CHERI UNCHAINED: Generic Instruction and Register Control for CHERI Capabilities

Moritz Waser; Lukas Lamster; David Schrammel; Martin Unterguggenberger; Stefan Mangard

doi:10.1007/978-3-032-00627-1_8

CHERI UNCHAINED: Generic Instruction and Register Control for CHERI Capabilities

Moritz Waser^*
, Lukas Lamster
, David Schrammel
, Martin Unterguggenberger
, Stefan Mangard

^*Corresponding author for this work

Institute of Information Security (7050)

Research output: Chapter in Book/Report/Conference proceeding › Conference paper › peer-review

Abstract

The CHERI capability architecture is designed to implement the principle of least privilege at the hardware level, enabling fine-grain compartmentalization of resources in memory.
Besides memory, capability-enhanced processors like the ARM Morello SoC rely on traditional ring-based isolation for instruction and register control.
However, previous works have demonstrated that exploiting access to system registers or privileged instructions can allow attackers to break or bypass the memory isolation.
Furthermore, ring-based isolation is too coarse-grain for software isolation that aims to enforce least privilege.
This paper presents CHERI Unchained, a novel CHERI ISA extension that allows explicit management of (non-memory) hardware resources through software-controlled capabilities.
Specifically, we introduce the new concept of control capabilities, which enforce the principle of least privilege by restricting access to instructions and registers while following CHERI’s overarching design goals of provenance, integrity, and monotonicity.
Our design enables fine-grain resource management for both, pure-capability and legacy software.
Furthermore, CHERI Unchained has the potential to replace traditional ring-based protection entirely, thus reducing complexity while providing a higher degree of privilege control flexibility.
To demonstrate the feasibility of our design, we present a functional prototype based on the CHERI-QEMU simulator and evaluate the performance on the ARM Morello platform.
Extending generic software running on Morello with fine-grain hardware resource management incurs a worst-case performance overhead of 2.76%.
Additionally, we extensively analyze the security of all privilege-related mechanisms in our design, highlighting the flexibility of our generic approach.

Original language	English
Title of host publication	Availability, Reliability and Security
Subtitle of host publication	20th International Conference, ARES 2025, Ghent, Belgium, August 11–14, 2025, Proceedings, Part II
Editors	Mila Dalla Preda, Sebastian Schrittwieser, Vincent Naessens, Bjorn De Sutter
Publisher	Springer, Cham
Pages	149–170
Number of pages	22
ISBN (Electronic)	978-3-032-00627-1
ISBN (Print)	978-3-032-00626-4
DOIs	https://doi.org/10.1007/978-3-032-00627-1_8
Publication status	Published - 10 Aug 2025
Event	20th International Conference on Availability, Reliability and Security, ARES 2025 - Ghent, Belgium Duration: 11 Aug 2025 → 14 Aug 2025

Publication series

Name	Lecture Notes in Computer Science
Volume	15993 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	20th International Conference on Availability, Reliability and Security, ARES 2025
Abbreviated title	ARES 2025
Country/Territory	Belgium
City	Ghent
Period	11/08/25 → 14/08/25

Keywords

Capability Architecture
Compartmentalization
Memory Safety

ASJC Scopus subject areas

Theoretical Computer Science
General Computer Science

Fields of Expertise

Information, Communication & Computing

Access to Document

10.1007/978-3-032-00627-1_8

Cite this

Waser, M., Lamster, L., Schrammel, D., Unterguggenberger, M., & Mangard, S. (2025). CHERI UNCHAINED: Generic Instruction and Register Control for CHERI Capabilities. In M. Dalla Preda, S. Schrittwieser, V. Naessens, & B. De Sutter (Eds.), Availability, Reliability and Security: 20th International Conference, ARES 2025, Ghent, Belgium, August 11–14, 2025, Proceedings, Part II (pp. 149–170). (Lecture Notes in Computer Science; Vol. 15993 LNCS). Springer, Cham. https://doi.org/10.1007/978-3-032-00627-1_8

CHERI UNCHAINED: Generic Instruction and Register Control for CHERI Capabilities. / Waser, Moritz ; Lamster, Lukas; Schrammel, David et al.
Availability, Reliability and Security: 20th International Conference, ARES 2025, Ghent, Belgium, August 11–14, 2025, Proceedings, Part II. ed. / Mila Dalla Preda; Sebastian Schrittwieser; Vincent Naessens; Bjorn De Sutter. Springer, Cham, 2025. p. 149–170 (Lecture Notes in Computer Science; Vol. 15993 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Conference paper › peer-review

Waser, M , Lamster, L, Schrammel, D, Unterguggenberger, M & Mangard, S 2025, CHERI UNCHAINED: Generic Instruction and Register Control for CHERI Capabilities. in M Dalla Preda, S Schrittwieser, V Naessens & B De Sutter (eds), Availability, Reliability and Security: 20th International Conference, ARES 2025, Ghent, Belgium, August 11–14, 2025, Proceedings, Part II. Lecture Notes in Computer Science, vol. 15993 LNCS, Springer, Cham, pp. 149–170, 20th International Conference on Availability, Reliability and Security, ARES 2025, Ghent, Belgium, 11/08/25. https://doi.org/10.1007/978-3-032-00627-1_8

Waser M , Lamster L, Schrammel D, Unterguggenberger M , Mangard S. CHERI UNCHAINED: Generic Instruction and Register Control for CHERI Capabilities. In Dalla Preda M, Schrittwieser S, Naessens V, De Sutter B, editors, Availability, Reliability and Security: 20th International Conference, ARES 2025, Ghent, Belgium, August 11–14, 2025, Proceedings, Part II. Springer, Cham. 2025. p. 149–170. (Lecture Notes in Computer Science). doi: 10.1007/978-3-032-00627-1_8

Waser, Moritz ; Lamster, Lukas ; Schrammel, David et al. / CHERI UNCHAINED: Generic Instruction and Register Control for CHERI Capabilities. Availability, Reliability and Security: 20th International Conference, ARES 2025, Ghent, Belgium, August 11–14, 2025, Proceedings, Part II. editor / Mila Dalla Preda ; Sebastian Schrittwieser ; Vincent Naessens ; Bjorn De Sutter. Springer, Cham, 2025. pp. 149–170 (Lecture Notes in Computer Science).

@inproceedings{2ca20ed3ba684b31892da3c97ad27c17,

title = "CHERI UNCHAINED: Generic Instruction and Register Control for CHERI Capabilities",

abstract = "The CHERI capability architecture is designed to implement the principle of least privilege at the hardware level, enabling fine-grain compartmentalization of resources in memory. Besides memory, capability-enhanced processors like the ARM Morello SoC rely on traditional ring-based isolation for instruction and register control. However, previous works have demonstrated that exploiting access to system registers or privileged instructions can allow attackers to break or bypass the memory isolation. Furthermore, ring-based isolation is too coarse-grain for software isolation that aims to enforce least privilege. This paper presents CHERI Unchained, a novel CHERI ISA extension that allows explicit management of (non-memory) hardware resources through software-controlled capabilities. Specifically, we introduce the new concept of control capabilities, which enforce the principle of least privilege by restricting access to instructions and registers while following CHERI{\textquoteright}s overarching design goals of provenance, integrity, and monotonicity. Our design enables fine-grain resource management for both, pure-capability and legacy software. Furthermore, CHERI Unchained has the potential to replace traditional ring-based protection entirely, thus reducing complexity while providing a higher degree of privilege control flexibility. To demonstrate the feasibility of our design, we present a functional prototype based on the CHERI-QEMU simulator and evaluate the performance on the ARM Morello platform. Extending generic software running on Morello with fine-grain hardware resource management incurs a worst-case performance overhead of 2.76\%. Additionally, we extensively analyze the security of all privilege-related mechanisms in our design, highlighting the flexibility of our generic approach.",

keywords = "Capability Architecture, Compartmentalization, Memory Safety",

author = "Moritz Waser and Lukas Lamster and David Schrammel and Martin Unterguggenberger and Stefan Mangard",

year = "2025",

month = aug,

day = "10",

doi = "10.1007/978-3-032-00627-1\_8",

language = "English",

isbn = "978-3-032-00626-4 ",

series = "Lecture Notes in Computer Science",

publisher = "Springer, Cham",

pages = "149–170",

editor = "\{Dalla Preda\}, \{Mila \} and Schrittwieser, \{Sebastian \} and Naessens, \{Vincent \} and \{De Sutter\}, \{Bjorn \}",

booktitle = "Availability, Reliability and Security",

note = "20th International Conference on Availability, Reliability and Security, ARES 2025, ARES 2025 ; Conference date: 11-08-2025 Through 14-08-2025",

}

TY - GEN

T1 - CHERI UNCHAINED: Generic Instruction and Register Control for CHERI Capabilities

AU - Waser, Moritz

AU - Lamster, Lukas

AU - Schrammel, David

AU - Unterguggenberger, Martin

AU - Mangard, Stefan

PY - 2025/8/10

Y1 - 2025/8/10

N2 - The CHERI capability architecture is designed to implement the principle of least privilege at the hardware level, enabling fine-grain compartmentalization of resources in memory. Besides memory, capability-enhanced processors like the ARM Morello SoC rely on traditional ring-based isolation for instruction and register control. However, previous works have demonstrated that exploiting access to system registers or privileged instructions can allow attackers to break or bypass the memory isolation. Furthermore, ring-based isolation is too coarse-grain for software isolation that aims to enforce least privilege. This paper presents CHERI Unchained, a novel CHERI ISA extension that allows explicit management of (non-memory) hardware resources through software-controlled capabilities. Specifically, we introduce the new concept of control capabilities, which enforce the principle of least privilege by restricting access to instructions and registers while following CHERI’s overarching design goals of provenance, integrity, and monotonicity. Our design enables fine-grain resource management for both, pure-capability and legacy software. Furthermore, CHERI Unchained has the potential to replace traditional ring-based protection entirely, thus reducing complexity while providing a higher degree of privilege control flexibility. To demonstrate the feasibility of our design, we present a functional prototype based on the CHERI-QEMU simulator and evaluate the performance on the ARM Morello platform. Extending generic software running on Morello with fine-grain hardware resource management incurs a worst-case performance overhead of 2.76%. Additionally, we extensively analyze the security of all privilege-related mechanisms in our design, highlighting the flexibility of our generic approach.

AB - The CHERI capability architecture is designed to implement the principle of least privilege at the hardware level, enabling fine-grain compartmentalization of resources in memory. Besides memory, capability-enhanced processors like the ARM Morello SoC rely on traditional ring-based isolation for instruction and register control. However, previous works have demonstrated that exploiting access to system registers or privileged instructions can allow attackers to break or bypass the memory isolation. Furthermore, ring-based isolation is too coarse-grain for software isolation that aims to enforce least privilege. This paper presents CHERI Unchained, a novel CHERI ISA extension that allows explicit management of (non-memory) hardware resources through software-controlled capabilities. Specifically, we introduce the new concept of control capabilities, which enforce the principle of least privilege by restricting access to instructions and registers while following CHERI’s overarching design goals of provenance, integrity, and monotonicity. Our design enables fine-grain resource management for both, pure-capability and legacy software. Furthermore, CHERI Unchained has the potential to replace traditional ring-based protection entirely, thus reducing complexity while providing a higher degree of privilege control flexibility. To demonstrate the feasibility of our design, we present a functional prototype based on the CHERI-QEMU simulator and evaluate the performance on the ARM Morello platform. Extending generic software running on Morello with fine-grain hardware resource management incurs a worst-case performance overhead of 2.76%. Additionally, we extensively analyze the security of all privilege-related mechanisms in our design, highlighting the flexibility of our generic approach.

KW - Capability Architecture

KW - Compartmentalization

KW - Memory Safety

UR - https://www.scopus.com/pages/publications/105014161951

U2 - 10.1007/978-3-032-00627-1_8

DO - 10.1007/978-3-032-00627-1_8

M3 - Conference paper

SN - 978-3-032-00626-4

T3 - Lecture Notes in Computer Science

SP - 149

EP - 170

BT - Availability, Reliability and Security

A2 - Dalla Preda, Mila

A2 - Schrittwieser, Sebastian

A2 - Naessens, Vincent

A2 - De Sutter, Bjorn

PB - Springer, Cham

T2 - 20th International Conference on Availability, Reliability and Security, ARES 2025

Y2 - 11 August 2025 through 14 August 2025

ER -

CHERI UNCHAINED: Generic Instruction and Register Control for CHERI Capabilities

Abstract

Publication series

Conference

Keywords

ASJC Scopus subject areas

Fields of Expertise

Access to Document

Other files and links

Fingerprint

AWARE - Hardware-Ensured Software Security