Static analysis to make the most of CHERI C/C plus plus for existing code: improving memory safety at scale

We describe and evaluate custom static analyses to support transitioning existing C/C++ codebases to CHERI hardware. CHERI is a novel architectural extension, implemented for RISC-V and AArch64, that uses capabilities to provide fine-grained memory protection and scalable software compartmentalization. While the existing CHERI toolchain can recompile large code collections for the platform with only a few source changes, those changes are nonetheless critical: we demonstrate that static analysis can help to identify where they are needed and what must be done to avoid later runtime faults. We provide custom checkers for the Clang Static Analyzer to handle capability alignment, copying through memory, and manipulation as integers. Beyond simply picking up problems in existing code, we also have checkers that identify where code can take advantage of capabilities to better enforce least privilege and improve spatial memory safety. We evaluate all implemented checkers on a sample of packages from the CheriBSD ports library (408 packages, analyzed) and confirm by analyzing true-positive warning rates that the reports produced are sufficiently high quality for practical use.