Government to fund more businesses to test CHERI digital security solutions

The UK government is making more funding available this spring to encourage companies to test out in the 'real world' new digital security solutions developed by this Department as part of the CHERI project. 

The Industrial Strategy Challenge Fund Digital Security by Design is offering up to £6 million to businesses, via Innovate UK, to evaluate and demonstrate the economic and social benefits of new computer security features that have been developed here as part of CHERI.

Firms have until 26 May to put forward expressions of interest for the funding. These will be considered and two or three successful applicants will then receive backing to take forward their proposals.

The government is particularly interested in seeing the new security features tested out in industries that require secure system operations or that hold high-value data assets where – if they were compromised in a cyber-attack – it could cause serious economic or personal harm.

CHERI is a large, multi-disciplinary project that has been running for over a decade, aimed at making our phones and computers much more secure and efficient. (See an early prototype, right.) It set out in 2010 to address the fundamental question: "If you were starting from scratch, what would you need to do to both hardware and software to make computers more secure?"

This is necessary because the computers we use today – and the programmes written for them – are rooted in the technology of the 1970s when security was much less of a consideration. As Professor Peter Sewell says: "Back then, most people didn’t know how to design more securely and, even if they did, they had no clue that they needed to."

It’s a very different picture today. Cyber-attacks are on the rise and are able to exploit well-known vulnerabilities in programming languages and in computer architecture and systems. Researchers on the CHERI project set out to combat this by going back to the drawing board and looking at the radical changes that would be needed in both hardware and software in order to improve security.

Today, CHERI extends conventional hardware Instruction-Set Architectures (ISAs) with new architectural features to enable much more finely-grained memory protection and highly scalable software compartmentalization.

As Dr Robert Watson (pictured right) explains, "Programming languages such as C and C++ are memory-unsafe and have many, currently widely-exploited, vulnerabilities. CHERI’s memory protection features provide strong, compatible, and efficient protection against these."

This would be very appealing to industry. "Microsoft's research of its own vulnerabilities from the last 10 years indicates that 70 per cent of them were memory safety bugs, the majority of which could have been mitigated if CHERI had been deployed," says Robert’s CHERI colleague Professor Simon Moore.

Software compartmentalisation 
Another aspect is the software compartmentalisation features that will separate the codes of operating systems and the applications that run on them into small, discrete pieces. "So even if hackers are able to break into a computer system, they can't get to everything inside. They will be constrained to access only a very small amount of information."

The possibilities of this are very exciting and a number of corporate collaborators have already come on board to help turn the findings of the research into industrial prototypes.

In 2019 the UK government backed a Digital Security by Design Challenge, which awarded £70 million in funding to the prototyping effort (now named Morello).

The £70 million was matched by a further £117 million from Arm and other industry partners including Microsoft and Google, enabling the development of Morello – which has been described by Arm chief architect Richard Grisenthwaite as "a ground-breaking and unprecedented industrial-scale prototype of the CHERI concepts in the context of the Arm architecture."

Last year, £8 million of the Digital Security by Design programme’s funds went to support projects at eight UK universities (including Cambridge) to carry out Morello-related research over the next four years.

And now there is an additional £6 million being offered as matched funding to companies that would like to develop demonstrator products showcasing the use and adoption of the new security technologies.

"To test out our ideas we need to build prototypes and demonstrations of use," says Robert Watson. "This is a big science experiment – but a very applied one." He welcomes queries from potential applicants seeking funding to discuss the CHERI technology and its potential applications.