Uninitialized Capabilities
Sander Huyghebaert, Thomas Van Strydonck, Steven Keuchel, Dominique Devriese

TL;DR
This paper introduces a new capability type for capability machines, enhancing security by controlling memory access without revealing initial contents, applicable to secure calling conventions and beyond.
Contribution
It proposes a novel capability type that grants access rights without exposing initial memory contents, extending capability machine security features.
Findings
New capability type enables access control without revealing data
Applicable to secure calling conventions and other security mechanisms
Implementation demonstrated on CHERI, adaptable to other capability machines
Abstract
This technical report describes a new extension to capability machines. Capability machines are a special type of processor that includes stronger security primitives at the hardware level. In capability machines, every word has an associated tag bit that indicates whether the value it contains is a capability or a regular data value. Capabilities enable fine-grained control of the authority over memory that program components have. Conceptually, a capability can be viewed as an unforgeable token carrying authority over a resource. CHERI is a recently developed capability machine that aims to provide fine-grained memory protection, software compartmentalization and backwards compatibility. While our ideas are implemented on CHERI, they are not limited to it and should be applicable to other capability machines as well. In this technical report we propose a new type of capabilities,…
Peer Reviews
No public reviews on file for this paper yet.
Videos
No videos yet.
Taxonomy
Topics: Security and Verification in Computing · Distributed systems and fault tolerance · Cloud Data Security Solutions
