CHERI with a Linux on top
The Capability Hardware Enhanced RISC Instructions (CHERI) project is a rethinking of computer architecture in order to improve system security. Carl Shaw gave a presentation at Linux Security Summit Europe (LSS EU) about CHERI and the efforts to get Linux running on it. He introduced capabilities, which are a mechanism for access control, and outlined their history, which goes back many decades at this point, then looked more specifically at the CHERI project and what it will take to apply the security constraints of capabilities to an operating system like Linux.
Capabilities
At its core, CHERI is about extending instruction-set architectures (ISAs) to add support for capabilities. A 1966 paper, "Programming Semantics for Multiprogrammed Computations", introduced the idea of capabilities, along with many of the ideas that would later underlie Unix. The paper had a strong focus on security and ensuring that computations did not interfere with each other; it generalized some ideas from earlier computers like Atlas, Rice Computer, and various Burroughs machines into what the authors called "capabilities". "Processes need to own capabilities to be able to do something on a system."
A capability is a reference and a set of rights; "a capability is an access-control object". It was originally applied to memory, but the paper expanded the idea to cover I/O and other system resources. For memory, which he was focusing on for the talk, the reference is to a region of memory and the rights are permissions to read, write, and execute it. More formally, "a capability is an unforgeable, transferable token that authorizes the use of an object", he said.
An object capability of that sort incorporates both a reference to the object and access rights for that object. The paper used a list of capabilities that a process had access to, which was called the "C-list". Each entry was a capability, with a reference to a memory segment and the permissions for it. So access to memory required an indirection through the C-list table, which turned out not to perform well.
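As an added illustration (not code from the talk or from the CHERI project), here is a small software model of the memory capability just described: a reference (base and length) plus rights, valid only when derived from an existing capability, with every load and store checked against it. The names (cap_t, cap_root, cap_restrict, the CAP_* bits) are assumptions of this model, not CHERI's encoding.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical permission bits for this model; not CHERI's actual encoding. */
enum { CAP_READ = 1, CAP_WRITE = 2, CAP_EXEC = 4 };

/* A memory capability as described above: a reference (base, length) plus
 * rights, and a tag marking it valid. Only cap_root() and cap_restrict()
 * set the tag, standing in for hardware unforgeability. */
typedef struct { uint8_t *base; size_t length; unsigned perms; bool tag; } cap_t;

/* Root capability covering a whole segment, as handed out by the system. */
cap_t cap_root(uint8_t *buf, size_t len, unsigned perms) {
    cap_t c = { buf, len, perms, true };
    return c;
}
/* Derive a narrower capability: bounds and rights may only shrink.
 * Any attempt to widen either yields an untagged (invalid) capability. */
cap_t cap_restrict(cap_t parent, size_t offset, size_t length, unsigned perms) {
    cap_t c = { 0, 0, 0, false };
    if (!parent.tag || offset > parent.length ||
        length > parent.length - offset || (perms & ~parent.perms) != 0)
        return c;
    c.base = parent.base + offset; c.length = length; c.perms = perms; c.tag = true;
    return c;
}
/* Every access goes through a capability: a missing tag, a missing right, or an
 * offset outside the bounds refuses the access instead of touching memory. */
bool cap_store(cap_t c, size_t offset, uint8_t v) {
    if (!c.tag || !(c.perms & CAP_WRITE) || offset >= c.length) return false;
    c.base[offset] = v;
    return true;
}
bool cap_load(cap_t c, size_t offset, uint8_t *out) {
    if (!c.tag || !(c.perms & CAP_READ) || offset >= c.length) return false;
    *out = c.base[offset];
    return true;
}
/* Walk-through on a constructed 16-byte segment: a full root capability, a
 * read-only view of bytes 4..11, and the accesses the model must refuse.
 * Returns true when every check behaves as expected. */
bool demo(void) {
    static uint8_t segment[16];
    cap_t root = cap_root(segment, sizeof segment, CAP_READ | CAP_WRITE);
    cap_t ro = cap_restrict(root, 4, 8, CAP_READ);
    cap_t widened = cap_restrict(ro, 0, 8, CAP_READ | CAP_WRITE); /* must fail */
    uint8_t v = 0;
    return cap_store(root, 5, 0x2a) && cap_load(ro, 1, &v) && v == 0x2a
        && !cap_store(ro, 1, 0) && !cap_load(ro, 8, &v) && !widened.tag;
}
```

The C-list indirection the paper used is what a `cap_t` value held in a register replaces: the reference and its rights travel together, so no table lookup is needed on each access.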
He mentioned a few of the early hardware implementations of capabilities, starting in 1970, though he said there were some slightly earlier machines in the US. The CAP computer was from Cambridge University; the "first ever commercial capability-based system" was the Plessey System 250, which was not a general-purpose computer and was originally used by the military for message routing. It did have many of the attributes of modern computers, such as virtual memory and symmetric multiprocessing; "it was a pretty far ahead machine for its day".
A less-successful capability-based CPU is the Intel iAPX 432 from 1975, which ended up only being used in niche applications. Its performance was poor, mainly due to the indirection required to access memory. More recently, the Arm Morello CPU in 2022 was the result of a research project between the company and the UK government; it added CHERI on top of an Arm Neoverse processor. It was developed on a short time scale of about a year, so compromises inevitably had to be made, Shaw said, but "they did a really good job on it"; it is still used for research, but newer CHERI implementations have narrowed their focus to a smaller, more commercially viable subset of capabilities than the Morello has.
There were a number of operating systems developed using capabilities, "some you've probably never heard of", including KeyKOS, EROS, and CapROS, which were mostly "focused around high levels of reliability". In modern times, seL4 uses capabilities and, this year, it is joined by CHERI-seL4.