Thursday, March 13, 2025
Earlier this month, a U.K. government initiative called Digital Security by Design (DSbD) held a showcase in London to enable companies with pioneering technologies to demonstrate products, technologies and solutions that could tackle a perceived market failure in integrating fundamental hardware security and, ultimately, reduce the economic impact of major cyber security breaches caused by memory safety vulnerabilities.
A key to addressing this is a technology called CHERI (Capability Hardware Enhanced RISC Instructions), for which the story starts around 2010. The DSbD initiative was then put in place in 2019 because of £70 million (about $88.4 million) U.K. government funding earlier that year to figure out how industry could implement memory safe technologies like CHERI, build prototypes and look at bringing it to market in a commercially viable way.
John Goodacre, a professor and technologist who spearheaded the DSbD initiative, said in his opening remarks at the showcase that CHERI and memory safety were key to implementing security, and that it was essential now to achieve real-world adoption of CHERI at scale.
Ollie Whitehouse, CTO of the U.K.’s National Cyber Security Centre, added, “Addressing memory safety at source, and the standardization of technologies like CHERI and RISC-V present a unique opportunity to adopt security technology.” However, he said that refactoring code into being memory safe is not practical. Hence, he said the industry needed to figure out how to prioritize cyber security in the system development phase and embrace open standards to ultimately create market demand.
At the London event, Arm fellow and chief architect Richard Grisenthwaite added more detail about the context and the significance of addressing memory safety. “Security is not just one thing. The cleverness of cybercriminals is immense, and memory safety remains a fundamental problem,” Grisenthwaite said. “CHERI provides a way of compartmentalization so that when there is a breach, damage can be minimized. Functions stay in their little boxes.”
He said that before 2018, people would ask, “Is CHERI deployable in the real world?” That is a key part of what DSbD’s task was: to show how it could be deployed to effectively get proofs of concept, develop prototypes and find early adopters of potential solutions. “Of course there are deployment challenges – for example, with millions of lines of code out there already, how can some of the software ecosystems be addressed,” Grisenthwaite said.
At the showcase, speakers highlighted that as a result of the DSbD program, some 160 companies and over 1,000 people were looking at using CHERI.
Professor Robert Watson on the origins of CHERI
EE Times was able to spend some time earlier this month in Cambridge, U.K., with Robert Watson, professor of systems, security and architecture at the University of Cambridge Computer Laboratory, who explained the origins of CHERI and where it is now.
Watson was also one of the authors of a paper published this month by the U.K.’s University of Cambridge Computer Laboratory in the ACM journal, which explains some of the challenges for memory safety and initiates a call for the computing industry to consider standardizing practices for addressing memory safety vulnerabilities. It says this issue is the foundation of many zero-day exploits observed in the trusted computing bases of open source and proprietary systems software, including Windows, Linux, Android, iOS, Chromium, OpenJDK, VxWorks, FreeRTOS and others.
The paper highlights why memory safety vulnerabilities are important: when combined with network communications or other malicious data, they can enable an attacker to escalate (via a multistep exploit chain) to arbitrary code execution, operating outside the confines of the programming language. These vulnerabilities have proven impossible to prevent completely with conventional engineering, and they are especially dangerous because a single error (perhaps one line in a multimillion-line system) is sufficient to achieve total control of a vulnerable system.
It does not help that the existing multi-billion-line C/C++ code corpus is difficult (and probably impossible in practice) to replace entirely because of its scale. An industry estimate suggests it would cost around $1 trillion to rewrite one billion lines of code. Of particular importance within this corpus are the language runtimes of many type-safe and/or memory-safe programming languages, such as Java, JavaScript and Python, which are often implemented in (or depend heavily on) C and C++.
The authors argue that memory-safety standardization is an essential step toward promoting universal strong memory safety in government and industry and, in turn, ensuring access to more secure software for all. Over the last two decades, a set of four research technologies for strong memory safety—memory-safe systems languages, hardware and software memory protection, formal approaches and software compartmentalization—have reached sufficient maturity to see early deployment in security-critical use cases.
However, there is concern that there is very little shared technology-neutral terminology or frameworks with which to specify memory-safety requirements.
Industry lacks incentive to address memory safety
In addition, the lack of incentive to address fundamental security flaws has fostered a large and profitable after-market security industry, according to the paper. It states:
“This situation is reminiscent of the automotive industry’s reliance on after-market kits necessary to fix flawed car designs before adequate safety regulations were in place. In that era, just as in the software industry today, there was little economic motivation for manufacturers to proactively address safety issues. Instead, a secondary market emerged to patch the problems, often ineffectively. Similarly, in the software world, we see a proliferation of security add-ons and services that attempt to mitigate the risks of memory-unsafe code, rather than eliminating the root cause. These after-market solutions, while sometimes necessary, add complexity, increase costs, and expose us to additional significant safety risks themselves. While this sector demonstrates that there is money to be made in addressing security vulnerabilities, it primarily focuses on reactive, after-the-fact solutions, rather than incentivizing proactive, secure-by-design development that would prevent these vulnerabilities from arising in the first place.”
Enter CHERI and government incentive to enable adoption
CHERI began as a joint research project of SRI International and the University of Cambridge. It has been supported by the DARPA CRASH, MRC and SSITH programs since 2010, as well as by other DARPA research and transition funding. Its aim was to revisit fundamental design choices in hardware and software to dramatically improve system security.
CHERI extends conventional hardware ISAs with new architectural features to enable fine-grained memory protection and highly scalable software compartmentalization. The CHERI memory-protection features allow historically memory-unsafe programming languages, such as C and C++, to be adapted to provide strong, compatible and efficient protection against many currently widely exploited vulnerabilities. The CHERI scalable compartmentalization features enable the fine-grained decomposition of OSes and application code to limit the effects of security vulnerabilities in ways that are not supported by current architectures.
It is a hybrid capability architecture in that it is able to blend architectural capabilities with conventional MMU-based architectures and microarchitectures, and with conventional software stacks based on virtual memory and C/C++. This approach allows incremental deployment within existing software ecosystems, which researchers have demonstrated through extensive hardware and software prototyping.
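To make the two properties just described concrete, here is an added software model (not CHERI hardware, and not code from the CHERI project or the article) of a capability carrying bounds, permissions and a validity tag. It shows a copy that overruns a 16-byte buffer being stopped at the bounds, and a derived capability being refused when it tries to widen its bounds; all names, the struct layout and the 20-byte input are assumptions constructed for the illustration.

```c
#include <stdint.h>
#include <stddef.h>
#define CAP_PERM_LOAD  1u
#define CAP_PERM_STORE 2u

/* Model of an architectural capability: bounds, permissions and a validity tag. */
typedef struct {
    uint8_t *base;    /* lowest byte the capability may touch */
    size_t   length;  /* number of bytes covered from base */
    unsigned perms;   /* CAP_PERM_* bits */
    int      tag;     /* 1 = valid; 0 = untagged, every access through it faults */
} cap_t;

/* Derive a narrower capability. Widening bounds or adding permissions is refused,
   modelling CHERI's monotonicity: derived capabilities never gain authority. */
int cap_restrict(const cap_t *src, size_t off, size_t len, unsigned perms, cap_t *out) {
    if (!src->tag || off > src->length || len > src->length - off || (perms & ~src->perms)) {
        out->tag = 0;
        return -1;
    }
    out->base = src->base + off; out->length = len; out->perms = perms; out->tag = 1;
    return 0;
}

/* Byte store checked against tag, permission and bounds; -1 is where hardware would trap. */
int cap_store_u8(cap_t *c, size_t idx, uint8_t v) {
    if (!c->tag || !(c->perms & CAP_PERM_STORE) || idx >= c->length) return -1;
    c->base[idx] = v;
    return 0;
}

/* Copy n bytes through a capability, stopping at the first faulting store. */
size_t copy_through_cap(cap_t *dst, const uint8_t *src, size_t n) {
    size_t written = 0;
    while (written < n && cap_store_u8(dst, written, src[written]) == 0) written++;
    return written;
}

/* Constructed scenario: a 16-byte buffer sits next to a secret. An oversized copy
   through a capability bounded to the buffer stops at byte 16; the secret is intact. */
int demo_overflow_contained(void) {
    struct { uint8_t buf[16]; uint8_t secret[4]; } frame = { {0}, {0xAA, 0xBB, 0xCC, 0xDD} };
    cap_t frame_cap = { (uint8_t *)&frame, sizeof frame, CAP_PERM_LOAD | CAP_PERM_STORE, 1 };
    cap_t buf_cap, widened;
    uint8_t input[20];
    for (size_t i = 0; i < sizeof input; i++) input[i] = 0x41;   /* 20 bytes, 4 too many */
    if (cap_restrict(&frame_cap, 0, sizeof frame.buf, CAP_PERM_STORE, &buf_cap) != 0) return 0;
    if (cap_restrict(&buf_cap, 0, sizeof frame, CAP_PERM_STORE, &widened) != -1) return 0; /* no widening */
    size_t n = copy_through_cap(&buf_cap, input, sizeof input);
    return n == 16 && frame.secret[0] == 0xAA && frame.secret[3] == 0xDD;
}
```

In a conventional pointer-based build the same 20-byte copy would silently overwrite the adjacent secret; here the fourth-from-last byte faults instead, which is the "functions stay in their little boxes" behaviour Grisenthwaite describes.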
In 2019, it was championed by the U.K. government, which, as part of its U.K. Industrial Strategy Challenge Fund, supported programs looking at the integration of new, fundamental hardware security through a £70 million (about $88.4 million) investment, matched by over £100 million (about $126 million) from industry, including Microsoft and Google. As a result, this also saw the development of Arm’s CHERI-enabled Morello processor, SoC and board.
The U.K. innovation agency UKRI then created DSbD and its technology access program, developed to build a pipeline and community of developers and technology companies to trial and experiment with these technologies. Program participants were given access to prototype hardware, technical guidance and funding to support an experimentation period with memory-safe technologies, such as CHERI, within their own organizations.
By: DocMemory Copyright © 2023 CST, Inc. All Rights Reserved