Software is crammed full of bugs. This 'exciting' project could banish most of them
Chip designer Arm has released a prototype of its Morello development board for researchers at Google, Microsoft and industry to test its goal for a CPU design that wipes out a chunk of memory-related security flaws in code.
The Morello board is the product of a collaboration between Arm, Cambridge University, Microsoft and others based on the Capability Hardware Enhanced RISC Instructions (CHERI) architecture. Microsoft says the board and system on chip (SoC) is the first high-performance implementation of CHERI, which provides "fine-grained spatial memory safety at a hardware level". If it proves successful after testing with legacy software, it could pave the way for future CPU designs.
Developer
CHERI architectural extensions are designed to mitigate memory safety vulnerabilities. CHERI augments pointers – the variables in computer code that reference where data is stored in memory – with limits as to how those references can be used, the address ranges that they can use to access, and which functionality they can use. "Once baked into silicon, they cannot be forged in software," Arm explained. CHERI was developed by the University of Cambridge and SRI International after it received funding from DARPA's Clean-slate design of Resilient, Adaptive, Secure Hosts (CRASH) program.
SEE: The IT skills gap is getting worse. Here are 10 ways you can avoid a crisis
The Morello architecture is based on CHERI. Arm kicked off work on hardware for the Morello program in 2019 with backing from the UK government's Digital Security by Design (DSbD) program and UK Research and Innovation (UKRI).
The Morello demonstrator board is a tweaked Arm Neoverse N1, a 2.5GHz quad-core server core CPU with support for Armv8.2a 64-bit architecture that has extra features to enable CHERI-based "compartmentalization" to counter exploits against memory-related security flaws.
"For any research project, this phase is both exciting and critical. There has never been a silicon implementation of this hardware capability technology in a high-performance CPU," said Arm.
The Morello board is a significant advancement for CHERI, which has been in development for over a decade. Saar Amar, of Microsoft's Security Research and Defense team, notes the top existing implementation of CHERI topped was Toooba, which –while a "significant achievement" – could only run in an FPGA at 50MHz in a dual-core configuration. It was "roughly equivalent in microarchitecture to a mid-'90s CPU" that wasn't good enough for testing complex software stacks at scale.
The CHERI and Morello architectures may be one way of tackling memory-related security flaws that stem from code written in programming languages like C and C++. Microsoft and Google say the majority of security bugs are memory safety issues and they're often due to coding issues written in these languages.
The volume of these bugs and patches they require has prompted major software firms like Microsoft, Google and Amazon to explore 'type safe' languages like Rust for systems programming. However, Rust is generally used to write new components because vast, existing code bases written in C or C++ are left in place, as Google is doing for Android's code base.
The Morello boards are being shared with researchers to test the hypothesis of CHERI's compartmentalization approach and whether it is a viable security architecture for businesses and consumers in the future.
As detailed in a paper about CHERI by Google researcher Ben Laurie and peers, various CHERI modes can be more effective and efficient than mitigations in conventional memory management unit (MMU) hardware, which are used to translate virtual memory addresses to physical addresses.
CHERI allows for software compartmentalization in a similar way to process isolation in software for today's operating systems, notes Laurie. It also includes an in-process memory safety mechanism that avoids the need to make major changes to source-code – a potentially major benefit for existing code bases.
"Contemporary type-safe languages prevent big classes by construction, whereas CHERI memory protection prevents the exploitation of some of these bug classes," writes Microsoft's Armar.
"There are billions of lines of C and C++ code in widespread use, and CHERI's strong source-level compatibility provides a path to achieving the goals of high-performance memory safety without requiring a ground-up rewrite."