PICASSO: Scaling CHERI Use-After-Free Protection to Millions of Allocations using Colored Capabilities

📅 2026-02-09
📈 Citations: 0
Influential: 0
🤖 AI Summary
This work addresses the lack of efficient and scalable temporal memory safety mechanisms in the CHERI architecture. It proposes “colored capabilities,” which introduce a hardware-managed provenance validity table into the CHERI capability model to establish a controlled indirection layer, enabling bulk revocation of dangling pointers without relying on memory isolation. This approach substantially reduces revocation frequency while enhancing both security and performance. Implemented on CHERI-RISC-V using the CHERI-Toooba FPGA softcore and CheriBSD operating system, and integrated into the CHERI-enhanced Clang/LLVM toolchain, the mechanism fully mitigates heap-based use-after-free and double-free vulnerabilities in the NIST Juliet test suite. Evaluation shows a geometric mean performance overhead of only 5% on SPEC CPU benchmarks and demonstrates lower latency and more stable performance under long-running workloads such as SQLite, PostgreSQL, and gRPC.

📝 Abstract
While the CHERI instruction-set architecture extensions for capabilities enable strong spatial memory safety, CHERI lacks built-in temporal safety, particularly for heap allocations. Prior attempts to augment CHERI with temporal safety fall short in terms of scalability, memory overhead, and incomplete security guarantees due to periodic sweeps of the system's memory to individually revoke stale capabilities. We address these limitations by introducing colored capabilities that add a controlled form of indirection to CHERI's capability model. This enables provenance tracking of capabilities to their respective allocations via a hardware-managed provenance-validity table, allowing bulk retraction of dangling pointers without needing to quarantine freed memory. Colored capabilities significantly reduce the frequency of capability revocation sweeps while improving security. We realize colored capabilities in PICASSO, an extension of the CHERI-RISC-V architecture on a speculative out-of-order FPGA softcore (CHERI-Toooba). We also integrate colored-capability support into the CheriBSD OS and CHERI-enabled Clang/LLVM toolchain. Our evaluation shows effective mitigation of use-after-free and double-free bugs across all heap-based temporal memory-safety vulnerabilities in NIST Juliet test cases, with only a small performance overhead on SPEC CPU benchmarks (5% geometric mean), lower latency, and more consistent performance in long-running SQLite, PostgreSQL, and gRPC workloads compared to prior work.
Problem

Research questions and friction points this paper is trying to address.

CHERI
use-after-free
temporal memory safety
capability revocation
heap allocation
Innovation

Methods, ideas, or system contributions that make the work stand out.

colored capabilities
temporal memory safety
CHERI
use-after-free protection
hardware-assisted security