Hardware Support for Compartmentalisation

Add to your list(s) Download to your calendar using vCal

• Robert Norton
• Tuesday 15 September 2015, 14:00-15:00
• FW26.

If you have a question about this talk, please contact Peter Sewell.

Compartmentalisation is a technique to reduce the impact of security bugs by enforcing the ‘principle of least privilege’ within applications. Splitting programs into separate components that each operate with minimal access to resources means that a vulnerability in one part is prevented from affecting the whole. However, the performance costs and development effort of doing this have so far prevented widespread deployment of compartmentalisation, despite the increasingly apparent need for better computer security. A major obstacle to deployment is that existing compartmentalisation techniques rely either on virtual memory hardware or pure software to enforce separation, both of which have severe performance implications and complicate the task of developing compartmentalised applications.

CHERI (Capability Hardware Enhanced RISC Instructions) is a research project which aims to improve computer security by allowing software to precisely express its memory access requirements using hardware support for bounded, unforgeable pointers known as capabilities. One consequence of this approach is that a single virtual address space can be divided into many independent compartments, with very efficient transitions and data sharing between them.

In this talk I will describe the compartmentalisation features of CHERI and present the results of benchmarks comparing them to traditional techniques.

This talk is part of the REMS lunch series.

This talk is included in these lists:

• All Talks (aka the CURE list)
• Cambridge talks
• Department of Computer Science and Technology talks and seminars
• FW26
• Interested Talks
• School of Technology
• Trust & Technology Initiative - interesting events
• bld31

Note that ex-directory lists are not shown.