Investigating the Usage and Protection of CHERI Capabilities with Shared Memory-based IPC

Many bugs, security vulnerabilities and exploits can be traced back to memory safety and the unintentional misuse of pointers. As such, various software solutions to mitigate this problem have been developed, like memory-safe programming languages such as Rust, or compiler tools like AddressSanitizer. Most of these solutions carry major drawbacks, from requiring a complete rewrite of existing software to significant performance impacts. Thus, CHERI hsa been proposed as a hardware solution to this problem that is supposed to require minimal (if any) modification to existing software.

CHERI is an instruction set architecture extension developed by the University of Cambridge, with the goal of significantly increasing memory safety by introducing architectural support for so-called capabilities. Using these capabilities, regular C/C++ pointers can be implemented such that they include bounds as well as permissions (read, write and execute). Any usage of a pointer outside its specified permissions raises a hardware exception, automatically terminating any unintended behavior. New capability pointers can only be derived as subsets of already existing capabilities, guaranteeing that no part of any process can access memory that it does not already hold a capability for.

When combined with the classic POSIX process model, capabilities are issued for virtual addresses. A problem arises when processes may share pointers via inter-process communication, for example, to pass data to and from any child processes after a call to fork(). Capabilities that are harmless and validly issued in one process can have completely different semantics in the other process'es address space. To prevent this forgery of capabilities, a violation of one of CHERI's fundamental principles, writing and reading pointers from shared memory is currently completely disallowed in CheriBSD.

This could present problems for programs that uses shared memory to store pointers, or other data structures containing pointers. While pointers are usually not trivially transferable between processes, some programs may still share pointers after forking or carefully aligning their address spaces. Thus, the goal of this thesis is to investigate to what extent this blanket ban affects real-world software, as well as to evaluate potential, more fine-grained, approaches to mitigate this problem.