Uninitialized Capabilities by Huyghebaert, Sander et al.
UNINITIALIZED CAPABILITIES
TECHNICAL REPORT
Sander Huyghebaert
Thomas Van Strydonck
Dr. Steven Keuchel
Prof. Dr. Dominique Devriese
2019-2020
Sciences and Bio-Engineering Sciences
ar
X
iv
:2
00
6.
01
60
8v
1 
 [c
s.P
L]
  2
 Ju
n 2
02
0
Contents
1 Introduction 2
2 Capability Machines 2
3 Uninitialized Capabilities 3
3.1 CHERI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
3.2 Uninitialized Capabilities Implementation . . . . . . . . . . . . . . . . . . . . . . 5
4 Secure Calling Convention 6
5 Conclusion 7
1
1 Introduction
This technical report describes a new extension to capability machines. Capability machines
are a special type of processors that include better security primitives at the hardware level. In
capability machines, every word has an associated tag bit that indicates whether the value it
contains is a capability or a regular data value. Capabilities enable fine-grained control of the
authority over memory that program components have. Conceptually, capabilities can be viewed
as being an unforgeable token carrying authority over a resource.
CHERI [5] is a recently developed capability machine that aims to provide fine-grained mem-
ory protection, software compartmentalization and backwards compatibility. While our ideas are
implemented on CHERI, they are not limited to it and should be applicable to other capability
machines as well.
In this technical report we propose a new type of capabilities, which represent the authority
to access (read and write to) a block of memory but not view its initial contents. Our main goal
is to use this new type of capability as part of a secure calling convention, but other applications
may be possible too.
2 Capability Machines
Capability machines are a special type of processor that replaces pointers with capabilities.
Conceptually, capabilities are tokens that carry authority to access memory or an object. When
capabilities represent software defined authority like invoking objects or closures, they are referred
to as object capabilities. This technical report will focus on primitive capabilities for accessing
memory. The permissions to access memory can be read only, read and write to, execute, . . .
The idea of capabilities was first formally defined by Dennis and Van Horn [1] and has been
further explored in the decades after.
The first capability machine dates back from 1959 with the Rice University Computer and
the development and research interest of capability machines slowed down significantly after the
iAPX 432 from Intel in 1981 [3]. In 2014, researchers of the University of Cambridge developed a
new capability machine: CHERI, on which we will provide an implementation of our contribution
to capability machines.
It is important that capabilities cannot be forged, as forging them with certain permissions,
memory bounds, etc. would defeat their purpose. One of the solutions to ensure the unforge-
ability of capabilities is to provide specialized instructions to work with capabilities. Capabilities
might however need to be stored in primary memory or secondary memory instead of just the
registers on the processor and one of the most used techniques to ensure valid capabilities is the
use of tagged memory [2]. Every possible capability location will have a tag denoting if that
location contains a capability or not. Capabilities for which the tag is not set cannot be used to
dereference memory.
Some common permissions found on capability machines are:
• R: read-only;
• RW: read-write;
• RX: read-execute;
• RWX: read-write-execute.
For this technical report we will represent capabilities formally as a 4-tuple similar to the
representation used by Skorstengaard et al. [4], (permissions, base, end, cursor), this tuple
2
contains the permissions of the capability, the range to which these permissions apply [base, end]
and a cursor in that range.
3 Uninitialized Capabilities
Uninitialized capabilities are a new type of capabilities. They are memory capabilities which
represent read-write authority to a range of memory, except that they do not allow reading the
initial contents of the memory. The memory first needs to be overwritten before it can be read.
This type of capability requires a new permission to be added to capabilities (U: uninitialized)
and prevents the holder of the capability from reading memory that they have not first initialized.
Figure 1 clarifies this concept a bit more.
Figure 1: Uninitialized Capabilities Concept
Formally, uninitialized capabilities grant the following authority:
• permission to read in [cursor, end];
• permission to write in [base, end];
• when writing immediately below the cursor, the cursor will be decremented so that the
holder of the uninitialized capability is able to read from the location it has just written
to.
Uninitialized capabilities can thus be used to give access to arrays that contain uninitialized
data without the need for clearing that uninitialized data first.
The full set of permissions becomes:
• R: read-only;
• RW: read-write;
3
• RX: read-execute;
• RWX: read-write-execute.
• U: read between [cursor, end], write between [base, end];
We have chosen not to include combinations of theU permission andX permission. Executing
an uninitialized capabilities would require incrementing the program counter (and thus the cursor
of the uninitialized capability), which means that the non-readable range of the capability would
grow.
Another option is to allow the combination of the U permission with the X permission, but
when jumping to an uninitialized capability transform it into a normal capability for the range
[cursor, end] before placing it in the program counter capability register.
We propose a concrete design of uninitialized capabilities for the CHERI capability machine,
particularly the CHERI-MIPS ISA. However, the general concept is not limited to CHERI-MIPS.
We see the concept of uninitialized capabilities as an addition to capability machines in general,
and particularly the CHERI protection model, regardless of the architecture it is run on.
3.1 CHERI
CHERI (CapabilityHardware EnhancedRISC Instructions) is an ISA extension that introduces
capabilities. The main goals of CHERI are fine-grained memory protection, software compart-
mentalization and backwards compatibility [5].
The CHERI ISA extension proposes a 64-bit, 128-bit and 256-bit capability representation
format [5], we instantiate our ideas for the 256-bit capability format but it should be possible to
add the uninitialized permission bit to other formats as well.
In Figure 2 we see the current 256-bit capability format:
Figure 2: 256-bit Capability Representation Format
The important fields of a capability for our proposal are the permissions, cursor, base and
length fields. In our formal representation of capabilities we have an end field instead of length
but it should be straightforward to see that end = base+ length.
In the next section, we instantiate uninitialized capabilities as a set of modifications/additions
to the CHERI-MIPS ISA. We have implemented these for CHERI-MIPS in software (using a
simulator).
4
3.2 Uninitialized Capabilities Implementation
3.2.1 Uninitialized Permission Bit
The first modification that needs to be made to CHERI capabilities is the addition of a new
permission, the uninitialized permission. In the 256-bit capability format there are a few unused
bits (padding bits) available so we have opted to use one of those bits for the uninitialized
permission, as can be seen in Figure 3.
Figure 3: Modified 256-bit representation of a capability
3.2.2 Instruction Modifications
A few instruction were modified to take the uninitialized permission into account. What follows
is a list of the instructions modified and a description of what that modification entails:
Load via Capability Register (CL[BHWD][U]/CLC): When load instructions are given a
capability with the uninitialized permission set, it is not allowed to load from an address lower
than the cursor.
Set/Increment Offset Or Address (CSetOffset/CIncOffset/CIncOffsetImm/CSetAd-
dr/CAndAddr): Instructions that modify the cursor of an uninitialized capability are not al-
lowed to set the cursor lower than it originally was. The only way to lower the cursor is by using
the uninitialized store instructions.
3.2.3 New Instructions
We propose new instructions for the implementation of uninitialized capabilities:
Get Uninitialized Bit of a Capability (CGetUninit): This instructions has 2 parameters,
the general-purpose register to store the uninitialized bit of the capability into and the capability
of which the uninitialized bit is requested.
Uninitialize a Capability (CUninit): An instruction to make a capability uninitialized. This
instruction takes a source capability register and a destination capability register that will contain
5
the capability from the source register but with the uninitialized permission set. An error will
be generated if the original capability did not have read-write authority.
Uninitialized Store (UCS[BHWD]/UCSC): These instructions are modified versions of
their not-uninitialized counterparts (CS[BHWD], CSC). They behave similarly to the normal
store instructions, except when the given offset is −1 and the capability used for the store is
uninitialized. In that case, the capability written to the destination capability register will have
the cursor of the source capability decremented by the number of bytes written (i.e. 1 for a byte,
2 for a half word, 4 for a word, 8 for a double word and 32 for capabilities when using the 256-bit
capability format). Specifying an offset of −1 is the only way to decrement the cursor. This
instruction takes 4 arguments, a destination capability register (which will contain the source
capability but possibly with its cursor modified if the offset was −1), a source register for the
data to write, an offset and a source capability register.
The original store instructions for capabilities are not modified (CSC, CSW, . . . ), but instead
we propose to add new instructions to handle the uninitialized permission. The new instructions
write to a capability register the possibly modified capability (if it has the U permission set and
the given offset is −1), while the original instructions do not write to a register but instead allow
specifying a register containing another offset to be added to the cursor of the capability.
One additional instruction is required to modify the bounds of uninitialized capabilities:
Shrink a Capability (CShrink[Imm]): CShrink is an instruction with 3 parameters, the des-
tination capability register, the source capability register and a general-purpose register (GPR),
or alternatively an unsigned immediate for CShrinkImm. The capability from the source reg-
ister will be modified by setting end = cursor and base = value in GPR for CShrink. For
CShrinkImm end = cursor and base = base+ immediate. CShrink[Imm] will raise an exception
if the end < cursor (the original end and cursor of the capability) or if newBase < base, these
conditions prevent expanding the range of authority of the capability.
In the CHERI-MIPS ISA a similar instruction is already available, CSetBounds, but this
instruction did not meet the needs of uninitialized capabilities. It adjusts the bounds by setting
base = cursor and end = cursor + immediate, where immediate is either the value from the
general-purpose register specified in the instruction or an unsigned immediate value.
The issue with using this instruction in combination with uninitialized capabilities arises
when trying to lower the end of the uninitialized capability, but maintain the same base. Using
CSetBounds this would require first setting cursor = base, calculate the offset for the new end,
perform the CSetBounds instruction and then setting the cursor back to its value before it was
set to base. This obviously means lowering the cursor (cursor = base) which is not permitted
for uninitialized capabilities.
4 Secure Calling Convention
In the paper "Reasoning About a Machine with Local Capabilities" [4], a novel calling conven-
tion is proposed by using local capabilities. This calling convention ensures local stack frame
encapsulation and well bracketed control flow on a single shared stack. We propose to continue
using this calling convention with the slight modification that the stack capability should be
made uninitialized on function invocation.
The calling convention [4] mentions as a point of improvement to the calling convention the
need for an instruction for efficiently clearing a large part of memory. Uninitialized capabilities
6
can be used to prevent this overhead of clearing (by making the stack capability uninitialized).
Note that it is still necessary that a callee clears its used stack frame.
Having an uninitialized stack capability prevents adversaries from reading from the stack
unless they first overwrite the uninitialized data (this could be garbage but also sensitive data or
capabilities that they should not get access to). See Figure 4 for a conceptual diagram of having
an uninitialized stack capability.
Figure 4: Stack with Uninitialized Capability
5 Conclusion
We have proposed a new permission of capabilities, the uninitialized permission. This per-
mission only allows reading those parts of memory denoted by the bounds of the capability to
which it has first written to. This prevents using the capability to read uninitialized data (be it
garbage or sensitive data). We also provided a brief discussion of how to implement this on the
CHERI capability machine. Finally we showed how uninitialized capabilities can contribute to
secure calling conventions.
7
References
[1] Jack B Dennis and Earl C Van Horn. “Programming semantics for multiprogrammed com-
putations”. In: Communications of the ACM 9.3 (1966), pp. 143–155.
[2] Robert S. Fabry. “Capability-based addressing”. In: Communications of the ACM 17.7
(1974), pp. 403–412.
[3] Henry M Levy. Capability-based computer systems. Digital Press, 2014.
[4] Lau Skorstengaard, Dominique Devriese, and Lars Birkedal. “Reasoning about a machine
with local capabilities”. In: European Symposium on Programming. Springer. 2018, pp. 475–
501.
[5] Robert NMWatson et al. Capability Hardware Enhanced RISC Instructions: Cheri Instruction-
Set Architecture (Version 7). Tech. rep. University of Cambridge, Computer Laboratory,
2019.
8
