
Capability Revocation and Indirection

Posted Sep 26, 2025 0:29 UTC (Fri) by cpatulea (subscriber, #87498)
In reply to: Capability Revocation and Indirection by wahern
Parent article: CHERI with a Linux on top

> capability revocation (e.g. free(3)) requires sweeping the process address space to invalidate capabilities

Any chance you might have a deeper reference for this?

Capability Revocation and Indirection

Posted Sep 26, 2025 12:24 UTC (Fri) by wahern (subscriber, #37304)

The Cornucopia Reloaded paper I linked earlier has a decent summary and references. The most recent paper on the topic, also with a good summary and references, is A CHERI C Memory Model for Verified Temporal Safety, https://dl.acm.org/doi/pdf/10.1145/3703595.3705878. One of the earliest papers discussing revocation is the CHERIvoke paper, https://www.cl.cam.ac.uk/~tmj32/papers/docs/xia19-micro.pdf. Most CHERI-related papers are listed at https://www.cl.cam.ac.uk/research/security/ctsrd/cheri/ch...

Also worthwhile to read the core papers on CHERI, especially papers about and subsequent to the ARM Morello implementation. Once you understand the basic architecture, in particular the hidden 129th bit that tags a word (i.e. C pointer) in memory as a valid capability and which is copied along with the visible 128-bit value (e.g. in `char *b = *a;`), it's easy to understand the problem space regarding revocation. Most of the early work in CHERI was finding and verifying the minimum software and hardware requirements for guaranteed spatial safety that was also maximally performant in hardware and practical to incorporate into existing platforms (language standards, ABIs, kernels, etc.). Temporal safety, especially performant revocation, didn't receive as much attention until later, after the shape of capability pointers (i.e. 129-bit compressed pointers) had already largely been settled. But it's still an active area of research and may yet result in some design changes or at least suggest additional hardware facilities for future implementations.
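The comment above explains why free(3) on a CHERI system cannot by itself invalidate the copies of a capability that have been spread around memory: the tag travels with every copy, so the only way to revoke is to quarantine the freed region and sweep every capability-holding location, clearing the tag of any capability that still points into it. The following is an added illustration, not code from the thread, the cited papers, or the CHERI project, and it does not run on CHERI hardware: it is a plain-C toy model in which a struct stands in for the 128-bit capability plus its out-of-band tag, a shadow bitmap marks quarantined words, and `revocation_sweep()` walks a simulated heap and register file in the style of the CHERIvoke/Cornucopia quarantine-and-sweep scheme. All names (`toy_malloc`, `toy_free`, `cap_store`, `cap_load`, `revocation_sweep`) and the 64-word heap are assumptions of the model.

```c
/* Toy model of CHERI-style capability revocation by sweeping. Added example:
 * not CHERI code, not from the papers in the thread; every name here is invented. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HEAP_WORDS 64u
#define NUM_REGS   8u

/* Real CHERI packs address, bounds and permissions into a compressed 128-bit value
 * and keeps the 1-bit validity tag out of band ("the 129th bit"). The model just
 * keeps the fields it needs in a struct. */
typedef struct {
    uint32_t base;   /* first heap word the capability may reach */
    uint32_t length; /* number of words reachable from base */
    bool     tag;    /* true only for a genuine, not-yet-revoked capability */
} cap_t;

/* Capability-width memory: a word holds either a tagged capability or data (tag=false).
 * Copying a word copies its tag, like a hardware capability load/store. */
static cap_t heap[HEAP_WORDS];
static cap_t regs[NUM_REGS];   /* modelled register file; it must be swept as well */

/* Shadow bitmap consulted by the sweep: set = word was freed and is in quarantine. */
static bool quarantined[HEAP_WORDS];

static uint32_t bump;          /* bump allocator; this toy never reuses words */

void toy_reset(void) {
    memset(heap, 0, sizeof heap);
    memset(regs, 0, sizeof regs);
    memset(quarantined, 0, sizeof quarantined);
    bump = 0;
}

/* Allocate n words; returns a tagged capability bounded to exactly that region,
 * or an untagged one on failure. */
cap_t toy_malloc(uint32_t n) {
    cap_t c = { .base = bump, .length = n, .tag = true };
    if (n == 0 || bump + n > HEAP_WORDS) { c.length = 0; c.tag = false; return c; }
    bump += n;
    return c;
}

/* free(3) in this model does not make the words reusable; it only queues them
 * for revocation by setting their quarantine bits. */
void toy_free(cap_t c) {
    if (!c.tag) return;
    for (uint32_t i = c.base; i < c.base + c.length; i++) quarantined[i] = true;
}

/* The check every dereference performs: tag set and offset within bounds. */
bool cap_deref_ok(cap_t c, uint32_t off) {
    return c.tag && off < c.length;
}

/* Store a capability through `via` at word offset `off`; its tag travels with it. */
bool cap_store(cap_t via, uint32_t off, cap_t value) {
    if (!cap_deref_ok(via, off)) return false;
    heap[via.base + off] = value;
    return true;
}

bool cap_load(cap_t via, uint32_t off, cap_t *out) {
    if (!cap_deref_ok(via, off)) return false;
    *out = heap[via.base + off];
    return true;
}

static bool points_into_quarantine(const cap_t *c) {
    return c->tag && c->base < HEAP_WORDS && quarantined[c->base];
}

/* The sweep: visit every location that can hold a capability and clear the tag of
 * each one whose base lies in quarantined memory. Returns how many were revoked.
 * Only after this is the quarantined memory safe to hand out again. */
size_t revocation_sweep(void) {
    size_t revoked = 0;
    for (uint32_t i = 0; i < HEAP_WORDS; i++)
        if (points_into_quarantine(&heap[i])) { heap[i].tag = false; revoked++; }
    for (uint32_t i = 0; i < NUM_REGS; i++)
        if (points_into_quarantine(&regs[i])) { regs[i].tag = false; revoked++; }
    memset(quarantined, 0, sizeof quarantined);
    return revoked;
}

int main(void) {
    toy_reset();
    cap_t a = toy_malloc(4), b = toy_malloc(4);
    regs[0] = a;            /* one copy sits in a register */
    cap_store(b, 0, a);     /* another is stored inside a live object */
    toy_free(a);
    cap_t stale;
    cap_load(b, 0, &stale);
    printf("before sweep: stale copy usable=%d\n", cap_deref_ok(stale, 0));
    printf("sweep revoked %zu capabilities\n", revocation_sweep());
    cap_load(b, 0, &stale);
    printf("after sweep: stale copy usable=%d, register copy tag=%d, b usable=%d\n",
           cap_deref_ok(stale, 0), regs[0].tag, cap_deref_ok(b, 3));
    return 0;
}
```

Two things the model makes visible. Between `toy_free(a)` and the sweep, every copy of `a` is still a valid capability; the only reason that is not a use-after-free is that the allocator refuses to reuse quarantined words, which is exactly the memory cost the papers above are trying to bound. And the C local `a` in `main` is never revoked, because it lives somewhere the sweep does not visit: a real implementation has to cover stacks, spilled registers and trap frames, not just the heap, or a single missed copy keeps the freed memory reachable.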


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds