Safe Speculation for CHERI

Bibliographic Details
Main Authors: Fuchs, Franz A., Woodruff, Jonathan, Rugg, Peter, Joannou, Alexandre, Clarke, Jessica, Baldwin, John, Davis, Brooks, Neumann, Peter G., Watson, Robert N. M., Moore, Simon W.
Format: Conference Proceeding
Language: English
Description
Summary: We present an architectural Capability Speculation Contract (CSC) for CHERI implementations, test for violations in the CHERI-Toooba microarchitecture, and develop and evaluate a conforming implementation. The CHERI capability instruction-set extension promises proven architectural guarantees for memory safety and pointer provenance. However, superscalar and out-of-order CHERI implementations will need to contend with microarchitectural transient-execution side-channel attacks. To ensure the safety of all CHERI implementations, we articulate CSC: a universal architectural speculation contract for the CHERI architecture that maintains key capability invariants in speculation. We then develop tests against sub-classes of CSC, and discover violations in CHERI-Toooba that lead to a new class of transient-execution attacks, Meltdown-CF (Capability Forgery), for which we develop a user-mode exploit that allows reads of secret data. We then develop strategies to fully enforce CSC in CHERI-Toooba. We find that simplistic, strong enforcement incurs a low performance overhead of only 3.43% in SPECint2006 benchmarks, with promise for more optimal designs in the future. Our architectural recommendations to mitigate Meltdown-CF have been accepted by the upstream CHERI architecture and are included in current CHERI-RISC-V drafts for ratification.
ISSN:2576-6996
DOI:10.1109/ICCD63220.2024.00063