CHERI: A Hybrid Capability-System Architecture for Scalable Software Compartmentalization

Abstract—CHERI extends a conventional RISC Instruction-Set Architecture, compiler, and operating system to support fine-grained, capability-based memory protection to mitigate memory-related vulnerabilities in C-language TCBs. We describe how CHERI capabilities can also underpin a hardware-software object-capability model for application compartmentalization that can mitigate broader classes of attack. Prototyped as an extension to the open-source 64-bit BERI RISC FPGA soft-core processor, FreeBSD operating system, and LLVM compiler, we demonstrate multiple orders-of-magnitude improvement inscalability, simplified programmability, and resulting tangible security benefits as compared to compartmentalization based on pure Memory-Management Unit (MMU) designs. We evaluate incrementally deployable CHERI-based compartmentalization using several real-world UNIX libraries and applications.

cl.cam.ac.uk/~dc552/papers/201

Imgur is over capacity!

Sorry! We're busy running around with our hair on fire because Imgur is over capacity! This can happen when the site is under a very heavy load, or while we're doing maintenance.

Please try again in a few minutes.

SiFive updated their development board, in case you missed the first round.

crowdsupply.com/sifive/hifive1

Now it includes onboard WiFi and Bluetooth, among other updates like support for more peripherals.

When devising a system intervention of any kind, consider that the power for lasting change increases as you move to the right in this figure.

In order of increasing leverage:

12) Constants, parameters, numbers
11) The sizes of buffers and other stabilizing stocks
10) The structure of material stocks and flows
9) The lengths of delays, relative to the rate of system change
8) The strength of negative feedback loops
7) The gain around driving positive feedback loops
6) The structure of information flows (who does and doesn't have access to information)
5) The rules of the system (such as incentives, punishments, constraints)
4) The power to add, change, evolve, or self-organize system structure
3) The goals of the system
2) The mindset or paradigm out of which the system arises
1) The power to transcend paradigms

Source: Thinking In Systems: A Primer by Donella Meadows

The NASA/SpaceX Dragon crew just splashed down in the Atlantic Ocean off the coast of Florida - right on time. :_stars:

hackers.town

A bunch of technomancers in the fediverse. Keep it fairly clean please. This arcology is for all who wash up upon it's digital shore.