{"id":1010307,"date":"2024-02-28T05:10:24","date_gmt":"2024-02-28T13:10:24","guid":{"rendered":"https:\/\/www.microsoft.com\/en-us\/research\/?post_type=msr-research-item&#038;p=1010307"},"modified":"2024-02-28T10:09:27","modified_gmt":"2024-02-28T18:09:27","slug":"cornucopia-reloaded-load-barriers-cheri-heap-temporal-safety","status":"publish","type":"msr-research-item","link":"https:\/\/www.microsoft.com\/en-us\/research\/publication\/cornucopia-reloaded-load-barriers-cheri-heap-temporal-safety\/","title":{"rendered":"Cornucopia Reloaded: Load Barriers for CHERI Heap Temporal Safety"},"content":{"rendered":"<p>Violations of temporal memory safety (\u201cuse after free\u201d, \u201cUAF\u201d) continue to pose a significant threat to software security.\u00a0 The CHERI capability architecture has shown promise as a technology for C and C++ language reference integrity and spatial memory safety. Building atop CHERI, prior works \u2013 CHERIvoke and Cornucopia \u2013 have explored adding heap temporal safety. The most pressing limitation of Cornucopia was its impractical \u201cstop-the-world\u201d pause times.<\/p>\n<p>We present Cornucopia Reloaded, a re-designed drop-in replacement implementation of CHERI temporal safety, using a novel architectural feature \u2013 a per-page capability load barrier, added in Arm\u2019s Morello prototype CPU and CHERI RISC-V \u2013 to nearly eliminate application pauses. We analyze the performance of Reloaded as well as Cornucopia and CHERIvoke on Morello, using the CHERI-compatible SPEC CPU2006 INT workloads to assess its impact on batch workloads and using pgbench and gRPC QPS as surrogate interactive workloads. Under Reloaded, applications no longer experience significant revocation-induced stop-the-world periods, without additional wall- or CPU-time cost over Cornucopia and with median 87% of Cornucopia\u2019s DRAM traffic overheads across SPEC CPU2006 and < 50% for pgbench.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Violations of temporal memory safety (\u201cuse after free\u201d, \u201cUAF\u201d) continue to pose a significant threat to software security.\u00a0 The CHERI capability architecture has shown promise as a technology for C and C++ language reference integrity and spatial memory safety. Building atop CHERI, prior works \u2013 CHERIvoke and Cornucopia \u2013 have explored adding heap temporal safety. [&hellip;]<\/p>\n","protected":false},"featured_media":0,"template":"","meta":{"msr-url-field":"","msr-podcast-episode":"","msrModifiedDate":"","msrModifiedDateEnabled":false,"ep_exclude_from_search":false,"_classifai_error":"","footnotes":""},"msr-content-type":[3],"msr-research-highlight":[],"research-area":[13552,13558,13547],"msr-publication-type":[193716],"msr-product-type":[],"msr-focus-area":[],"msr-platform":[],"msr-download-source":[],"msr-locale":[268875],"msr-post-option":[],"msr-field-of-study":[246691],"msr-conference":[],"msr-journal":[],"msr-impact-theme":[],"msr-pillar":[],"class_list":["post-1010307","msr-research-item","type-msr-research-item","status-publish","hentry","msr-research-area-hardware-devices","msr-research-area-security-privacy-cryptography","msr-research-area-systems-and-networking","msr-locale-en_us","msr-field-of-study-computer-science"],"msr_publishername":"","msr_edition":"","msr_affiliation":"","msr_published_date":"2024-4-27","msr_host":"","msr_duration":"","msr_version":"","msr_speaker":"","msr_other_contributors":"","msr_booktitle":"","msr_pages_string":"","msr_chapter":"","msr_isbn":"","msr_journal":"","msr_volume":"","msr_number":"","msr_editors":"","msr_series":"","msr_issue":"","msr_organization":"","msr_how_published":"","msr_notes":"","msr_highlight_text":"","msr_release_tracker_id":"","msr_original_fields_of_study":"","msr_download_urls":"","msr_external_url":"","msr_secondary_video_url":"","msr_longbiography":"","msr_microsoftintellectualproperty":1,"msr_main_download":"","msr_publicationurl":"","msr_doi":"","msr_publication_uploader":[{"type":"file","viewUrl":"https:\/\/www.microsoft.com\/en-us\/research\/wp-content\/uploads\/2024\/02\/revocation3-paper.pdf","id":"1010310","title":"revocation3-paper","label_id":"243132","label":0},{"type":"doi","viewUrl":"false","id":"false","title":"https:\/\/doi.org\/10.1145\/3620665.3640416","label_id":"243106","label":0},{"type":"url","viewUrl":"false","id":"false","title":"https:\/\/www.repository.cam.ac.uk\/items\/16823172-d2b8-426e-944e-ca956fb205f8","label_id":"243109","label":0}],"msr_related_uploader":"","msr_attachments":[{"id":1010310,"url":"https:\/\/www.microsoft.com\/en-us\/research\/wp-content\/uploads\/2024\/02\/revocation3-paper.pdf"}],"msr-author-ordering":[{"type":"user_nicename","value":"Nathaniel Filardo","user_id":39390,"rest_url":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/microsoft-research\/v1\/researchers?person=Nathaniel Filardo"},{"type":"text","value":"Brett F. Gutstein","user_id":0,"rest_url":false},{"type":"text","value":"Jonathan Woodruff","user_id":0,"rest_url":false},{"type":"text","value":"Jessica Clarke","user_id":0,"rest_url":false},{"type":"text","value":"Peter Rugg","user_id":0,"rest_url":false},{"type":"text","value":"Brooks Davis","user_id":0,"rest_url":false},{"type":"text","value":"Mark Johnston","user_id":0,"rest_url":false},{"type":"user_nicename","value":"Robert Norton-Wright","user_id":39045,"rest_url":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/microsoft-research\/v1\/researchers?person=Robert Norton-Wright"},{"type":"user_nicename","value":"David Chisnall","user_id":38034,"rest_url":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/microsoft-research\/v1\/researchers?person=David Chisnall"},{"type":"text","value":"Simon W. Moore","user_id":0,"rest_url":false},{"type":"text","value":"Peter G. Neumann","user_id":0,"rest_url":false},{"type":"text","value":"Robert N. M. Watson","user_id":0,"rest_url":false}],"msr_impact_theme":[],"msr_research_lab":[199561],"msr_event":[],"msr_group":[559983],"msr_project":[663459],"publication":[],"video":[],"download":[],"msr_publication_type":"inproceedings","related_content":{"projects":[{"ID":663459,"post_title":"Portmeirion","post_name":"portmeirion","post_type":"msr-project","post_date":"2020-07-13 02:21:21","post_modified":"2023-02-15 01:10:50","post_status":"publish","permalink":"https:\/\/www.microsoft.com\/en-us\/research\/project\/portmeirion\/","post_excerpt":"Project Portmeirion aims to explore hardware-software co-design for security in the Azure general-purpose compute stack. We are working with major CPU vendors and academic collaborators to design new security features at both the architectural and microarchitectural level. This includes hardware-enforced memory safety for systems programming languages, fine-grained sandboxing, scalable enclave technologies, and infrastructure programming languages that can take advantage of all of these features.","_links":{"self":[{"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/msr-project\/663459"}]}}]},"_links":{"self":[{"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/msr-research-item\/1010307","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/msr-research-item"}],"about":[{"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/types\/msr-research-item"}],"version-history":[{"count":3,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/msr-research-item\/1010307\/revisions"}],"predecessor-version":[{"id":1010418,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/msr-research-item\/1010307\/revisions\/1010418"}],"wp:attachment":[{"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/media?parent=1010307"}],"wp:term":[{"taxonomy":"msr-content-type","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/msr-content-type?post=1010307"},{"taxonomy":"msr-research-highlight","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/msr-research-highlight?post=1010307"},{"taxonomy":"msr-research-area","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/research-area?post=1010307"},{"taxonomy":"msr-publication-type","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/msr-publication-type?post=1010307"},{"taxonomy":"msr-product-type","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/msr-product-type?post=1010307"},{"taxonomy":"msr-focus-area","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/msr-focus-area?post=1010307"},{"taxonomy":"msr-platform","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/msr-platform?post=1010307"},{"taxonomy":"msr-download-source","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/msr-download-source?post=1010307"},{"taxonomy":"msr-locale","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/msr-locale?post=1010307"},{"taxonomy":"msr-post-option","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/msr-post-option?post=1010307"},{"taxonomy":"msr-field-of-study","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/msr-field-of-study?post=1010307"},{"taxonomy":"msr-conference","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/msr-conference?post=1010307"},{"taxonomy":"msr-journal","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/msr-journal?post=1010307"},{"taxonomy":"msr-impact-theme","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/msr-impact-theme?post=1010307"},{"taxonomy":"msr-pillar","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/msr-pillar?post=1010307"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}