Solution & Product: Dewdrop

Software is built in layers. When the abstractions at one layer fail, every abstraction layer above it fails too. The most important layers to enforce are therefore the ones at the bottom. Our goal is not just to make things better; it is to raise the abstraction floor below which a program cannot fall.

Our solution is Dewdrop: absolute hardware enforcement of the C language abstraction & more (including memory safety), at a modest cost.

Dewdrop is (1) an augmentation to a CPU, currently RISCV64 (though other 64-bit RISC ISAs could work), and (2) modest changes to the compiler toolchain and libc. We use no secrets, cryptography, or shadow stacks, do not require garbage collection, and do not increase the size of a pointer. Dewdrop enforces the following constraints on a running program:

  • Dewdrop enforces memory safety in both space and time for the heap (including globals) and the stack. Sub-object (field-level) spatial bounds are also enforced, with two exceptions for heap/global objects: too many sub-objects larger than a page, and a union of too many non-naturally aligned sub-objects (both are rejected as compile-time errors rather than left unchecked). Stack objects of 128 bytes or more are heapified by the compiler. Temporal safety rules out both (1) use-before-initialization and (2) use-after-free;

  • Dewdrop enforces the entire C abstraction layer, even when inline assembly is used: we also provide control-flow integrity, function call safety (caller and callee cannot harm each other), software-configurable exception/long-jump safety, type safety (at object granularity for heap/global objects), and immutability (including creating a read-only pointer-to-const view of an otherwise mutable object);

  • Dewdrop enforces three kinds of locality of causality: (1) static modularity, (2) dynamic capabilities, including our novel ephemeral capabilities, which solve the revocability problem, and (3) both mutex and optimistic transactions (designed and patented but not yet implemented).
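To make the spatial and sub-object bounds of the first bullet concrete, the following added example (not Dewdrop code, and not how Dewdrop works: Dewdrop checks in hardware without widening pointers) models a bounds-carrying pointer in plain C. The `cptr` type, its functions, and the `struct record` layout are all constructed for illustration. It shows the case that whole-object bounds miss and sub-object bounds catch: a 9-byte write into an 8-byte `name` field that stays inside the struct but clobbers the neighbouring `flags` field. Temporal checks (use-before-init, use-after-free) are not modelled here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Software model of a pointer that carries the bounds of the object or
 * sub-object it may address. Illustration only; Dewdrop keeps pointers at
 * their normal size and performs the checks in hardware. */
typedef struct {
    uintptr_t addr;   /* address the pointer currently refers to   */
    uintptr_t base;   /* lowest address this reference may touch   */
    uintptr_t limit;  /* one past the highest address it may touch */
} cptr;

enum { CP_OK = 0, CP_OOB = 1 };

/* Reference to an entire object of `size` bytes. */
static cptr cptr_make(void *obj, size_t size) {
    cptr c;
    c.addr = c.base = (uintptr_t)obj;
    c.limit = c.base + size;
    return c;
}

/* Narrow a reference to one field (sub-object). Bounds can only shrink:
 * a request that would widen them yields an invalid reference. */
static cptr cptr_field(cptr c, size_t offset, size_t size) {
    cptr f;
    f.addr = f.base = c.addr + offset;
    f.limit = f.base + size;
    if (f.base < c.base || f.limit > c.limit)
        f.base = f.limit = 0;  /* invalid: every access will fail */
    return f;
}

/* Is the byte range [addr+offset, addr+offset+n) inside the bounds? */
static int cptr_check(cptr c, size_t offset, size_t n) {
    uintptr_t lo = c.addr + offset;
    if (c.limit == 0 || lo < c.base || lo > c.limit || n > c.limit - lo)
        return CP_OOB;
    return CP_OK;
}

/* Checked store: copies only if the whole range is in bounds. */
static int cptr_store(cptr c, size_t offset, const void *src, size_t n) {
    int rc = cptr_check(c, offset, n);
    if (rc == CP_OK) memcpy((void *)(c.addr + offset), src, n);
    return rc;
}

/* Constructed example object: an 8-byte name followed by a flags word that
 * a pointer derived from `name` should never be able to reach. */
struct record {
    char name[8];
    uint32_t flags;
};

static const char PAYLOAD[] = "ABCDEFGHI";   /* 9 bytes, constructed input */
static const uint32_t FLAGS_INIT = 0x11111111u;

/* Write 9 bytes at the start of a record, through either the whole-object
 * reference (narrow == 0) or one narrowed to `name` (narrow != 0).
 * Returns the check result; *flags_intact reports whether `flags` survived. */
static int overflow_write(int narrow, int *flags_intact) {
    struct record r = { "", FLAGS_INIT };
    cptr ref = cptr_make(&r, sizeof r);
    if (narrow)
        ref = cptr_field(ref, offsetof(struct record, name), sizeof r.name);
    int rc = cptr_store(ref, 0, PAYLOAD, 9);
    *flags_intact = (r.flags == FLAGS_INIT);
    return rc;
}

/* Whole-object bounds accept the write (9 <= sizeof r) and flags is lost. */
static int whole_object_rc(void)           { int i; return overflow_write(0, &i); }
static int whole_object_flags_intact(void) { int i; overflow_write(0, &i); return i; }
/* Sub-object bounds reject the 9th byte and flags is untouched. */
static int subobject_rc(void)              { int i; return overflow_write(1, &i); }
static int subobject_flags_intact(void)    { int i; overflow_write(1, &i); return i; }

/* An 8-byte write through the narrowed reference fits exactly. */
static int subobject_exact_write(void) {
    struct record r = { "", 0 };
    cptr name = cptr_field(cptr_make(&r, sizeof r),
                           offsetof(struct record, name), sizeof r.name);
    return cptr_store(name, 0, PAYLOAD, 8);
}

/* Trying to widen a field reference back to the whole struct fails. */
static int widen_attempt(void) {
    struct record r = { "", 0 };
    cptr name = cptr_field(cptr_make(&r, sizeof r),
                           offsetof(struct record, name), sizeof r.name);
    cptr widened = cptr_field(name, 0, sizeof r);
    return cptr_check(widened, 0, 1);
}

int main(void) {
    printf("whole-object ref: rc=%d flags intact=%d\n",
           whole_object_rc(), whole_object_flags_intact());
    printf("sub-object ref:   rc=%d flags intact=%d\n",
           subobject_rc(), subobject_flags_intact());
    return 0;
}
```

The point of the contrast is the first line of output: a check that knows only the allocation's bounds reports success while the adjacent field is silently corrupted, which is exactly the intra-object overflow that field-granular (sub-object) bounds close off.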

All enforcement is lightweight, comprehensive, and absolute. The cumulative effect is so profound that Dewdrop effectively changes what a computer is.

Our system is working in simulation, including a 6-stage pipeline (currently run without the stages interleaved) and a caching model. The metadata adds roughly 50% or more to the L1 cache size, and about 10% additional metadata traffic beyond the cache on top of the normal code and data traffic. Dewdrop currently increases the total number of instructions executed by about 75%, but little effort has yet gone into optimizing this metric.

We can demonstrate complex classic C programs such as bzip2, bc, and sed running under Dewdrop. We challenge you to insert a violation of any of the above properties, such as memory safety, into any of those programs, or into any other C program that runs on our simple proxy kernel, and Dewdrop will find it.