Slides from the Digital Security by Design Software Ecosystem Competition Briefing from 5 October 2021. This new competition, from the Digital Security by Design challenge, in partnership with Innovate UK and the Engineering and Physical Sciences Research Council (EPSRC), both part of UK Research and Innovation, is investing up to £8 million in research and development projects.
Digital Security by Design Software Ecosystem Competition
1. ISCF Digital Security by Design (DSbD):
Software Ecosystem Development
Joint Innovate UK and EPSRC Competition
Applicant briefing – Virtual event
5th October 2021
2. Prof. John Goodacre
Challenge Director DSbD
▪ Programme update, availability of Morello board
▪ Importance and relevance of the competition
▪ Thank you to Innovate UK and EPSRC
4. Part 1
Competition scope, eligibility criteria
Part 2
The Innovation Funding Service, application finances, academic partners
Part 3
Submitting your application, assessment, project setup for successful applicants
Agenda
6. The aim of this competition is to fund a range of projects, including:
• both single applicant & collaborative
• both business-led & research organisation-led
that work to enrich and expand the Digital Security by Design (DSbD) software
ecosystem prior to the availability of commercial hardware
Projects will leverage the DSbD Technology Hardware Prototype (aka ‘Morello
Board’) to work on a focused area within a selected and specified software
stack or Operating System (OS) or developer toolchain used by a digital system
Competition Way-in
up to £8 million for R&D projects to work on the development of the DSbD software
ecosystem. Project funding from £200k to £1.4M with duration between 12-30 months
7. Proposals MUST focus on either of the following:
• enriching the evolving Morello Stacks
• expanding overall support and make available additional DSbD enabled software stacks,
toolchains and components
All projects are required to evaluate the performance impact of using DSbD technologies based on
specified performance requirements and objectives:
• To take into account the expected maturity of the specified software stack or Operating
System or developer toolchain
• To take a flexible approach in their workplans as appropriate
Proposals MUST:
• specify the use and need for the Morello boards within the project
• include scenario analysis between the requirement for availability of on-premise boards in a
limited number and cloud-based virtualised access to potentially a larger number of boards
• Quantities and virtual access considerations for each respective scenario must be specified
Competition Scope (1/2)
8. Proposals MUST:
• show how the project will deliver value and benefit to application developers and the
growth of the DSbD software ecosystem
• describe the availability of project outputs, along with how and whether you will be
making them available to others using a Morello board
• describe your route to impact on how project results can be exploited on the availability
of commercial hardware
We are looking to fund projects that will realise the benefits of DSbD technologies for
software development within:
• OS and developer toolchains, for example, compilers, linkers, debuggers, verifiers
• shared libraries and dependent packages
• language runtimes
• developer frameworks or middleware
• other platform services across Linux-based or other open-source operating systems
Competition Scope (2/2)
9. We are NOT funding projects that are:
• developments which do not deliver benefit to a software developer
• not making use of, enable software targeting or benefitting from capability enabled
hardware as made available by the Morello board
• requiring enhancement of additional hardware capabilities, for example,
accelerators
• developments that do not clearly require a platform level processor, for example, it
supports a memory management unit
• dependent on export performance, for example giving a subsidy to a baker on the
condition that it exports a certain quantity of bread to another country
• dependent on domestic inputs usage, for example giving a subsidy to a baker on
the condition that it uses 50% UK flour in their product
Mind the scope! (and Subsidy Control)
11. Why does the ecosystem need what you are proposing?
Describe or explain:
• a clear description of what you are proposing and its security challenge
• the motivation for playing your part in the DSbD software ecosystem’s enablement
• the benefits of addressing the security challenge within a clearly specified software stack
• how your proposal innovates beyond how it is being addressed today and the limitations of
the current approach
Question 2: Why and what?
Max 800 words
12. What approach will you take and where will the focus of the innovation in the context
of the DSbD software ecosystem be?
Describe or explain what your contribution is in terms of enriching the Morello Stacks or
expanding overall support including:
• how you plan to manage the dependencies of your approach with respect to the Morello Stacks
existing and evolving functionality
• why and how the targeted software stack and components will benefit the DSbD software
ecosystem, if you aim to expand overall support
Describe or explain:
• how the proposed work will align with the identified need and challenge
• the project objectives and how you will evaluate those, including performance requirements
Max 800 words
Appendix optional (e.g., diagram to the proposed technical approach)
Question 3: Technical approach &
innovation
13. Who is the project team, what are their roles and responsibilities?
Describe or explain:
• the role and responsibility of all members of the project team (both named and to be hired)
and how they contribute to delivery of the project
• justify the use of any external parties, including sub-contractors
• justification for the requested quantity of Morello prototype hardware boards both on premise
or remotely accessed
Max 400 words
Appendix optional / mandatory for non-grant claiming partners
Question 4: Team and resources
14. What are your routes to impact of your contribution?
Describe or explain:
• your project’s research and development outputs; how and where will your outputs be made
available both prior to and on the availability of commercial hardware
• how will these outputs impact the growth of the DSbD software ecosystem
• how will you manage any dependencies, including any intellectual property (IP) constraints,
related to achieving the impact of your outputs
• how the consortium expects to interact with relevant groups developing DSbD technologies
and engage with the DSbD networking workshops organised by the ‘Discribe’ Social Science
Hub+ project
Question 5: Impact
Max 800 words
15. How will you manage and execute the project effectively?
Describe or explain:
• an outline of each work package of the project, indicating the lead partner assigned to each
and allocation of budget and resources
• your management structure and reporting
Appendix:
• a project plan and risk register
• must include a Gantt chart with measurable milestones and technical deliverables, in enough
detail to identify any links or dependencies between work packages and track associated tasks
Question 6: Project & risk management
Max 400 words
Appendix mandatory
16. How much will the project cost and how does it represent value for money for the team
and the taxpayer?
(in terms of the project goals) Describe or explain:
• the total eligible project costs and why they are required to meet the objectives of the proposal
• the total grant you are requesting and how each partner will finance their contributions to the
project
• the balance of costs and grant across the project partners
• how this project represents value for money for you and the taxpayer
• how it compares to what you would spend your money on otherwise
• any sub-contractor grant costs and why they are critical to the project. A strong justification is
required if the sub-contractor is non-UK based
Question 7: Justification of resources
Max 600 words
18. Previously submitted application Not a previously submitted application
A previously submitted application is:
an application UKRI judges as not materially
different from one you've submitted before (but it
can be updated based on the assessors'
feedback)
A brand-new application/project/idea that you have not
previously submitted into an Innovate UK competition
OR
A previously submitted or ineligible application which:
✓ has been updated based on assessor feedback
✓ and is materially different from the application
submitted before
✓ and fits with the scope of this competition
Previously submitted applications
You cannot use any application previously submitted to UKRI to apply for this competition.
19. Project eligibility
✓ Lead must be a UK registered business OR a UK research organisation
✓ Single or collaborative
✓ Start on or after 01 April 2022
✓ End by 31 December 2024
✓ Exploit the results from / in the UK
Project grant From £200,000 to £1,400,000
Project duration between 12 to 30 months
Eligibility criteria
20. • Business – Small/Micro, Medium or Large registered in the UK
• Research Organisation (RO):
• Universities (HEIs)
• Non profit distributing Research & Technology Organisation (RTO) including Catapults
• Public Sector Research Establishments (PSRE)
• Research Council Institutes (RCI)
• Public sector organisations and charities doing research activity
• If you are 100% owned by a large parent company as a small subsidiary this means you are classed as a
large company and will only be entitled to the relevant grant. For more information on company sizes, please
refer to the Company accounts guidance.
Types of organisations we fund
21. To help you understand whether you are eligible to apply we have created an eligibility tree.
Am I eligible to apply
22. Compliance with the UK Subsidy Control Regime
On 1 January 2021, the UK left the EU and is no longer subject to EU laws on State aid. We draw your attention to the guidance issued by
BEIS: Complying with the UK’s international obligations on subsidy control: guidance for public authorities. Please be aware this is a living
document and may be updated by BEIS as time progresses.
The set rules (typically GBER) which we previously relied on for the limits of what we could award, have now been replaced by internal
decisions based on the new BEIS Subsidy Control Regime, and on policy, which will in turn set out bespoke eligibility requirements for each
funding opportunity.
Innovate UK is offering funding for this competition in line with the UK's obligations and commitments to Subsidy Control. To ensure that
Innovate UK remains compliant with the UK’s international Subsidy Control duties in respect of:
• The EU-UK Trade and Cooperation Agreement;
• Article 10 of the Northern Ireland Protocol: (successful applicants which are affected by the Northern Ireland Protocol will
be funded in line with EU State aid regulations)
• Article 138 of the Withdrawal Agreement (some Union law applicable after 31 December 2020 in relation to the UK’s
participation in Union programmes and activities)
• The Subsidies and Countervailing measures within the WTO (ASCM);
• Any other Free Trade Agreements active at the time of award.
All awards will be conditional on compliance at all times with the UK Subsidy Control Regime
– this will be reflected in the terms and conditions of any award
23. Due diligence for UK Subsidy Control Regime
Under the Subsidy Control Regime, we will carry out financial health checks and going concern assurances on your
organisation.
Certify you are eligible
When submitting an application, you must certify that you are eligible for funding. If you are unsure, please take independent legal advice
before applying. Should you be successful, we will complete these financial checks and assurances before confirming the grant offer.
For more information on company sizes, please refer to the Company accounts guidance.
Further information is available on our website in the general guidance
24. Eligibility Criteria - EU State Aid Regulations – Northern
Ireland Protocol
If you are an applicant who is conducting activities that will affect trade of goods and/or electricity between Northern Ireland and the EU as
envisaged by Article 10 of the Northern Ireland protocol, then you must apply under European Commission State aid rules.
Undertaking in Difficulty
For applicants subject to the European Commission State aid rules, you will be required to prove that they were not an “Undertaking in Difficulty”
(UiD) on the date of 31 December 2019 but became a UID between 1 January 2020 and 30 June 2021. We will ask for evidence of this.
This test applies to:
• companies that are more than 3 years old
• companies where more than half of its subscribed share capital has disappeared as a result of accumulated losses.
• your parent or holding company
Certify you are eligible
When submitting an application, you must certify that you are eligible for State aid. If you are unsure, please take legal advice before applying.
Should you be successful, we will apply this test as part of our viability checks before confirming the grant offer.
Further information is available on our website in the general guidance under state aid
If you are applying for an award funded under State aid Regulations, the definitions are set out in the European Commission Recommendation of
6 May 2003.
25. Eligibility Criteria: Funding Opportunities
Industry Led Projects
For industry led projects, you could get funding for your eligible project costs of:
• up to 80% if you are a micro or small organisation
• up to 80% if you are a medium-sized organisation
• up to 50% if you are a large organisation
The research organisations undertaking non-economic activity as part of the project can share up to 50% of the total eligible
project costs. If your consortium contains more than one research organisation undertaking non-economic activity, this
maximum is shared between them.
Of that 50% you could get funding for your eligible project costs of up to:
• 80% of full economic costs (FEC) if you are a Je-s registered institution such as an academic
• 100% of your eligible project costs if you are a Research Technology Organisation, charity, non-profit organisation, public
sector organisation or research organisation
Research Organisation Led Projects
For Academic led projects, 100% of project costs can be claimed at 80% FEC.
For general guidance on what our research categories are please visit:
https://www.gov.uk/guidance/innovation-apply-for-a-funding-award#categories-of-research-and-development
26. Making more than one application
• Any eligible business can lead on one application but may be a collaborator in any number of
applications
• For Research Organisations this applies to the level of a named individual Principal Investigator (PI)
leading the application. Research organisations are able to submit multiple applications as lead,
provided they are led by different named individuals.
• An eligible organisation taking part as a collaborator in multiple applications must show and specify that
they are working on different topics and ecosystem areas.
• Research organisations can be a partner in any number of applications
27. Other UKRI projects
We will not award you funding if you have:
• have an outstanding final claim and/or Independent Accountant Report (IAR) on a live Innovate
UK project, you will not be eligible to apply for grant funding in this competition, as a lead or a
partner organisation
• applied to a previous competition as the lead or sole company and were awarded funding by
Innovate UK, but did not make a substantial effort to exploit that award, we will award no more
funding to you
• applied to a previous competition as the lead or sole company and failed to comply with grant
terms and conditions
• an open, outstanding ResearchFish sanction
28. Timeline Dates
Competition Opens 04 October 2021
Briefing Event 05 October 2021
Submission Deadline 08 December 2021
Applicants informed 04 February 2022
Projects to start on or after 01 April 2022
Projects to end by 31 December 2024
Key Dates
30. Search for a funding competition and review criteria
31. Lead Applicant: create an
account
The Lead applicant must create an account:
UK registered businesses - Use Companies House
lookup as it speeds up our checks by providing your
company number. You are unable to enter this at a
later date
Research organisations, academics &
Universities - Enter your information manually so
you’re not listed as a business on IFS and ensure you
receive the correct funding
32. Project Details
Application Team – Collaborators can invite organisations who you are working with on the project. Contributors can invite
colleagues from your own organisation to help you complete your application
Application Details - Title, Timescales, Research Category, Innovation Area & previously submitted application (y/n)
Subsidy basis – Will the project, including any related activities, you want Innovate UK to fund, affect trade between Northern Ireland
and the EU? All participants must complete this section.
Equality, Diversity and Inclusion - external survey to complete
Project Summary - Short summary and objectives of the project including what is innovative about it
Public Description - Description of your project which will be published if you are successful
Scope - How does your project align with the scope of this competition? - If your project is not in scope, it will be ineligible for
funding
33. Application Questions
Detailed guidance available on IFS
Application form Appendix?
Question 1 Applicant location (not scored) No
Question 2
Why and what
No
Question 3 Technical approach and innovation Yes - optional
Question 4 Team and resources Yes – optional / mandatory for non-grant claiming partners
Question 5 Impact No
Question 6 Project and risk management Yes - mandatory
Question 7 Justification of resources No
35. To claim funding:
Your business does not have to be UK registered with Companies House when you apply but it must be
registered before you can receive funding.
You are unable to claim funding if:
• You are an overseas organisation, so your company number begins with FC
• Your organisation is setup as a branch, so your company number begins with BR
• Your company is based in Jersey, so your company number begins with JE
36. Eligible:
• Staff working directly on
project
• Paid by PAYE
• NI, pension, non-discretionary
costs
Ineligible:
• Dividends
• Bonuses
• Non productive time
• Overtime
Labour
37. Overheads
Innovate UK’s definition: additional costs and
operational expenses incurred directly as a result of
the project. These could include additional costs for
administrative staff, general IT, rent and utilities
Indirect (administration) overheads
• please ensure they are additional and
directly attributable to the delivery of the
project
Direct overheads
• E.g. office utilities, IT infrastructure, laptop
provision not covered by capital usage
• must be directly attributable to the project
• Provide detailed breakdown together with
methodology/basis of apportionment
38. Material costs
Please be clear on what the
materials are, just putting
consumables doesn’t provide
enough detail.
If insufficient information is
provided, we will request more
information should you be
successful which may delay your
project start date.
39. Capital equipment usage
Eligible:
Used in the project or shared with day-
to-day production.
Calculations will need to be in line with
your accounting practices.
Even if the equipment is depreciated
fully over the life of the project this must
be added under capital equipment.
40. Subcontractors
Eligible:
Justified and quantified.
If non-UK sub-contractors are being
used, you will need to provide
strong justification on why an UK-
based sub-contractor is not being
used.
If you’re sub-contracting to a parent
or sister company, please ensure
you list at cost and do not include
profit.
41. Travel & subsistence
Eligible:
Costs must be directly linked to the
project
Please breakdown your costs as
follows:
• Travel
• Accommodation
• Subsistence
If you have an annual trip to visit
the parent company this is not an
eligible cost
42. Other costs
Eligible:
• Costs that could not be added under
previous headings
• Do not double count
• Patent filing costs for new IP – SMEs
up to £7,500
43. Funding
Funding rules
• The level of funding awarded will depend upon the type of organisation and the type of
research being undertaken in the project
• Funding is calculated by project participant
IFS will advise the maximum grant % you can request based upon your answers to:
• Type (and size) of organisation
• Research category defined by the lead applicant in the Application Details section of the
application
45. Why Je-S?
• We use the Research Councils’ Joint Electronic Submission System (Je-S) to collect academic
finances
• The Je-S system automates the collection of Full Economic Costs (FEC) based costs from academic
partners and tells them exactly what numbers should be used in the application form for their costs
• Also to collect project finance details from non-HEIs (e.g. RTOs) that are claiming they are carrying
out academic quality work and want to be funded on an FEC basis
• Using Je-S means that Innovate UK follows standard Research Council guidelines on funding
universities and enables Research Councils to easily co-fund Innovate UK projects
• The Je-S system is completely separate from Innovate UK and we cannot advise on its usage
46. • Enter the TSB reference number here
• Enter the TSB Contribution column figures
from your J-eS output document into the
project costs section of the application
• Upload the Je-S with council status form
as a PDF at the bottom of the screen
Queries about Je-S:
Contact Je-S Helpdesk (not Innovate UK)
• jeshelp@je-s.ukri.org
• 01793 444164
Project costs – academic partners
48. Project cost summary
All organisations can see a
summary of project costs
Ensure the highlighted costs
fits the criteria for this
competition
49. Checking your finances are complete
IFS checks
• all organisations have marked
their finances as complete
• research organisation participation
is no greater than 50% of the total
project costs
• IFS DOES NOT VALIDATE TOTAL
PROJECT COSTS
50. Editing a submitted application
Reopen by
clicking here
Remember to
press SUBMIT
53. Application assessment
All applications are assessed by independent assessors drawn from industry and academia
What do they look for?
• Clear and concise answers
• The right amount of information
• not too much detail
• no assumptions
• Quantification and justification
• A proposal that presents a viable opportunity for growth, a level of innovation that
necessitates public sector investment and has the right team and approach to be successful
Keep your assessors engaged
and interested in your proposal.
You want them to be fascinated
and excited by your idea!
54. Scoring
• We review scores and feedback to check assessors are adhering to our guidelines and scoring
fairly
• In some cases, where we feel a score is unjust and not supported by feedback, we may remove
that score as an outlier and update the total score for the application
• Please be aware that both low and high outliers may be removed and as a result scores may
increase or decrease
If outliers are removed we are unable to reflect this change in the scores you receive as part of
your feedback due to this decision being reached outside the IFS system
55. Note on feedback
• The feedback is compiled using the written comments of the independent assessors who review
and assess the applications
• It is intended to be constructive in nature and to highlight both the strong as well as the weak
areas of your application
• Please bear in mind that because applications are assessed by a number of assessors, you may
receive information which appears to be conflicting. This may reflect their different interpretations
of the proposal that you submitted
• It must also be noted that some proposals may appear to have been favourably assessed based
on their comments, in such instances it could be that your proposal simply fell below the funding
threshold, with others achieving a higher merit score overall
56. Application assessment
• The score spread shows the difference between the
top and bottom scores
• If score spread is 30 or more we will look to see if an
outlier is apparent
• If there is a 3 or more appear in either the two
columns Count of No Scope or Count of No Recc’d
we review the applications feedback and if justified,
the application will not be eligible for funding
57. • The green box = particular assessor scores on an application
• The purple box = set of scores for a particular question
• The red box = at first glance this looks like an outlier
Identifying outliers
60. Notification
If you are unsuccessful in this competition:
- you can use the feedback from the assessors to develop your idea and apply into another
competition that allows previously submitted applications
For industry led projects, if you are successful in this competition:
- you will be assigned a Delivery Executive who will guide you through the Project Set Up process
- you will have 30 days to complete the project team, project details and bank details you will then
have 90 days to complete project set up – funding may be withdrawn if this is not completed
within this timeframe
For academic led projects, if you are successful in this competition, contracting and project
start up will be managed by EPSRC.
Please ensure all your contact details in the IFS portal are correct
and up to date and that you regularly monitor it
61. Industry Led Project Set Up
• All communication will be through IFS
• Lead applicant must provide collaboration agreements and exploitation
plans if applicable
Industry Led Project Delivery
• All grants are paid quarterly in arrears, and are only paid following
quarterly reporting and necessary audits
• Claims can only be made for costs incurred and paid between the
project start and end dates
• Monitoring of the project includes a visit from the appointed Monitoring
Officer
62. Academic Led Project Set Up
• EPSRC will contact successful academic led projects to arrange funding.
• Successful proposals through the IFS will be uploaded to the JeS system, through which the grant
will be awarded and administered.
• A single JeS form must be submitted for the whole project with finances input in line with those
confirmed through the IFS
• Payments will be made quarterly in common with other JeS administered grants
• Additional monitoring requirements will be in place to ensure compliance with the terms of the
competition and provide financial monitoring.
• Full terms and conditions are available when registering for the competition on IFS.
79. Approved for public release; distribution is unlimited. This research is sponsored by the Defense Advanced Research Projects Agency (DARPA) and the Air Force
Research Laboratory (AFRL), under contract FA8750-10-C-0237. The views, opinions, and/or findings contained in this article/presentation are those of the
author(s)/presenter(s) and should not be interpreted as representing the official views or policies of the Department of Defense or the U.S. Government.
CHERI
Capability Hardware Enhanced RISC Instructions
Robert N. M.Watson, Simon W. Moore, Peter Sewell, Peter G. Neumann
Hesham Almatary, Jonathan Anderson,Alasdair Armstrong, Peter Blandford-Baker, John Baldwin, Hadrien Barrel,Thomas Bauereiss,
Ruslan Bukin, David Chisnall, Jessica Clarke, Nirav Dave, Brooks Davis, Lawrence Esswood, Nathaniel W. Filardo, Franz Fuchs,
Khilan Gudka, Brett Gutstein,Alexandre Joannou, Robert Kovacsics, Ben Laurie,A.Theo Markettos, J. Edward Maste,Alfredo Mazzinghi,
Alan Mujumdar, Prashanth Mundkur, Steven J. Murdoch, Edward Napierala, Robert Norton-Wright, Philip Paeps, Lucian Paul-Trifu,
Ivan Ribeiro,Alex Richardson, Michael Roe, Colin Rothwell, Peter Rugg, Hassen Saidi, Peter Sewell,Thomas Sewell, Stacey Son,
Domagoj Stolfa,Andrew Turner, MunrajVadera, Jonathan Woodruff, Hongyan Xia, and Bjoern A. Zeeb
University of Cambridge and SRI International
DSbD Software Ecosystem Workshop – 5 October 2021
80. Approved for public release; distribution is unlimited.
This work was supported by the Defense Advanced Research Projects Agency (DARPA) and the Air Force Research
Laboratory (AFRL), under contract FA8750-10-C-0237 (“CTSRD”), with additional support from FA8750-11-C-0249
(“MRC2”), HR0011-18-C-0016 (“ECATS”), and FA8650-18-C-7809 (“CIFV”) as part of the DARPA CRASH, MRC, and
SSITH research programs.The views, opinions, and/or findings contained in this report are those of the authors and should
not be interpreted as representing the official views or policies of the Department of Defense or the U.S. Government.
This work was supported in part by the Innovate UK project Digital Security by Design (DSbD) Technology Platform
Prototype, 105694.
We also acknowledge the EPSRC REMS Programme Grant (EP/K008528/1), the ERC ELVER Advanced Grant (789108), the
Isaac Newton Trust, the UK Higher Education Innovation Fund (HEIF),Thales E-Security, Microsoft Research Cambridge,
Arm Limited, Google, Google DeepMind, HP Enterprise, and the Gates Cambridge Trust.
2
81. Introduction
• An introduction to the CHERI architecture and software stack
• To learn more about the CHERI architecture and prototypes:
http://www.cheri-cpu.org/
• Watson, et al. An Introduction to CHERI, UCAM-CL-TR-941,
September 2019.
• Watson, et al. CHERI C/C++ Programming Guide, UCAM-CL-
TR-947, June 2020.
3
82. Capability systems
• The capability system is a design pattern for how CPUs, languages,
OSes, … can control access to resources
• Capabilities are communicable, unforgeable tokens of authority
• In capability-based systems, resources are reachable only via capabilities
• Capability systems limit the scope and spread of damage from
accidental or intentional software misbehavior
• They do this by making it natural and efficient to implement, in
software, two security design principles:
• The principle of least privilege dictates that software should run with the
minimum privileges to perform its tasks
• The principle of intentional use dictates that when software holds multiple
privileges, it must explicitly select which to exercise
4
The CAP computer project ran from
1970-1977 at the University of
Cambridge, led by R. Needham, M.
Wilkes, and D.Wheeler.
83. What is CHERI? (2010-current)
• CHERI is an architectural protection model
• Composes a capability-system model with hardware and software
• Adds new security primitives to Instruction-Set Architectures (ISAs)
• Implemented by microarchitectural extensions to the CPU/SoC
• Enables new security behavior in software
• CHERI mitigates vulnerabilities in C/C++Trusted Computing Bases
• Hypervisors, operating systems, language runtimes, browsers, ….
• Fine-grained memory protection deterministically closes many arbitrary
code execution attacks, and directly impedes common exploit-chain tools
• Scalable compartmentalization mitigates many vulnerability classes ..
even unknown future classes .. by extending the idea of software sandboxing
• CHERI-RISC-V research architecture and prototype FPGA implementations
• Arm Morello: Industrial scale + quality demonstrator CPU, SoC, board
5
An early experimental FPGA-based
CHERI tablet prototype running the
CheriBSD operating system and
applications, Cambridge, 2013
85. Architectural primitives for software security
7
Microarchitecture
Compilers and toolchain
Systems software
Applications
Instruction-Set Architecture
(ISA)
CHERI capabilities are an architectural primitive that
compilers, systems software, and applications use to constrain
their own future execution
Software configures and uses capabilities to continuously
enforce safety properties such as referential, spatial, and
temporal memory safety, as well as higher-level security
constructs such as compartment isolation
The microarchitecture implements the capability data type
and tagged memory, enforcing invariants on their
manipulation and use such as capability bounds,
monotonicity, and provenance validity
86. CHERI design goals and approach
• De-conflate memory virtualization and protection
• Memory Management Units (MMUs) protect by location (address)
• CHERI protects existing references (pointers) to code, data, objects
• Reusing existing pointer indirection avoids adding new architectural
table lookups
• Architectural mechanism that enforces software policies
• Language-based properties – e.g., referential, spatial, and temporal
integrity (C/C++ compiler, linkers, OS model, runtime, …)
• New software abstractions – e.g., software compartmentalization
(confined objects for in-address-space isolation, …)
8
87. CHERI enforces protection semantics for pointers
• Integrity and provenance validity ensure that valid pointers are derived from other valid pointers via valid
transformations; invalid pointers cannot be used
• Valid pointers, once removed, cannot be reintroduced solely unless rederived from other valid pointers
• E.g., Received network data cannot be interpreted as a code/data pointer – even previously leaked pointers
• Bounds prevent pointers from being manipulated to access the wrong object
• Bounds can be minimized by software – e.g., stack allocator, heap allocator, linker
• Monotonicity prevents pointer privilege escalation – e.g., broadening bounds
• Permissions limit unintended use of pointers; e.g.,W^X for pointers
• These primitives not only allow us to implement strong spatial and temporal memory protection, but
also higher-level policies such as scalable software compartmentalization
9
Globals
Data
Heap Stack
Code
Control flow
Monotonicity Permissions
Integrity and
provenance validity Bounds
88. Two key use cases for CHERI
1. Efficient, fine-grained memory protection for C/C++
• Good source-level compatibility, but ABI disruptive to binaries
• Supports referential, spatial, and temporal memory safety (with limitations)
• Generally modest overhead (0%-5%, some workloads 10%)
2. Scalable software compartmentalization
• Multiple software operational models from objects to processes
• Orders-of-magnitude performance improvement over MMU-based
techniques (<90% reduction in overhead in early benchmarks)
Other potential – but under-explored – use cases include within managed
language runtimes, and as a substrate for safer inter-language interoperation
10
90. Memory-safe CHERI C/C++
• Capabilities used to implement all pointers
Implied – Control-flow pointers, stack pointers, GOTs, PLTs, …
Explicit – All C/C++-level pointers and references
• Strong referential, spatial, and heap temporal safety
• Minor changes to C/C++ semantics; e.g.,
• All pointers must have well defined single provenance
• Increased pointer size and alignment
• Care required with integer-pointer casts and types
• Memory-copy implementations may need to preserve tags
• Watson, et al. CHERI C/C++ Programming Guide,
UCAM-CL-TR-947, June 2020
12
91. CHERI-based pure-capability process memory
13
• Capabilities are substituted for integer addresses throughout the address space
• Bounds and permissions are minimized by software including the kernel, run-time
linker, memory allocator, and compiler-generated code
• Hardware permits fetch, load, and store only through granted capabilities
• Tags ensure integrity and provenance validity of all pointers
Memory
Stack
Code
Heap
Implied
pointer
Explicit
pointer
…
Thread
register
file
PLTs
Globals
captable
DDC
PCC
GPRs
NULL
NULL
NULL
93. What is software compartmentalization?
• Fine-grained decomposition of a larger
software system into isolated
modules to constrain the impact of
faults or attacks
• Goals is to minimize privileges
yielded by a successful attack, and
to limit further attack surfaces
• Usefully thought about as a graph of
interconnected components,
where the attacker’s goal is to
compromise nodes of the graph
providing a route from a point of entry
to a specific target
15
CheriFreeRTOS components and the application execute
in compartments. CHERI contains an attack within
TCP/IP compartment, which access neither flash nor the
internals of the software update (OTA) compartment.
94. Shared virtual address space
Register
file
Protection
domain
A
Protection
domain
B
Shared
heap
Domain-specific
captables + PLTs
Domain-specific
stacks
Domain-specific
globals
Heap
allocations
Register
file Domain B
heap
Domain A
heap
Cross-
domain
resources
Shared
code
Implied
pointer
Explicit
pointer
CHERI-based compartmentalization
• Isolated compartments can be created using closed graphs of capabilities,
combined with a constrained non-monotonic domain-transition mechanism
16
Protection
domain A
Protection
Domain B
Flexible set of
shared resources
95. Opportunities and challenges
• CHERI dramatically improves compartmentalization scalability
• More compartments
• More frequent domain transitions
• Faster shared memory between compartments
• Many potential use cases – e.g., sandbox processing of each image
in a web browser, processing each message in a mail application
• Unlike memory protection, software compartmentalization also
requires careful software refactoring to support strong
encapsulation, and affects the software operational model
17
96. Proposed operational models:
Isolated libraries and UNIX co-processes
Isolated dynamically linked libraries
• New API loads libraries into in-process sandboxes.
• Calling functions in isolated libraries performs a domain transition, with
overheads comparable to function calls.
• Simple model eschews asynchrony, independent debugging, etc.
UNIX co-processes
• Multiple processes share a single virtual address space, separated using
independent CHERI capability graphs.
• CHERI capabilities enable efficient sharing, domain transition.
• Rich model associates UNIX process with each compartment.
• Active area of research; early prototype available for co-processes
18
98. Porting the CHERI software stack to Morello
• Validate the Morello architecture (functional, sufficient)
• Evaluate the Morello implementation (performance, energy use, …)
• Provide reference software semantics (spatial and temporal safety,
compartmentalization, POSIX integration, OS kernel use, …)
• Act as a template and prototyping platform for industrial
demonstration (e.g., for Morello Consortium partners)
• Provide a platform for future research (e.g., 11 EPSRC projects at
UK universities starting August-October 2020)
20
99. CHERI prototype software stack on Morello
• Complete open-source CHERI-enabled software stack from bare metal up: compilers,
toolchain, debuggers, operating systems, applications – all demonstrating CHERI ideas
• Rich CHERI feature use, but fundamentally incremental/hybridized deployment
• Aim: Mature and highly useful research and development platform for Morello
21
CHERI-extended Google Hafnium hypervisor (Morello only)
CHERI Clang/LLVM compiler suite, LLD, LLDB, GDB
CheriBSD/Morello (funded by DARPA and UKRI)
• FreeBSD kernel + userspace, application stack
• Kernel spatial and referential memory protection
• Userspace spatial, referential, and temporal memory protection
• Co-process compartmentalization
• Intra-process compartmentalization
• Morello-enabled bhyve Type-2 hypervisor
• ARMv8-A 64-bit binary compatibility for legacy binaries
Open-source application suite (KDE, X11,WebKit, Python, OpenSSH, nginx, PostgresQL …)
Android (Arm)
(Morello only)
Linux (Arm)
(Morello only)
Baseline CHERI
Clang/LLVM from
SRI/Cambridge;
Morello
adaptation by
Arm + Linaro
100. CHERI Reference Software Stack development plan (prospective)
22
2021 2022
2021Q3 CHERI
software release
(8 September 2021)
Morello support
merged to
development trunk
Spatially safe
(pure-capability)
kernel merged to
development trunk
Morello bhyve
hypervisor support
merged to
development trunk
Temporally safe
userspace heap
merged to
development trunk
(lower certainty)
2022Q1 CHERI software release
(Roughly March/April 2022?)
Co-process userspace
compartmentalization
merged to development
trunk
(lower certainty)
Panfrost Morello
GPU support
merged to
development trunk
101. How to obtain and install the CHERI software stack
• One build tool to rule them all: cheribuild
https://github.com/CTSRD-CHERI/cheribuild
• Builds, installs, and/or runs:
• QEMU CHERI-RISC-V and Morello, Morello FVP
• CheriBSD/CHERI-RISC-V and Morello disk images
• Small suite of adapted third-party applications
• Up and running with one command (CHERI-RISC-V):
./cheribuild.py --include-dependencies run-riscv64-purecap
23
102. Getting support
• CHERI discussion mailing list (currently pretty quiet)
• cl-cheri-discuss mailing list
• cl-cheri-announce to be announced soon J
• Slack: cheri-cpu.slack.com
• Arm Morello support forum and mailing list on Morello-specific
topics
24
103. 3-month CHERI Desktop pilot study
Assess the viability of a CHERI/Morello-enabled open-source desktop
software stack:
• Select sample open-source stack slice (window server, widget, window
manager, application suite): X11, Qt, KDE, applications
• Implement CHERI C/C++ referential and spatial memory protection
• Whiteboard possible software compartmentalizations
• Evaluate software change as %LoC changed
• Evaluate security via retrospective vulnerability analysis (5 year sample)
• Improve CHERI compiler toolchain as needed
Detailed technical report published in mid-September 2021
25
104. Results summary
• Adapted XVNC, X11 libraries, supporting libraries (e.g., libpng, …), Qt, KDE, selected KDE
applications
• Roughly 6 million lines of C/C++ code compiled for memory safety, with light dynamic
testing
• Three compartmentalization case studies in Qt/KDE
• Mitigation rates for selected software:
• 91% of X11 security advisories
• 100% of supporting library vulnerabilities (e.g., libpng, libxml2, …)
• 82% of Qt security advisories
• 43% of KDE security advisories
• Plenty of limitations discussed in detail in the report (e.g., language runtimes omitted)
• Lots of details in the technical report on CapLtd website - http://www.capabilitieslimited.co.uk/
26
106. Some potential software research areas
• Clean-slate OSes and languages
Current research has focused on incremental CHERI adoption
within current software and languages. How would we design new
OSes, languages, etc., assuming CHERI as an ISA baseline?
• Compilers, language runtimes, and JITs
How can we mitigate the performance overheads of more
pointer-dense executions, such as with language runtimes? Are
vulnerabilities in code generated by compilers and JIT susceptible
to mitigation using CHERI? How does CHERI break or potentially
improve current compiler analyses and optimization?
• Further C/C++ protections with CHERI
We have focused on spatial, referential, and temporal memory
safety for C/C++. But the CHERI primitives could assist with
data-oriented protections, garbage collection, type checking, etc.
Could these improve security, and at what performance cost?
• Safe and managed languages
Languages such as Java, Rust, C#, OCaml, etc., offer strong safety
properties, but frequently depend on C/C++ runtimes and FFI-
linked native code. Can CHERI provide stronger foundations for
higher-level language stacks?
• Virtualization
Can memory protection usefully harden hypervisors? Can we
compartmentalize hypervisors? Can CHERI offer a better
mechanism for virtualizing code than an MMU?
• Debuggers and tracing
Debugging/tracing tools rely on high levels of privilege to
operate. How can we reduce their privilege to mitigate
vulnerabilities in these tools? With stronger architectural
semantics, is new dynamic analysis possible?
• Software compartmentalization tools
Granular software compartmentalization offers vulnerability
mitigation through privilege reduction and strong encapsulation.
How should current applications be refactored, and new
applications be designed, to accomplish maintainable and more
secure software?
• Security evaluation and adversarial research
What is the impact of CHERI on known vulnerabilities and
attack techniques? How does a CHERI-aware attacker change
their behavior? Could formal models and proofs support
stronger security arguments for CHERI?
28
107. Conclusion
• New architectural primitives require rich HW and SW evaluation:
• Primitives support many potential usage patterns, use cases
• Applicable uses depend on compatibility, performance,
effectiveness
• Best validation approach: full hardware-software prototype
http://www.cheri-cpu.org/
• Watson, et al. An Introduction to CHERI,Technical Report
UCAM-CL-TR-941, Computer Laboratory, September 2019.
• Watson, et al. CHERI C/C++ Programming Guide, UCAM-CL-
TR-947, June 2020. 29