It’s worth noting that a lot has changed since this paper. I added a separate address to capabilities so that they could be used as C pointers, for example. I also replaced the complicated sealing mechanism with something much simpler. Graeme Barnes (I think) added sentry capabilities, which let you jump to a target with a lightweight sealing-like mechanism. Jon Woodruff and a few others created the 128-bit capability representation.
This paper was written when we could run an assembly microkernel on a CHERI CPU and had just enough support in FreeBSD that we could run something in userspace if it didn’t expect to use capabilities at the kernel interface. We had just enough compiler support that you could annotate some pointers as capabilities, but then you couldn’t do subtraction on them, so you had to keep them as separate pointers to buffers.
Now we can run programs where every pointer (including implicit ones such as vtable indexes and frame pointers) is a capability, run the whole FreeBSD kernel in this mode, and run KDE on Wayland on top.
What’s a good thing to read to get an overview of the more recent stuff that you mentioned?
I’m not sure we have a good overview. Some of our Morello blogs give some context and there are a bunch of tutorial resources on chericpu.org.
Thanks for clarifying. I find the CHERI website a little hard to navigate TBH and this paper was the best short summary of the ideas I could find.