Fil-C running on any x86 box is faster than any CHERI implementation that has ever existed.
That's likely to be true in embedded also, just because of the relationship between volume and performance in silicon. Fil-C runs on the high volume stuff, so it'll get better perf.
CHERI doubles the size of pointers, so it's not like it has a decisive advantage over Fil-C.
Is this your last design iteration? Benchmarks would be great and some performance justification based on the design (techniques).
Are all possible memory problems checked, which to me include those listed in https://matu3ba.github.io/articles/optimal_debugging/#practi... (OOB, null, type confusion, integer overflow, invalid stack access, UUM, data races, illegal aliasing/provenance, stack overflows, ..) ?
There’s so much perf on the table that I haven’t claimed yet.
I’m just focusing on other things most of the time, like right now I want to actually make a super easy to install memory safe sshd distro.
The perf is more than good enough for that so that’s just a thing I should ship
All of the things you list are either checked or they’re given some kind of safe semantics. Like some kinds of type confusion are just fine and need to work (like int to float bit casts)
No, and I don't need to in order to know that my claim is accurate.
Also, the fact that having access to CHERI hardware is a thing you presume I don't have should tell you a lot about how likely CHERI is to ever succeed
But seemingly on track to move from "large" to "significant" speed and memory overhead. It is already really useful especially for running tests in pipelines.
If i understand InvisiCaps Fil-C correctly, it does not allow capability restriction (as metadata are stored at the beginning of each object), while with CHERI one can take ptr/capability for an object, restrict it to a capability for a sub-object, pass that to a callee (with function call), and the callee can access only the sub-object.
This also means Fil-C seems not to be really helpful when a program uses its own allocators on top of malloc() or page allocation from OS, while with CHERI this works naturally through capability restriction.
The fact that InvisiCaps don’t support capability restriction is a choice though. I could have made them support that feature. I didn’t because I’m going for C/C++ compatibility and the only way to make meaningful use of capability restriction is to change people’s code.
Worth noting that if a program has its own allocator then you have to make more than zero changes in both Fil-C and in CHERI to get the benefit:
- In fil-C you just get rid of the custom allocator.
- In CHERI you make the allocator do capability restriction, which is actually kinda hard to get right (if the allocator’s metadata doesn’t also do capability restriction and the allocator uses inline free lists then that could easily turn into a full blown capability escape).
> Fil-C is more compatible in the sense that I can get CPython to work in Fil-C and to my knowledge it doesn't work on CHERI.
MicroPython has been ported though. What makes CPython special, so it couldn't be ported?
> Fil-C also has an actual story for use-after-free. CHERI's story is super weak
Indeed, CHERI does not always trap on use-after-free if the program is fast enough. A free'd memory object is kept until another thread has found all pointers to the object and made them invalid.
If I understood the paper right, Cornucopia-Reloaded does invalidate a capability directly when loaded if the pointed-to page is marked free. Therefore, any allocation of at least a page should have no use-after-free.
You can have a memory safe Linux userland today in stock hardware. https://fil-c.org/pizlix