-
If the
typefield of the capability is0(linear),1(non-linear),2(revocation) or3(uninitialised):
-
If the
typefield of the capability is4(sealed),5(sealed-return),6(exit):
The relation between the fields of the capability and bits of the compressed capability format is shown in the following table:
| Field | Bits | Compressed | Additional Data Structure |
|---|---|---|---|
|
|
- |
Revocation Tree |
|
|
No |
- |
|
|
No |
- |
|
|
Yes |
- |
|
|
Yes |
- |
|
|
No |
- |
Note: the compression mechanism of the format
The compression mechanism of the base and end fields is the same as the one used in the compressed capability format of the CHERI ISAv8.
| Field | Bits | Compressed | Additional Data Structure |
|---|---|---|---|
|
|
- |
Revocation Tree |
|
|
No |
- |
|
|
Yes |
- |
|
|
No |
- |
|
|
No |
- |
|
|
No |
- |
Note: the compression mechanism of the format
The compression mechanism of the cursor field is straightforward: cursor = sign_extend(offset) + base.
In Spike, an additional data structure called revocation tree is used to maintain the valid field of the capability.
The idea of the revocation tree is introduced in our USENIX Security '23 paper.
In the compressed capability format, a node-id is kept as part of the capability to indicate a node in the revocation tree.
A reference count is maintained for each node in the revocation tree to indicate the number of capabilities that are currently pointing to the node.
<t relation is maintained as a partial order on the revocation tree to indicate the revocation order of the capabilities.
An Insufficient system resources (30) exception will be raised if the allocation of a new node in the revocation tree fails.