For the last ten years, SRI International and the University of Cambridge have been working to develop CHERI (Capability Hardware Enhanced RISC Instructions), a DARPA-sponsored processor architecture security technology implementing efficient fine-grained memory protection and scalable software compartmentalization. You can learn more about CHERI in our Introduction to CHERI technical report, which describes the architectural, microarchitectural, formal modelling, and software approaches we have created.
For the last six of those years, we have been collaborating closely with Arm to create an adaptation of CHERI to the ARMv8-A architecture, which is slated to appear in Arm’s prototype Morello processor, System-on-Chip (SoC), and board in Q1 2022. Richard Grisenthwaite, Arm’s Principal Architect, announced this joint work at the UKRI Digital Security by Design (DSbD) workshop in September 2019. DSbD is a UKRI / Industrial Strategy Challenge Fund (ISCF) research programme contributing to the creation of the Morello board, and CHERI is the Digital Security by Design Technology that underlies the programme. Our collaboration with Arm has been an enormously exciting experience, involving daily engagement with Arm’s architects, microarchitects, and software designers. This included hosting several members of Arm’s team at our lab in Cambridge over multiple years, as we brought together our long-term research on architectural and software security with their experience in industrial architecture, processor designs, and transition.
Today, Richard Grisenthwaite announced that Arm is releasing their first simulator for the Morello architecture, the Morello FVP (Fixed Virtual Platform), and also an open-source software stack that includes their adaptation of our CHERI Clang/LLVM to Morello and early work on Morello support for Android. These build on the Morello architecture specification, released in late September 2020. SRI and Cambridge are releasing a first developer preview release of the CHERI reference software stack ported to Morello – intended to show a rich integration of CHERI into a contemporary OS design, as well as demonstration applications. This stack includes CheriBSD, a BSD-licensed reference design and open-source applications adapted to CHERI including OpenSSH, nginx, and WebKit.
For this first developer preview release, we have focused on bringing CHERI C/C++ memory protection to Morello. Our CheriABI process environment, which allows the full UNIX userspace to run with fine-grained spatial memory safety, is fully functional on Morello. This work has been the recent subject of a report from the Microsoft Security Response Center (MSRC), Microsoft’s internal red team and security response organization, describing how CHERI has the potential to deterministically prevent over 2/3 of critical Microsoft software security vulnerabilities. CheriBSD/Morello brings that work over from our research CHERI-MIPS and CHERI-RISC-V platforms to Arm’s Morello. We demonstrated CheriBSD/Morello mitigating several memory-safety vulnerabilities at the EPSRC Digital Security by Design (DSbD) workshop yesterday, talking to 9 UK universities that have been funded to do research building on CHERI and Morello.
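The spatial memory safety that CheriABI provides is easiest to see against the bug class it removes. The following portable C program is an illustration added here, not code from CheriBSD, CHERI Clang/LLVM or the Morello software stack: it models a CHERI-style bounded pointer as a struct (`cap_t`, a constructed name) carrying a base and a length, and contrasts a copy loop through a raw pointer, which silently spills one byte into the neighbouring object, with the same copy through the bounded pointer, which is refused at index 16. On CHERI hardware the bounds travel with the pointer itself and the out-of-bounds store traps; here the refusal is a return code so the behaviour can be observed on any machine. The arena and the over-long input are constructed sample data.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed software model of a CHERI-style bounded pointer: a base and a
 * length. On CHERI the hardware attaches bounds to every pointer and a load or
 * store outside them traps; on conventional hardware a pointer is a bare
 * address and the adjacent object is silently overwritten. This struct and its
 * checks are an illustration only, not CHERI's actual capability encoding. */
typedef struct {
    unsigned char *base;   /* lowest address the capability may touch */
    size_t length;         /* number of bytes from base that are in bounds */
} cap_t;

enum { CAP_OK = 0, CAP_BOUNDS_FAULT = 1 };

static cap_t cap_make(unsigned char *base, size_t length) {
    cap_t c = { base, length };
    return c;
}

/* Store one byte at base[idx]; refuse (where hardware would trap) if out of bounds. */
static int cap_store(cap_t c, size_t idx, unsigned char v) {
    if (idx >= c.length) return CAP_BOUNDS_FAULT;
    c.base[idx] = v;
    return CAP_OK;
}

/* Derive a capability covering a sub-range of an existing one. Like CHERI
 * bounds-setting this is monotonic: the result can only shrink, never grow. */
static int cap_narrow(cap_t parent, size_t off, size_t len, cap_t *out) {
    if (off > parent.length || len > parent.length - off) return CAP_BOUNDS_FAULT;
    *out = cap_make(parent.base + off, len);
    return CAP_OK;
}

#define OBJ_SIZE 16
/* Constructed input: 17 characters plus NUL, two bytes too long for object A. */
static const char OVERLONG_SRC[] = "seventeen bytes!!";

/* Raw pointers: the copy loop cannot know where object A ends, so the 17th
 * byte lands in object B. Returns object B's first byte after the copy
 * ('!' = 33 when clobbered, 0 if intact). */
int raw_copy_clobbers_neighbour(void) {
    unsigned char arena[2 * OBJ_SIZE] = {0};
    unsigned char *object_a = arena;               /* object A: arena[0..15]  */
    unsigned char *object_b = arena + OBJ_SIZE;    /* object B: arena[16..31] */
    size_t n = sizeof OVERLONG_SRC;                /* 18 bytes including NUL */
    for (size_t i = 0; i < n; i++)
        object_a[i] = (unsigned char)OVERLONG_SRC[i];  /* nothing to check against */
    return object_b[0];
}

/* Same copy through a bounded pointer whose bounds cover object A only: the
 * store at index 16 is refused and object B stays zero. Returns object B's
 * first byte and reports the index at which the store was refused. */
int cap_copy_stops_at_bounds(size_t *fault_index) {
    unsigned char arena[2 * OBJ_SIZE] = {0};
    cap_t object_a = cap_make(arena, OBJ_SIZE);
    unsigned char *object_b = arena + OBJ_SIZE;
    size_t n = sizeof OVERLONG_SRC;
    *fault_index = n;   /* n means "no store was refused" */
    for (size_t i = 0; i < n; i++) {
        if (cap_store(object_a, i, (unsigned char)OVERLONG_SRC[i]) != CAP_OK) {
            *fault_index = i;
            break;
        }
    }
    return object_b[0];
}

/* Monotonicity: a capability for one field of object A can be derived from the
 * whole-object capability, but bounds can never be widened back out, and stores
 * through the field capability stop at the field's end. Returns 1 on success. */
int narrowing_is_monotonic(void) {
    unsigned char arena[2 * OBJ_SIZE] = {0};
    cap_t whole = cap_make(arena, OBJ_SIZE);
    cap_t field, widened;
    int ok_narrow = cap_narrow(whole, 4, 8, &field) == CAP_OK;                /* bytes [4,12) */
    int ok_widen  = cap_narrow(field, 0, 2 * OBJ_SIZE, &widened) == CAP_OK;   /* must fail */
    int ok_store  = cap_store(field, 7, 0xAA) == CAP_OK && arena[11] == 0xAA;  /* last in-bounds byte */
    int no_store  = cap_store(field, 8, 0xBB) == CAP_BOUNDS_FAULT;            /* first byte past the field */
    return ok_narrow && !ok_widen && ok_store && no_store;
}

int main(void) {
    size_t idx;
    printf("raw copy: neighbour byte = %d\n", raw_copy_clobbers_neighbour());
    printf("bounded copy: neighbour byte = %d, refused at index %zu\n",
           cap_copy_stops_at_bounds(&idx), idx);
    printf("narrowing monotonic: %d\n", narrowing_is_monotonic());
    return 0;
}
```

The point the model makes is the one the MSRC analysis relies on: the corruption in `raw_copy_clobbers_neighbour` is a conventional inter-object overflow that no later check catches, whereas with bounds attached to the pointer the very first out-of-bounds store is stopped, deterministically and regardless of what the attacker-controlled input contains.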
We have an aggressive planned quarterly release schedule through the end of 2021 when a full release will ship alongside the Morello board, adapting various CheriBSD security features to Morello:
| Date | Release | Key features |
|---|---|---|
| October 2020 | Developer Preview | CheriABI pure-capability userspace implementing spatial memory safety. |
| December 2020 | Update 1 | Pure-capability kernel implementing spatial memory safety. |
| March 2021 | Update 2 | Userspace heap temporal memory safety based on Cornucopia (in collaboration with Microsoft Research). |
| June 2021 | Update 3 | Userspace software compartmentalization based on the CHERI co-process model. |
| October 2021 | Update 4 | Userspace software compartmentalization based on a run-time linker model. |
| Late 2021 | Full release | Any updates required to operate well on the shipping Morello board. |
Getting started with CheriBSD/Morello is easy (if you have a tolerance for experimental architectural simulators, experimental operating systems, and experimental compilers!). Visit our CHERI Morello software web page to learn more about this work, and then our CheriBSD/Morello distribution page to download our build environment. You can automatically install Arm’s FVP, cross-develop in our docker-based SDK on macOS or Linux, and SSH into the simulated host to try things out.
CHERI is the work of a large research team at SRI International and the University of Cambridge, as well as numerous industrial collaborators at Arm, Google, Microsoft, and elsewhere. My co-investigators, Peter G. Neumann (SRI), Simon W. Moore (Cambridge), Peter Sewell (Cambridge), and I are immensely grateful for their contributions: CHERI would simply not have been possible without your collective effort – thank you! We are also grateful to our sponsors over an extended period, including DARPA, UKRI, Google, and Arm.
KTN bid forbids us partners for its CHERI LLVM work; how do we question this?
Hi Dave:
The current Innovate funding call is one of a series of funding opportunities. I don’t have specific insight to offer into eligibility for the various calls, but suggest you get in contact with UKRI / Innovate directly to discuss the current call, and also potential eligibility for future calls. If you’d like to drop me an email directly, we could chat about this further. And, of course, there is also the possibility of collaboration outside of the DSbD framework. While access to Morello hardware will be fairly limited, Arm’s ISA model is freely available, and you can also try out our full CHERI-RISC-V stack, which includes open-source hardware, Qemu, and the full CHERI software stack. CHERI-RISC-V is where we are doing most of our research currently (and are gradually completing our migration from the earlier MIPS prototype).
Thanks,
Robert
Pity. I was going to use a founder for OWASP at SRI with Peter’s blessing; only ‘scalable systems that are beyond the scope of traditional testing or simulation’ are my thing, creating trust over untrusted chans, creating a reliable source… Problem is this will get assessed against the originator of the EM stack by the originator of the EM stack with a view that is the opposite… My first TSR code was from common core on a PDP 11 – principles are similar.