While the CHERI instruction-set architecture extensions for capabilities enable strong spatial memory safety, CHERI lacks built-in temporal safety, particularly for heap allocations. Prior attempts to augment CHERI with temporal safety fall short in scalability, memory overhead, and completeness of their security guarantees, because they rely on periodic sweeps of the system's memory to individually revoke stale capabilities. We address these limitations by introducing colored capabilities, which add a controlled form of indirection to CHERI's capability model. This enables tracking the provenance of capabilities back to their respective allocations via a hardware-managed provenance-validity table, allowing bulk retraction of dangling pointers without quarantining freed memory. Colored capabilities significantly reduce the frequency of capability-revocation sweeps while improving security. We realize colored capabilities in PICASSO, an extension of the CHERI-RISC-V architecture on a speculative out-of-order FPGA softcore (CHERI-Toooba). We also integrate colored-capability support into the CheriBSD OS and the CHERI-enabled Clang/LLVM toolchain. Our evaluation shows effective mitigation of use-after-free and double-free bugs across all heap-based temporal memory-safety vulnerabilities in the NIST Juliet test cases, with only a small performance overhead on SPEC CPU benchmarks (5% geometric mean), lower latency, and more consistent performance in long-running SQLite, PostgreSQL, and gRPC workloads compared to prior work.
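To make the mechanism in the abstract concrete, the following is an added software model of colored capabilities; it is illustration written for this page, not PICASSO's hardware, CheriBSD, or LLVM code, and it does not reflect PICASSO's actual capability encoding, table layout, or ISA changes. It assumes a fixed-size arena, a four-entry provenance-validity table, and the three color states (free, live, retracted) as modeling choices. The point it demonstrates is the one the abstract makes: because every access follows the color to the table, one table write at free() retracts all aliases of an allocation at once, the block can be reused immediately without quarantine, and a sweep is needed only to recycle exhausted colors rather than on every free.

```c
/* Added example: toy model of colored capabilities, not PICASSO's implementation.
 * A capability carries bounds (spatial) plus a color, an index into a
 * provenance-validity table (temporal). Here the table is a plain array;
 * in PICASSO it is hardware-managed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define NUM_COLORS 4      /* table size, chosen small so exhaustion is easy to show */
#define BLOCK_SIZE 32     /* fixed-size heap blocks so address reuse is visible */
#define NUM_BLOCKS 4

typedef enum { COLOR_FREE, COLOR_LIVE, COLOR_RETRACTED } color_state_t;
typedef enum { OK = 0, ERR_BOUNDS, ERR_STALE_COLOR, ERR_DOUBLE_FREE, ERR_OOM, ERR_NEED_SWEEP } cstatus_t;

typedef struct {
    uint8_t *base;    /* bounds, as in a CHERI capability */
    size_t   len;     /* len == 0 models a cleared tag bit */
    uint32_t color;   /* index into the provenance-validity table */
} ccap_t;

static uint8_t arena[NUM_BLOCKS * BLOCK_SIZE];
static bool block_in_use[NUM_BLOCKS];
static color_state_t color_state[NUM_COLORS];   /* the provenance-validity table */

void ccap_reset(void) {
    for (int i = 0; i < NUM_BLOCKS; i++) block_in_use[i] = false;
    for (int i = 0; i < NUM_COLORS; i++) color_state[i] = COLOR_FREE;
}

static bool ccap_tagged(const ccap_t *c) { return c->len != 0; }

/* Allocate the lowest free block and bind it to the lowest free color. */
cstatus_t ccap_malloc(ccap_t *out, size_t n) {
    if (n == 0 || n > BLOCK_SIZE) return ERR_BOUNDS;
    int color = -1, block = -1;
    for (int i = 0; i < NUM_COLORS && color < 0; i++) if (color_state[i] == COLOR_FREE) color = i;
    if (color < 0) return ERR_NEED_SWEEP;       /* only color exhaustion forces a sweep */
    for (int i = 0; i < NUM_BLOCKS && block < 0; i++) if (!block_in_use[i]) block = i;
    if (block < 0) return ERR_OOM;
    block_in_use[block] = true;
    color_state[color] = COLOR_LIVE;
    *out = (ccap_t){ arena + (size_t)block * BLOCK_SIZE, n, (uint32_t)color };
    return OK;
}

/* Every load/store checks bounds, then follows the color indirection to the table. */
static cstatus_t ccap_check(const ccap_t *c, size_t off) {
    if (!ccap_tagged(c) || off >= c->len || c->color >= NUM_COLORS) return ERR_BOUNDS;
    if (color_state[c->color] != COLOR_LIVE) return ERR_STALE_COLOR;
    return OK;
}
cstatus_t ccap_store(const ccap_t *c, size_t off, uint8_t v) {
    cstatus_t s = ccap_check(c, off);
    if (s == OK) c->base[off] = v;
    return s;
}
cstatus_t ccap_load(const ccap_t *c, size_t off, uint8_t *v) {
    cstatus_t s = ccap_check(c, off);
    if (s == OK) *v = c->base[off];
    return s;
}

/* free(): one table write retracts every capability derived from this allocation,
 * so the block returns to the pool immediately instead of being quarantined. */
cstatus_t ccap_free(const ccap_t *c) {
    if (!ccap_tagged(c) || c->color >= NUM_COLORS) return ERR_BOUNDS;
    if (color_state[c->color] != COLOR_LIVE) return ERR_DOUBLE_FREE;
    color_state[c->color] = COLOR_RETRACTED;
    block_in_use[(size_t)(c->base - arena) / BLOCK_SIZE] = false;
    return OK;
}

/* Revocation sweep over every location that may hold a capability (here the caller's
 * array; on a real system registers, stack and heap). Stale capabilities lose their
 * tag, after which their colors can be recycled. Soundness requires the sweep to be
 * complete: a stale capability the sweep misses would alias a recycled color. */
size_t ccap_sweep(ccap_t *caps, size_t n) {
    size_t cleared = 0;
    for (size_t i = 0; i < n; i++)
        if (ccap_tagged(&caps[i]) && color_state[caps[i].color] == COLOR_RETRACTED) { caps[i].len = 0; cleared++; }
    for (int i = 0; i < NUM_COLORS; i++)
        if (color_state[i] == COLOR_RETRACTED) color_state[i] = COLOR_FREE;
    return cleared;
}

/* Use-after-free on a block that has already been reused: the stale capability has
 * valid bounds and the same address as the fresh one, but its color is retracted. */
cstatus_t demo_use_after_free(bool *same_address) {
    ccap_reset();
    ccap_t old, fresh;
    ccap_malloc(&old, 16);
    ccap_free(&old);
    ccap_malloc(&fresh, 16);               /* gets the same block back at once */
    *same_address = (old.base == fresh.base);
    ccap_store(&fresh, 0, 0x41);           /* legitimate access through the live color */
    return ccap_store(&old, 0, 0x42);      /* stale color: rejected, fresh data untouched */
}

cstatus_t demo_double_free(void) {
    ccap_reset();
    ccap_t c;
    ccap_malloc(&c, 8);
    ccap_free(&c);
    return ccap_free(&c);                  /* second free hits a retracted color */
}

/* Colors run out only after NUM_COLORS frees without a sweep; the sweep then clears
 * the stale capabilities and recycles their colors. Returns the number cleared. */
size_t demo_sweep_recycles_colors(cstatus_t *before, cstatus_t *after) {
    ccap_reset();
    ccap_t stale[NUM_COLORS], c;
    for (int i = 0; i < NUM_COLORS; i++) { ccap_malloc(&stale[i], 8); ccap_free(&stale[i]); }
    *before = ccap_malloc(&c, 8);
    size_t cleared = ccap_sweep(stale, NUM_COLORS);
    *after = ccap_malloc(&c, 8);
    return cleared;
}

int main(void) {
    bool same = false; cstatus_t b, a;
    printf("UAF store status %d (same address: %d)\n", demo_use_after_free(&same), same);
    printf("double free status %d\n", demo_double_free());
    printf("sweep cleared %zu, malloc before %d after %d\n", demo_sweep_recycles_colors(&b, &a), b, a);
    return 0;
}
```

The contrast with sweep-only revocation is in `ccap_free`: nothing has to be found or scanned to make the old capability unusable, so the allocator can hand the block out again on the very next call, and `ccap_sweep` runs only when the color table is exhausted, which is what lets the abstract claim far fewer sweeps and no quarantine.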