The new CHERI-enabled Morello boards — entirely new hardware making it harder for bad actors to access our data

cybersecurity image
sri-spin-out-accuknox-secures-4-6m-in-seed-funding-to-meet-growing-demand-for-zero-trust-kubernetes-security-solutions-feat-img

How SRI is helping transform cybersecurity


Cybersecurity is the defining challenge facing computing right now. Every aspect of society is becoming digital, with technology continually finding new ways to integrate further into our daily lives.

Technology now tracks our health through wearable devices, controls our home devices and security with IoT, allows us to make payments, and controls much of the vital infrastructure around us.

New and more convenient ways of integrating technology into our lives mean we need new and more holistic approaches to data security. CHERI (Capability Hardware Enhanced RISC Instructions) aims to be just that.

A collaboration between SRI International, the University of Cambridge, Arm, and others, CHERI looks to redesign the hardware we use for computer memory and redefine how software gains access to it.

CHERI translates new architectural extensions into:

· Fine-grained memory protection that removes vulnerabilities present in historically memory-unsafe programming languages (C/C++)
· Scalable compartmentalization that isolates critical code to limit the effects of security vulnerabilities

CHERI fundamentally changes how software accesses memory. These changes are inherent to the hardware and the design of the silicon itself — protecting against even the most elegant attempt at a software workaround.

Research by Microsoft shows that of the vulnerabilities addressed by security updates each year, 70% are due to memory safety. CHERI aims to prevent these threats, and last month, the project saw a significant milestone.

SRI International’s collaborator, Arm, shipped the first Morello boards using a prototype CHERI architecture for testing across various use cases. With more prototype silicon available, the project is now looking to experiment further with:

  • Software performance
  • Microarchitectural choices
  • Compartmentalization
  • Source-level compatibility
  • Security evaluations

History of the CHERI project

CHERI was born out of work by Robert Watson at the University of Cambridge. Watson had developed software compartmentalization at the process level. It became apparent that compartmentalization, although beneficial for security, is extremely expensive. A new project, CHERI, was formed to develop an entire hardware and software stack to make compartmentalization cheaper and implement memory safety that overcomes the common memory-related bugs seen in languages such as C and C++.

CHERI began in 2010 as a joint research project between SRI International and the University of Cambridge, supported by the DARPA CRASH (Clean-slate design of Resilient, Adaptive and Secure Hosts) program. The idea asked researchers to imagine there was a clean slate; how could computing architecture be redesigned to advance and transform security?

DARPA continued to support the project through two further research programs: MRC (Mission-oriented Resilient Clouds) and SSITH (System Security Integration Through Hardware and Firmware), with support also coming from the UK’s Engineering and Physical Sciences Research Council (EPSRC) and ERC.

When the CRASH program ended in 2015, the CHERI project had successfully produced a Field Programmable Gate Array (FPGA) prototype that showed promise by efficiently running memory-safe C and C++ code. The possibility of more secure software architectures is one thing, but the project needed to show it had the potential for integration into industrial-scale processor design.

Under the DARPA SSITH program in 2017, SRI and the University of Cambridge brought CHERI technology to the RISC-V architecture. Originally developed at UC Berkeley, RISC-V is a new, openly designed central processing unit (CPU) architecture that is the architecture of choice for today’s CPU research. These efforts demonstrated the portability of CHERI ideas beyond the single architecture used in CRASH.

Behind the scenes, Arm joined the project in 2014 to bring CHERI technology to the Armv8-A instruction set, which is widely used in mobile phones and increasingly in servers. In October 2019, a five-year program known as Morello began with the aim of developing Arm’s experimental CHERI-enabled processor and system on a chip (SoC).

CHERI-picking memory access

So, what makes CHERI different from typical architectures, and how does it improve security? Programming languages, and therefore software, access data (or memory) using a variable known as a pointer. Pointers are effectively an address telling the software where to look in the computer’s memory to find the data it needs. Hackers exploit memory-safety vulnerabilities by using pointers to access information they shouldn’t.

CHERI replaces the conventional integer address implementation of pointers with an architectural capability defined at the hardware level. This capability includes the address, bounds, permissions and a tag to ensure validity. Every time a piece of software loads, stores or accesses memory, it has to be authorized by the capability. This limits what memory is accessible and how it can be used.

Replacing integer pointers with capabilities for memory addresses improves the safety of software, especially code written using C or C++. Our current systems are not great at restricting access. Once inside, malicious software has free rein to access what it wants. Capabilities remove this threat by controlling access to each specific memory address.

Because all memory is accessed via CHERI capabilities, compartmentalization can be implemented within a single address space, allowing exponentially more compartmentalization than traditional process-based approaches. Isolating various critical codes prevents a single breach from taking over the entire system and can protect against accidental bugs and even deliberate attacks on the supply chain. CHERI’s compartmentalization architecture has the potential to remove whole classes of security issues, drastically increasing protection while decreasing costs compared to current partitioning approaches. All this with minimal effects on performance.

Implementing CHERI at scale

A vital goal of CHERI is to permit the continued use of C and C++ code. Replacing the billions of lines of code written in these languages is not a practical solution to eliminate memory-safety issues. With this in mind, CHERI is a hybrid capability architecture extension designed to integrate with conventional memory management unit (MMU) based architectures and software stacks built using virtual memory and C/C++. This approach also facilitates incremental implementation in existing systems with minimal disruption.

As the lead partner in the UK Research and Innovation’s (UKRI) Digitial Security by Design (DSbD) program, Arm released the first Morello demonstrator boards on schedule in January 2022. Hundreds of CHERI-powered Morello boards are being sent this year to companies, universities and public research institutions for evaluation. Research agendas are now in place to test the new architecture. This includes conducting experiments in a broad range of applications across different programming languages and operating systems.

Testing includes staff working on graphics drivers to allow more exciting demonstrations, general software porting, optimization work, and research into aspects of temporal memory safety not directly supported by CHERI.


Resources:

https://www.cl.cam.ac.uk/research/security/ctsrd/cheri/
https://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-941.pdf
https://msrc-blog.microsoft.com/2022/01/20/an_armful_of_cheris/
https://www.lightbluetouchpaper.org/2022/01/20/arm-releases-experimental-cheri-enabled-morello-board-as-part-of-187m-ukri-digital-security-by-design-programme/
https://www.arm.com/company/news/2022/01/morello-research-program-hits-major-milestone-with-hardware-now-available-for-testing
https://www.arm.com/architecture/cpu/morello
https://www.arm.com/blogs/blueprint/morello


Read more from SRI