Hardware-enforced memory safety for C (is hard)

David Chisnall

(Cambridge University)

The C specification is carefully designed to permit a variety of different implementations of memory, including those that use a fully copying garbage collector. Unfortunately, the range of behaviour permitted by the specification is of little relevance to people wishing to run the billions of lines of existing C code, much of which depends on implementation-specific (and undefined) behaviour. These include the ability to compare pointers to different objects, to cast pointers to integers, to construct pointers beyond the end of an object, and many more examples.

We originally designed the CHERI CPU (currently an FPGA-based softcore) to support coarse-grained in-process compartmentalisation with cheap sharing, using a capability-oriented view of virtual memory. In this model, all memory must be accessed via a valid, unforgeable reference (a memory capability). We then attempted to define a C compilation target in which all pointers are represented by capabilities, rather than by the integers used in most conventional C implementations. This talk will discuss the various challenges we encountered and the gap between a memory-safe C implementation that conforms to the specification and works for some simple programs, and a memory-safe C implementation that can handle real-world C code.
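The idioms listed above (comparing pointers to different objects, casting pointers to integers, forming pointers beyond the end of an object) and the capability representation of pointers described here, as an added example that is not code from the talk or from the CHERI project. The `cap_t` struct is a deliberately simplified software model assumed for this illustration: base, length, offset and a validity tag. Real CHERI capabilities also carry permissions and an object type, and the tag is maintained by hardware rather than by a C field. The point the example makes is that each idiom still works as a C operation on the address, while only a tagged, in-bounds dereference is permitted.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified software model of a memory capability (an assumption for this
 * example; hardware capabilities carry more fields and a hardware-kept tag). */
typedef struct {
    uintptr_t base;    /* lowest address the capability may reach */
    size_t    length;  /* bytes covered, starting at base */
    ptrdiff_t offset;  /* current position relative to base; may leave bounds */
    int       tag;     /* 1: derived from a real object; 0: forged or untagged */
} cap_t;

/* Deriving a capability from an object is the only way to obtain a tag. */
static cap_t cap_from_object(void *obj, size_t len) {
    cap_t c = { (uintptr_t)obj, len, 0, 1 };
    return c;
}

/* Pointer arithmetic moves the offset but never changes base, length or tag,
 * so out-of-bounds pointers can be formed (as C loops do) but not used. */
static cap_t cap_add(cap_t c, ptrdiff_t n) {
    c.offset += n;
    return c;
}

/* The address view of a capability: what a cast to uintptr_t yields. */
static uintptr_t cap_to_int(cap_t c) {
    return c.base + (uintptr_t)c.offset;
}

/* Casting an integer back to a pointer: the integer carries no provenance,
 * so the result is untagged and cannot be dereferenced. */
static cap_t cap_from_int(uintptr_t addr) {
    cap_t c = { addr, 0, 0, 0 };
    return c;
}

/* An access of `width` bytes is allowed only if the capability is tagged
 * and [offset, offset + width) lies within [0, length). */
static int cap_can_access(cap_t c, size_t width) {
    if (!c.tag || c.offset < 0) return 0;
    size_t off = (size_t)c.offset;
    return off <= c.length && width <= c.length - off;
}

/* Load one byte; returns 0 where capability hardware would raise a trap. */
static int cap_load_byte(cap_t c, unsigned char *out) {
    if (!cap_can_access(c, 1)) return 0;
    *out = *(const unsigned char *)(c.base + (uintptr_t)c.offset);
    return 1;
}

/* Constructed sample objects for the demonstrations below. */
static unsigned char buf_a[8] = { 1, 2, 3, 4, 5, 6, 7, 8 };
static unsigned char buf_b[8] = { 9, 9, 9, 9, 9, 9, 9, 9 };

/* Idiom 1: the one-past-the-end pointer. Forming it is fine (loop termination
 * depends on it); dereferencing it is denied instead of reading whatever
 * happens to follow buf_a in memory. Returns 1 on the expected behaviour. */
int demo_past_the_end(void) {
    cap_t p = cap_from_object(buf_a, sizeof buf_a);
    cap_t end = cap_add(p, (ptrdiff_t)sizeof buf_a);
    unsigned char v = 0;
    int last_ok = cap_load_byte(cap_add(end, -1), &v); /* last element: ok */
    int past_ok = cap_load_byte(end, &v);              /* one past: denied */
    return last_ok && v == 8 && !past_ok;
}

/* Idiom 2: pointer -> integer -> pointer round trip. The address survives,
 * the tag does not, so the reconstructed pointer is unusable. */
int demo_int_round_trip(void) {
    cap_t p = cap_from_object(buf_a, sizeof buf_a);
    uintptr_t addr = cap_to_int(p);
    cap_t q = cap_from_int(addr);
    unsigned char v = 0;
    return cap_to_int(q) == addr && !cap_load_byte(q, &v);
}

/* Idiom 3: comparing and subtracting pointers to different objects. The
 * address comparison works, but adding the resulting distance to a
 * capability for buf_a cannot yield access to buf_b. */
int demo_cross_object(void) {
    cap_t a = cap_from_object(buf_a, sizeof buf_a);
    cap_t b = cap_from_object(buf_b, sizeof buf_b);
    int ordered = cap_to_int(a) < cap_to_int(b) || cap_to_int(b) < cap_to_int(a);
    ptrdiff_t dist = (ptrdiff_t)(cap_to_int(b) - cap_to_int(a));
    cap_t walked = cap_add(a, dist);            /* same address as b ... */
    unsigned char v = 0;
    int reached_b = cap_load_byte(walked, &v);  /* ... but outside a's bounds */
    return ordered && cap_to_int(walked) == cap_to_int(b) && !reached_b;
}

int main(void) {
    printf("past-the-end denied:      %d\n", demo_past_the_end());
    printf("int round trip untagged:  %d\n", demo_int_round_trip());
    printf("cross-object walk denied: %d\n", demo_cross_object());
    return 0;
}
```

Each `demo_*` function returns 1 when the model behaves as the abstract describes: the C operation on the address succeeds, and only the dereference is refused. The model is monotonic by construction (no operation sets the tag or widens bounds), which is the property that makes the references unforgeable.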

This talk will include material first presented at ASPLOS 2015 in the paper 'Beyond the PDP-11: Architectural Support for a Memory-Safe C Abstract Machine'.

Friday 11th March 2016, 15:00
The Board Room
Department of Computer Science