Calling Conventions for Secure Stack Sharing on CHERI Capability Machines in Practice
Recent work has demonstrated that CHERI-based capability machines provide good support for low-overhead enforcement of spatial memory safety and compartment isolation. However, supporting cross-compartment calls with spatial and temporal stack memory safety and well-bracketed control flow guarantees remains difficult: existing systems require per-compartment stacks and/or a trusted intermediary compartment switcher. Proposed solutions (sometimes based on further architectural extensions) have been validated theoretically but ignore practical concerns (e.g. capability compression), and have not been implemented or evaluated in practice.
In this paper, we evaluate two such proposals (and a variation of them) on CHERI-RISC-V, contributing a CHERI-LLVM implementation, a refined design that supports features like a frame capability and capability compression, and a thorough evaluation of cost with respect to performance (correcting for memory caching), memory usage (code size and stack usage) and compatibility.