Formal Mechanised Semantics of CHERI C: Capabilities, Provenance, and Undefined Behaviour

Vadim Zaliva, Kayvan Memarian, Ricardo De Oliveira Almeida, Jessica Clarke, Brooks Davis, Alexander Richardson, David Chisnall, Brian Campbell, Ian Stark, Robert N. M. Watson, Peter Sewell

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Abstract / Description of output

Memory safety issues are a persistent source of security vulnerabilities, with conventional architectures and the C codebase chronically prone to exploitable errors. The CHERI research project has shown how one can provide radically improved security for that existing codebase with minimal modification, using unforgeable hardware capabilities in place of machine-word pointers in CHERI dialects of C, implemented as adaptions of Clang/LLVM and GCC. CHERI was first prototyped as extensions of MIPS and RISC-V; it is currently being evaluated by Arm and others with the Arm Morello experimental architecture, processor, and platform, to explore its potential for mass-market adoption, and by Microsoft in their CHERIoT design for embedded cores. There is thus considerable practical experience with CHERI C implementation and use, but exactly what CHERI C’s semantics is (or should be) remains an open question. In this paper, we present the first attempt to rigorously and comprehensively define CHERI C semantics, discuss key semantics design questions relating to capabilities, provenance, and undefined behaviour, and clarify them with semantics in multiple complementary forms: in prose, as an executable semantics adapting the Cerberus C semantics, and mechanised in Coq. This establishes a solid foundation for CHERI C, for those porting code to it, for compiler implementers, and for future semantics and verification.
Original languageEnglish
Title of host publicationASPLOS 2024: Proceedings of the 29th ACM International Conference on Architectural Support for Programming Languages and Operating Systems
PublisherACM
Pages1-16
Number of pages16
Publication statusAccepted/In press - 19 Sept 2023
Event29th ACM International Conference on Architectural Support for Programming Languages and Operating Systems - San Diego, United States
Duration: 27 Apr 20241 May 2024
Conference number: 29
https://www.asplos-conference.org/asplos2024/cfp/

Conference

Conference29th ACM International Conference on Architectural Support for Programming Languages and Operating Systems
Abbreviated titleASPLOS 2024
Country/TerritoryUnited States
CitySan Diego
Period27/04/241/05/24
Internet address

Fingerprint

Dive into the research topics of 'Formal Mechanised Semantics of CHERI C: Capabilities, Provenance, and Undefined Behaviour'. Together they form a unique fingerprint.

Cite this