Comment by pizlonator 6 hours ago
> Fil-C is basically CHERI in software
It's not, actually.
Fil-C is more compatible with C/C++ than CHERI, because Fil-C doesn't change `sizeof(void*)`.
Fil-C is more compatible in the sense that I can get CPython to work in Fil-C and to my knowledge it doesn't work on CHERI.
Fil-C also has an actual story for use-after-free. CHERI's story is super weak
Yeah this is a benefit of CHERI.
The fact that InvisiCaps don’t support capability restriction is a choice though. I could have made them support that feature. I didn’t because I’m going for C/C++ compatibility and the only way to make meaningful use of capability restriction is to change people’s code.
Worth noting that if a program has its own allocator then you have to make more than zero changes in both Fil-C and in CHERI to get the benefit:
- In fil-C you just get rid of the custom allocator.
- In CHERI you make the allocator do capability restriction, which is actually kinda hard to get right (if the allocator’s metadata doesn’t also do capability restriction and the allocator uses inline free lists then that could easily turn into a full blown capability escape).
> Fil-C is more compatible in the sense that I can get CPython to work in Fil-C and to my knowledge it doesn't work on CHERI.
MicroPython has been ported though. What makes CPython special, so it couldn't be ported?
> Fil-C also has an actual story for use-after-free. CHERI's story is super weak
Indeed, CHERI does not always trap on use-after-free if the program is fast enough. A free'd memory object is kept until another thread has found all pointers to the object and made them invalid.
If I understood the paper right, Cornucopia-Reloaded does invalidate a capability directly when loaded if the pointed-to page is marked free. Therefore, any allocation of at least a page should have no use-after-free.
> What makes CPython special, so it couldn't be ported?
I don't know, but I'm guessing it's the pointer shenanigans that happen in the CPython bytecode.
If i understand InvisiCaps Fil-C correctly, it does not allow capability restriction (as metadata are stored at the beginning of each object), while with CHERI one can take ptr/capability for an object, restrict it to a capability for a sub-object, pass that to a callee (with function call), and the callee can access only the sub-object.
This also means Fil-C seems not to be really helpful when a program uses its own allocators on top of malloc() or page allocation from OS, while with CHERI this works naturally through capability restriction.