Capability-based memory isolation is a promising new architectural primitive. Software can access low-level memory only via capability handles rather than raw pointers, which provides a natural interface for enforcing security restrictions. Existing architectural capability designs such as CHERI provide spatial safety, but fail to extend to other memory models that security-sensitive software designs may desire. In this paper, we propose Capstone, a more expressive architectural capability design that supports multiple existing memory isolation models in a trustless setup, i.e., without relying on trusted software components. We show how Capstone is well-suited to environments where privilege boundaries are fluid (dynamically extensible), where memory sharing and delegation are desired both temporally and spatially, and where such needs must be balanced against availability concerns. Capstone can also be implemented efficiently. We present an implementation sketch and show through evaluation that its overhead is below 50% in common use cases. We also prototype a functional emulator for Capstone and use it to demonstrate runnable implementations of six real-world memory models without trusted software components: three types of enclave-based TEEs, a thread scheduler, a memory allocator, and Rust-style memory safety, all within the interface of Capstone.