CHERI-Lite for Memory Safety Exploit Mitigation
This paper proposes adopting the CHERI concept of tagging pointers and allowing only tagged pointers to specify the address of load, store, and instruction-fetch operations. However, we propose keeping pointers at 64 bits and therefore forgo the bounds checking on pointers. The top 8 bits of a pointer are still used to store permission information, and further high-order bits of the address space could be used to carve memory into partitions. The security value of CHERI-Lite is that it prevents memory safety attackers from directly fabricating pointers at will. Instead, with CHERI-Lite enabled, a memory safety attacker would need to find gadgets that add corrupted integer values into existing pointers and then try to use those pointers. Furthermore, these gadgets must be naturally callable by the attacker: calling into unnatural entry points would require ROP or JOP, which in turn requires modifying code pointers, and an attacker still searching for a way to modify pointers cannot use ROP or JOP yet. We believe that over time we can remove most (if not all) of these naturally callable gadgets, so that it becomes extremely hard for attackers to maliciously modify pointers on a machine with CHERI-Lite active. If we achieve this, we believe we will have made end-to-end exploitation of computer systems through memory safety bugs orders of magnitude harder than it currently is. Unlike full CHERI, the architecture change for CHERI-Lite is designed to be compatible with existing binary code and could enable large numbers of existing applications to gain some memory safety benefits without even needing to be recompiled.
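The following is an added software model of the mechanism described above; it is illustration written for this page, not the paper's design nor any real CHERI implementation. The permission bit positions (bits 56 to 58), the 56-bit address field, the tiny word-addressed tagged memory and all scenario values are assumptions chosen for the model. It shows the three properties the abstract relies on: a plain-data overwrite of a stored pointer (a bounds-unchecked overflow, since CHERI-Lite forgoes bounds) leaves an untagged word that cannot be dereferenced; pointer arithmetic on a live tagged pointer keeps the tag, which is exactly the residual "add an integer into a pointer" gadget the paper wants to eliminate; and the top-byte permissions gate load, store and instruction fetch separately.

```c
/* Software model of CHERI-Lite tagged 64-bit pointers (added illustration, not
 * the paper's code). Bit layout, permission encodings and memory size are
 * assumptions made for this model only. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MEM_WORDS  64                       /* assumed: tiny word-addressed memory */
#define ADDR_MASK  0x00FFFFFFFFFFFFFFULL    /* assumed: low 56 bits carry the address */
#define PERM_LOAD  (1ULL << 56)             /* assumed permission bits in the top byte */
#define PERM_STORE (1ULL << 57)
#define PERM_EXEC  (1ULL << 58)

/* A register or memory word: 64 data bits plus one out-of-band tag bit. */
typedef struct { uint64_t bits; bool tag; } word_t;

/* Tagged memory: every word keeps its own tag; ordinary data writes clear it. */
static word_t mem[MEM_WORDS];

/* Only a trusted root (allocator, loader) mints tagged pointers. The attacker
 * has no such primitive, so a value they write is always untagged. */
word_t mint_pointer(uint64_t addr, uint64_t perms) {
    word_t w = { (addr & ADDR_MASK) | (perms & ~ADDR_MASK), true };
    return w;
}

/* Pointer arithmetic keeps the tag and permissions: no bounds are checked,
 * so this is the gadget an attacker must find instead of forging a pointer. */
word_t ptr_add(word_t p, int64_t delta) {
    uint64_t addr = ((p.bits & ADDR_MASK) + (uint64_t)delta) & ADDR_MASK;
    word_t r = { (p.bits & ~ADDR_MASK) | addr, p.tag };
    return r;
}

/* An integer turned into a pointer carries no tag: computable, never usable. */
word_t int_to_ptr(uint64_t v) { word_t r = { v, false }; return r; }

/* Each access checks the tag, the matching permission and the model's memory
 * range. Return 0 on success, -1 on a tag/permission fault. */
int cl_load(word_t p, word_t *out) {
    uint64_t addr = p.bits & ADDR_MASK;
    if (!p.tag || !(p.bits & PERM_LOAD) || addr >= MEM_WORDS) return -1;
    *out = mem[addr];
    return 0;
}
int cl_store(word_t p, word_t val) {
    uint64_t addr = p.bits & ADDR_MASK;
    if (!p.tag || !(p.bits & PERM_STORE) || addr >= MEM_WORDS) return -1;
    mem[addr] = val;                        /* stored word keeps val's own tag */
    return 0;
}
int cl_fetch(word_t pc, uint64_t *insn) {
    uint64_t addr = pc.bits & ADDR_MASK;
    if (!pc.tag || !(pc.bits & PERM_EXEC) || addr >= MEM_WORDS) return -1;
    *insn = mem[addr].bits;
    return 0;
}

/* Scenario 1: a linear overflow of plain data runs over a spilled pointer.
 * Returns 1 if the corrupted pointer is rejected when later used. */
int scenario_overflow_clears_tag(void) {
    memset(mem, 0, sizeof mem);
    word_t stack = mint_pointer(8, PERM_LOAD | PERM_STORE);
    word_t secret_ptr = mint_pointer(40, PERM_LOAD);
    mem[40].bits = 0x5ec7e7;                /* constructed "secret" data word */
    cl_store(ptr_add(stack, 2), secret_ptr);            /* program spills pointer to slot 10 */
    for (int i = 0; i < 4; i++) {                        /* overflow from slot 8 past slot 10 */
        word_t data = int_to_ptr(40 | PERM_LOAD);        /* well-formed bits, but untagged */
        cl_store(ptr_add(stack, i), data);
    }
    word_t reloaded, out;
    cl_load(ptr_add(stack, 2), &reloaded);               /* reload the clobbered slot */
    return cl_load(reloaded, &out) == -1;                /* fault: tag was cleared */
}

/* Scenario 2: the residual gadget. A corrupted integer offset added to a live
 * tagged pointer reaches the same word successfully. Returns 1 if it does. */
int scenario_arith_gadget_preserves_tag(void) {
    memset(mem, 0, sizeof mem);
    mem[40].bits = 0x5ec7e7;
    word_t buf = mint_pointer(8, PERM_LOAD);
    int64_t corrupted_index = 32;           /* constructed: an out-of-bounds index */
    word_t out;
    return cl_load(ptr_add(buf, corrupted_index), &out) == 0 && out.bits == 0x5ec7e7;
}

/* Scenario 3: top-byte permissions are enforced per operation. Returns 1 if a
 * load-only pointer can load but can neither store nor be fetched from. */
int scenario_permission_enforced(void) {
    memset(mem, 0, sizeof mem);
    word_t ro = mint_pointer(8, PERM_LOAD);
    word_t v = int_to_ptr(1), out;
    uint64_t insn;
    return cl_store(ro, v) == -1 && cl_fetch(ro, &insn) == -1 && cl_load(ro, &out) == 0;
}

int main(void) {
    printf("overflow rejected: %d\n", scenario_overflow_clears_tag());
    printf("arith gadget works: %d\n", scenario_arith_gadget_preserves_tag());
    printf("permissions enforced: %d\n", scenario_permission_enforced());
    return 0;
}
```

Scenario 2 returning success is the point of the abstract's second half: the tag check alone stops forged pointers, not arithmetic on legitimate ones, which is why the paper targets the naturally callable gadgets that perform such arithmetic.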