Over the last seven years, the CTSRD Project at SRI International and the University of Cambridge has been performing intensive hardware-software co-design to redesign core computer architecture around improved security. This talk will introduce Capability Hardware Enhanced RISC Instructions (CHERI), which extend a conventional RISC processor architecture with support for capabilities – a long-discussed but rarely deployed security approach focused on efficiently implementing the Principle of Least Privilege. CHERI is a hybrid capability architecture, in that it blends these historic ideas with contemporary hardware and software design, yielding vastly improved security with strong software compatibility yet acceptable performance overhead for fine-grained memory protection and mitigation – and orders-of-magnitude performance improvement for compartmentalised software designs. These techniques directly support vulnerability mitigation for the C and C++ programming languages, interfering with exploit techniques from buffer overflows to ROP and JOP, as well as protecting against future unknown attack techniques via scalable application-level privilege reduction. Prototyped via hardware-software co-design, and evaluated on FPGA with support from DARPA, the CHERI processor prototype is able to run adapted versions of the FreeBSD operating system (CheriBSD) and open-source application stack, and is targeted by an extended version of the Clang/LLVM compiler. This talk introduces the CHERI architecture and potential applications, and will also describe current research directions.
Dr Robert N. M. Watson is a University Senior Lecturer (Associate Professor) at the University of Cambridge Computer Laboratory, where he works across the areas of security, operating systems, and computer architecture. As Principal Investigator of the CTSRD project, he led work on the CHERI architecture from the “ISA up”, designing the hardware-software security model, and has led the CHERI software development team working on OS support, compiler support, and applications. He also has research interests in network-stack design, OS tracing and profiling tools, and capability-based operating systems including the Capsicum security model now deployed in FreeBSD. In prior industrial research, he developed the MAC Framework employed for OS kernel access-control extensibility and sandboxing in FreeBSD, Mac OS X, iOS, and Junos. He is an author of the Design and Implementation of the FreeBSD Operating System (Second Edition).