CHERI concentrate: Practical compressed capabilities

Jonathan Woodruff, Alexandre Joannou, Hongyan Xia, Anthony Fox, Robert M. Norton, David Chisnall, Brooks Davis, Khilan Gudka, Nathaniel W. Filardo, A. Theodore Markettos, Michael Roe, Peter G. Neumann, Robert N. M. Watson, Simon W. Moore
Read: 14 July 2021

IEEE Transactions on Computers 68(10)
Pages 1455-1469
Oct 2019
Note(s): CHERI architecture, capabilities
Papers: woodruff:isca:2014

The core of the CHERI architecture is a form of “fat pointer” (capabilities) that captures the value of a pointer, lower and upper bounds on what addresses can be dereferenced at offsets from that pointer, permission flags and type flags. The original architecture design had 1+256-bit fat pointers; this paper slims this down to 1+128-bits. (The 1+ part is because an unforgeable tag bit is added to prevent spoofing of capabilities.)

The paper reviews alternative approaches to creating low-fat pointers and walks through a series of limitations and optimizations. The final design has the following features.

  • Uses tricks from floating point representations like the leading-one omission in normalized FP values and the split into a mantissa and exponent.

  • Allows out-of-bounds pointers, i.e. pointer values that lie outside the lower/upper bounds (such pointers have an offset added to bring them back into bounds before they are dereferenced).

    The representable region is at least twice the size of the dereferencable region.

  • An efficient approximate representability check is performed during (fat) pointer arithmetic to confirm that the new pointer value is safely within the representable region. The check is approximate so that pointer arithmetic is not made too slow.

    (They check that this does not impact timing on their FPGA implementation of CHERI.)
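As an added example (a toy C model written for these notes, not code from the paper or the CHERI project), the bounds-compression and representability ideas above: bounds are stored as MW-bit mantissas over an exponent E and decoded from the pointer's own high bits, and pointer arithmetic clears the tag when the result leaves the representable window, which is 2^(E+MW) wide while the object occupies at most half of it. MW = 14, the window placement R = base - 2^(MW-2) and the exact (rather than approximate) check are simplifying assumptions, not the paper's field sizes or hardware check.

```c
#include <stdbool.h>
#include <stdint.h>

/* Toy compressed capability (constructed for illustration, not the paper's bit
 * layout). Bounds keep MW mantissa bits above exponent E; the pointer supplies the rest. */
#define MW 14
#define MMASK ((1u << MW) - 1)

typedef struct {
    uint64_t addr;          /* full 64-bit pointer value */
    uint32_t baseM, topM;   /* low MW bits of (base >> E) and (top >> E) */
    unsigned E;             /* exponent: number of low-order bound bits dropped */
    bool tag;               /* validity tag; cleared by unrepresentable arithmetic */
} cap_t;

/* Smallest E keeping the object within half the 2^(E+MW) window; bounds round to 2^E. */
cap_t cap_make(uint64_t base, uint64_t len) {
    cap_t c = { .addr = base, .E = 0, .tag = true };
    while ((len >> c.E) >= (1u << (MW - 1))) c.E++;
    uint64_t top = (base + len + ((1ull << c.E) - 1)) >> c.E;   /* round top up */
    c.baseM = (base >> c.E) & MMASK; c.topM = top & MMASK;      /* base rounds down */
    return c;
}

/* Decode full bounds from the pointer's high bits. The window starts at R = baseM - 2^(MW-2)
 * (mod 2^MW); a mantissa below R lies in the next 2^(E+MW) block, hence the +/-1 corrections. */
void cap_bounds(const cap_t *c, uint64_t *base, uint64_t *top) {
    uint64_t a = c->addr >> c->E;
    uint32_t aM = a & MMASK, R = (c->baseM - (1u << (MW - 2))) & MMASK;
    int64_t aHi = (int64_t)(a >> MW);
    int64_t cb = (c->baseM < R) - (aM < R);
    int64_t ct = (c->topM < R) - (aM < R);
    *base = (((uint64_t)(aHi + cb) << MW) | c->baseM) << c->E;
    *top = (((uint64_t)(aHi + ct) << MW) | c->topM) << c->E;
}

/* Pointer arithmetic: the result may leave [base, top) but must stay inside the
 * representable window [R, R + 2^(E+MW)); otherwise the tag is cleared (exact check). */
cap_t cap_add(cap_t c, int64_t inc) {
    uint64_t base, top; cap_bounds(&c, &base, &top);
    uint64_t R = (base >> c.E) - (1ull << (MW - 2));   /* window start, in 2^E units */
    c.addr += (uint64_t)inc;
    if (((c.addr >> c.E) - R) >= (1ull << MW)) c.tag = false;
    return c;
}

bool cap_in_bounds(const cap_t *c) {
    uint64_t b, t; cap_bounds(c, &b, &t);
    return c->tag && c->addr >= b && c->addr < t;
}
```

A pointer moved just past the bounds stays tagged but fails the dereference check, while one moved past the window edge loses its tag; decoding with a pointer below the base exercises the wrap correction.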