Cornucopia: Temporal Safety for CHERI Heaps

Nathaniel Filardo, Brett F Gutstein, John Woodruff, Sam Ainsworth, Lucian Paul-Trifu, Brooks Davis, Hongyan Xia, Edward Tomasz Napierala, Alexander Richardson, John Baldwin, David Chisnall, Jessica Clark, Khilan Gudka, Alexandre Joannou, A. Theodore Markettos, Alfredo Mazzinghi, Robert M Norton, Michael Roe, Peter Sewell, Stacey Son, Timothy M Jones, Simon W Moore, Peter G Neumann, Robert N M Watson

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract / Description of output

Use-after-free violations of temporal memory safety continue to plague software systems, underpinning many high-impact exploits. The CHERI capability system shows great promise in achieving C and C++ language spatial memory safety, preventing out-of-bounds accesses. Enforcing language-level temporal safety on CHERI requires capability revocation, traditionally achieved either via table lookups (avoided for performance in the CHERI design) or by identifying capabilities in memory to revoke them (similar to a garbage-collector sweep). CHERIvoke, a prior feasibility study, suggested that CHERI’s tagged capabilities could make this latter strategy viable, but it modeled only architectural limits and did not consider the full implementation or evaluation of the approach. Cornucopia is a lightweight capability revocation system for CHERI that implements non-probabilistic C/C++ temporal memory safety for standard heap allocations. It extends the CheriBSD virtual-memory subsystem to track capability flow through memory and provides a concurrent kernel-resident revocation service that is amenable to multi-processor and hardware acceleration. We demonstrate an average overhead of less than 2% and a worst-case of 8.8% for concurrent revocation on compatible SPEC CPU2006 benchmarks on a multi-core CHERI CPU on FPGA, and we validate Cornucopia against the Juliet test suite’s corpus of temporally unsafe programs. We test its compatibility with a large corpus of C programs by using a revoking allocator as the system allocator while booting multi-user CheriBSD. Cornucopia is a viable strategy for always-on temporal heap memory safety, suitable for production environments.
Original language: English
Title of host publication: Proceedings of the 41st IEEE Symposium on Security and Privacy
Publisher: IEEE Computer Society
Number of pages: 18
ISBN (Electronic): 978-1-7281-3497-0
Publication status: Published - 20 May 2020
Event: 41st IEEE Symposium on Security and Privacy - The Hyatt Regency, San Francisco, United States
Duration: 18 May 2020 to 20 May 2020
Conference number: 41

Publication series

Name: Proceedings of the IEEE Symposium on Security and Privacy
ISSN (Electronic): 2375-1207


Conference: 41st IEEE Symposium on Security and Privacy
Abbreviated title: SP 2020
Country/Territory: United States
City: San Francisco

