InvisiCaps: The Fil-C capability model
6 days ago
- #memory-safety
- #C-programming
- #capability-model
- Fil-C ensures memory safety in C and C++ using a capability system for pointers.
- Pointer safety is achieved by dynamically tracking, for each pointer, which memory accesses it is allowed to perform.
- Memory safety rules include prohibiting out-of-bounds accesses, accesses to freed objects, and writes to readonly data.
- Fil-C aims for fanatical compatibility, supporting widespread C pointer idioms even if they are undefined behavior.
- InvisiCaps is Fil-C's latest capability model, improving on previous models like PLUT, SideCaps, and MonoCaps.
- InvisiCaps allow 64-bit pointers, reduce performance overhead, and support meaningful union usage.
- InvisiCaps are thread-safe and inspired by SoftBound and CHERI but with better compatibility.
- Flight pointers in InvisiCaps consist of a lower bound, upper bound, aux word, and pointer intval.
- Pointers at rest in memory maintain safety by storing capability metadata separately from the visible pointer value.
- Atomic pointer operations are supported with additional mechanisms to ensure thread safety.
- Special considerations are made for aligned allocations, memory mapping, function pointers, and threads.
- Freed objects trigger deterministic panics to prevent use-after-free errors.
- InvisiCaps ensure memory safety regardless of program behavior, either enforcing safe accesses or causing a panic.
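As an added illustration, not Fil-C's own code, the following C model ties the notes together: a flight pointer with the four parts named above, arithmetic that moves only the intval, and a single check that rejects out-of-bounds, use-after-free and readonly-write accesses. The aux-word bit layout, field types and the per-capability freed flag are assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical, simplified model of an InvisiCaps-style flight pointer.
 * The aux-word bit layout below is an assumption, not Fil-C's real layout. */
#define AUX_FREED    (1u << 0)
#define AUX_READONLY (1u << 1)

typedef struct {
    uintptr_t lower;   /* first byte of the allocation */
    uintptr_t upper;   /* one past the last byte of the allocation */
    uint32_t  aux;     /* freed / readonly flags (assumed layout) */
    uintptr_t intval;  /* the raw pointer value the program sees */
} flight_ptr;

typedef enum { ACCESS_OK, ACCESS_OOB, ACCESS_FREED, ACCESS_READONLY } access_result;

/* Capability for a fresh allocation of `size` bytes starting at `base`. */
flight_ptr cap_new(uintptr_t base, size_t size, bool readonly) {
    flight_ptr p = { base, base + size, readonly ? AUX_READONLY : 0, base };
    return p;
}

/* Pointer arithmetic moves only intval; bounds and aux travel unchanged, so a
 * pointer may wander out of bounds (a common C idiom) until it is dereferenced. */
flight_ptr cap_add(flight_ptr p, ptrdiff_t off) { p.intval += off; return p; }

/* Assumption for brevity: the freed state is recorded on this capability.
 * In the real model it belongs to the object, so every pointer to it sees it. */
void cap_free(flight_ptr *p) { p->aux |= AUX_FREED; }

/* The check applied before loading or storing `size` bytes through `p`. */
access_result check_access(const flight_ptr *p, size_t size, bool is_write) {
    if (p->aux & AUX_FREED) return ACCESS_FREED;
    if (is_write && (p->aux & AUX_READONLY)) return ACCESS_READONLY;
    if (p->intval < p->lower || p->intval > p->upper ||
        size > p->upper - p->intval) return ACCESS_OOB;
    return ACCESS_OK;
}

/* A failed check ends the program deterministically instead of corrupting memory. */
void checked_store(const flight_ptr *p, size_t size) {
    access_result r = check_access(p, size, true);
    if (r != ACCESS_OK) { fprintf(stderr, "capability panic: %d\n", r); abort(); }
}
```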