Adopting Memory-Safety and Fine-Grained Compartmentalisation With CHERI

Abstract

This talk will describe how CHERI achieves memory safety for existing code with just a recompile and how that non-bypassable memory safety can be used as a building block for higher-level security abstractions.

CPUs with CHERI support are starting to appear in commercial products now. CHERI began as a DARPA-funded research project at the University of Cambridge and SRI International in 2010 to add support for fine-grained compartmentalisation (providing strong security boundaries around software components within a program) to modern CPU instruction sets. This included support for object-granularity memory safety, which allows usable abstractions for compartmentalisation, where programmers share objects, not pages. CHERI has subsequently been the subject of over £200M of total research, including Arm producing a high-performance test chip (Morello).

Most CHERI work has focused on incremental adoption. Morello, for example, can run versions of Linux and FreeBSD that can run unmodified binaries, and allows individual processes to adopt CHERI features either for isolated sandboxes or for a fully memory-safe process environment. The latter, on CheriBSD (the FreeBSD CHERI variant), includes a complete Wayland and KDE userspace stack.

Any memory-safety bug in any of this software stack becomes a recoverable error (trapping before any memory corruption). A small team was able to run well over a hundred million lines of C and C++ in a fully memory-safe environment. Rewriting in a safe language such as Rust would have cost orders of magnitude more.

CHERIoT aimed to showcase what will be possible once you can assume CHERI everywhere and design the software model to support this. The CHERIoT Platform is a fully open hardware-software stack for embedded systems that assumes CHERI from the ground up, with a mere 350 instructions that are trusted for the core isolation guarantees (contrast with around 50 KLoC in an embedded microkernel such as Zephyr or millions of lines of code in Linux). Every part of the system is built using CHERI-enabled compartmentalisation and .

The talk will discuss how fine-grained compartmentalisation can be not just possible, but easy on a CHERI system.


Speaker

David Chisnall

Director of System Architecture @SCI Semiconductor, OS, Compiler, and Computer-Architecture Expert, Maintainer of the CHERIoT Platform

David Chisnall is Co-Founder and Director of Systems Architecture at SCI Semiconductor, a company founded to make CHERI processors. He is also a Visiting Researcher at the University of Cambridge. His background spans compilers, operating systems, security, and hardware. He has been an LLVM contributor since 2008 and implemented two language runtimes that have each shipped on over a hundred million devices. He was elected to the FreeBSD Core Team for two terms. He joined the CHERI project at the University of Cambridge in 2012 to drive the languages and compilers track of a research project that aimed to change the entire hardware/software stack to improve security. In 2018 he moved to Microsoft, where he led their involvement with the UK Government's Digital Security by Design programme, a £170M effort to drive CHERI adoption in industry. As part of this, he created the CHERIoT project, an attempt to scale the ideas from the CHERI research down to tiny low-cost devices, giving better security and easy programming models to connected embedded devices. His team at Microsoft open-sourced this project in 2023. David is also the author of five books, including The Definitive Guide to the Xen Hypervisor.
