
Department of Computer Science and Technology

A pioneering new approach to computer processor security that started life here and is being further developed with Arm and other industry leaders will be rolled out for widescale testing this year through the UK government's £200m Digital Security by Design initiative.

At a public launch event 'What is Digital Security by Design?' on Tuesday 25 January, prototype hardware and early-stage software that has the potential to block security vulnerabilities in future computer systems will be unveiled.

This has been developed by a consortium led by Arm and including the team of researchers here in Cambridge and at SRI International who developed the CHERI ('Capability Hardware Enhanced RISC Instructions') technology.

At the launch, which is open to all, the process of recruiting firms to trial the new technology – the experimental CHERI-enabled Arm Morello processor and evaluation board – will begin.

The CHERI project started in 2010. Arm became a collaborator in 2014 and since then, researchers working on the Arm Morello program and on the CHERI project have been focusing on new ways to design the architecture of a computer’s central processing unit – its brain – to make software less vulnerable to security breaches.

The original CHERI research, in collaboration with SRI International and supported by DARPA (the US Defense Advanced Research Projects Agency), has focused on doing this through the use of 'capabilities' – unforgeable tokens of authority to access memory, apps or programs. The resulting CHERI technology fundamentally revises the architectural interface between hardware and software by adding hardware support for capabilities.

In collaboration with the researchers here, Arm has designed the prototype Morello architecture that adopts these capabilities. The Arm Morello evaluation board being launched today (20 January 2022) is a platform for the prototype architecture so that it can be investigated by industry and academia.

UK Research and Innovation (UKRI) – which leads the Digital Security by Design programme – will begin seeking appropriate firms across sectors ranging from education, healthcare and manufacturing to telecoms and transport to take part in the evaluation of the new technology.

Need for new security solutions
The need for new solutions to improve computer security arises because the computers we use today – and the programs written for them – are rooted in the technology of the 1970s.

Conventional hardware instruction sets and the C/C++ programming languages, dating back to the 1970s, provide only coarse-grained memory protection. This turns many common coding errors into exploitable security vulnerabilities, yielding 'arbitrary code execution' – i.e. the ability for an attacker to take full control of the behaviour of vulnerable software on a victim’s system.

Such vulnerabilities have led directly to cybersecurity disasters such as the 2017 WannaCry ransomware attack that disrupted many NHS hospitals and GP surgeries in England.

As Robert Watson – a Professor in Systems, Security and Architecture here and co-leader of the CHERI project – explains: "Programming languages such as C and C++ are memory-unsafe and have many, currently widely-exploited, vulnerabilities. CHERI’s memory protection features provide strong, compatible, and efficient protection against these."

Pictured left to right: CHERI project leaders Simon Moore, Robert Watson and Peter Sewell.

CHERI capabilities are a new architectural data type to replace integer pointers, tightly controlling all memory accesses to limit damage.

Because CHERI is a hardware-software technique, the operating system and compiler toolchain gain the ability to communicate intended limits to the hardware, whereas today those intentions are discarded when software is compiled in the development environment.

Improving memory protection
Better memory protection features would be very appealing to industry. "Microsoft's research of its own vulnerabilities from the last 10 years indicates that 70 per cent of them were memory safety bugs, over two-thirds of which could have been mitigated if CHERI had been deployed," adds Professor Simon Moore, a fellow co-leader of the CHERI project. 

Microsoft Research and the Microsoft Security Response Center have been running a CHERI-based research programme for several years and have published a detailed research agenda for their own evaluation of CHERI and Morello.

The use of capabilities also enables software compartmentalisation features that will separate operating systems and the application software that runs on them into small, discrete pieces. So even if hackers are able to exploit a vulnerability in one component on a computer system, they can't get to everything inside. They will be constrained to access only a very small amount of information, and must identify and exploit a substantially greater number of vulnerabilities to gain total control of a system.

Compartmentalisation
Today, coarse-grained compartmentalisation does see some use – but has been extremely difficult and expensive to implement on current hardware. "If you read mail from multiple accounts or have presentations that contain images from many different sources you want to protect them all from each other because you don’t know which bits might be malicious," says Robert Watson.

"You want to compartmentalise them, but that compartmentalisation problem can’t be solved on current hardware – it’s just not designed for it, and it’s too slow."

This is where CHERI comes in. The hardware capability technology used in CHERI, and now being used in Arm’s prototype architecture, combines references to memory locations with protection metadata.  

Suitably compiled software implements pointers with capabilities – rather than simple integers, as present in current hardware – with limits on how the references can be used. (These limits relate to the address ranges and functionality that the references can be used to access.) This combined information is constructed so that it cannot be forged by software, requiring the introduction of tagged memory – an old idea in computer science that depends on novel implementation techniques to be efficient in current designs. Replacing pointers with capabilities in a program vastly improves memory safety.
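A toy model of the mechanism just described, added here as an illustration and not CHERI's or Morello's actual capability encoding: each pointer carries bounds and permissions that are checked on every access, and a tag bit per memory word, cleared by any ordinary data write, stops software from forging a capability out of integer bits. All class, field and method names are my own.

```python
from dataclasses import dataclass

CAP_SIZE = 16  # bytes per capability word; one tag bit guards each aligned word

class CapabilityFault(Exception):
    pass  # the hardware trap raised when a capability check fails

@dataclass(frozen=True)
class Capability:
    base: int          # start of the permitted address range
    length: int        # size of that range in bytes
    perms: frozenset   # subset of {"load", "store"}
    offset: int = 0    # cursor inside the range (the integer pointer value)
    tag: bool = True   # validity tag; False means the bits were not hardware-derived

    @property
    def address(self):
        return self.base + self.offset

    def check(self, perm, size):
        """The check the hardware performs on every dereference."""
        if not self.tag:
            raise CapabilityFault("untagged capability")
        if perm not in self.perms:
            raise CapabilityFault(f"missing {perm} permission")
        if self.address < self.base or self.address + size > self.base + self.length:
            raise CapabilityFault(f"bounds violation at {self.address:#x}")

class TaggedMemory:
    def __init__(self, size):
        self.data = bytearray(size)
        self.caps = {}   # aligned address -> Capability held there with its tag bit set

    def load(self, cap, size):
        cap.check("load", size)
        return bytes(self.data[cap.address:cap.address + size])

    def store(self, cap, payload):
        cap.check("store", len(payload))
        self.data[cap.address:cap.address + len(payload)] = payload
        for a in range(cap.address, cap.address + len(payload)):  # any data write into a
            self.caps.pop(a - a % CAP_SIZE, None)                  # word clears its tag

    def store_cap(self, cap, value):
        cap.check("store", CAP_SIZE)
        self.caps[cap.address] = value   # capability bits stored with the tag bit set

    def load_cap(self, cap):
        cap.check("load", CAP_SIZE)   # a word whose tag was cleared yields untagged bits
        return self.caps.get(cap.address, Capability(0, 0, frozenset(), tag=False))
```

With this model a one-byte over-read past a 16-byte buffer traps rather than reading the neighbouring data, and a pointer stored in memory and then overwritten with integer bytes loads back untagged and cannot be dereferenced.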

Mathematically-proven security properties
Another unique aspect of the CHERI work is the mathematical verification of the prototype architecture, which depends on new modelling and proof techniques. Morello is the first industrial-scale processor for which the architecture specification has mathematically proven security properties, providing unprecedented confidence in the approach.

Professor Peter Sewell, who leads this aspect of the project, notes "The Morello architecture specification is 60000 lines of intricate detail, and a mistake in that could let attackers side-step the intended CHERI protection. Using new techniques based on our Sail architecture description language and the Isabelle proof assistant, we've been able to build a machine-checked mathematical proof that there are no such flaws of that kind, which is the first time that this has been possible, and to generate tests directly from the specification".

The launch of the new technology platform prototype, and the industrial testing it will enable, takes the CHERI research a big step forward, helping show how the new security technology performs in terms of speed and security and whether it is a candidate to be implemented in the hardware of the future.

"It's very exciting," says Robert Watson. "Our collaboration with Arm has already validated a number of critical ideas arising from our research including ideas about the development of architectural capability-system models, the security of such models against malicious code, and the ability to create memory safe versions of the C and C++ computer languages.

"Now that the first CHERI hardware is becoming available, it brings within reach the possibility of exploring many further ideas and we look forward to doing that in the future."



Published by Rachel Gardner on Thursday 20th January 2022