Comment by zajio1am
If i understand InvisiCaps Fil-C correctly, it does not allow capability restriction (as metadata are stored at the beginning of each object), while with CHERI one can take ptr/capability for an object, restrict it to a capability for a sub-object, pass that to a callee (with function call), and the callee can access only the sub-object.
This also means Fil-C seems not to be really helpful when a program uses its own allocators on top of malloc() or page allocation from OS, while with CHERI this works naturally through capability restriction.
Yeah this is a benefit of CHERI.
The fact that InvisiCaps don’t support capability restriction is a choice though. I could have made them support that feature. I didn’t because I’m going for C/C++ compatibility and the only way to make meaningful use of capability restriction is to change people’s code.
Worth noting that if a program has its own allocator then you have to make more than zero changes in both Fil-C and in CHERI to get the benefit:
- In fil-C you just get rid of the custom allocator.
- In CHERI you make the allocator do capability restriction, which is actually kinda hard to get right (if the allocator’s metadata doesn’t also do capability restriction and the allocator uses inline free lists then that could easily turn into a full blown capability escape).