- CHERI C/C++ Programming Guide
- 1. Introduction
- 1.1. Definitions
- 2. Background
- 2.1. CHERI capabilities
- 2.2. Architectural rules for capability use
- 3. CHERI C/C++
- 3.1. The CHERI C/C++ run-time environment
- 3.2. Referential, spatial, and temporal safety
- 4. Impact on the C/C++ programming model
- 4.1. Capability-related faults
- 4.2. Pointer provenance validity
- 4.2.1. Recommended use of C-language types
- 4.2.2. Capability alignment in memory
- 4.2.3. Single-origin provenance
- 4.3. Bounds
- 4.3.1. Bounds from the compiler and linker
- 4.3.2. Bounds from the heap allocator
- 4.3.3. Subobject bounds
- 4.4. Other sources of bounds
- 4.4.1. Out-of-bounds pointers
- 4.5. Pointer comparison
- 4.6. Implications of capability revocation for temporal safety
- 4.7. Bitwise operations on capability types
- 4.8. Function prototypes and calling conventions
- 4.9. Data-structure and memory-allocation alignment
- 4.9.1. Restrictions in capability locations in memory
- 5. The CheriABI POSIX process environment
- 5.1. POSIX API changes
- 5.2. Handling capability-related signals
- 6. CHERI compiler warnings and errors
- 6.1. Loss of provenance
- 6.2. Ambiguous provenance
- 6.3. Underaligned capabilities
- 7. C APIs to get and set capability properties
- 7.1. CHERI-related header files
- 7.2. Retrieving capability properties
- 7.3. Modifying or restricting capability properties
- 7.4. Capability permissions
- 7.5. Bounds alignment due to compression
- 7.6. Implications for memory-allocator design
- 8. Further reading
- 9. Acknowledgements