cl.cam.ac.uk/

© 2019 Kyndylan Nienhuis, Alexandre Joannou, Anthony Fox, Michael Roe, Thomas Bauereiss, Brian Campbell, Matthew Naylor, Robert M. Norton, Simon W. Moore, Peter G. Neumann, Ian Stark, Robert N. M. Watson, Peter Sewell, SRI International

This work was supported by EPSRC programme grant EP/K008528/1 (REMS: Rigorous Engineering for Mainstream Systems). This work was supported by a Gates studentship (Nienhuis). This project has received funding from the European Research Council (ERC) under the European Union's Horizon 2020 research and innovation programme (grant agreement 789108). This work was supported by the Defense Advanced Research Projects Agency (DARPA) and the Air Force Research Laboratory (AFRL), under contracts FA8750-10-C-0237 (CTSRD), HR0011-18-C-0016 (ECATS), and FA8650-18-C-7809 (CIFV). The views, opinions, and/or findings contained in this paper are those of the authors and should not be interpreted as representing the official views or policies, either expressed or implied, of the Department of Defense or the U.S. Government. Approved for public release; distribution is unlimited.

Technical reports published by the University of Cambridge Computer Laboratory are freely available via the Internet:

https://www.cl.cam.ac.uk/techreports/

ISSN 1476-2986

# Contents

| 1            | Intr | oduction                                               | 4         |  |  |
|--------------|------|--------------------------------------------------------|-----------|--|--|
|              | 1.1  | 1.1 The CHERI context                                  |           |  |  |
|              | 1.2  | The problems with traditional engineering methods      | 6         |  |  |
|              | 1.3  | Contributions                                          | 6         |  |  |
|              |      | 1.3.1 Lightweight rigorous engineering $(\S3)$         | 6         |  |  |
|              |      | 1.3.2 Stating architectural security properties (§4)   | 7         |  |  |
|              |      | 1.3.3 Formal proofs of security properties (§5)        | 7         |  |  |
|              | 1.4  | Non-goals and Limitations                              | 7         |  |  |
| <b>2</b>     | Bac  | kground: CHERI                                         | 8         |  |  |
|              | 2.1  | Fine-grained memory protection                         | 8         |  |  |
|              | 2.2  | Software compartmentalisation                          | 10        |  |  |
| 3            | Ligł | ntweight rigorous engineering                          | 11        |  |  |
|              | 3.1  | Using the models as design documents                   | 12        |  |  |
|              | 3.2  | Using the models as oracles for hardware testing       | 14        |  |  |
|              | 3.3  | Using the models for software bring-up                 | 14        |  |  |
|              | 3.4  | Using the models for test generation                   | 15        |  |  |
| 4            | Stat | ing architectural security properties                  | 15        |  |  |
|              | 4.1  | Capability order                                       | 16        |  |  |
|              | 4.2  | Capturing the intention of instructions                | 17        |  |  |
|              |      | 4.2.1 Defining security properties for the abstraction | 19        |  |  |
|              |      | 4.2.2 Defining invariants of the execution step        | 20        |  |  |
|              |      | 4.2.3 Defining capability derivations                  | 20        |  |  |
|              | 4.3  | Characterising reachable capabilities                  | 21        |  |  |
|              | 4.4  | Isolating a user space compartment                     | 22        |  |  |
| <b>5</b>     | Pro  | ving the architectural security properties             | <b>24</b> |  |  |
| 6            | Bug  | s found by proof work                                  | <b>25</b> |  |  |
| 7            | Tra  | nsition from L3 to Sail                                | 26        |  |  |
| 8            | Rel  | ated work                                              | 26        |  |  |
|              | 100M |                                                        | _0        |  |  |
| $\mathbf{A}$ | Add  | litional property definitions                          | <b>28</b> |  |  |

#### Abstract

The root causes of many security vulnerabilities include a pernicious combination of two problems, often regarded as inescapable aspects of computing. First, the protection mechanisms provided by the mainstream processor architecture and C/C++ language abstractions, dating back to the 1970s and before, provide only coarse-grain virtual-memory-based protection. Second, mainstream system engineering relies almost exclusively on test-and-debug methods, with (at best) prose specifications. These methods have historically sufficed commercially for much of the computer industry, but they fail to prevent large numbers of exploitable bugs, and the security problems that this causes are becoming ever more acute.

In this paper we show how more rigorous engineering methods can be applied to the development of a new security-enhanced processor architecture, with its accompanying hardware implementation and software stack. We use formal models of the complete instruction-set architecture (ISA) at the heart of the design and engineering process, both in lightweight ways that support and improve normal engineering practice – as documentation, in emulators used as a test oracle for hardware and for running software, and for test generation – and for formal verification. We formalise key intended security properties of the design, and establish that these hold with mechanised proof. This is for the same complete ISA models (complete enough to boot operating systems), without idealisation.

We do this for CHERI, an architecture with *hardware capabilities* that supports fine-grained memory protection and scalable secure compartmentalisation, while offering a smooth adoption path for existing software. CHERI is a maturing research architecture, developed since 2010, with work now underway to explore its possible adoption in mass-market commercial processors. The rigorous engineering work described here has been an integral part of its development to date, enabling more rapid and confident experimentation, and boosting confidence in the design.

## 1 Introduction

Despite decades of research, memory safety bugs are still responsible for many security vulnerabilities [1]. Microsoft estimates that 70% of the vulnerabilities they have patched between 2006 and 2018 are caused by memory safety issues [2], MITRE considers classic buffer overflows as the third most dangerous software error [3], and high-profile memory-safety bugs such as Heartbleed [4] have become common in recent years.

There are two fundamental problems here. First, mainstream hardware architectures and C/C++ language abstractions provide only coarse-grained memory protection, via the memory management unit (MMU). This is hard to change: introducing fine-grained memory protection in software, e.g. with software bounds-checking, is often too inefficient, while the mass of legacy C/C++ code makes it infeasible to migrate everything to a typesafe language, or to radically change hardware architectures.

Second, mainstream systems are typically developed using test-and-debug engineering methods. While this often suffices to build systems that are sufficiently functionally correct under normal use, it fails to build secure systems: it is easy to miss a small mistake that manifests itself only in a corner case, but attackers will actively try to find these, and one small bug can compromise the entire system.

CHERI is an ongoing research project that addresses the first problem with hardware support for fine-grained memory protection and scalable software compartmentalisation, aiming to provide practically deployable performance and compatibility [5, 6, 7]. CHERI achieves this by extending commodity architectures with new security mechanisms, and adapting a conventional software stack to make use of these.

This paper addresses the second problem: we show how more rigorous engineering methods can be used to improve assurance and complement traditional methods, using the CHERI project as a whole as a testbench for this. These include both lightweight methods – formal specification and testing methods that provide engineering and assurance benefits for hardware and software engineering without the challenges of full formal verification – and more heavyweight machine-checked proof, establishing very high confidence that the architecture design provides specific security properties.

### 1.1 The CHERI context

The CHERI design is based on two principles. The principle of least privilege [8] says that each part of a program should run only with the permissions it needs to function. For example, a conventional C/C++ program implicitly uses permission to its entire memory region for accesses via a pointer, making it vulnerable to buffer overflows, but in CHERI it can be limited to the permission to access the pointed-to object. On a larger scale, the JavaScript execution engine of a browser does not need access to the encryption keys used in SSL connections, so by restricting its permissions one can ensure that even a compromised JavaScript engine cannot access these keys. The principle of *intentional use* states that when a program performs an action, it should explicitly state which permissions it uses to authorise that action. This helps avoid the confused deputy problem [9]. For example, an operating system (OS) may need to hold permission to access the entirety of a user process (e.g. for paging), but when that process makes a read() system call, passing a pointer to a user-space buffer, CHERI makes it possible for the relevant OS code to use the more restricted permission to just that buffer. The CHERI design involves no lookup or searching for permissions, which is important both to embody this principle and for performance.

These principles are realised in CHERI with *hardware capabilities*: to access memory, one needs to possess a capability that authorises that access. A capability augments the usual virtual address of a language-level pointer with bounds that specify the memory region it relates to, and with permission bits that specify what kind of actions it can authorise. To distinguish capabilities from data, CHERI uses *tagged memory*. Valid capabilities have their tag set, and if they are overwritten with a non-capability, their tag is cleared, rendering them safely unusable. CHERI introduces new instructions that can manipulate a capability without clearing its tag: to change its virtual address, shrink its bounds, decrease its permissions, or copy it. It is crucial to the design that no instruction can grow the bounds of a capability, or add permissions. To enable software compartmentalisation, CHERI provides additional mechanisms for mutually untrusting compartments to communicate.

The CHERI design has been elaborated initially as CHERI-MIPS, extending 64-bit MIPS [10] with capabilities. Our CHERI-MIPS architecture definition, including the description of the programmer-visible machine state and instruction behaviour that make up the instruction-set architecture (ISA), is the central design artefact [6]. As usual for a processor architecture, it defines the hardware/software interface: the envelope of programmer-visible allowed behaviour of CHERI hardware implementations (that software must be programmed above), but without any hardware-implementation (microarchitectural) specifics, e.g. of pipelines, cache hierarchies, etc. Then there is a Bluespec [11]

FPGA hardware implementation of the architecture, and a software stack above it, adapting LLVM [12] and FreeBSD [13] to CHERI-MIPS. All this has involved extensive work on the interaction between the capability system and systems aspects of memory management (static and dynamic linking, process creation, context switching, page swapping and signal delivery) [14]; on the overhead of compiling pointers to capabilities [5, 15]; on compartmentalisation of legacy software [16]; and on the performance overhead of tagged memory [17] and protection-domain switches [18]. The underlying ideas are portable, not MIPS-specific, and work is underway on experimental RISC-V and ARM versions.

## 1.2 The problems with traditional engineering methods

CHERI-MIPS was initially developed using the traditional engineering methods mentioned above: the security properties that the architecture is intended to enforce were described in prose; the architecture was described in prose and pseudocode; and the hardware implementation of the architecture was validated with hand-written tests. This led to the following problems, often accepted as inescapable aspects of normal practice.

First, the prose and pseudocode architecture description was not executable as a test oracle, to check the hardware implementation behaviour against, or as an emulator, to run software above. Hardware validation tests therefore required manual curation of their intended outcomes, so tests could not be automatically generated, and it was not possible to rerun software tests after changes in the architecture until the hardware implementation was updated.

Second, while the designers had strong intuitions about the security properties the architecture should provide, their prose statements were inevitably less precise than they could be, and omitted crucial details. This led to unnecessary confusion in internal discussions of (for example) the concepts of capability provenance and monotonicity, central to the design, and made it harder to explain these to others.

Third, it was very difficult to assess whether the architecture actually provided these intended security properties. Architecture descriptions are large and complex, from 100s to 1000s of pages, and security properties can depend on much or all of this. For example, in CHERI-MIPS, a mis-specification of the interaction between user and system modes, exceptions, address translation, or any of the 180-odd instructions could potentially break its security protection. At the same time, CHERI's correctness is crucially important: its security protection will come under direct attack, and one mistake could be enough to cancel out all the protection that CHERI offers. Moreover, if the architecture specification is flawed, containing some security vulnerability, then any conforming hardware implementation will inherit that vulnerability.

### **1.3** Contributions

We address these problems with three contributions.

### 1.3.1 Lightweight rigorous engineering (§3)

We show that prose-and-pseudocode ISA descriptions can be replaced in the architecture design process with rigorous definitions, which are at once clearly readable, executable as test oracles, and support automatic test generation. Importantly, developing such formal definitions for CHERI-MIPS did not require any formal background, so the researchers and engineers who would otherwise write a prose/pseudocode architecture document could

write and own them. As is familiar from other uses of formal specification, this low-cost activity already brought several benefits, even before any proof work was undertaken.

#### 1.3.2 Stating architectural security properties (§4)

We show how the intended security properties of the architecture can be precisely and formally stated, in terms of the above rigorous definitions of instruction behaviour. Furthermore, we express these properties in relatively simple terms, using basic operations over sets and quantified formulas, so understanding them does not require extensive formal background. This makes it possible to unambiguously communicate the guarantees that CHERI-MIPS offers to the relevant audiences: to software users of the architecture, so they understand the limits of its protection; to hardware engineers, so their implementations do not accidentally break said guarantees; and among the authors of the architecture themselves, so they can ensure that the guarantees are as intended.

The properties we define for CHERI-MIPS (1) capture the memory access intentions of the instructions, (2) capture a reachable-capability monotonicity property, that arbitrary code, if given some initial permissions, cannot increase those during its execution (up to the point of any domain transition); (3) capture the property that arbitrary code, if not initially given permission to access particular system registers and memory regions, leaves them invariant as that code is executed; and (4) capture the guarantees one has (and the required assumptions) when executing an untrusted subprogram within a controlled isolation boundary.

#### **1.3.3** Formal proofs of security properties (§5)

Finally, we show how to mathematically prove these security properties, with machinechecked proof, in a way that is scalable to the entire ISA and that can be integrated in the ISA design process. This gives a level of confidence that is not achievable with testing alone.

Fig. 1 illustrates the main artifacts of the CHERI engineering process. We have done this for CHERI-MIPS, but the same problems exist for other security architecture features, e.g. Intel SGX and ARM TrustZone, and we believe similar solutions could be applied. CHERI started off with a hardware/software co-design approach, which is already unusual but is necessary for improving security at the architectural interface. Here we show the benefits of a three-way *hardware/software/formal-semantics* co-design approach.

### 1.4 Non-goals and Limitations

Our focus here is on the definition and proof of specific security properties of the CHERI *processor architecture*: the specification of the hardware/software interface. This is an essential step in increasing confidence in CHERI-MIPS, but we have not, of course, proved that CHERI as a whole "is secure" (which is not even precisely statable). Our work has helped validate the CHERI-MIPS hardware implementation, but it does not prove the hardware implementation correct with respect to the architecture, or prove correctness or security properties of system software above the architecture (though it is a necessary precondition for any such proofs). Our security properties only address behaviour that is visible at the architectural abstraction. As usual, this abstracts from timing behaviour and power consumption, so our properties cannot talk about possible side-channel information flow via these. How to manage side channels remains an open research area, but



Figure 1: The main artifacts of the CHERI engineering process. Those in the central column are all automatically generated from the L3/Sail formal ISA specifications. The CHERI hardware design is tested against the generated emulators, using both autogenerated and (not shown) manually written tests. The CHERI software stack, including adaptions of Clang and FreeBSD, is developed by running above the generated emulators, the hardware, and (not shown) a QEMU emulator. The security properties are stated and proved in terms of the automatically generated Isabelle version of the ISA specification.

the isolation properties that we establish are certainly necessary, even if not sufficient, for whole-system security. There is ongoing non-formal work exploring side-channels w.r.t. CHERI [19]. Moreover, the architecture is an intentionally loose specification, to admit implementation variation, and therefore our properties also cannot talk about *architecturally visible* information flow: a (compromised or adversarial) hardware implementation could leak information while conforming to the architecture by exploiting this looseness. Our properties do exclude architecturally visible *capability* flow, which is likewise necessary, even if not sufficient, for whole-system security. Finally, the formal semantics only covers the uniprocessor case.

# 2 Background: CHERI

CHERI aims to prevent or mitigate many security vulnerabilities. It does so by extending commodity instruction-set architectures with a capability system, enabling fine-grained memory protection and scalable software compartmentalisation, while offering a practical gradual adoption path for existing software. In this section we explain the main aspects of the CHERI capability system, with two examples. CHERI also supports a range of other use-cases with additional features that we cannot explain here; for details of those see [6].

## 2.1 Fine-grained memory protection

As highlighted at the start, many security vulnerabilities involve memory safety violations arising from coding errors in unsafe languages. The CHERI hardware extensions make it



Figure 2: Comparing ISO C with CHERI C. In ISO C the (flawed) program on the left has undefined behaviour, but in practice can leak the secret key. In CHERI C the same program has defined behaviour and will always trap with a hardware exception, because the address used for the \*p access is not within the footprint of the capability.

possible to implement unsafe languages, notably C and C++, in ways that enforce spatial memory safety – thus preventing or mitigating many vulnerabilities – while aiming to keep performance and code-porting costs acceptable.

For example, consider the C program on the left of Fig. 2. This declares a secret\_key, but the programmer does not intend that the main() function access that, let alone leak it. However, a coding error introduced code that creates a pointer p to another global, x, increments p, and dereferences it with \*p. In ISO C this program has undefined behaviour, because the \*p access is to a location outside the x allocation, meaning that conventional C implementations can assume that programs do not contain such accesses (implementations are not required to trap or otherwise detect the error). In practice, however, the machine representation of a pointer is typically just an integer address, and a conventional implementation will typically output whatever is next to x in the memory layout, which here can be, and often is, secret\_key. The middle of Fig. 2 illustrates one such execution, with x allocated at 0x14 and secret\_key at 0x18. After the increment, the value of p is just 0x18; a conventional processor implementation will simply load from that address – turning that coding error into a security leak.

In CHERI, however, one can compile C or C++ source to represent pointer values with capabilities instead of integer addresses, as shown on the right of Fig. 2. On a 64-bit CHERI architecture, the value of p is a 256-bit or 128-bit capability that includes not just a virtual address but also identifies the *base*, *length*, and *permissions* of the memory region that the capability is allowed to access – here that of the original x allocation. A compression scheme [15] can keep these and other data within a 128-bit representation, exploiting the redundancy from allocation alignment, though the proofs later in this paper are about the earlier uncompressed 256-bit version. C pointer arithmetic is compiled to instructions that change capability virtual addresses, leaving their allowed memory regions unchanged. All this means the hardware can do an efficient access-time check, at the \*p dereference, that the access is within that region, and deterministically trap otherwise. So far, this is similar to software fat-pointer designs [20, 21, 22], but CHERI capabilities are protected from accidental or malicious modification: an additional *tag* bit, one per capability-sized and aligned 128-bit region of memory, keeps track of whether that memory holds a valid capability. The hardware preserves the tag if valid capability instructions are used, but clears it otherwise (e.g., if individual bytes are written); tags are not independently addressable; and the ISA is designed so that no instruction can increase the access rights of a capability. The hardware provides a universal capability at start-up, and the OS, linker, compiler-generated code, and language runtime allocators gradually construct appropriately smaller capabilities; in this example, the linker constructs precise capabilities for the globals. Capabilities are also used to protect non-source pointers, including code pointers such as PC values and return addresses.

This example illustrates the principles of least privilege and intentional use: the program as a whole has the permission to load the secret key, but it was not the programmer's intention to do this when dereferencing p. In CHERI C this intention is preserved and the capability which is the value of p has the least privilege required to access x, so it is impossible to load the key through that memory access.

Porting legacy software to CHERI is eased by the fact that source changes are needed only in rare cases, e.g. where code manipulates the representation bytes of pointers explicitly. This example requires none, just a re-compile. In other work we have ported FreeBSD user-space to CHERI and analysed the changes required [14, 23]; we have also ported other software, including WebKit. Porting does involve an ABI change, as pointer sizes change, but one can also compile in a hybrid mode, with only selected pointers represented with capabilities, or encapsulate legacy code compiled in the normal way by running it with default data and code capabilities.

The above provides spatial but not temporal memory safety, but the fact that CHERI pointers and integers can be reliably distinguished creates new possibilities for temporal enforcement, currently being investigated.

### 2.2 Software compartmentalisation

At a larger granularity, and especially when running untrusted binaries, or code for which the porting or performance costs of CHERI C (modest though they are) are not acceptable, software compartmentalisation can help to make a system more robust against attacks by mitigating the effects of successful exploits. Conventional systems do this with operating system processes and hypervisor virtual machines, using hardware memory-managementunit (MMU) protection, managed by trusted OS or hypervisor code, to enforce memory isolation (or confinement) between arbitrary untrusted binaries. However, MMU protection scales poorly with larger numbers of compartments and operates only at page granularity, limiting its applicability.

CHERI supports scalable compartmentalisation by extending the core capability system described above with additional mechanisms for controlled communication between mutually untrusting compartments. Memory isolation is achieved with the same mechanism as above: if a compartment does not possess (and is not passed) a capability with permission to access a region of memory, CHERI guarantees that it cannot access that region. Controlled communication between compartments is achieved with *sealed* capabilities. A capability can be sealed with an *object type* (currently an 18-bit field within the compressed capability). A sealed capability has temporarily lost all authority for memory accesses; it can only be passed around, unsealed (with permission), or *invoked* with a **CCall** instruction. This takes two capabilities, one for code and one for data, which must both be sealed and have the same object type. It supports two kinds of secure domain transition: one via an exception to a trusted handler (which might manage a trusted stack), and the other a direct jump to the address of the sealed code capability, that also atomically unseals the sealed data capability.

For example, one compartment A might give a mutually untrusted compartment B a sealed code capability to a particular entry point within A, and a sealed data capability to the local data of A, both sealed with some particular object type o. Since these are sealed, B cannot use them to directly access the code or data of A, but it can **CCall** them to invoke that specific entry point. If it does so, A is back in control, and can again access its local data using the now-unsealed data capability. B might also have passed in a capability to a specific sub-region of its own local data, to let A operate on it. The sealing and unsealing of capabilities is itself capability-controlled; for the above to be secure it is essential that B is set up without the capability to unseal object type o.

In some compartmentalisation scenarios one trusts compartments to not leak their own capabilities, but in others one wants to prevent (malicious or compromised) compartments from cooperating. To support that, CHERI defines separate permissions for storing/load-ing data and for storing/loading capabilities. For example, to allow two compartments to communicate plain data while preventing them from exchanging their capabilities, one could give them authority to load and store data (only) to a shared region. Additionally, CHERI has a mechanism to allow some capabilities to be shared but not others: capabilities can be flagged as *local* (as opposed to global). To store local capabilities one needs an additional permission. By setting up compartments with just the authority to read capabilities, and to store global capabilities to a shared region, they cannot exchange their local capabilities.

These mechanisms can be used for secure encapsulation at various scales, from protection of individual C++ objects that call each other's methods, to vulnerability-prone compression or media code libraries, to whole processes within the same address space, protected from each other using CHERI alone rather than with MMU protection.

## 3 Lightweight rigorous engineering

Formal specifications, in security and elsewhere, are often introduced solely to support mechanised proofs, and the skills and techniques this needs often makes formal specification divorced from normal engineering practice. For example, much (though not all) of the large literature on security protocol verification only addresses abstract models of protocols, disconnected from their actual implementations, and its techniques are often not accessible to the engineers who code those.

In contrast, in bringing rigorous techniques to bear on the CHERI secure architecture design, an important goal was to support the security, architecture, and operating systems researchers and developers involved, who are not theorem-prover experts, by fitting in with and complementing their normal engineering practice – while simultaneously enabling formal statement and proof of security properties of their actual architecture design, not just some idealised model thereof. We aimed to improve their engineering practice in multiple lightweight ways, with immediate benefits long before the formal proof was complete.

Industrial processor architecture specifications, including AMD64, IBM POWER, Intel 64, MIPS, RISC-V, and SPARC, usually define their envelopes of programmer-visible allowed behaviour with documents containing a mix of prose and pseudocode [24, 25, 26, 27, 28]. These are typically multi-thousand-page books containing masses of detail, about instruction behaviour, encodings, address translation, interrupts, etc. They are not computational artefacts, so vendors typically also develop internal "golden" reference models to use as oracles for hardware testing, often in conventional programming languages such as C++. Arm, exceptionally, have recently transitioned to a machine-processed pseudocode, so what is in their manual can actually be tested against [29].

A reference model could be written in almost any language, but a rigorous architecture specification should be clear enough to also use as readable documentation of instruction behaviour. For this, it is desirable to use as simple a language as possible, close in appearance to the imperative pseudocode common in industrial architectures, with intentionally limited expressiveness compared to general-purpose languages such as C or C++. Many such Instruction Definition Languages (IDLs) have been developed [30]. Then, for use in testing, it has to be possible to execute the definitions efficiently enough, and to support proof, the IDL must have a straightforward semantics that can be mapped directly into the input languages of theorem provers.

For CHERI, we started off in 2011 with traditional pseudocode descriptions, together with experimental formal modelling (unpublished) of key instructions in PVS [31]. In 2014, starting the work reported on in this paper, we began work on complete formal models in the L3 [32] IDL, and more recently in Sail [33], partly developed with CHERI in mind.

L3 and Sail are both strongly typed, first-order imperative language that aim to be accessible to engineers without a formal background. To illustrate this, Fig. 3 shows the L3 specification of the CHERI-MIPS CLB rd, rt, offset(cb) instruction, to load a byte via the capability in register cb. This takes a capability from cb, calculates an effective address (Line 15) by summing its virtual address, the value in register rt, and the sign-extended offset, uses that to load a byte from memory (Line 29), and writes the appropriate value (possibly sign-extended) back into rd. The instruction checks several conditions, e.g. (Lines 5–10) that the capability has its tag set, is not sealed, and has permission to load, and (Lines 23–27) that the address is within the bounds of the capability. If any of these fail, the instruction raises a hardware exception.

The complete model includes everything that is necessary to boot an operating system, including exceptions, the translation lookaside buffer (TLB), and the programmable interrupt controller (PIC). The Sail specification is broadly similar; Sail differs from L3 mainly in providing a rich but decidable type system, with lightweight dependent types to let computed bitvector lengths be statically checked. The L3 and Sail versions are each around 7k lines of specification.

### 3.1 Using the models as design documents

Our first lightweight use of these rigorous models is as improved design documentation. L3 and Sail parse and type-check their input, immediately catching errors that are easy to make in non-mechanised pseudocode specifications, and they allow no ambiguity. For example, Fig. 3 makes clear exactly what checks are done, which exceptions will be flagged if they fail, and the priority among these. The Sail specifications of each instruction are

```
1 define CLoad (rd::reg, cb::reg, rt::reg, offset::bits(8),
2
             s::bits(1), t::bits(2)) =
3 if not CP0.Status.CU2 then
     SignalCP2UnusableException
4
5 else if not getTag(CAPR(cb)) then
6
     SignalCapException(capExcTag,cb)
7 else if getSealed(CAPR(cb)) then
     SignalCapException(capExcSeal,cb)
8
9 else if not getPerms(CAPR(cb)).Permit_Load then
10
     SignalCapException(capExcPermLoad,cb)
11 else {
12
     cap_cb = CAPR(cb);
13
     cursor = getBase(cap_cb) + getOffset(cap_cb);
14
     extOff = (([offset<7>]::bits(1))^3:offset) << [t];</pre>
15
     addr = cursor + GPR(rt) + SignExtend(extOff);
16
     var size; var access; var bytesel = '000';
17
     match t {
       case 0 => {
18
19
        size <- 1;
20
        access <- BYTE;</pre>
21
        bytesel <- addr<2:0> ?? BigEndianCPU^3 }
22
       [...OTHER CASES ELIDED, FOR 2,4,8-BYTE LOADS...] };
23
     if ('0':addr) + ('0':size) >+
24
        ('0':getBase(cap_cb)) + ('0':getLength(cap_cb)) then
25
       SignalCapException(capExcLength,cb)
26
     else if addr <+ getBase(cap_cb) then</pre>
27
       SignalCapException(capExcLength,cb)
     else {
28
29
       data = LoadMemoryCap(access, true, [addr], false);
30
       when not exceptionSignalled do {
31
        data_list = [data]::bool list;
32
        bottom = ([bytesel]::nat)*8;
33
        top = ([bytesel]::nat)*8 + ([size]::nat)*8 - 1;
34
        final_data = data_list<top:bottom>;
35
        if s == 0 then
36
           GPR(rd) <- [ZeroExtendBitString(64, final_data)]</pre>
37
        else GPR(rd) <- [SignExtendBitString(64, final_data)]</pre>
38
```

Figure 3: The L3 specification of the CLB rd, rt, offset(cb) Load Integer via Capability Register instruction, and variants.

now (2019) included verbatim in the CHERI architecture document [6], replacing earlier informal pseudocode that had to be maintained separately.

### 3.2 Using the models as oracles for hardware testing

The second lightweight use is as oracles for testing our Bluespec FPGA hardware implementations of CHERI processors against. L3 and Sail both automatically generate emulators from ISA models, variously in SML, OCaml, and C. For CHERI-MIPS these run at 300–400 KIPS, which is fast enough to boot FreeBSD in around four minutes, and to run many hardware tests. Being able to automatically re-run such tests against the architecture specification in a continuous integration environment has been invaluable, as both the architecture and the hardware implementations have been developed in parallel.

The simplicity of the L3 and Sail IDLs enabled Computer Architecture and Security researchers to directly edit and own the CHERI models, and to automatically see the benefits in the continuous integration setup. In turn, this assisted in updating the other artifacts in the project (FPGA implementation, software unit tests, etc.), which ultimately led to the adoption of this approach by the whole research team.

Furthermore, executable specifications make it easier to experiment with design alternatives, as one can compute their behaviours without needing micro-architectural implementations. For example, early exploration of compression schemes for CHERI capabilities and their potential architectural impacts were explored in the CHERI L3 model. We also extended the models with some microarchitectural details, such as a cache hierarchy, to rapidly explore potential uses of CHERI capabilities within the memory subsystem. This is also an appealing feature to a Computer Architecture researcher.

We also wrote a traditional QEMU [34] CHERI emulator, by hand. This was useful, with 100x the speed of the L3 model, and support for many devices, but it was in C, in a not particularly readable style, and was quite error prone.

The L3 model and the original prose ISA specification do have some intentional subtle differences, to ease comparison of hardware-implementation and L3 model traces in a few cases where the former is non-deterministic. For example, the TLBWR instruction architecturally writes a random TLB entry, but our hardware implementation writes a certain entry based on a counter, and the L3 model follows that.

### 3.3 Using the models for software bring-up

Being a whole-system project, CHERI involves extensive hardware and software work by different sub-teams. This means that when something goes wrong, it may not be clear whether the hardware is failing to meet the spec, or the software is making an invalid assumption. A big benefit of the architecture specification being executable is that it can help answer this question. For example, when first bringing up multicore CHERI on FPGA, FreeBSD was getting stuck late in boot. It seemed most likely that this was a hardware issue in the new cache coherency mechanism, but we could use our recently-developed L3 model to reproduce the problem, suggesting a software issue. After exploring the trace, we identified a kernel bug in which the programmable interrupt controller was being mapped to an incorrect address, preventing inter-processor interrupts. Simply narrowing down the source of the problem saved many futile hours of painful hardware debugging. We now routinely bring up new software, e.g. CHERI compiler support, above the formal models.

### 3.4 Using the models for test generation

Our initial hardware development relied on a manually (and painfully) written test suite. With authoritative formal models, it is no longer necessary to manually specify the intended outcomes of tests, as one can simply compare hardware vs model running arbitrary code, so it becomes possible to autogenerate tests. To generate random sequences of instructions that achieve good coverage in the presence of a large number of security tests in the capability instructions, it was important to control which instructions could generate a processor exception and why. We used a combination of symbolic execution of the L3 specification and automatic constraint solving [35] to find an initial processor state where only the chosen instruction would fault. A few thousand tests generated in this way were sufficient to cover almost all of the instruction behaviour in the specification. These revealed discrepancies between the L3, the hardware, and the QEMU simulator, including bugs in the modelling and simulation of delay slots and exceptions (one in the upstream QEMU MIPS), and a security-relevant bug in the hardware. This automatic technique was easily adapted to changes as the ISA was developed.

## 4 Stating architectural security properties

Formal security properties have two main benefits over prose properties. First, prose properties are prone to ambiguities, which may lead to security vulnerabilities if users, designers, and implementers misunderstand each other. Formalisation helps by forcing one to identify and resolve these ambiguities. Second, it is hard to establish that prose properties actually hold, as they are not susceptible to either experimental validation (by testing or model-checking) or mathematical proof. It is possible to formally state properties about L3 or Sail specifications because these can be automatically exported to theorem prover definitions: variously Isabelle/HOL [36], HOL4 [37] and/or Coq [38].

To illustrate the first benefit, we identify ambiguities in the prose definition of a fundamental property of CHERI's capability system, namely *capability monotonicity*. The prose documentation defines this as the property that "new capabilities must be derived from existing capabilities only via valid manipulations that may narrow (but never broaden) rights ascribed to the original capability" [39, §2.3.4]. But what constitutes broadening the rights of a capability? Broadening its bounds and increasing its permissions are given as examples, but does unsealing a capability also broaden its rights? This is left unclear. Furthermore, the documentation states that "controlled violation of monotonicity can be achieved via the exception delivery mechanism  $[\ldots]$  and also by the CCall instruction", without specifying what "controlled violation" means. It continues with "monotonicity allows reasoning about the set of reachable rights for executing code, as they are limited to the rights in any capability registers, and inductively, the set of any rights reachable from those capabilities". This property describes an upper bound of the rights that (untrusted) code can use if we allow it to execute arbitrary instructions. This upper bound is defined as the rights that are transitively reachable from the capabilities in the capability registers. However, the documentation does not define when a right is reachable from a capability, so one cannot know exactly what this upper bound is.

To illustrate the second benefit we discuss a security property that describes how CHERI's capability system can be used to protect a reference monitor from untrusted code [39, §9.4]. The property describes the guarantees and the assumptions under which they hold in great detail, but originally the property was verified only by a high-level paper proof outline. During our work we discovered that the CHERI ISA does not satisfy the property, not because of a bug in the ISA, but because of a mistake in the definition of the security property: the property mistakenly states that after a domain transition to the reference monitor, the reference monitor does not have permission to its own memory anymore. While it would be easy to fix the mistake in the prose definition, it would remain difficult to validate whether the property would then be correct, and whether the CHERI ISA would satisfy it.

To show that it is possible to formally define and prove security properties over a production scale architecture, in the remainder of this section we formally define the following properties about CHERI, and formally prove (in Isabelle/HOL) that the CHERI ISA satisfies them in §5.

- We define an order over capabilities, capturing when the authority of one capability is contained in the authority of another capability (§4.1). This order clarifies what "broadening the rights of a capability" should mean in the prose definition of capability monotonicity.
- We define an abstraction of CHERI-MIPS with abstract actions for each type of memory access and capability manipulation, capturing the intentions of CHERI-MIPS instructions by mapping them onto these actions (§4.2). For each action, we state under what conditions it can be performed, and what effects it has. Amongst other things, this precisely states the effects of instructions that can broaden the rights of a capability, clarifying what "controlled violation of capability monotonic-ity" should mean. It also states properties that have no prose counterparts in the CHERI documentation, but that are nonetheless crucial to the capability system.
- We characterise which capabilities a (potentially compromised) compartment could access or construct if it is allowed to execute arbitrary code, and we state related properties about which part of the memory and which registers the compartment can overwrite (§4.3). This captures the "reachable rights for executing code".
- Turning from properties about the capability system itself to use-cases thereof, we state what assumptions need to be satisfied in order to isolate a compartment from the rest of the program, and we state which guarantees CHERI-MIPS then offers (§4.4). This property is inspired by the reference monitor example discussed above.

When formalising security properties one should consider which mathematical concepts to use to express them: more sophisticated mathematics can let one state properties closer to one's intention, or more elegantly, but it can also make them less accessible. Here, we spell out properties in terms of concrete traces of the ISA model, for accessibility.

## 4.1 Capability order

We define an order,  $\leq$ , over capabilities, capturing when the authority of a capability is contained in the authority of another capability. It is based on the following observations. The authorities of sealed and unsealed capabilities are incomparable even if they have the same bounds and permissions: the unsealed capability can authorise memory accesses but the sealed capability cannot, while the sealed capability can be invoked (with the right permissions) but the unsealed one cannot. We also observe that invalid capabilities have no authority; sealed capabilities are immutable while they stay sealed; unsealed capabilities can be restricted by shrinking their bounds or removing their permissions; and the virtual address of unsealed capabilities can be changed to any value without affecting the authority. This leads to the following. **Definition 1** (Order over capabilities). We say  $cap \leq cap'$  if either cap is invalid (Line 2 below), or cap and cap' are equal (Line 3), or both capabilities are valid and unsealed (Lines 4 and 5) and: the bounds of cap is contained in the bounds of cap' (Line 6), the permissions of cap are less then or equal to those of cap' (Line 7) and similarly for the user permissions (Line 8), their object types agree (Line 9), and their reserved bits agree (Line 10). Note that Lines 4–10 do not constrain the virtual addresses. As usual in Isabelle and in functional languages, we write function application just with juxtaposition, e.g. IsSealed cap is just the IsSealed function (returning a boolean) applied to cap.

| 1  | $\operatorname{cap} \leq \operatorname{cap}'$ is defined as |
|----|-------------------------------------------------------------|
| 2  | $\mathbf{not}  \mathrm{Tag}  \mathrm{cap}$                  |
| 3  | $\mathbf{or} \operatorname{cap} = \operatorname{cap}'$      |
| 4  | or Tag cap and Tag cap'                                     |
| 5  | and not IsSealed cap and not IsSealed cap'                  |
| 6  | and CapBounds cap $\subseteq$ CapBounds cap'                |
| 7  | and Perms cap $\leq_{\text{bitwise}}$ Perms cap'            |
| 8  | and UPerms cap $\leq_{\text{bitwise}}$ UPerms cap'          |
| 9  | and $ObjectType cap = ObjectType cap'$                      |
| 10 | and Reserved cap = Reserved cap'                            |

This order is reflexive and transitive (a preorder). It is not antisymmetric: if cap and cap' are valid, unsealed, and differ only by their virtual addresses, we can have  $cap \leq cap'$ ,  $cap' \leq cap$ , and  $cap \neq cap'$ . The preorder is also not total: if cap and cap' are respectively the sealed and unsealed version of the same capability, then  $cap \leq cap'$  and  $cap' \leq cap$ .

### 4.2 Capturing the intention of instructions

We now define properties about the effects of a single execution step, abstracting from the detailed behaviour of CHERI-MIPS instructions defined by the L3 (or Sail) model. Our first goal is to capture the principle of intentional use: for example, if the intention of the execution step is to load data using the authority of the capability in register 2, then our properties should forbid this execution step if that does not have enough authority, even if capabilities in other registers would be able to authorise the load. We capture the intentions of each instruction by mapping them onto abstract actions: we define an abstract action for each kind of memory access (loading data, storing data, loading capabilities, and storing capabilities), one for each kind of capability manipulation (restricting, sealing, unsealing, and invoking it), and one for hardware exceptions. Abstract actions contain some extra information, for example the register index of the capability that is used as authority (if applicable). By mapping the 180-odd CHERI-MIPS instructions onto these nine actions we abstract away from many details but retain the ability to define different security properties for different intentions.

Our second goal is that the properties defined in this subsection are strong enough to imply the properties in §4.3 and §4.4. To achieve this we define invariants about address translation, kernel mode, and the exception-control 'CP0' registers, and properties that describe what happens when a certain abstract action is *not* intended, for example if the instruction does not intend to store anything to an address a, then the memory at ashould remain unchanged.

We first define the non-domain-crossing abstract actions.

- LoadDataAction has parameters auth, the register of the capability that is used as authority, a, the physical address of the data, and l, the length of the data that is loaded. StoreDataAction is the analogue for stores.
- LoadCapAction has parameters auth, the register of the capability that is used as authority, a, the physical address of the capability that is loaded, and r, the destination register. StoreCapAction is the analogue for storing capabilities, except here r is the source register and a the physical address of the destination.
- RestrictCapAction has parameters r, the source register, and r', the destination register where a restricted version of the source is copied to.
- SealCapAction has parameters auth, the register of the capability that is used as authority, r, the source register, and r', the destination register where a sealed version of the source is copied to. UnsealCapAction is the analogue for unsealing capabilities.

The following actions yield the execution to another domain:

- *RaiseException* has no parameters.
- Invoke Capability has parameters r, the register of the code capability, and r', the register of the data capability that is invoked.

An instruction intention can either be a single action that yields the execution, or a set of actions that do not (e.g. for the CJALR "jump and link capability register" instruction, which manipulates two capabilities in one execution step):

- SwitchDomain has parameter a, an action that yields the execution to another domain,
- *KeepDomain* has parameter *actions*, a set of actions that continue the execution in same domain.

Mapping instructions onto the abstraction is mostly straightforward. For example, the CSeal instruction executed with parameters (cd, cs, ct) maps to

KeepDomain {SealCapAction ct cs cd}.

Instructions that access memory are less straightforward, as their parameters refer to virtual memory, while the parameters of abstract actions refer to physical memory. When mapping these instructions we therefore translate the addresses. Since CHERI-MIPS instructions only access memory from at most one page, these translated addresses form a contiguous region of physical memory. Furthermore, instructions that load capabilities map to both a *LoadCapAction* and a *LoadDataAction* because they can indirectly be used to load data (for example, by loading data into a capability register and inspecting the fields of the capability). Similarly, instructions that store capabilities map to a *StoreCapAction* and a *StoreDataAction*.

### 4.2.1 Defining security properties for the abstraction

For each abstract action we define a property that states the prerequisites and effects of that action. These are properties of an arbitrary CHERI-MIPS ISA semantics *sem*, which we later prove hold of the actual semantics. The property about restricting capabilities is the simplest, requiring only that the resulting capability is less than or equal to the original:

**Property 2** (Restricting capabilities). An ISA semantics *sem* satisfies this property if Lines 2–6 below hold. Assume s is a valid machine state (Line 3). This is a technical assumption: the type *state* can express things that are not supported by CHERI-MIPS, e.g. little-endian mode, so we need to require that s does not. Then consider an execution step from state s to s' with the intention to keep the domain and perform a number of actions (Line 4) and assume that *RestrictCapAction* r r' is one of those (Line 5). The property then requires that the capability in the destination register r' in the resulting state s' is less than or equal (in the §4.1 order) to the capability in the source register r in the original state s (Line 6).

#### 1 RestrictCapProp sem is defined as

- 2 for all s s' actions r r'.
- 3 if StateIsValid s
- 4 and (KeepDomain actions, s')  $\in$  sem s
- 5 and RestrictCapAction r r'  $\in$  actions
- $6 \quad \text{then CapReg s' r' \le CapReg s r}$

The next property states that to store data one needs a valid, unsealed capability with the *PermitStore* permission, and the physical addresses stored to should correspond to virtual addresses that lie within the bounds of the capability:

**Property 3** (Storing data). A semantics *sem* satisfies this property if the following holds. Assume s is a valid state (Line 3), consider an execution step from state s to s' with the intention to keep the domain and perform a number of actions (Line 4), and assume that *StoreDataAction auth a ln* is one of those (Line 5). The property then requires the capability used as authority has a tag (Line 6), is unsealed (Line 7), and has *PermitStore* permission (Line 8); and that the length *ln* of the stored segment is non-zero (Line 9); that the addresses of the segment are all translations of virtual addresses that the capability has authority to (Line 10); and that the tag at address *a* has been stripped, or the capability at that address remained unchanged (Line 13). The latter case allows the action to behave as a no-op, relevant e.g. for stores to UART devices.

#### 1 StoreDataProp sem is defined as

- 2 for all s s' actions auth a ln.
- 3 if StateIsValid s
- 4 and (KeepDomain actions, s')  $\in$  sem s
- 5 and StoreDataAction auth a  $\ln \in$  actions
- 6 then Tag (CapReg s auth)

| 7  | and not IsSealed (CapReg s auth)                           |
|----|------------------------------------------------------------|
| 8  | and PermitStore (CapReg s auth)                            |
| 9  | and $\ln \neq 0$                                           |
| 10 | and MemSegment a ln                                        |
| 11 | $\subseteq$ TranslateAddresses (CapBounds (CapReg s auth)) |
| 12 | Store $\mathbf{s}$                                         |
| 13 | and not Tag (MemCap s' (GetCapAddress a))                  |
| 14 | or MemCap s' (GetCapAddress a) =                           |
| 15 | MemCap s (GetCapAddress a)                                 |

For the other abstract actions we also define a property that describes the necessary authority and the effects of the action, and we define two security properties that are not directly linked to performing a specific action, but that are linked to the execute and access-system-register permissions. For lack of space we define them in the appendix.

#### 4.2.2 Defining invariants of the execution step

There are two invariants capturing what happens if certain abstract actions are *not* performed. The first requires that if no action specifies that anything was stored to address a, then the memory at a remains unchanged. The second requires that if no action has capability register r as its destination register, the capability at r remains unchanged. Their formal definitions are given in the appendix. Then there are invariants that require that the address translation function, the kernel mode flag, and the CP0-access flag remain unchanged during execution steps that do not raise an exception and that start in user mode.

#### 4.2.3 Defining capability derivations

The CHERI documentation describes informal properties about *capability derivations*. For example, *capability provenance* states that valid capabilities can only be "derived from" other valid capabilities [39, §2.3.1], and capability monotonicity states that new capabilities must be "derived from" existing capabilities via manipulations that do not broaden the rights of the capability. But what "derive" precisely means is not defined.

We can now precisely define what derivations are, in terms of the abstract actions an instruction maps to. For example, if an instruction maps to RestrictCapAction r r', we say the capability in register r' in the resulting state is derived from the capability in r in the original state. Capability provenance can then be formalised by stating that the derived capability can only be valid if the capability it is derived from is valid, and capability monotonicity can be formalised by stating that for all actions except SealCapAction, UnsealCapAction, InvokeCapability, and RaiseException the derived capability is less than or equal to the capability it is derived from.

Capability provenance and monotonicity capture properties about derivations that should certainly hold and that help explain the capability system. Nevertheless, in our proofs we did not find them useful as independent properties: whenever we needed to relate a derived capability to the original capability, we also needed to know that the capability that authorised the derivation had enough authority and, in the case of nonmonotonic derivations, what the resulting capability could be, which is not captured by these. In other words, the proof forced us to identify more fundamental properties about the design.

## 4.3 Characterising reachable capabilities

We now characterise which capabilities a (potentially untrusted) compartment can access or construct if it is allowed to execute arbitrary code. This is a fundamental property for compartmentalisation, as it allows reasoning about which memory or system registers the compartment can access, whether it can delegate its own capabilities to other compartments, and which addresses in other compartments it can jump to. CHERI supports many compartmentalisation scenarios, for example compartments that can communicate via a region of shared memory, or that can only communicate via another compartment, or that share the same code but work on isolated data, or have isolated code but share their data. Much of what compartmentalisation means is common to all these.

Our definition of reachable capabilities depends on the capabilities in the current state. The definition is inductive because reaching a capability can make other capabilities reachable. For example, a capability in a register might authorise loading another capability from memory, and that capability might be able to authorise unsealing a capability, etc.

**Definition 4.** The set of reachable capabilities in a state *s* are inductively defined by the following rules.

- The base case: if a register r is always accessible (either a normal register, or the special registers DDC or TLSC) and the capability *cap* in that register is valid, then *cap* is reachable.
- If cap is a reachable, unsealed capability with the PermitAccessSystemRegisters permission, r is a special register, and the capability cap' in that register is valid, then cap' is reachable.
- If *cap* is a reachable, unsealed capability with the *PermitLoadCapability* permission, *a* is a physical address that is a translation of a virtual address within the bounds of *cap*, and the capability *cap'* at address *a* is valid, then *cap'* is reachable.
- If cap is a reachable capability, and cap' is a valid capability less than or equal to cap, then cap' is reachable.
- If cap is a reachable, unsealed capability, and *sealer* is a reachable, unsealed capability with the *PermitSeal* permission, and the object type t lies within its bounds, then the capability that is the result of sealing cap with object type t is reachable.
- If *cap* is a reachable, sealed capability, and *unsealer* is a reachable, unsealed capability with the *PermitUnseal* permission, and the object type of *cap* lies within its bounds, then the capability that is the result of unsealing *cap* is reachable.

The property that justifies the name "reachable capabilities" says that, until the execution is yielded to another domain, the set of reachable capabilities is monotonic. To avoid confusion with capability monotonicity (above), we call that property *intra-instruction capability monotonicity* and the property we define here *reachable capability monotonicity*:

**Property 5** (Reachable capability monotonicity). An ISA semantics *sem* satisfies this if the following holds. Assume s is a valid state, with no CP0 access and not in kernel mode. Consider an execution trace from s to s' and assume it is intra-domain (no instruction in the trace yields the execution to another domain). Then the property requires that the capabilities reachable in s' were already reachable in s.

1 MonotonicityReachableCaps sem is defined as

- 2 for all s s' trace.
- 3 **if**  $s' \in$  FutureStates sem s trace
- 4 and IntraDomainTrace trace
- 5 and not AccessToCU0 s
- 6 and not KernelMode s
- 7 and StateIsValid s
- 8 then ReachableCaps  $s' \subseteq$  ReachableCaps s

From reachable capability monotonicity we can derive properties about which memory a compartment can overwrite:

**Property 6** (Intra-domain memory invariant). If each reachable capability in s either does not have the *PermitStore* and *PermitStoreCapability* permissions, or does not contain an address within its bounds that translates to a; the execution trace from s to s' is intradomain; and s is valid and in user mode; then the memory at a in s' is the same as in s.

The memory does not change during execution steps that yield the execution, so we define the same property for traces that are intra-domain except for the last step, which yields the execution to another domain. For the invariance of memory tags and special registers we define similar properties.

## 4.4 Isolating a user space compartment

Finally, we consider a simple compartmentalisation scenario, where a compartment is isolated from the rest of the program. Isolation here means that the compartment can only access its own region of memory, it cannot access any special registers, and when it yields the execution it can jump only to a restricted set of addresses. CHERI only guarantees this if the compartment is set up correctly. The definition below states the required assumptions in detail. Due to space limitations we describe auxiliary definitions only in prose.

**Definition 7** (Isolation assumptions). Let *addrs* be the set of virtual addresses that we grant to the compartment, *types* the set of object types we grant to the compartment, and s an arbitrary state. Then the following defines when s can be used as a starting state for the compartment.

- 1 IsolatedState addrs types s is defined as
- 2 CapabilityAligned addrs
- 3 and NoSystemRegisterAccess addrs types s
- 4 and ContainedCapBounds addrs types s
- 5 **and** ContainedObjectTypes addrs types s
- 6 and InvokableCapsNotUsable addrs types s
- 7 and not AccessToCU0 s
- 8 and not KernelMode s
- 9 and StateIsValid s

Line 2 requires that addrs is capability aligned. This means that for every a and a' within the same capability (only differing in their last 5 bits) either both or neither are in addrs.

Our aim is then to require that each unsealed capability the compartment can reach (according to Definition 4) does not have authority outside the virtual addresses addrs and types types that we granted to the compartment. We could directly assume this, but the inductive definition of reachable capabilities is difficult to work with. Instead, we overapproximate the authority of unsealed, reachable capabilities. First, consider the set *grantedCaps* of capabilities that we granted to the compartment, consisting of the program counter capability (PCC), the capability in the MIPS branch slot (if there is one), capabilities in normal capability registers, capabilities in the special registers 0 and 1 (DDC and TLSC), and the capabilities in the physical region of memory that correspond to the virtual addresses *addrs*. From that set, we take each capability whose authority can be used by the compartment, namely each capability that has a tag, and that is either unsealed, or sealed with an object type in *types*. The resulting set, *grantedAuth*, is the overapproximation (the following lines do not claim that, but we prove it as part of Theorem 12). Line 3 requires that capabilities in grantedAuth do not have the permission to access system registers; Line 4 requires that the bounds of capabilities in grantedAuth with permission to access memory are contained in addrs; and Line 5 requires that capabilities in grantedAuth with permission to seal or unseal have authority only to object types in types (a capability has authority to an 18-bit object type t if the unsigned extension of t to a 64-bit virtual address lies within its bounds). Line 6 is an assumption on the capabilities that the compartment can invoke. The compartment can invoke any capability in grantedCaps that has a tag and that has the PermitCCall permission. The assumption requires that these capabilities are sealed and that their object type is not contained in *types*. This ensures that the compartment cannot directly use the authority of these capabilities. Finally, Line 7 requires that s does not have access to coprocessor 0, Line 8 requires that is is not in kernel mode, and Line 9 requires that s is a valid state.

We now define what isolation means in our scenario.

**Definition 8** (Isolation guarantees). Let *addrs*, *types*, and *s* be as in the previous definition, and let s' be a state. The following describes the guarantees that one expects if a compartment starts in *s* and has yielded the execution in s'.

IsolationGuarantees addrs types s s' is defined as 1 2Base (PCC s') + PC s' 3  $\in$  ExceptionPCs  $\cup$  InvokableAddresses addrs s 4 and for all a. 5if not  $a \in TranslateAddresses$  addrs Store s then MemData s' a = MemData s a6 7 and MemTag s' (GetCapAddress a) = 8 MemTag s (GetCapAddress a) 9 and for all r. 10 if  $r \neq 0$  and  $r \neq 1$  and  $r \neq 31$ 11 then SpecialCapReg s' r =SpecialCapReg s r

Lines 2–3 limit the exit points of the compartment. They state that the address of the next instruction in s' (given by the base of the PCC plus the PC) is either an exception handler entry address (CHERI-MIPS has a fixed set of these) or an address that one of the invokable capabilities point to.

Lines 4–8 state that the memory that is not granted to the compartment remained unchanged. More precisely, if the physical address a is not a translation of a virtual

address in *addrs* (Line 5), then the memory value at a in s' is still the same as it was in s (Line 6), and the tag of the 32-byte region that a belongs to is still the same (Lines 7–8).

Finally, Lines 9–11 state that the special registers stayed the same, except for registers 0, 1, and 31 (DDC, TLSC, and EPCC). The DDC and TLSC are always accessible, while the EPCC is overwritten if the compartment raises a hardware exception.

The property below precisely defines when CHERI offers the isolation guarantees.

**Property 9** (Compartment isolation). An ISA semantics *sem* satisfies this property if the following holds. Assume s is a state that satisfies the assumptions we defined before (Line 3). Consider an execution trace consisting of a prefix *trace* that is intra-domain, meaning none of its steps yield the execution (Line 4), and a final *step* that does yield the execution (Line 5). Let s' be the state after the latter (Line 6). Then the property requires that the above isolation guarantees hold in s' (Line 7).

1 CompartmentIsolation sem is defined as

- 2 for all addrs types s s' trace step.
- 3 **if** IsolatedState addrs types s
- 4 and IntraDomainTrace trace
  - and SwitchesDomain step

5

- 6 and  $s' \in FutureStates sem s$  (trace; step)
- 7 then IsolationGuarantees addrs types s s'

## 5 Proving the architectural security properties

Mathematical proof can give much higher confidence than traditional testing-based methods, because it considers every possible corner case, not just those exercised by the tests. This is especially important for security properties. However, there are three challenges in proving security properties for production-scale architectures. The first is that architectures contain many low-level details that are easy to miss, so checking a paper proof by hand would be unusably error-prone. To solve this we *mechanised* all our proofs in Isabelle [36], an interactive theorem prover. Such tools (Isabelle, Coq, HOL4, and others) let one write proof scripts – instructions for how to construct a proof, combining automated and manual reasoning – and the machine checks that they do construct valid proofs. To minimise the trusted computing base (TCB) Isabelle has an LCF-style inference kernel [40]: proof scripts generate a series of simple inference steps that are checked by a small kernel. Because we use the Isabelle export of the L3 model as the definition of CHERI-MIPS, our TCB consists only of this L3-to-Isabelle translation and the Isabelle kernel. This gives very high assurance that the proved statements are indeed true in the L3 definition of CHERI-MIPS (the user also has to read and understand the statements, of course).

The second challenge is the scale of the proof development. Production-scale architecture specifications are large, and any part of the architecture could potentially break security properties, even if it does not directly interact with the security mechanisms. For example, in CHERI-MIPS, the majority of the 180-odd instructions do not interact with capabilities, but could still break the properties of §4. To solve this challenge we developed automated proof methods, tailored to L3 specifications, that reduce the need for manual proof scripts. We used Eisbach [41], an extension of Isabelle's proof language, for these. Our custom tactics can automatically prove the security properties for most CHERI-MIPS instructions that do not directly interact with the capability mechanisms, and significantly simplify the proofs for the others.

The third challenge is that architectures keep evolving. As a research architecture, CHERI has evolved rapidly, but industrial architectures such as Intel 64/IA-32 and ARMv8-A do too, with new versions every six months or so. It would be infeasible to continuously re-check whether a manual proof still holds for updated versions of the architecture, but automated theorem provers can do this automatically, and will point out any places where the proof fails. Our automatic proof tactics are somewhat resilient to changes in the model. To further reduce the effort needed to change our proofs we use python scripts to generate the statements and proofs of many lemmas. The Isabelle LCF-style kernel means that these scripts are not part of our TCB.

We finished the proof of our first variant of monotonicity of reachable capabilities in October 2016 and since then have rerun the proof regularly on new versions of the L3 model. In our experience the effort needed to adapt our proofs to changes in the ISA were reasonable. Some changes caused us to invent new properties, for example the introduction of capability invocation; and other changes involved refactoring properties and proofs, for example when capability registers were split into normal and special registers; but for most changes we only needed to update the scripts that auto-generate the majority of our proofs. This did need prover expertise, though.

All this made it possible to integrate our proofs in the CHERI-MIPS design process.

**Theorem 10.** The L3 model of the CHERI-MIPS ISA satisfies the properties defined or mentioned in §4.2, namely properties about execution, loading and storing data, loading, storing, restricting, sealing, unsealing and invoking capabilities, accessing system registers, and exceptions; and invariants about memory values, tags, valid states, CP0-access, kernel mode and address translation.

**Theorem 11.** Any semantics that satisfies the security properties defined in §4.2, satisfies *reachable capability monotonicity* (Property 5), the *intra-domain memory invariant* (Property 6), and the other properties mentioned in §4.3.

Together with Theorem 10 this shows that CHERI-MIPS satisfies the properties we defined in §4.3.

**Theorem 12.** Any semantics that satisfies the security properties defined in §4.2, satisfies the property about compartment isolation (Property 9).

The entire proof development is 33k lines of Isabelle/HOL, of which 16k lines are generated. Checking the proof in Isabelle takes 25 minutes on a 16GB Intel i7-2600.

## 6 Bugs found by proof work

The point of our proof is to provide *assurance* that the properties hold of the CHERI-MIPS architecture, not merely to find some bugs, but, unsurprisingly, we did find some along the way. CHERI-MIPS was already reasonably mature when we started the proof, so these are not very numerous – but each could lead to security vulnerabilities, and it is instructive to see what can remain, even in a carefully considered and reviewed design, without proof.

- The CLC instruction loads a capability *cap* if the capability *cap'* that is used as authority has the *PermitLoadCapability* permission. If *cap'* does not have that permission, the instruction still loads the byte representation of *cap*, but without its tag. This does not violate our property about loading capabilities, but it does violate our property about loading data, as CLC loads from the memory without checking the *PermitLoad* permission. This bug was in the architecture document and the L3 model.
- Legacy MIPS stores allowed writing one byte past the region of memory the code had permission to, and, if the code had access to the end of the address space, stores could write to the beginning of the address space. (In L3)
- In some cases, unaligned MIPS loads allowed loading from a region of memory without permission. (In the L3 model and the Bluespec hardware implementation.)
- The CBuildCap instruction created a capability with the wrong base. (In L3)
- Exception return (ERET) could access a system register (the EPCC) without permission. (In L3)
- The CCallFast instruction, which invokes capabilities, exposed the unsealed code capability, breaking isolation between compartments that can invoke each other's capabilities. (In L3)

We also found counter-intuitive behaviour that led to the discovery of a vulnerability in CheriBSD, allowing a leak of an unsealed data capability. Throwing an exception just after performing a "CCallFast" gave the exception handler access to the unsealed data capability. By registering a signal handler to deal with segfaults and triggering a segfault in the delay slot of CCallFast, the signal handler could obtain the unsealed data capability of another protection domain and use it to access memory. One could conceivably fix this in CheriBSD, but correct code would be harder to write and understand, so we removed the CCallFast delay slot.

## 7 Transition from L3 to Sail

In another aspect of formal engineering maintenance, we are in the process of shifting our ISA specifications from L3 to Sail [33], the design of which has been informed by our experience with L3. Sail generates emulators in OCaml and C, as well as theorem prover definitions for Isabelle/HOL, HOL4, and Coq, and Sail definitions can be integrated with multicore relaxed memory models. Sail models include CHERI-MIPS (ported from the L3 model and included in the CHERI architecture document [6]), a complete ISA semantics for ARMv8-A (automatically derived from the Arm-internal definition), and new hand-written models for RISC-V and CHERI-RISC-V. In ongoing and future work (not part of the contribution of this paper) we aim to *uniformly* prove security properties of multiple realisations of CHERI for different base architectures; we have already established a version of intra-instruction capability monotonicity for Sail CHERI-MIPS.

## 8 Related work

In terms of formalising full-scale ISA definitions, using them in mainstream engineering, and proving security properties of them, the closest related work is Reid et al.'s within Arm, shifting essentially the entire ARMv8-M and ARMv8-A sequential ISA specifications

from pseudocode to machine-readable definitions, which are now used for documentation and hardware verification [42, 29, 43]. These specifications are 10x or more larger, and much more complex, than CHERI-MIPS. For ARMv8-M, he formalised 59 properties about the ISA, based on prose statements in the architecture document, and used an SMT model-checking approach to verify that they hold [44]. Some of these properties are security-relevant, but they are much more specific than the whole-architecture properties we consider, which are strong enough to prove a use case correct (Property 9). On the other hand, his SMT approach is largely automated, while our proofs require theoremproving expertise. In earlier work we proved correctness of an abstraction of address translation w.r.t. the Sail version of this ARMv8-A model [33].

Schwarz and Dam [45] use the HOL4 interactive theorem prover to verify noninterference properties of MIPS and a fragment of ARMv7, showing that the contents of privileged registers do not have observable effects during user-mode execution. These properties are certainly necessary, but are not by themselves strong enough to prove the correctness of use cases.

Turning to security properties for capability systems, the closest related work is by Skorstengaard et al. [46]. Our properties give an upper bound on what (untrusted) code can do until it yields the execution, but their *capability safety* result also allows reasoning about intermingled trusted and untrusted execution. They use it to prove that a certain calling convention guarantees control-flow correctness and encapsulation of local state. This is a stronger result than ours, but it is w.r.t. an idealised capability machine, inspired by CHERI but much simpler, rather than a complete ISA; their security properties are defined in terms of a step-indexed Kripke logical relation, which is hard to understand for practitioners; and their proofs are not mechanised. Ideally one would combine the two.

De Amorim et al. [47, 48] prove that their PUMP [49, 50] architecture, supporting multiple hardware security policies, correctly implements a memory safety policy. This is mechanised, but for an idealised PUMP, not a full ISA.

To reason about confidentiality in x86 SGX enclave programs, Sinha et al. [51] extend BAP [52] with a model of the SGX instructions, mapped into BoogiePL [53], but they do not discuss validation of this model, or its relationship with the complex x86 system semantics.

Ferraiuolo et al. [54] describe a RISC-V-based processor implementation that enforces secure information flow, including controlled timing channels, established using a security-typed hardware description language. Zagieboylo et al. [55] discuss an ISA for this and non-mechanised proofs, albeit somewhat idealised.

There is a very extensive literature discussing capabilities, access control, and information flow control in general, both informally and formally, dating back to the 1960s. We situate CHERI in that context in [6, Ch. 11]; space precludes detailed discussion here. In the context of software capability systems, Doerrie [56, Ch. 12] illustrates the need for proof mechanisation, identifying flaws in an earlier pen-and-paper proof of confinement for an idealised capability machine [57]. Their "proof that the potential access of the system is attenuating" is broadly similar to our Property 5 *Reachable capability monotonicity*. Murray et al. [58] give a mechanised proof of information flow properties for seL4.

Leaving security aside, there is extensive work on formal ISA modelling for hardware verification, e.g. for x86 in ACL2 [59, 60], in Coq [61], for RISC-V [62], and for Arm [29].

## Acknowledgements

We thank Wes Filardo and Prashanth Mundkur for comments, and all the members of the CHERI team for their work on the project as a whole.

This work was supported by EPSRC programme grant EP/K008528/1 (REMS: Rigorous Engineering for Mainstream Systems). This work was supported by a Gates studentship (Nienhuis). This project has received funding from the European Research Council (ERC) under the European Union's Horizon 2020 research and innovation programme (grant agreement 789108). This work was supported by the Defense Advanced Research Projects Agency (DARPA) and the Air Force Research Laboratory (AFRL), under contracts FA8750-10-C-0237 (CTSRD), HR0011-18-C-0016 (ECATS), and FA8650-18-C-7809 (CIFV). The views, opinions, and/or findings contained in this paper are those of the authors and should not be interpreted as representing the official views or policies, either expressed or implied, of the Department of Defense or the U.S. Government. Approved for public release; distribution is unlimited.

## A Additional property definitions

In §4 we defined the properties about restricting capabilities (Property 2) and storing data (Property 3). In this appendix we define some of the additional properties needed, all of which have been established by our proof (Theorem 10).

The property for storing capabilities is similar to that for storing data, requiring both the *PermitStore* and the *PermitStoreCapability* permissions, and describing the capability flow:

**Property 13** (Storing capabilities). A semantics *sem* satisfies this property if the following holds. Assume s is a valid state (Line 3), consider an execution step from state s to s' with the intention to keep the domain and perform a number of actions (Line 4), and assume that *StoreCapAction auth* r a is one of those (Line 5). The property then requires the capability used as authority has a tag (Line 6), is unsealed (Line 7), and has *PermitStore* and *PermitStoreCapability* permissions (Line 8–9); that the addresses of the capability-sized segment are all translations of virtual addresses that the capability has authority to (Line 10); and that the capability in the memory of the resulting state equals the capability in the source register in the original state (Line 13).

| 1  | StoreCapProp sem is defined as                             |
|----|------------------------------------------------------------|
| 2  | for all $s s'$ actions auth $r a$ .                        |
| 3  | if StateIsValid s                                          |
| 4  | and (KeepDomain actions, $s' \in sem s$                    |
| 5  | and StoreCapAction auth r $a \in actions$                  |
| 6  | then Tag (CapReg s auth)                                   |
| 7  | and not IsSealed (CapReg s auth)                           |
| 8  | and PermitStore (CapReg s auth)                            |
| 9  | and PermitStoreCapability (CapReg s auth)                  |
| 10 | and MemSegment (ExtendCapAddress a) 32                     |
| 11 | $\subseteq$ TranslateAddresses (CapBounds (CapReg s auth)) |
| 12 | Store s                                                    |
| 13 | and MemCap s' a = NormalCapReg s r                         |

The properties about loading data and loading capabilities are analogues of respectively the properties about storing data and storing capabilities. The property about unsealing capabilities describes the necessary authority and the result of unsealing a capability:

**Property 14** (Unsealing capabilities). A semantics *sem* satisfies this property if the following holds. Assume *s* is a valid state (Line 3), consider an execution step from state *s* to *s'* with the intention to keep the domain and perform a number of actions (Line 4), and assume that *UnsealCapAction auth* r r' is one of those actions (Line 5). The property then requires the capability that is used as authority has a tag (Line 6), is unsealed (Line 7), and has the *PermitUnseal* permission (Line 8). Furthermore, it requires that the object type of the capability that is being unsealed lies within the bounds of the capability that is used as authority that is being unsealed was sealed in state *s* (Line 12), and the capability in the destination register r' in the resulting state s' is less than or equal to the unsealed version of the original capability (Line 13).

| 1  | UnsealCapProp sem is defined as                                                  |
|----|----------------------------------------------------------------------------------|
| 2  | for all s s' actions auth r r'.                                                  |
| 3  | if StateIsValid s                                                                |
| 4  | and (KeepDomain actions, $s' \in sem s$                                          |
| 5  | and UnsealCapAction auth r r' $\in$ actions                                      |
| 6  | $\mathbf{then} \operatorname{Tag} (\operatorname{CapReg s} \operatorname{auth})$ |
| 7  | and not IsSealed (CapReg s auth)                                                 |
| 8  | and PermitUnseal (CapReg s auth)                                                 |
| 9  | and UCast                                                                        |
| 10 | (ObjectType (NormalCapReg s r))                                                  |
| 11 | $\in$ CapBounds (CapReg s auth)                                                  |
| 12 | and IsSealed (NormalCapReg s r)                                                  |
| 13 | and NormalCapReg s' r'                                                           |
| 14 | $\leq \text{NormalCapReg s r with}$                                              |
| 15 | IsSealed $\leftarrow$ False, ObjectType $\leftarrow 0$                           |

The property about sealing capabilities is the analogue of the above. Then there are two security properties that are not linked to performing a specific action, but to the execute and access-system-register permissions. The first describes the authority the PCC must have if an action was performed without raising an exception:

**Property 15** (Executing). A semantics *sem* satisfies this property if the following holds. Assume s is a valid state (Line 3), consider an execution step from state s to s' (Line 4), assume that no exception was raised (Line 5), and assume that if the domain was kept, at least one action was performed (Line 6, note that  $\emptyset$  denotes the empty set). The property then requires that the PCC has a tag (Line 7), is unsealed (Line 8), has the *PermitExecute* permission (Line 9), and that the address of the next instruction lies within its bounds (Line 10).

| 1  | ExecuteProp sem is defined as               |
|----|---------------------------------------------|
| 2  | for all s s' step.                          |
| 3  | if StateIsValid s                           |
| 4  | and $(step, s') \in sem s$                  |
| 5  | and step $\neq$ SwitchDomain RaiseException |
| 6  | and step $\neq$ KeepDomain $\emptyset$      |
| 7  | then Tag (PCC s)                            |
| 8  | and not IsSealed (PCC s)                    |
| 9  | and $PermitExecute (PCC s)$                 |
| 10 | and Base $(PCC s) + PC s$                   |
| 11 | $\in$ CapBounds (PCC s)                     |

The second requires that if r is a special register (other than the DDC or TLSC) that is the parameter of a performed action, then the PCC must have permission to access system registers (the DDC and TLSC registers are accessible without that permission):

**Property 16** (Special register access). A semantics *sem* satisfies this property if the following holds. Assume s is a valid state (Line 3), that does not have access to CP0 (Line 4), and that is not in kernel mode (Line 5). Consider an execution step from state s to s' that keeps the domain and performs a number of actions (Line 6). Let r be a register that is not equal to 0 or 1 (respectively the DDC and TLSC, Line 7) and that is a parameter of an action that was performed (Line 8). The property then requires that the PCC has the *PermitAccessSystemRegisters* permission (Line 11).

- 1 SpecialRegisterProp sem is defined as
- 2 for all s s' actions r.
- 3 **if** StateIsValid s
- 4 and not AccessToCU0 s
- 5 and not KernelMode s
- 6 and (KeepDomain actions, s')  $\in$  sem s
- 7 and  $r \neq 0$  and  $r \neq 1$
- 8 and exists action.
- 9  $action \in actions$
- 10 and  $r \in CapDerivationRegisters action$
- 11 then PermitAccessSystemRegisters (PCC s)

Then there are two invariants about what happens when certain actions are not taken. The auxiliary function *CapDerivationTargets* returns the target locations of an action. For example, the target of *StoreCapAction auth* r a is the address a and the target of *SealCapAction auth* r r' is the register r'. The first invariant states that the capability at location *loc* (either a register or a virtual address) remains invariant of none of the performed actions has *loc* as their target:

**Property 17** (Capability invariant). A semantics *sem* satisfies this property if the following holds. Assume s is a valid state (Line 3), consider an execution step from state s to s' with the intention to keep the domain and perform a number of actions (Line 4), and assume that none of these actions has the location *loc* as their target (Line 5). The property then requires that the capability at location *loc* in the resulting state equals the capability at *loc* in the original state (Line 8).

1 CapabilityInvariant sem is defined as

| 2 | for all s s' actions loc.                 |
|---|-------------------------------------------|
| 3 | if StateIsValid s                         |
| 4 | and (KeepDomain actions, $s' \in sem s$   |
| 5 | and not exists action.                    |
| 6 | $action \in actions$                      |
| 7 | and loc $\in$ CapDerivationTargets action |
| 8 | then Cap s' loc = Cap s loc               |

The second invariant is very similar: if none of the performed actions has the address a as their target, then the value at a in the memory remains invariant. This property is more granular than the capability invariant. For example, if an action changes one byte in the byte representation of a capability, the memory invariant requires that the other 31 bytes of the representation remain unchanged even though the capability (as a whole) changes.

Finally, there are two properties about actions that yield the execution. The first describes capability invocation:

**Property 18** (Invoking capabilities). A semantics *sem* satisfies this property if the following holds. Assume s is a valid state (Line 3) and consider an execution step from state s to s' that invokes a pair of a code and a data capability (Line 4). The property then requires that both code and data capability are valid (Line 8), sealed (Line 9), have the permission to be invoked (Line 10–11), the code capability has the permission to execute (Line 12), but the data capability does not (Line 13), and both capabilities have the same object type (Line 14). Furthermore, it requires that the offset of the code capability is copied to the PC (Line 15), the unsealed code capability is copied to the PCC (Line 16), the MIPS branch slots are cleared (Line 18–19), the unsealed data capability is copied to the IDC (Line 20), all normal registers except register 26 (the IDC) remain unchanged (Line 22), all special registers remain unchanged (Line 26), and the (entire) memory remains unchanged (Line 28).

| 1  | InvokeCapProp sem is defined as                                                                                   |
|----|-------------------------------------------------------------------------------------------------------------------|
| 2  | for all s s' r r'.                                                                                                |
| 3  | if StateIsValid s                                                                                                 |
| 4  | and (SwitchDomain (InvokeCapability r r'), s')                                                                    |
| 5  | $\in$ sem s                                                                                                       |
| 6  | $\mathbf{then} \ \mathbf{let} \ \mathbf{codeCap} = \mathbf{NormalCapReg} \ \mathbf{s} \ \mathbf{r} \ \mathbf{in}$ |
| 7  | let dataCap = NormalCapReg s r' in                                                                                |
| 8  | Tag codeCap <b>and</b> Tag dataCap                                                                                |
| 9  | and IsSealed codeCap and IsSealed dataCap                                                                         |
| 10 | and PermitCCall codeCap                                                                                           |
| 11 | and PermitCCall dataCap                                                                                           |
| 12 | and PermitExecute codeCap                                                                                         |
| 13 | and not PermitExecute dataCap                                                                                     |
| 14 | and ObjectType codeCap = ObjectType dataCap                                                                       |
| 15 | and PC $s' = Offset codeCap$                                                                                      |
| 16 | and PCC s' = codeCap with IsSealed $\leftarrow$ False,                                                            |
| 17 | $ObjectType \leftarrow 0$                                                                                         |
| 18 | and BranchDelay $s' = None$                                                                                       |
| 19 | and BranchDelayPCC $s' = None$                                                                                    |
| 20 | and IDC s' = dataCap with IsSealed $\leftarrow$ False,                                                            |
| 21 | $ObjectType \leftarrow 0$                                                                                         |
| 22 | and for all cb.                                                                                                   |
| 23 | if $cb \neq 26$                                                                                                   |
| 24 | <b>then</b> NormalCapReg s' cb =                                                                                  |
| 25 | $NormalCapReg \ s \ cb$                                                                                           |
| 26 | and for all cb. SpecialCapReg s' $cb =$                                                                           |
| 27 | $SpecialCapReg \ s \ cb$                                                                                          |
| 28 | and for all a. Mem s' $a = Mem s a$                                                                               |

The second describes the effects of a hardware exception:

**Property 19** (Exceptions). A semantics *sem* satisfies this property if the following holds. Assume s is a valid state (Line 3) and consider an execution step from state s to s' that raises an exception (Line 4). The property then requires that the exception flag is set (Line 5), the address of the next instruction if one of a fixed set of exception entry addresses (Line 6), the KCC is copied to the PCC (Line 7), all the normal capability registers remain unchanged (Line 8), if the exception flag was not already set the PCC is copied to the EPCC (Line 10), the special registers remain unchanged except for the EPCC (Line 13), the (entire) memory remains unchanged (Line 16), and the MIPS branch slots are cleared (Line 17–18).

| 1  | ExceptionProp sem is defined as                    |
|----|----------------------------------------------------|
| 2  | for all $s s'$ .                                   |
| 3  | if StateIsValid s                                  |
| 4  | and (SwitchDomain RaiseException, $s' \in sem s$   |
| 5  | then EXL s'                                        |
| 6  | and Base (PCC s') + PC s' $\in$ ExceptionPCs       |
| 7  | and PCC $s' = KCC s$                               |
| 8  | and for all r.                                     |
| 9  | NormalCapReg s' r = NormalCapReg s r               |
| 10 | and if EXL s                                       |
| 11 | then EPCC $s' = EPCC s$                            |
| 12 | else EPCC s' = PCC s with Offset $\leftarrow$ PC s |
| 13 | and for all r.                                     |
| 14 | if $r \neq 31$                                     |
| 15 | then SpecialCapReg s' $r = SpecialCapReg s r$      |
| 16 | and for all a. Mem $s' a = Mem s a$                |
| 17 | and BranchDelay $s' = None$                        |
| 18 | and BranchDelayPCC $s' = None$                     |

## References

- L. Szekeres, M. Payer, T. Wei, and D. Song, "Sok: Eternal war in memory," in 2013 IEEE Symposium on Security and Privacy. IEEE, 2013, pp. 48–62.
- [2] M. Miller, "Trends, challenge, and shifts in software vulnerability mitigation," https://github.com/Microsoft/MSRC-Security-Research/tree/master/ presentations/2019\_02\_BlueHatIL, Februari 2019, microsoft Security Response Center.
- [3] B. Martin, M. Brown, A. Paller, D. Kirby, and S. Christey, "2011 CWE/SANS top 25 most dangerous software errors," *Common Weakness Enumeration*, 2011.
- [4] Z. Durumeric, F. Li, J. Kasten, J. Amann, J. Beekman, M. Payer, N. Weaver, D. Adrian, V. Paxson, M. Bailey et al., "The matter of Heartbleed," in *Proceedings* of the 2014 conference on Internet Measurement. ACM, 2014, pp. 475–488.
- [5] J. Woodruff, R. N. Watson, D. Chisnall, S. W. Moore, J. Anderson, B. Davis, B. Laurie, P. G. Neumann, R. Norton, and M. Roe, "The CHERI capability model: Revisiting RISC in an age of risk," in ACM/IEEE 41st International Symposium on Computer Architecture, ISCA 2014, Minneapolis, MN, USA, June 14-18, 2014, 2014, pp. 457–468.
- [6] R. N. Watson, P. G. Neumann, J. Woodruff, M. Roe, H. Almatary, J. Anderson, J. Baldwin, D. Chisnall, B. Davis, N. W. Filardo, A. Joannou, B. Laurie, A. T. Markettos, S. W. Moore, S. J. Murdoch, K. Nienhuis, R. Norton, A. Richardson, P. Rugg, P. Sewell, S. Son, and H. Xia, "Capability hardware enhanced RISC instructions: CHERI instruction-set architecture (version 7)," University of Cambridge, Computer Laboratory, Tech. Rep., 2019. [Online]. Available: http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-927.pdf
- [7] "CHERI," https://www.cl.cam.ac.uk/research/security/ctsrd/cheri/.
- [8] J. Saltzer, "Protection and the control of information sharing in Multics," *Communications of the ACM*, vol. 17, no. 7, pp. 388–402, July 1974. [Online]. Available: https://multicians.org/saltzer-pacisim.pdf
- [9] N. Hardy, "The confused deputy (or why capabilities might have been invented)," ACM SIGOPS Operating Systems Review, vol. 22, no. 4, pp. 36–38, 1988.
- [10] I. T. LTD, "MIPS<sup>®</sup> architecture for programmers volume II-A: The MIPS64<sup>®</sup> instruction set reference manual," 2016.
- [11] R. Nikhil, "Bluespec System Verilog: efficient, correct RTL from high level specifications," in Proceedings. Second ACM and IEEE International Conference on Formal Methods and Models for Co-Design, 2004. MEMOCODE'04. IEEE, 2004, pp. 69–70.
- [12] C. Lattner and V. Adve, "LLVM: A compilation framework for lifelong program analysis & transformation," in *Proceedings of the international symposium on Code* generation and optimization: feedback-directed and runtime optimization. IEEE Computer Society, 2004, p. 75.

- [13] M. K. McKusick, G. V. Neville-Neil, and R. N. Watson, The design and implementation of the FreeBSD operating system. Pearson Education, 2014.
- [14] B. Davis, R. N. Watson, A. Richardson, P. G. Neumann, S. W. Moore, J. Baldwin, D. Chisnall, J. Clarke, N. W. Filardo, K. Gudka *et al.*, "CheriABI: Enforcing valid pointer provenance and minimizing pointer privilege in the POSIX C run-time environment," University of Cambridge, Computer Laboratory, Tech. Rep., 2019.
- [15] J. Woodruff, A. Joannou, H. Xia, B. Davis, P. G. Neumann, R. N. M. Watson, S. Moore, A. Fox, R. Norton, and D. Chisnall, "Cheri concentrate: Practical compressed capabilities," *IEEE Transactions on Computers*, 2019.
- [16] K. Gudka, R. N. Watson, J. Anderson, D. Chisnall, B. Davis, B. Laurie, I. Marinos, P. G. Neumann, and A. Richardson, "Clean application compartmentalization with SOAAP," in *Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security*. ACM, 2015, pp. 1016–1031.
- [17] A. Joannou, J. Woodruff, R. Kovacsics, S. W. Moore, A. Bradbury, H. Xia, R. N. Watson, D. Chisnall, M. Roe, B. Davis *et al.*, "Efficient tagged memory," in *Computer Design (ICCD)*, 2017 IEEE International Conference on. IEEE, 2017, pp. 641–648.
- [18] R. N. Watson, R. M. Norton, J. Woodruff, S. W. Moore, P. G. Neumann, J. Anderson, D. Chisnall, B. Davis, B. Laurie, M. Roe *et al.*, "Fast protection-domain crossing in the CHERI capability-system architecture," *IEEE Micro*, vol. 36, no. 5, pp. 38–49, 2016.
- [19] R. N. M. Watson, J. Woodruff, M. Roe, S. W. Moore, and P. G. Neumann, "Capability Hardware Enhanced RISC Instructions (CHERI): Notes on the Meltdown and Spectre Attacks," University of Cambridge, Computer Laboratory, Tech. Rep. UCAM-CL-TR-916, Feb. 2018. [Online]. Available: https://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-916.pdf
- [20] T. Jim, J. G. Morrisett, D. Grossman, M. W. Hicks, J. Cheney, and Y. Wang, "Cyclone: A safe dialect of C," in USENIX Annual Technical Conference, General Track, 2002, pp. 275–288.
- [21] G. C. Necula, S. McPeak, and W. Weimer, "CCured: Type-safe retrofitting of legacy code," in ACM SIGPLAN Notices, vol. 37, no. 1. ACM, 2002, pp. 128–139.
- [22] S. Nagarakatte, J. Zhao, M. M. Martin, and S. Zdancewic, "Softbound: Highly compatible and complete spatial memory safety for C," ACM Sigplan Notices, vol. 44, no. 6, pp. 245–258, 2009.
- [23] K. Memarian, V. B. F. Gomes, B. Davis, S. Kell, A. Richardson, R. N. M. Watson, and P. Sewell, "Exploring C semantics and pointer provenance," in *Proc.* 46th ACM SIGPLAN Symposium on Principles of Programming Languages, Jan. 2019, proc. ACM Program. Lang. 3, POPL, Article 67. Also available as ISO/IEC JTC1/SC22/WG14 N2311.
- [24] AMD, "AMD64 Architecture Programmer's Manual, Volumes 1–5," http:// developer.amd.com/resources/developer-guides-manuals/, Mar. 2017, 3178 pages.

- [25] IBM, "Power ISA Version 3.0," Nov. 2015, 1246 pages.
- [26] Intel Corporation, "Intel 64 and IA-32 Architectures Software Developer's Manual. Combined Volumes: 1, 2A, 2B, 2C, 2D, 3A, 3B, 3C, 3D, and 4." https://software. intel.com/en-us/articles/intel-sdm, Jul. 2017, 325462-063US. 4744 pages.
- [27] "The RISC-V Instruction Set Manual. Volume I: User-Level ISA; Volume II: Privileged Architecture," https://riscv.org/specifications/, May 2017, 236 pages.
- [28] The SPARC Architecture Manual, Version 9. SPARC International, Inc., 1994, sAV09R1459912.
- [29] A. Reid, R. Chen, A. Deligiannis, D. Gilday, D. Hoyes, W. Keen, A. Pathirane, O. Shepherd, P. Vrabel, and A. Zaidi, "End-to-end verification of processors with ISA-Formal," in *International Conference on Computer Aided Verification*. Springer, 2016, pp. 42–58.
- [30] P. Misra and N. Dutt, Eds., *Processor Description Languages*. Morgan Kaufmann, 2008.
- [31] "PVS specification and verification system," http://pvs.csl.sri.com/, accessed 2019-07-27.
- [32] A. C. Fox, "Directions in ISA specification," in *ITP*, 2012, pp. 338–344. [Online].
   Available: https://doi.org/10.1007/978-3-642-32347-8\_23
- [33] A. Armstrong, T. Bauereiss, B. Campbell, A. Reid, K. E. Gray, R. M. Norton, P. Mundkur, M. Wassell, J. French, C. Pulte, S. Flur, I. Stark, N. Krishnaswami, and P. Sewell, "ISA semantics for ARMv8-A, RISC-V, and CHERI-MIPS," in *POPL 2019: Proc. 46th ACM SIGPLAN Symposium on Principles of Programming Languages*, 2019.
- [34] "QEMU: the FAST! processor emulator," 2017, https://www.qemu.org/.
- [35] B. Campbell and I. Stark, "Extracting behaviour from an executable instruction set model," in *Formal Methods in Computer-Aided Design (FMCAD)*, 2016. IEEE, 2016, pp. 33–40.
- [36] T. Nipkow, L. C. Paulson, and M. Wenzel, Isabelle/HOL: A Proof Assistant for Higher-Order Logic. Springer, 2012.
- [37] M. Gordon and A. Pitts, "The HOL logic and system," in *Real-Time Safety Critical Systems*. Elsevier, 1994, vol. 2, pp. 49–70.
- [38] P. Castéran and Y. Bertot, "Interactive theorem proving and program development. Coq'Art: The calculus of inductive constructions." 2004.
- [39] R. N. Watson, P. G. Neumann, J. Woodruff, M. Roe, J. Anderson, J. Baldwin, D. Chisnall, B. Davis, A. Joannou, B. Laurie, S. W. Moore, S. J. Murdoch, R. Norton, S. Son, and H. Xia, "Capability hardware enhanced RISC instructions: CHERI instruction-set architecture (version 6)," University of Cambridge, Computer Laboratory, Tech. Rep., 2017. [Online]. Available: http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-907.pdf

- [40] M. Gordon, R. Milner, and C. Wadsworth, Edinburgh LCF: a mechanised logic of computation. Springer-Verlag, 1979.
- [41] D. Matichuk, T. Murray, and M. Wenzel, "Eisbach: A proof method language for Isabelle," *Journal of Automated Reasoning*, vol. 56, no. 3, pp. 261–282, 2016.
- [42] A. Reid, "Trustworthy Specifications of Arm v8-A and v8-M system Level Architecture," in Proceedings of Formal Methods in Computer-Aided Design (FMCAD 2016), October 2016, pp. 161–168. [Online]. Available: https: //alastairreid.github.io/papers/fmcad2016-trustworthy.pdf
- [43] —, "Defining interfaces between hardware and software: Quality and performance," Ph.D. dissertation, School of Computing Science, University of Glasgow, March 2019.
- [44] ——, "Who guards the guards? formal validation of the Arm v8-M architecture specification," *Proceedings of the ACM on Programming Languages*, vol. 1, no. OOPSLA, p. 88, 2017.
- [45] O. Schwarz and M. Dam, "Automatic derivation of platform noninterference properties," in Software Engineering and Formal Methods - 14th International Conference, SEFM 2016, Held as Part of STAF 2016, Vienna, Austria, July 4-8, 2016, Proceedings, ser. Lecture Notes in Computer Science, R. De Nicola and eva Kühn, Eds., vol. 9763. Springer, 2016, pp. 27–44. [Online]. Available: https://doi.org/10.1007/978-3-319-41591-8\_3
- [46] L. Skorstengaard, D. Devriese, and L. Birkedal, "Reasoning about a machine with local capabilities," in *European Symposium on Programming*. Springer, 2018, pp. 475–501.
- [47] A. A. De Amorim, M. Dénes, N. Giannarakis, C. Hriţcu, B. C. Pierce, A. Spector-Zabusky, and A. Tolmach, "Micro-policies: Formally verified, tag-based security monitors," in *Security and Privacy (SP)*, 2015 IEEE Symposium on. IEEE, 2015, pp. 813–830.
- [48] A. Azevedo de Amorim, N. Collins, A. DeHon, D. Demange, C. Hriţcu, D. Pichardie, B. C. Pierce, R. Pollack, and A. Tolmach, "A verified information-flow architecture," in *Proceedings of the 41st ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages*, ser. POPL '14. New York, NY, USA: ACM, 2014, pp. 165–178. [Online]. Available: http://doi.acm.org/10.1145/2535838.2535839
- [49] U. Dhawan, C. Hriţcu, R. Rubin, N. Vasilakis, S. Chiricescu, J. M. Smith, T. F. Knight Jr, B. C. Pierce, and A. DeHon, "Architectural support for software-defined metadata processing," in ACM SIGARCH Computer Architecture News, vol. 43, no. 1. ACM, 2015, pp. 487–502.
- [50] U. Dhawan, N. Vasilakis, R. Rubin, S. Chiricescu, J. M. Smith, T. F. Knight Jr, B. C. Pierce, and A. DeHon, "PUMP: a programmable unit for metadata processing," in *Proceedings of the Third Workshop on Hardware and Architectural Support for* Security and Privacy. ACM, 2014, p. 8.
- [51] R. Sinha, S. Rajamani, S. Seshia, and K. Vaswani, "Moat: Verifying confidentiality of enclave programs," in *Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security*. ACM, 2015, pp. 1169–1184.

- [52] D. Brumley, I. Jager, T. Avgerinos, and E. J. Schwartz, "BAP: A binary analysis platform," in Computer Aided Verification - 23rd International Conference, CAV 2011, Snowbird, UT, USA, July 14-20, 2011. Proceedings, 2011, pp. 463–469. [Online]. Available: https://doi.org/10.1007/978-3-642-22110-1\_37
- [53] M. Barnett, B. E. Chang, R. DeLine, B. Jacobs, and K. R. M. Leino, "Boogie: A modular reusable verifier for object-oriented programs," in *Formal Methods for Components and Objects, 4th International Symposium, FMCO 2005, Amsterdam, The Netherlands, November 1-4, 2005, Revised Lectures,* 2005, pp. 364–387. [Online]. Available: https://doi.org/10.1007/11804192\_17
- [54] A. Ferraiuolo, M. Zhao, A. C. Myers, and G. E. Suh, "Hyperflow: A processor architecture for nonmalleable, timing-safe information-flow security," in 25th ACM Conf. on Computer and Communications Security (CCS), October 2018. [Online]. Available: http://www.cs.cornell.edu/andru/papers/hyperflow
- [55] D. Zagieboylo, G. E. Suh, and A. C. Myers, "Using information flow to design an isa that controls timing channels," in 32nd IEEE Computer Security Foundations Symp. (CSF), June 2019. [Online]. Available: http: //www.cs.cornell.edu/andru/papers/hyperisa
- [56] M. S. Doerrie, "Confidence in confinement: An axiom-free, mechanized verification of confinement in capability-based systems," Ph.D. dissertation, Johns Hopkins University, 2015.
- [57] J. S. Shapiro and S. Weber, "Verifying the EROS confinement mechanism," in Proceeding 2000 IEEE Symposium on Security and Privacy. S&P 2000. IEEE, 2000, pp. 166–176.
- [58] T. C. Murray, D. Matichuk, M. Brassil, P. Gammie, T. Bourke, S. Seefried, C. Lewis, X. Gao, and G. Klein, "sel4: From general purpose to a proof of information flow enforcement," in 2013 IEEE Symposium on Security and Privacy, SP 2013, Berkeley, CA, USA, May 19-22, 2013, 2013, pp. 415–429. [Online]. Available: https://doi.org/10.1109/SP.2013.35
- [59] S. Goel *et al.*, "Formal verification of application and system programs based on a validated x86 ISA model," Ph.D. dissertation, The University of Texas at Austin, 2016.
- [60] W. A. Hunt, M. Kaufmann, J. S. Moore, and A. Slobodova, "Industrial hardware and software verification with ACL2," *Philosophical Transactions of the Royal Society A: Mathematical, Physical and Engineering Sciences*, vol. 375, 2017.
- [61] J. Choi, M. Vijayaraghavan, B. Sherman, A. Chlipala, and Arvind, "Kami: a platform for high-level parametric hardware specification and its modular verification," *PACMPL*, vol. 1, no. ICFP, pp. 24:1–24:30, 2017. [Online]. Available: https://doi.org/10.1145/3110268
- [62] C. Wolf, "End-to-end formal ISA verification of RISC-V processors with riscv-formal," In 7th RISC-V Workshop Proceedings, Nov. 2017, http://www.clifford.at/papers/ 2017/riscv-formal/.