This work addresses the insufficient protection against use-after-free (UAF) vulnerabilities and uninitialized memory accesses in existing CHERI systems, alongside limitations in memory management efficiency. The authors propose a novel capability-poisoning scheme based on capability bounds to enforce efficient hierarchical temporal memory safety on CHERI architectures. Their mechanism eliminates the need for shadow bitmaps, supports secure delegation of permissions across nested allocators, and automatically intercepts reads from uninitialized memory through zero-copy clearing combined with optional write-trap-on-first-read semantics. Compared to Cornucopia, this approach significantly strengthens UAF mitigation and initialization safety without imposing baseline performance overhead, while also improving cache management.

In this paper, we present PoisonCap: scalable temporal safety with strict use-after-free protection and initialisation safety for CHERI systems. Efficient memory safety is an increasing priority for programming languages, operating systems, and hardware designs, and CHERI is a leading hardware/software system that provides native spatial safety and a foundation for temporal memory safety. Cornucopia Reloaded, the current state-of-the-art CHERI temporal safety solution, provides use-after-reallocation safety instead of stronger use-after-free safety, and is not able to enforce initialisation safety. We show that a new 'poison' capability format can be used to enforce strict use-after-free and initialisation safety, and also to communicate memory state to the microarchitecture for efficient cache management of quarantined memory. We enable elegant delegation of memory poisoning privilege using capability bounds to allow nested allocators to enforce safety on their consumers without disturbing upstream allocators. PoisonCap can replace the Cornucopia shadow bitmap, and also automatically zeros memory on reallocation, or optionally traps on read-before-write to enforce initialisation safety. As a result, it incurs no fundamental overhead relative to a Cornucopia baseline that zeros before reallocation, strengthening CHERI temporal safety without performance overhead.