Enforcing Integrity and Software Fault Isolation in Microkernels with CHERI

The predominant programming language to write operating system kernels in today still is C. While C is perfect in terms of performance and control over hardware, it lacks memory safety. Kernels that cater to high-assurance systems have been accepting this fact for decades now, mainly because C is neither easily replaced nor matched in terms of performance. This is a huge problem for microkernels, which command the field of system software for high-assurance systems and challenge the status quo with new requirements for safety and security. Time and experience have shown that checking, testing and linting is not enough to eliminate the memory unsafety shortcomings of C though, even on microkernels. A major reason for a lack of adoption of new ideas seems to be the absence of backwards compatible solutions that offer memory safety for projects that employ C, while also retaining a solid performance.
    Capability Hardware Enhanced RISC Extensions (CHERI) -- a hardware-software co-design project -- aims at solving exactly this issue. CHERI adds memory safety to C-language based systems and claims to keep a solid performance while being easily adaptable -- at least for application software. Microkernels would heavily benefit from such promises. Hence, my research investigates whether CHERI's claims of being easily adoptable hold up for the microkernel developed at Huawei Dresden Research Center and which performance impacts a transition to CHERI currently has on this system.

We will see that the transition to CHERI involves non-trivial changes, with certain areas of the kernel being disproportionally affected. Furthermore, we perform micro-benchmarks to evaluate the system's performance on real hardware, with particular workloads showing a non-negligible performance degradation. Our results are then contrasted against the fact that the kernel has become memory safe.

(Master Defense)