Efficient and provable local capability revocation using uninitialized capabilities
Research output: Contribution to journal/Conference contribution in journal/Contribution to newspaper › Journal article › Research › peer-review
DOI
- https://doi.org/10.1145/3434287
Final published version
- Aïna Linn Georges
- Armaël Guéneau
- Thomas Van Strydonck, KU Leuven ,
- Amin Timany
- Alix Trieu
- Sander Huyghebaert, Vrije Universiteit Brussel ,
- Dominique Devriese, Vrije Universiteit Brussel ,
- Lars Birkedal
Capability machines are a special form of CPUs that offer fine-grained privilege separation using a form of authority-carrying values known as capabilities. The CHERI capability machine offers local capabilities, which could be used as a cheap but restricted form of capability revocation. Unfortunately, local capability revocation is unrealistic in practice because large amounts of stack memory need to be cleared as a security precaution. In this paper, we address this shortcoming by introducing uninitialized capabilities: a new form of capabilities that represent read/write authority to a block of memory without exposing the memory's initial contents. We provide a mechanically verified program logic for reasoning about programs on a capability machine with the new feature and we formalize and prove capability safety in the form of a universal contract for untrusted code. We use uninitialized capabilities for making a previously-proposed secure calling convention efficient and prove its security using the program logic. Finally, we report on a proof-of-concept implementation of uninitialized capabilities on the CHERI capability machine.
| Original language | English |
|---|---|
| Article number | 6 |
| Journal | Proceedings of the ACM on Programming Languages |
| Volume | 5 |
| Issue | POPL |
| Number of pages | 30 |
| DOIs | |
| Publication status | Published - Jan 2021 |
Bibliographical note
Funding Information:
We thank the anonymous reviewers for valuable comments and suggestions. This work was supported in part by a Villum Investigator grant (no. 25804), Center for Basic Research in Program Verification (CPV), from the VILLUM Foundation; by the Research Foundation - Flanders (FWO) under grant number G0G0519N; and by DFF project 6108-00363 from The Danish Council for Independent Research for the Natural Sciences (FNU). Thomas Van Strydonck holds a Research Fellowship of the Research Foundation - Flanders (FWO). Amin Timany was a postdoctoral fellow of the Flemish research fund (FWO) during parts of this project.
Publisher Copyright:
© 2021 Owner/Author.
Copyright:
Copyright 2021 Elsevier B.V., All rights reserved.
- capability machines, capability revocation, capability safety, CHERI, local capabilities, program logic, uninitialized capabilities, universal contracts
Research areas
See relations at Aarhus University Citationformats
ID: 208206710