-
Notifications
You must be signed in to change notification settings - Fork 7
/
Copy pathglossary.tex
855 lines (793 loc) · 37.9 KB
/
glossary.tex
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
\newglossaryentry{abstract capability}
{
name=abstract capability,
description={
% Abstract capabilities maintain the appearance of capability
% lifespan across operations that violate architectural \gls{capability
% provenance}.
% For example, abstract capabilities remain valid despite an OS kernel
% swapping them to and from disk, which requires that any architectural
% \gls{capability} in the swapped memory have its \gls{capability tag}
% restored through re-derivation
Abstract capabilities are a conceptual abstraction that overlays the
concrete capabilities of the architecture to describe the intended
maintenance of capability lifespan across operations that violate
architectural \gls{capability provenance}.
For example, if an OS kernel
swaps a page containing a capability to and from disk,
it will have to have its \gls{capability tag}
restored through re-derivation, so there is no longer an
architectural provenance relationship between the two, but for
application-level reasoning it is sometimes useful to regard there
to be one}
}
\newglossaryentry{address}
{
name=address,
description={An integer address suitable for dereference within an address
space.
In \gls{CHERI-RISC-V}, \glspl{capability} may be interpreted as
\glspl{virtual address} -- or \glspl{physical address} when operating in
Machine Mode}
}
\longnewglossaryentry{capability}
{
name=capability,
plural=capabilities,
}
{
A capability contains an \gls{address}, \gls{capability bounds}
describing a range of bytes within which addresses may be
\glslink{dereference}{dereferenced}, \gls{capability permissions}
controlling the forms of dereference that may be permitted (e.g., load or
store), a \gls{capability tag} protecting \gls{capability validity}
(integrity and \gls{capability provenance}), and a \gls{capability object type}
indicating whether it is a \gls{sealed capability}
(and, if so, under which \gls{capability object type} they are sealed)
or \gls{unsealed capability}.
The address embedded within a capability may be a \gls{virtual address} or
a \glspl{physical address} depending on the current addressing mode; when
used to authorize (un)sealing, the address is instead a
\gls{capability object type}.
In CHERI, capabilities are used to implement \glspl{pointer} with additional
protections in aid of \gls{fine-grained memory protection},
\gls{control-flow robustness}, and other higher-level protection models such
as \gls{software compartmentalization}.
Unlike a \gls{fat pointer}, capabilities are subject to
\gls{capability provenance}, ensuring that they are derived from a prior
valid capability only via valid manipulations, and \gls{capability
monotonicity}, which ensures that manipulation can lead only to
non-increasing rights.
CHERI capabilities provide strong compatibility with C-language pointers and
Memory Management Unit (MMU)-based system-software designs, by virtue of
its \gls{hybrid capability model}.
Architecturally, a capability can be viewed as an \gls{address} equal to the
sum of the \gls{capability base} and \gls{capability offset}, as well as
associated metadata.
%\psnote{Perhaps this base/offset view should now be de-emphasised? It's
%arguably implementation detail in any case}
Dereferencing a capability is done relative to that address.
% The implementation may choose to store the pre-computed address
% combining the base and offset, to avoid an implied addition on each memory
% access, and to similarly store the base and length as pre-computed
% addresses.
The size of an in-memory capability may be smaller than the sum of its
architectural fields (such as base, offset, and permissions) if a
\gls{compressed capability} mechanism, such as \gls{CHERI Concentrate}, is
used.
In the ISA, capabilities may be used explicitly via \gls{capability-based
instructions}, an application of the \gls{principle of intentional use},
but also implicitly using \glslink{legacy instructions}{legacy load
and store instructions} via the \gls{default data capability}, and
instruction fetch via the \gls{program-counter capability}.
A capability is either sealed or unsealed, controlling whether it has
software-defined or instruction-set-defined behavior, and whether or not its
fields are immutable.
Capabilities may be held in a \gls{capability register} or a
suitably-aligned word of \gls{tagged memory}.
}
\newglossaryentry{capability base}
{
name=capability base,
description={The lower of the two \gls{capability bounds}, from which
the \gls{address} of a \gls{capability} can be calculated by using
the \gls{capability offset}}
}
\newglossaryentry{capability bounds}
{
name=capability bounds,
description={Upper and lower bounds, associated with each
\gls{capability}, describing a range of \glspl{address} that may
be \glslink{dereference}{dereferenced} via the capability.
Architecturally, bounds are with respect to the \gls{capability base},
which provides the lower bound, and \gls{capability length}, which
provides the upper bound when added to the base.
The bounds may be empty, connoting no right to dereference at any
address.
The address of a capability may float outside of the
dereferenceable bounds; with a \gls{compressed capability}, it may not
be possible to represent all possible \glslink{out of
bounds}{out-of-bounds} addresses.
Bounds may be manipulated subject to \gls{capability monotonicity}
using \gls{capability-based instructions}}
}
\newglossaryentry{capability length}
{
name=capability length,
description={The distance between the lower and upper \gls{capability
bounds}}
}
\newglossaryentry{capability monotonicity}
{
name=capability monotonicity,
description={Capability monotonicity is a property of the instruction set
that any requested manipulation of a \gls{capability}, whether in a
\gls{capability register} or in memory, either leads to strictly
non-increasing rights, clearing of the \gls{capability tag}, or a
hardware exception.
\knnote{I presume that the ``rights'' of a capability are
determined by its permissions and its bounds, but not by its
sealedness. In other words, increasing the permissions or bounds
of a capability would increase its rights, but unsealing a
capability would not increase its right. If this is correct,
perhaps it could help to explicitly state this here.}
Controlled violation of monotonicity can be achieved via the exception
delivery mechanism, which grants rights to additional capability
register, and also by the \gls{CInvoke} instruction, which may
unseal (and jump to) suitably checked \glspl{sealed
capability}.
\knnote{The exception delivery mechanism and the CCall instruction
do not violate monotonicity, since they do not increase the rights of
any capability. They do violate the monotonicity of the set of
reachable rights (see \ref{sec:model-monotonicity}), because an
exception makes a capability reachable that might not have been
reachable before (namely the KCC) and the CCall instruction
unseals capabilities without needing a capability that has the
authority to unseal them. Perhaps it would be worth creating a
glossary entry for the set of reachable rights, and mention that
this set is monotonic as long as no exceptions are raised or
CCalls are executed.}}
}
\newglossaryentry{capability object type}
{
name=capability object type,
description={In addition to \glslink{fat pointer}{fat-pointer} metadata such
as \gls{capability bounds} and \gls{capability permissions}, \glspl{capability} also contain an integer object type.
The object type space is partitioned into a range of non-reserved and
\gls{reserved capability object type} types.
The \glspl{reserved capability object type} are hardware-interpreted and
include \glspl{unsealed capability} or \glspl{sealed entry capability}.
If the object type is one of the non-\glspl{reserved capability object type},
the capability is a \gls{sealed capability with an object type}.
For \glspl{sealed capability with an object type}, the object type is set during a
sealing operation to the \gls{address} of the \gls{sealing capability}.
Object types can be used to link a sealed \gls{code capability} and a
sealed \gls{data capability} when used with \gls{CInvoke} to implement a
software object model or to implement software-defined tokens of authority}
}
\newglossaryentry{capability offset}
{
name=capability offset,
description={The distance between \gls{capability base} and the
\gls{address} accessed when the \gls{capability} is used as a \gls{pointer}}
}
\newglossaryentry{capability permissions}
{
name=capability permissions,
description={A bitmask, associated with each \gls{capability},
describing a set of ISA- or software-defined operations that may be
performed via the capability.
ISA-defined permissions include load data, store data, instruction fetch,
load capability, and store capability.
Permissions may be manipulated subject to \gls{capability monotonicity}
using \gls{capability-based instructions}}
}
\newglossaryentry{capability provenance}
{
name=capability provenance,
description={
% The property that, following manipulation, a \gls{capability}
% remains valid for use only if it is derived from another valid capability
% using a valid capability operation.
% Provenance is implemented using a \gls{capability tag} combined with
% \gls{capability monotonicity}, and will be preserved whether a
% capability is held in a \gls{capability register} or \gls{tagged memory},
% subject to suitable use of \gls{capability-based instructions}
The property that a valid-for-use \gls{capability} can only be
constructed by deriving it from another valid capability
using a valid capability operation.
% PS: not totally clear what a ``valid capability operation'' is. An
% execution of a capability instruction that doesn't raise an exception?
Provenance is implemented using a \gls{capability tag} combined with
\gls{capability monotonicity},
% PS: the text (both previous version and mine) defines provenance as
% a property of the architecture, not ``the provenance of a
% capability'' as the source capability or derivation chain, so we
% can't say ``will be preserved'' like the text did.
% Maybe we should define that more explicit notion of provenance, and
% replace this glossary entry with one for ``capability provenance
% preservation'', but I've not for now.
irrespective of
%
whether a
capability is held in a \gls{capability register} or \gls{tagged memory}}
% PS: surely ``capability provenance'' should hold universally, not only
% ``subject to suitable use of \gls{capability-based instructions''?
}
\newglossaryentry{capability register}
{
name=capability register,
description={A capability register is an architectural register able to hold
a \gls{capability} including its \gls{capability tag}, \gls{address},
other \glslink{fat pointer}{fat-pointer} metadata such as
its \gls{capability bounds} and \gls{capability permissions}, and optional
\gls{capability object type}.
A capability register might be a dedicated register intended primarily for
capability-related operations (e.g., the \gls{default data capability}), or a general-purpose integer
register that has been extended with capability metadata (such as the
\gls{program-counter capability}.
Capability registers must be used to retain tag bits on capabilities
transiting through memory, as only \gls{capability-based instructions}
enforce \gls{capability provenance} and \gls{capability monotonicity}}
}
\newglossaryentry{capability tag}
{
name=capability tag,
description={A capability tag is a 1-bit integrity tag associated with each
\gls{capability register}, and also with each capability-sized,
capability-aligned location in memory.
If the tag is set, the \gls{capability} is valid and can be
\glslink{dereference}{dereferenced} via the ISA.
If the tag is clear, then the capability is invalid and cannot be
dereferenced via the ISA.
Tags are preserved
by ISA
operations that conform to \gls{capability
provenance} and \gls{capability monotonicity} rules -- for example,
that any attempted modification of \gls{capability bounds} leads to
non-increasing bounds,
%was ``writes'', not ``bounds'' - presume just a typo?
and that in-memory capabilities are written only
via capability stores, not data stores -- otherwise, tags are cleared}
%
% Subject to these constraints, tags will be preserved by
% \gls{capability-based instructions}
}
\newglossaryentry{capability validity}
{
name=capability validity,
description={A \gls{capability} is valid if its \gls{capability tag}
is set, which permits use of the capability subject to its
\gls{capability bounds}, \gls{capability permissions}, and so on.
Attempts to \gls{dereference} a capability without a tag set will lead
to a hardware exception}
}
\newglossaryentry{capability-based instructions}
{
name=capability-based instructions,
description={These instructions accept capabilities as operands, allowing
capabilities to be loaded from and stored memory, manipulated subject to
\gls{capability provenance} and \gls{capability monotonicity} rules,
and used for a variety of operations such as loading and storing data and
capabilities, as branch targets, and to retrieve and manipulate capability
fields -- subject to \gls{capability permissions}}
}
\longnewglossaryentry{CInvoke}
{
name=CInvoke
}
{
The \insnref{CInvoke} instruction is a source of controlled
non-monotonicity in the \gls{CHERI-RISC-V} and \gls{CHERI-x86-64} ISAs.
\psnote{See Kyndylan's note for capability monotonicity}
It can directly enter any userspace domain described by a pair
of sealed capabilities with the \emph{Permit\_Invoke} permission set.
In particular, it can
safely enter userspace domain-transition code
described by the sealed \gls{code capability} while also unsealing
the sealed \gls{data capability}.
The sealed operand \glspl{capability register}
are checked for suitable properties and correspondence, and the userspace
domain-transition routine can store any return information, perform further error
checking, and so on.
}
\newglossaryentry{CHERI Concentrate}
{
name=CHERI Concentrate,
description={CHERI Concentrate is a specific \gls{compressed capability}
format that represents a 64-bit \gls{address} with full precision, and
\gls{capability bounds} relative to that address with reduced precision.
Bounds have a floating-point representation, requiring that as the size of
a bounded object increases, greater alignment of its \gls{capability base}
and \gls{capability length} are required.
CHERI Concentrate is the successor compression format to \gls{CHERI-128}}
}
\newglossaryentry{CHERI-128}
{
name=CHERI-128,
description={CHERI-128 is a specific \gls{compressed capability} format that
represents a 64-bit \gls{address} with full precision, and
\gls{capability bounds} relative to that address with reduced precision.
Bounds have a floating-point representation, requiring that as the size of
a bounded object increases, greater alignment of its \gls{capability base}
and \gls{capability length} are required.
CHERI-128 has been replaced with \gls{CHERI Concentrate}}
}
\newglossaryentry{CHERI-MIPS}
{
name=CHERI-MIPS,
description={An application of the CHERI protection model to the 64-bit MIPS
ISA}
}
\newglossaryentry{CHERI-RISC-V}
{
name=CHERI-RISC-V,
description={An application of the CHERI protection model to the RISC-V ISA}
}
\newglossaryentry{CHERI-x86-64}
{
name=CHERI-x86-64,
description={An application of the CHERI protection model to the x86-64 ISA}
}
\newglossaryentry{code capability}
{
name=code capability,
plural=code capabilities,
description={A \gls{capability} whose \gls{capability permissions} have been
configured to permit instruction fetch (i.e., execute) rights; typically,
write permission will not be granted via an executable capability, in
contrast to a \gls{data capability}.
Code capabilities are used to implement \gls{control-flow robustness} by
constraining the available branch and jump targets}
}
\newglossaryentry{compressed capability}
{
name=compressed capability,
plural=compressed capabilities,
description={A \gls{capability} whose \gls{capability bounds} are
compressed with respect to its \gls{address}, allowing its
in-memory footprint to be reduced -- e.g., to 128 bits, rather than the
roughly
architectural 256 bits visible to the instruction set when a capability
is loaded into a register file.
Certain architecturally valid \glslink{out of bounds}{out-of-bounds}
addresses may not be \glslink{representable
capability}{representable} with capability compression; operations leading
to \glslink{unrepresentable capability}{unrepresentable capabilities}
will clear the \gls{capability tag} or throw an exception in order to
ensure continuing \gls{capability monotonicity}.
\gls{CHERI-128} and \gls{CHERI Concentrate} are specific compressed
capability models that select particular points in the tradeoff space
around in-memory capability size, bounds alignment requirements, and
representability}
}
\newglossaryentry{control-flow robustness}
{
name=control-flow robustness,
description={The use of \glspl{code capability} to constrain the set of
available branch and jump targets for executing code, such that the
potential for attacker manipulation of the \gls{program-counter
capability} to simulate injection of arbitrary code is severely
constrained; a form of \gls{vulnerability mitigation} implemented via
the \gls{principle of least privilege}}
}
\newglossaryentry{data capability}
{
name=data capability,
plural=data capabilities,
description={A \gls{capability} whose \gls{capability permissions} have been
configured to permit data load and store, but not instruction fetch (i.e.,
execute) rights; in contrast to a \gls{code capability}}
}
\newglossaryentry{default data capability}
{
name=default data capability (\DDC{}),
description={A \gls{special capability register} constraining
\glslink{legacy instructions}{legacy} non-\gls{capability-based
instructions} that load and store data without awareness of the capability
model.
Any attempts to load and store will be relocated relative to the default
data capability's \gls{capability base} and \gls{capability offset}, and
controlled by its \gls{capability bounds} and \gls{capability
permissions}.
Use of the default data capability violates the \gls{principle of
intentional use}, but permits compatibility with legacy software.
A suitably configured default data capability will prevent the use of
non-capability-based load and store instructions}
}
\newglossaryentry{dereference}
{
name=dereference,
description={Dereferencing a \gls{address} means that it is the
target address for a load, store, or instruction fetch.
A \gls{capability} may be dereferenced only subject to it being valid
-- i.e., that its \gls{capability tag} is present -- and is also subject
to appropriate checks of its \gls{capability bounds}, \gls{capability permissions}, and
so on.
Dereference may occur as a result of explicit use of a capability via
\gls{capability-based instructions}, or implicitly as a result of the
\gls{program-counter capability} or \gls{default data capability}}
}
\newglossaryentry{exception code capability}
{
name=exception code capability,
description={An architecture-defined capability which holds a
privileged \gls{code capability} for use by the kernel during exception
handling.
This value will be installed in the \gls{program-counter capability} on
exception entry, with the previous value of the program-counter
capability stored in the \gls{exception program-counter capability}}
}
\newglossaryentry{exception data capability}
{
name=exception data capability,
description={An architecture-defined capability which holds a
privileged \gls{data capability} for use by the kernel during exception
handling.
Typically, this will refer either to the data segment for a microkernel
intended to field exceptions, or for the full kernel.
Kernels compiled to primarily use \gls{legacy instructions} might install
this in the \gls{default data capability} for the duration of kernel
execution.}
}
\newglossaryentry{exception program-counter capability}
{
name=exception program-counter capability,
description={An architecture-specific location into which the running
\gls{program-counter capability} is stored on an exception, and
whose value is loaded into the program-counter capability on
exception return}
}
\newglossaryentry{fat pointer}
{
name=fat pointer,
description={A \gls{pointer} (\gls{address}) that has been extended
with additional metadata such as \gls{capability bounds} and
\gls{capability permissions}.
In conventional fat-pointer designs, fat pointers to not have a notion of
sealing (i.g., as in \glspl{sealed capability} and \glspl{unsealed
capability}), nor rules implementing \gls{capability provenance} and
\gls{capability monotonicity}}
}
\newglossaryentry{fine-grained memory protection}
{
name=fine-grained memory protection,
description={The granular description of available code and data in which
\gls{capability bounds} and \gls{capability permissions} are made as
small as possible, in order to limit the potential effects of software
bugs and vulnerabilities.
This approach applies both to \glspl{code capability} and \glspl{data
capability}, offering effective \gls{vulnerability mitigation} via
techniques such as \gls{control-flow robustness}, as well as supporting
higher-level mitigation techniques such as \gls{software
compartmentalization}.
Fine-grained memory protection will typically be driven by the goal of
implementing the \gls{principle of least privilege}}
}
\newglossaryentry{hybrid capability model}
{
name=hybrid capability model,
description={A \gls{capability} model in which not all interfaces to use or
manipulate capabilities conform to the \gls{principle of intentional
use}, such that legacy software is able to execute around, or within,
capability-constrained environments, as well as other features required
to improve compatibility with conventional software designs permitting
easier incremental adoption of a capability-system model.
In CHERI, composition of the capability-system model with the conventional
Memory Management Unit (MMU), the support for \gls{legacy instructions}
via the \gls{program-counter capability} and \gls{default data
capability}, and strong compatibility with the C-language \gls{pointer}
model, all constitute hybrid aspects of its design, in comparison to a
more pure capability-system model that might elide those behaviors at a
cost to compatibility and adoptability}
}
\newglossaryentry{principle of intentional use}
{
name=principle of intentional use,
description={A design principle in capability systems in which rights are
always explicitly, rather than implicitly exercised.
This arises in the CHERI instruction set through explicit \gls{capability}
operands to \gls{capability-based instructions}, which contributes to the
effectiveness of \gls{fine-grained memory protection} and
\gls{control-flow robustness}.
When applied, the principle limits not just the rights available in the
presence of a software vulnerability, but the extent to which software can
be manipulated into using rights in an unintended (and exploitable)
manner}
}
\newglossaryentry{invoked data capability}
{
name=invoked data capability (\IDC{}),
plural=invoked data capabilities,
description={A capability register reserved by convention to hold the
unsealed \gls{data capability} on the callee side of \gls{CInvoke}.
Typically, for the caller side, this will point at a frame on the caller
stack sufficient to safely restore any caller state.
On the callee side, the invoked data capability will be a data capability
describing the object's internal state}
}
\newglossaryentry{legacy instructions}
{
name=legacy instructions,
description={Legacy instructions are those that accept integer addresses,
rather than capabilities, as their operands, requiring use of the
\gls{default data capability} for loads and stores, or that explicitly set
the program counter to a address, rather than doing setting the
\gls{program-counter capability}.
These instructions allow legacy binaries (those compiled without CHERI
awareness) to execute, but only without the benefits of
\gls{fine-grained memory protection}, granular \gls{control-flow
robustness}, or more efficient \gls{software compartmentalization}.
While still constrained, these instructions do not conform to the
\gls{principle of intentional use}}
}
\newglossaryentry{Morello}
{
name=Morello,
description={An application of the CHERI protection model to the ARMv8-A architecture}
}
\newglossaryentry{out of bounds}
{
name=out of bounds,
description={When a \gls{capability}'s \gls{capability offset} falls outside
of its \gls{capability bounds}, it is out of bounds, and cannot be
\glslink{dereference}{dereferenced}.
Even if a capability's offset is in bounds, the width of a data access may
cause a load, store, or instruction fetch to fall out of bounds, or the
further offset introduced via a register index or immediate operand to an
instruction.
If an instruction shifts the offset
too far out of bounds, this may result in an \gls{unrepresentable
capability}, leading to the \gls{capability tag} being cleared, or an
exception being thrown}
}
\newglossaryentry{physical address}
{
name=physical address,
plural=physical addresses,
description={An \gls{address} that is passed directly to the memory
hierarchy without \glslink{virtual address}{virtual-address} translation.
In \gls{CHERI-RISC-V}, \glspl{capability} addresses may be interpreted as
physical addresses in Machine Mode}
}
\newglossaryentry{pointer}
{
name=pointer,
description={A pointer is a language-level reference to a memory object.
In conventional ISAs, a pointer is typically represented as an
\gls{address}.
In CHERI, pointers can be represented either as an address
indirected via the \gls{default data capability} or \gls{program-counter
capability}, or as a \gls{capability}.
In the latter cases, its integrity and \gls{capability provenance} are
protected by the \gls{capability tag}, and its use is limited by
\gls{capability bounds} and \gls{capability permissions}.
\Gls{capability-based instructions} preserve the tag as required across
both \glspl{capability register} and \gls{tagged memory}, and also
enforce \gls{capability monotonicity}: legitimate operations on the
pointer cannot broaden the set of rights described by the capability}
}
\newglossaryentry{principle of least privilege}
{
name=principle of least privilege,
description={A principle of software design in which the set of rights
available to running code is minimized to only those required for it to
function, often with the aim of \gls{vulnerability mitigation}.
In CHERI, this concept applies via fine-grained memory protection for
both data and code, and also higher-level \gls{software
compartmentalization}}
}
\newglossaryentry{program-counter capability}
{
name=program-counter capability (\PCC{}),
description={A \gls{capability register} that extends the existing
program counter to include
\gls{capability} metadata such as a \gls{capability tag}, \gls{capability
bounds}, and \gls{capability permissions}.
The program-counter capability ensures that instruction fetch occurs only
subject to capability protections.
When an exception fires, the value of the program-counter capability will
be saved in the \gls{exception program-counter capability}, and the value
of the \gls{exception code capability} moved into the program-counter
capability.
On exception return, the value of the exception program-counter capability
will be restored to the program-counter capability}
}
\newglossaryentry{representable capability}
{
name=representable capability,
plural=representable capabilities,
description={A \gls{compressed capability} whose \gls{capability offset}
is representable with respect to its \gls{capability bounds}; this
does not imply that the offset is ``within bounds'', but does require
that it be within some broader window around the bounds}
}
\newglossaryentry{reserved capability object type}
{
name=reserved capability object type,
plural=reserved capability object types,
description={Certain \glspl{capability object type} are not available for software use and instead have hardware-defined semantics.
On \gls{CHERI-RISC-V} and \gls{CHERI-x86-64}, all negative \glspl{capability object type} are
reserved: \glspl{unsealed capability} use the value $2^{64}-1$ and \glspl{sealed entry capability}
have an object type of $2^{64}-2$.
The remaining \glspl{capability object type} are used for \glspl{sealed capability with an object type}}
}
\newglossaryentry{return capability}
{
name=return capability,
plural=return capabilities,
description={A \gls{capability} designated as the destination for the
return address when using a capability jump-and-link instruction.
A degree of \gls{control-flow robustness} is provided due to
\gls{capability bounds}, \gls{capability permissions}, and the
\gls{capability tag} on the resulting capability, which limits sites that
may be jumped back to using the return capability}
}
\newglossaryentry{sealed capability}
{
name=sealed capability,
plural=sealed capabilities,
description={A sealed \gls{capability} is one whose \gls{capability object type}
is not equal to the unsealed object type ($2^{64}-1$ for \gls{CHERI-RISC-V} and \gls{CHERI-x86-64}).
A sealed capability's \gls{address}, \gls{capability bounds},
\gls{capability permissions}, and other fields are immutable -- i.e.,
cannot be modified using \gls{capability-based instructions}.
A sealed capability cannot be directly \glslink{dereference}{dereferenced}
using the instruction set, and must be unsealed before it can be used.
This can be used to implement non-monotonic domain transition, as a
sealed capability may carry rights not otherwise present in the
\glspl{capability register}.
Two types exist: \glspl{sealed capability with an object type} and
\glspl{sealed entry capability}.
They have different properties catering to different use cases}
}
\newglossaryentry{sealed capability with an object type}
{
name=sealed capability with an object type,
plural=sealed capabilities with object types,
description={A \gls{sealed capability} whose \gls{capability object type}
is not one of the \glspl{reserved capability object type}.
These sealed capability have a \gls{capability object type} derived
from their \glspl{sealing capability}'s \gls{address}.
CHERI's sealing feature allows capabilities to be used to describe
software-defined objects, permitting implementation of encapsulation.
Unsealing can be performed using the \gls{CInvoke} instruction, or
using the \insnref{CUnseal} instruction combined with a suitable
\gls{sealing capability}.
Sealed capabilities with object types provide the necessary architectural
encapsulation support to efficiently implement fine-grained
compartmentalization using an object-oriented model}
}
\newglossaryentry{sealed entry capability}
{
name=sealed entry capability,
plural=sealed entry capabilities,
description={A sealed entry \gls{capability} (also known as
\gls{sentry capability}) is a \gls{sealed capability}
whose \gls{capability object type} is set to the sentry \gls{reserved capability object type} ($2^{64}-2$ for \gls{CHERI-RISC-V} and \gls{CHERI-x86-64}).
Sealed entry capabilities are commonly referred to as \glspl{sentry
capability}.
Sealed entry capabilities are do not support linking sealed code and
data capabilities, unlike \glspl{sealed capability with an object type}.
A sealed entry capability is unsealed by jumping to it using a regular
capability jump instruction}
}
\newglossaryentry{sealing capability}
{
name=sealing capability,
plural=sealing capabilities,
description={A sealing capability is one with the \cappermSeal
permission, allowing it to be used to create \glspl{sealed capability}
using a \gls{capability object type} set to the sealing capability's
\gls{address}, and subject to its bounds}
}
\newglossaryentry{sentry capability}
{
name=sentry capability,
plural=sentry capabilities,
description={Sentry capability is a convenient shorthand for a
\gls{sealed entry capability}}
}
\newglossaryentry{software compartmentalization}
{
name=software compartmentalization,
description={The configuration of \glspl{code capability} and \glspl{data
capability} available via accessible \glspl{capability
register}, and \gls{tagged memory} such that software components can be
isolated from one another, enabling \gls{vulnerability mitigation} via the
application of the \gls{principle of least privilege} at the application
layer.
One approach to implementing software compartmentalization on CHERI is to
use \gls{CInvoke} to jump into sealed code
and data capabilities describing a trusted intermediary and destination
protection domain}
}
\newglossaryentry{stack capability}
{
name=stack capability,
plural=stack capabilities,
description={A \gls{capability} referring to the current stack, whose
\gls{capability bounds} are suitably configured to allow access only to
the remaining stack available to allocate at a given point in execution}
}
\newglossaryentry{special capability register}
{
name=special capability register,
description={Special capability registers have special architectural
meanings, and include the \gls{default data capability} as well
as additional architecture-specific capability registers.
Not all registers are accessible at all times; for example, some may be
available only in certain rings, or when \PCC{} has
\cappermASR{}}
}
\newglossaryentry{tagged memory}
{
name=tagged memory,
description={Tagged memory associates a 1-bit \gls{capability tag} with
each \gls{capability}-aligned, capability-sized word in memory.
\Gls{capability-based instructions} that load and store capabilities
maintain the tag as the capability transits between memory and the
\glspl{capability register}, tracking \gls{capability provenance}.
When data stores (i.e., stores of non-capabilities), the tag on the
memory location will be atomically cleared, ensuring the integrity of
in-memory capabilities}
}
\newglossaryentry{trusted computing base}
{
name=Trusted Computing Base (TCB),
description={The subset of hardware and software that is critical to the
security of a system;
in secure system designs, there is often a goal to minimize the size of
the TCB in order to minimize the opportunity for exploitable software
vulnerabilities}
}
\newglossaryentry{unrepresentable capability}
{
name=unrepresentable capability,
plural=unrepresentable capabilities,
description={A \gls{compressed capability} whose \gls{capability offset} is
sufficiently outside of its \gls{capability bounds} that the combined
\gls{pointer} value and bounds cannot be represented in the compressed format;
constructing an unrepresentable capability will lead to the tag being
cleared (and information loss) or an exception, rather than a violation
of \gls{capability provenance} or \gls{capability monotonicity}}
}
\newglossaryentry{unsealed capability}
{
name=unsealed capability,
plural=unsealed capabilities,
description={An unsealed \gls{capability} is one whose \gls{capability object type}
is the unsealed object type ($2^{64}-1$ for \gls{CHERI-MIPS} and \gls{CHERI-RISC-V}).
Its remaining capability fields are mutable, subject to \gls{capability
provenance} and \gls{capability monotonicity} rules.
These capabilities have hardware-defined behaviors -- i.e., subject to
\gls{capability bounds}, \gls{capability permissions}, and so on,
can be \glslink{dereference}{dereferenced}}
}
\newglossaryentry{virtual address}
{
name=virtual address,
plural=virtual addresses,
description={An integer \gls{address} translated by the Memory Management
Unit (MMU) into a \gls{physical address} for the purposes of load, store,
and instruction fetch.
\Glspl{capability} embed an address, as well as \gls{capability bounds}
relative to the address.
The integer addresses passed to \glslink{legacy instructions}{legacy load
and store instructions} are checked with CHERI using the
\gls{default data capability}. The interpretation -- physical or virtual
addresses -- is not changed by CHERI.
Similarly, the integer addresses passed to legacy branch and jump
instructions are checked using the \gls{program-counter capability}}
}
\newglossaryentry{vulnerability mitigation}
{
name=vulnerability mitigation,
description={A set of techniques limiting the effectiveness of the attacker
to exploit a software vulnerability, typically achieved through use of
the \gls{principle of least privilege} to constrain injection of
arbitrary code, control of the \gls{program-counter capability} via
\gls{control-flow robustness} using \glspl{code capability}, minimization of
data rights granted via available \glspl{data capability}, and higher-level
\gls{software compartmentalization}}
}