The core of the CHERI architecture is a form of “fat pointer” (capabilities)
that captures the value of a pointer, lower and upper bounds on what addresses
can be dereferenced at offsets from that pointer, permission flags and
type flags.
The original architecture design had 1+256-bit fat pointers; this paper slims
this down to 1+128 bits.
(The 1+ part is because an unforgeable tag bit is added to prevent spoofing
of capabilities.)
The paper reviews alternative approaches to creating low-fat pointers and walks through a series of limitations and optimizations. The final design has the following features.
- Uses tricks from floating point representations like the leading-one omission in normalized FP values and the split into a mantissa and exponent.
- Allows out-of-bounds pointers where the pointer points outside the low-high boundary (but will have an offset added to them before the pointer is dereferenced).
The representable region is at least twice the size of the dereferenceable region.
- An efficient approximate representability check is performed during (fat) pointer arithmetic operations to check that the new pointer value is safely within the representable region. An approximate check is performed to avoid making pointer arithmetic too slow.
(They check that this does not impact timing on their FPGA implementation of CHERI.)
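A small Python model of these three ideas, added here as an illustration (it is not the paper's CHERI Concentrate encoding; the mantissa width MW, the placement of the representable window and the simplified fast check are assumptions): bounds are compressed floating-point style with a shared exponent, pointer arithmetic may leave the bounds but not the representable window, and the cheap check is conservative rather than exact.

```python
# Simplified model of a CHERI-style compressed capability (added illustration;
# MW, the window placement and the fast check below are assumptions, not the
# paper's exact CHERI Concentrate encoding).
MW = 8  # mantissa bits for the bounds (constructed; real designs use more)

def encode(base, length):
    """Floating-point style: pick the smallest exponent E at which the length
    fits in MW-1 mantissa bits, then align base down and top up to 2^E, so
    large objects lose low-order bound precision, as an FP mantissa does."""
    E = 0
    while length > 1 << (E + MW - 1):
        E += 1
    gran = 1 << E
    base_al = base & ~(gran - 1)
    top_al = (base + length + gran - 1) & ~(gran - 1)
    return {"E": E, "base": base_al, "top": top_al, "addr": base, "tag": True}

def repr_region(cap):
    """Representable window of 2^(E+MW) bytes (at least twice the object),
    starting a quarter window below base so the cursor can stray either way."""
    size = 1 << (cap["E"] + MW)
    lo = cap["base"] - (size >> 2)
    return lo, lo + size

def exact_representable(cap, new_addr):
    lo, hi = repr_region(cap)
    return lo <= new_addr < hi

def fast_representable(cap, inc):
    """Cheap, conservative stand-in for a single-cycle check: the increment's
    bits above E+MW must be all 0 or all 1 (|inc| < window size), and the
    increment is rounded away from zero to 2^E granularity before the window
    compare. A result in the last granule may therefore be rejected although
    it is representable; an unrepresentable result is never accepted."""
    E = cap["E"]
    if inc >> (E + MW) not in (0, -1):
        return False
    gran = 1 << E
    mag = (abs(inc) + gran - 1) // gran * gran
    return exact_representable(cap, cap["addr"] + (mag if inc >= 0 else -mag))

def add_offset(cap, inc):
    """Pointer arithmetic: the result stays tagged (valid, possibly out of
    bounds) only if it remains inside the representable window."""
    new = dict(cap, addr=cap["addr"] + inc)
    new["tag"] = cap["tag"] and fast_representable(cap, inc)
    return new

def can_deref(cap, width=1):
    """A dereference needs the tag and the whole access inside [base, top)."""
    return cap["tag"] and cap["base"] <= cap["addr"] and cap["addr"] + width <= cap["top"]
```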