PICASSO: Scaling CHERI Use-After-Free Protection to Millions of Allocations using Colored Capabilities
Merve Gülmez, Ruben Sturm, Hossam ElAtali, Håkan Englund, Jonathan Woodruff, N. Asokan, Thomas Nyman

TL;DR
PICASSO introduces colored capabilities to CHERI, enabling scalable and efficient use-after-free protection for millions of allocations with minimal performance impact, by tracking provenance and allowing bulk revocation of dangling pointers.
Contribution
The paper presents colored capabilities as a novel extension to CHERI, significantly improving scalability and security in temporal memory safety without high overhead.
Findings
Effective mitigation of use-after-free and double-free bugs.
Small performance overhead (~5%) on SPEC CPU benchmarks.
More consistent performance in long-running database and gRPC workloads.
Abstract
While the CHERI instruction-set architecture extensions for capabilities enable strong spatial memory safety, CHERI lacks built-in temporal safety, particularly for heap allocations. Prior attempts to augment CHERI with temporal safety fall short in terms of scalability, memory overhead, and incomplete security guarantees due to periodic sweeps of the system's memory to individually revoke stale capabilities. We address these limitations by introducing colored capabilities that add a controlled form of indirection to CHERI's capability model. This enables provenance tracking of capabilities to their respective allocations via a hardware-managed provenance-validity table, allowing bulk retraction of dangling pointers without needing to quarantine freed memory. Colored capabilities significantly reduce the frequency of capability revocation sweeps while improving security. We realize…
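To make the mechanism described in the abstract concrete, the following is a software model of colored capabilities and a provenance-validity table. It is an added example written for this page, not code from the PICASSO paper or its hardware implementation. The color width, the fixed-size chunk allocator, the reserved color 0, the `picasso_*` and `cap_*` names, and the rule that a revocation sweep is only needed once the color space is exhausted are all assumptions of the model; in the real design the color lives inside the hardware capability and the table is managed by hardware. The model shows the two properties the abstract claims: a free retracts every capability carrying that allocation's color in one table write, and the freed memory can be reused immediately without quarantine because a stale capability is rejected by its color, not by its address.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Model parameters: the color width and chunk geometry are assumptions for
 * this software model, not values taken from the PICASSO paper. */
#define COLOR_BITS 4
#define NUM_COLORS (1u << COLOR_BITS)
#define CHUNK 64
#define NCHUNKS 8

/* A colored capability: CHERI's bounds and validity tag plus a color that
 * names the allocation the capability was derived from. */
typedef struct {
    size_t   chunk;   /* heap chunk the bounds cover (stands in for the address) */
    size_t   length;  /* byte length of the bounds */
    uint32_t color;   /* provenance color */
    bool     tag;     /* validity tag; cleared by a revocation sweep */
} cap_t;

/* Provenance-validity table (PVT): pvt[color] is true while the allocation
 * that owns that color is live. Software here; hardware-managed in the paper.
 * Color 0 is reserved and never valid (model assumption). */
static bool     pvt[NUM_COLORS];
static uint8_t  heap[NCHUNKS][CHUNK];
static size_t   free_chunks[NCHUNKS], n_free_chunks;
static uint32_t free_colors[NUM_COLORS], n_free_colors;
static uint32_t retired_colors[NUM_COLORS], n_retired;   /* freed, not yet swept */

void picasso_init(void) {
    memset(pvt, 0, sizeof pvt);
    n_free_chunks = 0;
    for (size_t i = NCHUNKS; i-- > 0;) free_chunks[n_free_chunks++] = i;  /* chunk 0 handed out first */
    n_free_colors = 0;
    for (uint32_t c = NUM_COLORS - 1; c >= 1; c--) free_colors[n_free_colors++] = c;  /* color 1 first */
    n_retired = 0;
}

/* Every access goes through this check: tag set, owning allocation still
 * live in the PVT (temporal check), and access within bounds (spatial check). */
bool cap_check(cap_t c, size_t off, size_t n) {
    return c.tag && c.color < NUM_COLORS && pvt[c.color]
        && off <= c.length && n <= c.length - off;
}

/* Allocate: hand out a chunk and a fresh color and mark the color live.
 * Returns an untagged capability when no color is left, which is the
 * model's signal that a sweep must recycle colors first. */
cap_t picasso_malloc(size_t n) {
    cap_t c = {0, 0, 0, false};
    if (n == 0 || n > CHUNK || n_free_chunks == 0 || n_free_colors == 0) return c;
    c.chunk  = free_chunks[--n_free_chunks];
    c.color  = free_colors[--n_free_colors];
    c.length = n;
    c.tag    = true;
    pvt[c.color] = true;
    return c;
}

/* Free: one PVT write retracts every capability carrying this color, so the
 * chunk goes straight back on the free list (no quarantine).
 * Returns -1 on a double free or on any capability that fails the check. */
int picasso_free(cap_t c) {
    if (!cap_check(c, 0, 0)) return -1;
    pvt[c.color] = false;
    retired_colors[n_retired++] = c.color;
    free_chunks[n_free_chunks++] = c.chunk;
    return 0;
}

int cap_store_u8(cap_t c, size_t off, uint8_t v) {
    if (!cap_check(c, off, 1)) return -1;
    heap[c.chunk][off] = v;
    return 0;
}

int cap_load_u8(cap_t c, size_t off, uint8_t *out) {
    if (!cap_check(c, off, 1)) return -1;
    *out = heap[c.chunk][off];
    return 0;
}

/* Revocation sweep: clear the tag of every capability whose color is no
 * longer live, then recycle the retired colors. The caller passes the
 * capabilities to scan; hardware would scan memory for tagged capabilities.
 * Freed memory was already unreachable through the PVT, so the sweep is only
 * needed to reclaim colors, not to make each free safe. */
size_t picasso_sweep(cap_t *caps, size_t ncaps) {
    size_t revoked = 0;
    for (size_t i = 0; i < ncaps; i++) {
        if (caps[i].tag && !pvt[caps[i].color]) { caps[i].tag = false; revoked++; }
    }
    while (n_retired > 0) free_colors[n_free_colors++] = retired_colors[--n_retired];
    return revoked;
}

uint32_t picasso_colors_available(void) { return (uint32_t)n_free_colors; }
```

A use-after-free through a stale capability fails `cap_check` even after the same chunk has been handed to a new allocation, because the new allocation carries a different color. A double free fails for the same reason. The sweep in the model only runs once colors are exhausted, which is the frequency reduction the abstract describes; how the real design sizes the color space and schedules sweeps is not stated on this page.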
Taxonomy
Topics: Security and Verification in Computing · Scientific Computing and Data Management · Software Testing and Debugging Techniques
