Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

PICASSO: Scaling CHERI Use-After-Free Protection to Millions of Allocations using Colored Capabilities

Merve Gülmez, Ruben Sturm, Hossam ElAtali, Håkan Englund, Jonathan Woodruff, N. Asokan, Thomas Nyman

TL;DR

PICASSO presents colored capabilities to scale CHERI temporal safety for heap allocations by introducing provenance tracking via a hardware-managed Provenance Validity Table. This limited indirection enables bulk retraction of all capabilities linked to a given allocation, removing the need for quarantine and dramatically reducing revocation sweeps. Implemented on CHERI-RISC-V (Toooba) and integrated into CheriBSD and the CHERI-LLVM toolchain, PICASSO demonstrates detection of use-after-free/double-free in thousands of Juliet test cases with modest performance overhead on SPECint benchmarks and improved latency characteristics in SQLite, PostgreSQL, and gRPC workloads. The results indicate practical viability for large-scale memory-safety enforcement with deterministic guarantees and reduced runtime disruption, signaling a significant step toward scalable temporal safety in capability-based architectures.

Abstract

While the CHERI instruction-set architecture extensions for capabilities enable strong spatial memory safety, CHERI lacks built-in temporal safety, particularly for heap allocations. Prior attempts to augment CHERI with temporal safety fall short in terms of scalability, memory overhead, and incomplete security guarantees due to periodical sweeps of the system's memory to individually revoke stale capabilities. We address these limitations by introducing colored capabilities that add a controlled form of indirection to CHERI's capability model. This enables provenance tracking of capabilities to their respective allocations via a hardware-managed provenance-validity table, allowing bulk retraction of dangling pointers without needing to quarantine freed memory. Colored capabilities significantly reduce the frequency of capability revocation sweeps while improving security. We realize colored capabilities in PICASSO, an extension of the CHERI-RISC-V architecture on a speculative out-of-order FPGA softcore (CHERI-Toooba). We also integrate colored-capability support into the CheriBSD OS and CHERI-enabled Clang/LLVM toolchain. Our evaluation shows effective mitigation of use-after-free and double-free bugs across all heap-based temporal memory-safety vulnerabilities in NIST Juliet test cases, with only a small performance overhead on SPEC CPU benchmarks (5% g.m.), less latency, and more consistent performance in long-running SQLite, PostgreSQL, and gRPC workloads compared to prior work.

PICASSO: Scaling CHERI Use-After-Free Protection to Millions of Allocations using Colored Capabilities

TL;DR

PICASSO presents colored capabilities to scale CHERI temporal safety for heap allocations by introducing provenance tracking via a hardware-managed Provenance Validity Table. This limited indirection enables bulk retraction of all capabilities linked to a given allocation, removing the need for quarantine and dramatically reducing revocation sweeps. Implemented on CHERI-RISC-V (Toooba) and integrated into CheriBSD and the CHERI-LLVM toolchain, PICASSO demonstrates detection of use-after-free/double-free in thousands of Juliet test cases with modest performance overhead on SPECint benchmarks and improved latency characteristics in SQLite, PostgreSQL, and gRPC workloads. The results indicate practical viability for large-scale memory-safety enforcement with deterministic guarantees and reduced runtime disruption, signaling a significant step toward scalable temporal safety in capability-based architectures.

Abstract

While the CHERI instruction-set architecture extensions for capabilities enable strong spatial memory safety, CHERI lacks built-in temporal safety, particularly for heap allocations. Prior attempts to augment CHERI with temporal safety fall short in terms of scalability, memory overhead, and incomplete security guarantees due to periodical sweeps of the system's memory to individually revoke stale capabilities. We address these limitations by introducing colored capabilities that add a controlled form of indirection to CHERI's capability model. This enables provenance tracking of capabilities to their respective allocations via a hardware-managed provenance-validity table, allowing bulk retraction of dangling pointers without needing to quarantine freed memory. Colored capabilities significantly reduce the frequency of capability revocation sweeps while improving security. We realize colored capabilities in PICASSO, an extension of the CHERI-RISC-V architecture on a speculative out-of-order FPGA softcore (CHERI-Toooba). We also integrate colored-capability support into the CheriBSD OS and CHERI-enabled Clang/LLVM toolchain. Our evaluation shows effective mitigation of use-after-free and double-free bugs across all heap-based temporal memory-safety vulnerabilities in NIST Juliet test cases, with only a small performance overhead on SPEC CPU benchmarks (5% g.m.), less latency, and more consistent performance in long-running SQLite, PostgreSQL, and gRPC workloads compared to prior work.
Paper Structure (66 sections, 1 equation, 19 figures, 8 tables)

This paper contains 66 sections, 1 equation, 19 figures, 8 tables.

Table of Contents

  1. Introduction
  2. Background
  3. Temporal Safety
  4. The Capability Architecture
  5. Capability revocation.
  6. Capability sealing.
  7. -enabled software stack.
  8. Temporal Safety
  9. Cornucopia.
  10. Cornucopia Reloaded.
  11. Composing and Memory Versioning.
  12. System and Threat Model
  13. System Model.
  14. Threat Model.
  15. Goals and Challenges
  16. ...and 51 more sections

Figures (19)

  • Figure 1: In-memory representation of capabilities adapted from Watson et al. Watson19
  • Figure 2: Memory allocation lifecycle in Cornucopia.
  • Figure 3: Allocation lifecycle in + Memory Tagging.
  • Figure 4: cc allocation lifecycle.
  • Figure 5: cc overview
  • ...and 14 more figures