We describe an extension to the CHERI capability architecture to provide blinded capabilities that allow data-oblivious computation to be carried out by userspace tasks. We also present BLACKOUT, our realization of blinded capabilities on a FPGA softcore based on the speculative out-of-order CHERI-Toooba processor and extend the CHERI-enabled Clang/LLVM compiler and the CheriBSD operating system with support for blinded capabilities. BLACKOUT makes writing side-channel-resistant code easier by making nondata-oblivious operations via blinded capabilities explicitly fault. Through rigorous evaluation we show that BLACKOUT ensures memory operated on through blinded capabilities is securely allocated, used, and reclaimed and demonstrate that, in benchmarks comparable to those used by previous work, BLACKOUT imposes only a small performance degradation (1.5% geometric mean) compared to the baseline CHERI-Toooba processor.
Available from ACM Digital Library
Authors
Hossam ElAtali - University of Waterloo, Canada, and Merve Gülmez – Ericsson Research, Sweden
Thomas Nyman – Ericsson Product Security
N. Asokan – University of Waterloo, Canada
Presented at the ACM Conference on Computer and Communications Security (CCS ’25), October 13–17, 2025, Taipei, Taiwan
© 2025 Copyright held by the owner/author(s).
The work was licensed under a Creative Commons Attribution 4.0 International License