# Memory Virtualization - Recitation

Rishabh Iyer

28. 10. 2021

#### Lecture Recap

- o Would we need VM if we had unlimited physical mem?
  - Which entity enforces memory isolation between processes?
- o Why are page tables hierarchical in x86?
- o What is the minimum page size in x86? Why?
  - How does this impact page table organization?
- o Why must TLB hit rates be >=95%?
- o How are the L1/L2/L3 caches in Skylake indexed,? Why?

# Agenda for today's recitation

- o Recap CHERI paper
- o Design exercise based on CHERI

## Main principles underlying CHERI

- o Principle of least privilege
  - A subject should be given only those privileges needed for it to complete its task
- o De-conflating virtualization and protection
  - Paging is best-suited for translation, segmentation for protection.

## Capabilities

- o Capabilities are an unforgeable token of authority
  - \* Enable de-centralized, minimal overhead access control
- o CHERI capabilities are unforgeable fat pointers
  - ❖ Fat pointer = Base + Length + Permissions



Figure 1: Memory capability

# Memory Safety using capabilities

- o How do capabilities ensure memory safety?
- o What defines the current protection domain?

#### Design goals for a RISC capability system

- o Capability manipulation must be unprivileged
- o Capabilities can span any range in the VA space
- o Should be able to run unmodified legacy code, while still being constrained by capabilities

## Capabilities in CHERI

- o Where are they stored?
- o Assuming the right capabilities are present, how are they enforced?



Figure 2: BERI pipeline with capability coprocessor

## Support for legacy code in CHERI

- o How does legacy code fit into the capability model?
- o Does CHERI make legacy code memory safe?



### Ensuring relevant capabilities

- o What role do they OS, compiler and HW play?
- o Consider the following example:
  - ❖ I malloc an int. The kernel mmaps a page of memory with VA 0 to 4KB. libc then returns allocates the integer in the first 8 bytes.
  - ❖ I now malloc a second int. libc does not need to call mmap(), it simply allocates the integer in the next 8 bytes of the page above.
  - ❖ I now want to use these two integers, how does the hardware have the correct capabilities?

## Ensuring relevant capabilities

- o OS creates capabilities for process
  - Done when process is loaded/new memory is allocated
- o Compiler associates each load/store with the correct capability register
  - Ensures that the hardware does not need to check the entire capability table
- o Hardware ensures unforgeability of capabilities
  - Only provides support to reduce privileges
  - Ensures regular stores cannot modify capabilities using tags

#### Design Exercise: Compartmentalization

o Design an efficient application-level compartmentalization scheme within CHERI to ensure isolation of untrusted, third party code. Your scheme must allow for the isolated code to be given arbitrary (but defined) access to the virtual address space. You may assume compiler support when invoking the third party code.