
Mon CHERI: Mitigating Uninitialized Memory Access with Conditional Capabilities

Up to 10% of memory-safety vulnerabilities in languages like C and C++ stem from uninitialized variables. This work addresses the prevalence of uninitialized-memory issues and the lack of adequate software mitigations for them, proposing architectural protections in hardware.
Research paper

Capability-based addressing, such as the University of Cambridge’s CHERI, mitigates many memory defects, including spatial and temporal safety violations, at the architectural level. CHERI, however, does not handle undefined behavior arising from uninitialized variables. We extend the CHERI capability model with “conditional capabilities,” which enable memory-access policies that depend on prior operations. This allows enforcement of policies that satisfy memory-safety objectives such as “no reads from memory without at least one prior write” (Write-before-Read). We present our architecture extension, compiler support, and a detailed evaluation of our approach on the QEMU full-system simulator and on a modified FPGA-based CHERI-RISC-V softcore. Our evaluation shows that conditional capabilities are practical, with high detection accuracy and a small (≈ 3.5%) overhead that is comparable to the cost of baseline CHERI capabilities.

Conditional capabilities enable enforcement of write-before-read memory policies with minimal overhead.
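To make the Write-before-Read policy concrete, the following is an added illustration, not code from the paper or from the CHERI project: a small software model that tracks, per byte, whether memory has been written since it was allocated and flags any load of a never-written byte. The hardware mechanism in the paper (conditional capabilities) is replaced here by a hypothetical shadow bitmap and the checked accessors `wbr_alloc`, `wbr_store` and `wbr_load`, all of which are names invented for this example. The two scenarios it exercises are the ones such a policy is meant to catch: a partially initialized struct whose unwritten field is read, and a reused region whose stale contents from an earlier lifetime would otherwise leak through an uninitialized read.

```c
/* Added example: software model of a "write-before-read" memory policy.
 * This is NOT the paper's hardware mechanism; the shadow bitmap and the
 * wbr_* helpers are hypothetical stand-ins for conditional capabilities. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define POOL_SIZE 256

static uint8_t pool[POOL_SIZE];     /* memory being policed */
static uint8_t written[POOL_SIZE];  /* shadow: 1 once a byte has been written */
static size_t  violations;          /* reads of never-written bytes */

/* Hypothetical allocator: hands out a region of the pool and clears its
 * shadow bits, so the bytes count as uninitialized regardless of contents. */
static void *wbr_alloc(size_t off, size_t len) {
    memset(written + off, 0, len);
    return pool + off;
}

/* Checked store: perform the write and mark the bytes as initialized. */
static void wbr_store(void *p, const void *src, size_t len) {
    size_t off = (size_t)((uint8_t *)p - pool);
    memcpy(p, src, len);
    memset(written + off, 1, len);
}

/* Checked load: refuse (here: count a violation) if any byte in the range
 * has not been written since allocation; otherwise copy the data out. */
static int wbr_load(void *dst, const void *p, size_t len) {
    size_t off = (size_t)((const uint8_t *)p - pool);
    for (size_t i = 0; i < len; i++) {
        if (!written[off + i]) {
            violations++;
            return -1;
        }
    }
    memcpy(dst, p, len);
    return 0;
}

struct conn { uint32_t id; uint32_t flags; };  /* constructed sample type */

/* Case 1: only `id` is initialized; the read of `flags` is flagged. */
size_t demo_partial_init(void) {
    violations = 0;
    struct conn *c = wbr_alloc(0, sizeof *c);
    uint32_t id = 42, out;
    wbr_store(&c->id, &id, sizeof id);
    wbr_load(&out, &c->id, sizeof out);     /* allowed: written before read */
    wbr_load(&out, &c->flags, sizeof out);  /* flagged: never written */
    return violations;                      /* 1 */
}

/* Case 2: region reuse. The old bytes are still physically present, but the
 * shadow is reset on allocation, so reading them is still a violation. */
size_t demo_stale_reuse(void) {
    violations = 0;
    uint8_t secret[16] = "hunter2";         /* constructed sample data */
    uint8_t *a = wbr_alloc(64, sizeof secret);
    wbr_store(a, secret, sizeof secret);
    uint8_t *b = wbr_alloc(64, sizeof secret);  /* same bytes, new lifetime */
    uint8_t leak[16];
    wbr_load(leak, b, sizeof leak);         /* flagged: stale, not written */
    return violations;                      /* 1 */
}

/* Case 3: fully initialized object; no violation. */
size_t demo_full_init(void) {
    violations = 0;
    struct conn *c = wbr_alloc(128, sizeof *c);
    struct conn init = { 7, 1 }, out;
    wbr_store(c, &init, sizeof init);
    wbr_load(&out, c, sizeof out);
    return violations;                      /* 0 */
}

int main(void) {
    printf("partial init : %zu violation(s)\n", demo_partial_init());
    printf("stale reuse  : %zu violation(s)\n", demo_stale_reuse());
    printf("full init    : %zu violation(s)\n", demo_full_init());
    return 0;
}
```

The point of the second case is that a policy keyed on prior operations, rather than on memory contents, catches the stale-data leak even though the bytes read are well-defined from the hardware's point of view; that is the gap the abstract attributes to baseline CHERI, which bounds where a capability may access but not whether the target has been written yet.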

Full abstract in IEEEXplore DOI: 10.1109/SP61157.2025.00133


Authors

Merve Gülmez – Ericsson Research, Sweden, and DistriNet Research Unit, KU Leuven, Belgium

Håkan Englund – Ericsson Research, Sweden

Jan Tobias Mühlberg – Université Libre de Bruxelles, Belgium 

Thomas Nyman – Ericsson Product Security, Sweden


Published in Proceedings of the 2025 IEEE Symposium on Security and Privacy (SP), May 2025


©2025 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse.

Download the paper: Mon CHERI: Mitigating Uninitialized Memory Access with Conditional Capabilities (PDF)