Capability-based memory isolation is a promising new architectural primitive. Software can access low-level memory only through capability handles rather than raw pointers, which gives the hardware a natural interface at which to enforce security restrictions. Existing architectural capability designs such as CHERI provide spatial safety, but they do not extend to the other memory models that security-sensitive software designs may require. In this paper we propose Capstone, a more expressive architectural capability design that supports multiple existing memory isolation models in a trustless setup, i.e., without relying on trusted software components. We show that Capstone is well suited to environments where privilege boundaries are fluid (dynamically extensible), where memory sharing and delegation are needed both temporally and spatially, and where these needs must be balanced against availability concerns. Capstone can also be implemented efficiently: we present an implementation sketch, and our evaluation shows that its overhead stays below 50% in common use cases. We also prototype a functional emulator for Capstone and use it to demonstrate runnable implementations of six real-world memory models without trusted software components: three types of enclave-based TEEs, a thread scheduler, a memory allocator, and Rust-style memory safety, all within the interface of Capstone.
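The following is an added example written for this page, not code from the Capstone paper or its emulator, and it does not model Capstone's ISA. It is a minimal software model of the first point in the abstract: when every memory access must cite a handle that carries bounds and permissions, the access path can refuse what a raw pointer would silently perform, and a handle derived for a delegate can only lose authority, never gain it. All names (`cap_t`, `cap_load`, `cap_store`, `cap_restrict`, `demo_overread_blocked`) and the 17-byte buffer with an adjacent "secret" are constructed for illustration.

```c
/* Added example: a software model of capability-handle memory access.
 * Written for this page; NOT Capstone's ISA or the paper's code.
 * All names and the sample memory layout are hypothetical. */
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

enum { CAP_R = 1u << 0, CAP_W = 1u << 1 };

typedef struct {
    uint8_t *base;   /* start of the authorised region */
    size_t   len;    /* size of the region in bytes */
    unsigned perms;  /* bitmask of CAP_R / CAP_W */
} cap_t;

/* Every access must go through this check; there is no other path to memory.
 * The bounds test is written so that off + n cannot overflow. */
static bool cap_check(const cap_t *c, size_t off, size_t n, unsigned need)
{
    if ((c->perms & need) != need) return false;        /* permission missing */
    if (off > c->len || n > c->len - off) return false; /* out of bounds */
    return true;
}

bool cap_load(const cap_t *c, size_t off, uint8_t *out)
{
    if (!cap_check(c, off, 1, CAP_R)) return false;
    *out = c->base[off];
    return true;
}

bool cap_store(const cap_t *c, size_t off, uint8_t v)
{
    if (!cap_check(c, off, 1, CAP_W)) return false;
    c->base[off] = v;
    return true;
}

/* Derive a narrower handle for delegation: bounds may only shrink and
 * permissions may only be dropped, so the delegate never gains authority. */
bool cap_restrict(const cap_t *parent, size_t off, size_t len,
                  unsigned perms, cap_t *child)
{
    if (off > parent->len || len > parent->len - off) return false; /* grow */
    if ((perms & ~parent->perms) != 0) return false;                /* escalate */
    child->base  = parent->base + off;
    child->len   = len;
    child->perms = perms;
    return true;
}

/* Constructed scenario: a 16-byte buffer followed by one "secret" byte in the
 * same allocation. A raw pointer indexes past the buffer into the secret; the
 * capability handle refuses the same index, refuses a write through a
 * read-only handle, and refuses an attempt to re-widen the handle.
 * Returns 1 if the capability model blocked everything the raw pointer
 * allowed, 0 otherwise. */
int demo_overread_blocked(void)
{
    uint8_t mem[17];
    memset(mem, 0xAA, 16);
    mem[16] = 0x42;                       /* secret adjacent to the buffer */

    uint8_t *raw = mem;                   /* raw pointer carries no bounds */
    uint8_t leaked = raw[16];             /* silently reads the secret */

    cap_t root = { mem, sizeof mem, CAP_R | CAP_W };
    cap_t buf;                            /* delegate: read-only view, 16 bytes */
    if (!cap_restrict(&root, 0, 16, CAP_R, &buf)) return 0;

    uint8_t v = 0;
    bool in_bounds = cap_load(&buf, 15, &v);   /* allowed */
    bool over_read = cap_load(&buf, 16, &v);   /* refused: off == len */
    bool write_ro  = cap_store(&buf, 0, 0);    /* refused: no CAP_W */
    cap_t widened;
    bool escalate  = cap_restrict(&buf, 0, 17, CAP_R | CAP_W, &widened);

    return leaked == 0x42 && in_bounds && !over_read && !write_ro && !escalate;
}

int main(void)
{
    printf("capability model blocked the over-read: %s\n",
           demo_overread_blocked() ? "yes" : "no");
    return 0;
}
```

The model deliberately makes `cap_check` the only way to touch `base`; in a real architectural design that invariant is what the hardware enforces, and the monotonic `cap_restrict` is what makes delegation to a less-trusted party safe without a trusted software intermediary. The model does not attempt temporal guarantees (revocation of a delegated handle), which the abstract lists as one of the things Capstone adds beyond spatial safety.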