% app-versions-7-0-alpha4.tex
This version of the \textit{CHERI Instruction-Set Architecture} is an interim
version distributed for review by DARPA and our collaborators:
\begin{itemize}
\item We have added new instructions \insnref{CSetAddr} (Set capability
address to value from register), \insnnoref{CAndAddr} (Mask address of
capability -- experimental), and \insnnoref{CGetAndAddr} (Move capability
address to an integer register, with mask -- experimental), which optimize
common virtual-address-related operations in language runtimes such as
WebKit's JavaScript engine.
These instructions cater better to a language mapping from C's
\ccode{intptr_t} type to the virtual address, rather than offset, of a
capability, which has been our focus previously.
These complement the previously added \insnnoref{CGetAddr} that allows
easier compiler access to a capability's virtual address.
\item We have added two new experimental instructions, \insnref{CRAM}
(Retrieve Mask to Align Capabilities to Precisely Representable Address) and
\insnref{CRRL} (Round to Next Precisely Representable Value), which
allow software to retrieve alignment information for the base and length for
a proposed set of bounds.
\item \insnref{CMove}, which was previously an assembler pseudo-operation
for \insnref{CIncOffset}, is now a stand-alone instruction.
This avoids the need to special-case sealed capabilities when
\insnref{CIncOffset} is used solely to move, not to modify, a
capability.
\item The names of the instructions \insnnoref{CSetBoundsImmediate} and
\insnnoref{CIncOffsetImmediate} have been shortened to
\insnref{CSetBoundsImm} and \insnref{CIncOffsetImm}.
\item The instructions \insnnoref{CCheckType} and \insnnoref{CCheckPerm}
have been deprecated, as they have not proven to be particularly useful in
implementing multi-protection-domain systems.
\item We have added a new pseudo-operation,
\insnnoref{CAssertInBounds}, which allows an exception
to be thrown if the address of a capability is not within bounds.
\item The instruction \insnnoref{CCheckTag} has now been assigned an opcode.
\item We have revised the encodings of many instructions in our draft
CHERI-RISC-V specification in Appendix~\ref{app:isaquick-riscv}.
\item We more clearly specify that when a special register write occurs to
\EPC{}, the result is similar to \insnref{CSetOffset} but with the tag
bit stripped, in the event of a failure, rather than an exception being
thrown.
\item We have added a reference to our TaPP 2018 paper, \textit{Pointer
Provenance in a Capability Architecture}, which describes how architectural
traces of pointer behavior, visible through the CHERI instruction set, can
be analyzed to understand software and structure.
\item We have added a reference to our ICCD 2018 paper, \textit{CheriRTOS:
A Capability Model for Embedded Devices}, which describes an embedded
variant of CHERI using 64-bit capabilities for 32-bit addresses, and how
embedded real-time operating systems might utilize CHERI features.
\item We have revised our description of conventions for capability values,
including when used as pointers, to hold integers, and for the NULL value, to
more clearly describe their use.
We more clearly describe the requirements for the in-memory
representation of capabilities, such as a zeroed NULL capability so that
BSS behaves as desired.
We provide clearer architecture-neutral explanations of pointer
dereferencing, capability
permissions and their composition, the namespaces protected by capability
permissions, exception handling, exception priorities, virtual memory, and
system reset.
These definitions appear in Chapter~\ref{chap:architecture}.
The CHERI-MIPS chapter has been
shortened as a variety of content has been made architecture-neutral.
\item More detailed rationale is provided for our composition of CHERI with
the MIPS exception-handling model.
\item We are more careful to use the term ``pointer'' to refer to the
C-language type, versus integer or capability values that may be used by the
compiler to implement pointers.
\item With the advent of ISA variations utilizing a merged register file, we
are more careful to differentiate integer registers from general-purpose
registers, as general-purpose registers may also hold capabilities.
\item We more clearly define the terms ``upper bound'' and ``lower bound''.
\item We now more clearly describe the effects of our \textit{principle of
intentionality} on capa\-bility-aware instruction design in
Section~\ref{sec:capability-aware-instructions}.
\item We better describe the rationale for tagged capabilities in registers
and memory, in contrast to cryptographic and probabilistic protections, in
Section~\ref{sec:probablistic_capability_protection}.
\item We have made a number of improvements to the CHERI-x86-64 sketch,
described in Chapter~\ref{chap:cheri-x86-64}, to improve realism around trap
handling and instruction design.
\item We have rewritten our description of the interaction between CHERI and
Direct Memory Access (DMA) in Section~\ref{sec:dma} to more clearly
describe tag-stripping and capability-aware DMA options.
\end{itemize}
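The \insnref{CRRL} and \insnref{CRAM} item above describes what the two instructions return but not how an allocator puts them to use. The following C model is an added example written for this changelog, not code from the CHERI specification or its software; it assumes a simplified floating-point style bounds encoding with a 14-bit mantissa (not the actual CHERI Concentrate format) and shows how a bump allocator rounds a requested length and aligns its base so that the resulting bounds are precisely representable.

```c
#include <stdbool.h>
#include <stdint.h>

/* Assumed simplified model (not the CHERI Concentrate encoding): a length is
 * representable when (len >> e) fits in MW bits, and base and length must
 * then both be multiples of 2^e. */
#define MW 14

/* Smallest exponent e such that (len >> e) fits in MW bits. */
static unsigned bounds_exponent(uint64_t len) {
    unsigned e = 0;
    while ((len >> e) >= (1ULL << MW))
        e++;
    return e;
}

/* Model of CRRL: round len up to the next representable length.
 * Rounding up can itself raise the exponent, so iterate until stable. */
uint64_t crrl(uint64_t len) {
    for (;;) {
        uint64_t low = (1ULL << bounds_exponent(len)) - 1;
        uint64_t rounded = (len + low) & ~low;
        if (bounds_exponent(rounded) == bounds_exponent(len))
            return rounded;
        len = rounded;
    }
}

/* Model of CRAM: alignment mask that base and length must satisfy for a
 * region of the given (possibly not yet rounded) length. */
uint64_t cram(uint64_t len) {
    return ~((1ULL << bounds_exponent(crrl(len))) - 1);
}

/* True when [base, base + len) can be encoded exactly in this model. */
bool bounds_representable(uint64_t base, uint64_t len) {
    uint64_t low = (1ULL << bounds_exponent(len)) - 1;
    return (base & low) == 0 && (len & low) == 0;
}

struct bounds { uint64_t base, len; };

/* Allocator helper: from a bump-pointer cursor and a requested size, pick the
 * padded length and aligned base to use before narrowing bounds, so the
 * derived capability covers the allocation exactly rather than over-approximating. */
struct bounds align_for_bounds(uint64_t cursor, uint64_t req_len) {
    struct bounds b;
    b.len = crrl(req_len);
    uint64_t mask = cram(b.len);
    b.base = (cursor + ~mask) & mask;   /* round cursor up to 2^e */
    return b;
}
```

Lengths below 2^MW need no padding in this model, while a 65537-byte request is padded to 65544 bytes and its base aligned to 8, which is the alignment information the two instructions expose so that allocators need not hard-code the encoding.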