Brussels / 4 & 5 February 2023


A Rusty CHERI - The path to hardware capabilities in Rust

A status report on ongoing efforts to support CHERI architectures in Rust

CHERI defines hardware extensions to encode access constraints on pointers, enabling hardware enforcement of such restructions based on metadata stored alongside pointers. There is an ongoing drive to support compiling Rust code in a way that can make use of these extensions.

Doing this provides another layer of protection. We can encode knowledge about provenance validity, bounds and other access restrictions that the compiler (and OS/etc.) knows about in a way the hardware can enforce at runtime. The Rust memory model is famous for being able to enforce these types of restrictions at compile time, but not for unsafe Rust code. Unsafe Rust code needs to be written sometimes, which presents situations which can only be verified at run time. Some other nice benefits could come from this work. For example, runtime bounds checking can now be done by hardware rather than software, and since provenance information is necessary for operations on capabilities, closing gaps where it is not currently preserved forms a part of this work.

This talk is a discussion on what is required for this support, and gives an overview of the state of the various attempts to implement this support.


Lewis Revill