CHERI is a research project currently. It has a number of large outstanding issues - CHERI essentially needs to do a whole-system stop-the-world garbage collection phase for precise tag revocation in order to avoid non-stochastic temporal safety, iirc, which is alluded to in the OP as the "revoker" (google "CHERIvoke sweep") - and is still under active research. It is not something that can just be rolled out to production on one of the highest profile devices in the world. Porting code to run on CHERI, especially if you want to actually use the security features it provides, is also a large undertaking, and would be a massive userspace change. Apple is doing a lot of very good work in similar spaces, between PAC and FireBloom and related security measures, but there's a very big difference between that and CHERI.
Stop-the-world is only brief, to scan the register file of each thread and any other capabilities held in the kernel (asynchronous I/O, signal handlers, etc). Once done the entire memory sweep can be done concurrent with execution.
As for porting, it very much depends what you're doing. Operating systems and language runtimes, especially those with JITs, have intimate knowledge of the architecture and like to play cute tricks with pointers, so those are disproportionately involved to port. General user code requires very little, if any, porting. In one study, a basic KDE+X11 desktop stack was ported to CHERI, seeing 0.026% LoC changes across 6 million LoC, or 1584 lines. It's non-zero, and of course there is a lot of code out there so even a tiny fraction of it isn't insignificant, but it is very small as these things go.
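The revocation scheme described in the comment above (a brief stop-the-world scan of each thread's register file, then a sweep of memory that clears the tag of every capability still pointing into quarantined memory), as an added toy model written for this thread; it is not CHERI's or CHERIvoke's code, and the class and method names are invented for illustration.

```python
from dataclasses import dataclass, replace

@dataclass
class Cap:
    base: int
    length: int
    tag: bool = True  # dereferenceable only while the tag is set

class TempSafeHeap:
    def __init__(self, words):
        self.mem = [0] * words          # each word holds an int or a Cap copy
        self.revoked = [False] * words  # shadow map: set while the word is quarantined
        self.quarantine, self.bump = [], 0
    def alloc(self, n):
        base, self.bump = self.bump, self.bump + n
        return Cap(base, n)
    def free(self, cap):                # quarantine: not reusable until a sweep has run
        for w in range(cap.base, cap.base + cap.length):
            self.revoked[w] = True
        self.quarantine.append(cap)
    def _addr(self, cap, off):          # hardware-style check on every dereference
        if not cap.tag or off >= cap.length:
            raise PermissionError("untagged or out-of-bounds capability")
        return cap.base + off
    def store(self, dst, off, value):   # storing a capability copies it into memory
        self.mem[self._addr(dst, off)] = replace(value) if isinstance(value, Cap) else value
    def load(self, src, off):
        return self.mem[self._addr(src, off)]
    def sweep(self, register_files):
        # phase 1: brief stop-the-world scan of each thread's registers;
        # phase 2: sweep of all memory (concurrent with execution in the real design)
        cleared = 0
        for c in [r for regs in register_files for r in regs] + self.mem:
            if isinstance(c, Cap) and c.tag and self.revoked[c.base]:
                c.tag = False           # tag cleared: this copy can never be dereferenced again
                cleared += 1
        for q in self.quarantine:       # no tagged copy points here any more: safe to reuse
            for w in range(q.base, q.base + q.length):
                self.revoked[w] = False
        self.quarantine.clear()
        return cleared

def demo():
    heap = TempSafeHeap(64)
    p, q = heap.alloc(4), heap.alloc(4)  # p and q live in registers
    heap.store(q, 0, p)                  # a copy of p now also lives in memory
    heap.free(p)                         # quarantined; every copy still carries its tag
    cleared = heap.sweep([[p, q]])
    return cleared, p.tag, heap.load(q, 0).tag, q.tag, sum(heap.revoked)
```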
> Stop-the-world is only brief, to scan the register file of each thread and any other capabilities held in the kernel (asynchronous I/O, signal handlers, etc). Once done the entire memory sweep can be done concurrent with execution.
Is there documentation of the scheme that allows this? I did some quick Googling and found CHERIvoke (which is not concurrent at all) and Cornucopia (which requires scanning some user pages while the world is stopped). Are you referring to something newer?
Potentially (likely) uninformed question: Doesn't this have the potential side-effect of wrecking L1/L2 caches? If so that could get quite pathological for many workloads.
Or is there some new fancy dedicated hardware registers involved?