CHERI for Hypervisors and Operating Systems (CHaOS)
Lead Research Organisation:
University of Cambridge
Department Name: Computer Science and Technology
Abstract
Software compartmentalisation is the decomposition of larger software packages - such as web browsers or OS kernels - into isolated components. Each is granted limited rights to use system services or communicate with other isolated components. Intuitively, vulnerability mitigation from compartmentalisation is grounded in the principle of least privilege, which argues that security is improved by minimising the set of privileges available to a component to only those it requires. A compromised component then yields fewer rights to a successful attacker and exposes less further attack surface.
In prior work, we have developed CHERI, a set of architectural extensions to RISC instruction-set architectures to support efficient, fine-grained memory protection and scalable software compartmentalisation. Supported by the UK Industrial Strategy Challenge Fund (ISCF), Arm is creating the Morello CPU, SoC, and board, a high-end, industrial-quality demonstrator of the CHERI principles embodied within a commercial hardware design. This platform has the potential to support far more granular and more easily integrated compartmentalisation than conventional hardware designs. However, the current research software stacks for CHERI have been almost entirely focused on memory protection rather than compartmentalisation -- in part because the software operational models associated with CHERI-based compartmentalisation have not yet been established.
We propose to design, prototype, and evaluate new CHERI-based compartmentalisation techniques usable to support fine-grained, scalable software compartmentalisation of real-world software on the Morello board, building a deep understanding (as well as practical prototypes) spanning a rich range of use cases and operational models. CHaOS will enable extensive adoption of software compartmentalisation in systems software stacks, offering strong mitigation for many known (and also still-to-be-discovered) vulnerability classes and exploit techniques affecting server, desktop, mobile, and embedded systems.
CHaOS will investigate the hypotheses that: (1) CHERI can support multiple effective operational models for compartmentalisation; (2) approaches to CHERI compartmentalisation must cater to substantial differences up and down the systems stack; (3) detailed elaboration of compartmentalisation will turn up critical practical considerations (e.g., as relates to debugging); and (4) further refinement of the CHERI (and Morello) architectures may be required as a result of lessons learned in this work.
We will explore these hypotheses across the systems software stack: the hypervisor, general-purpose OS kernel, and user applications. Our existing open-source corpus adapted for CHERI memory safety will be our starting point: the FreeBSD kernel and userspace, the PostgreSQL database, and Apple's WebKit. With our industrial partners on this proposal (Arm, Google, HPI, and Microsoft), we will extend our investigation to include Arm's Morello Android, Google's Hafnium hypervisor, HPI's printer software stack, and Microsoft's Verona language runtime.
Planned Impact
Economic and societal impact lies at the heart of the Industrial Strategy Challenge Fund (ISCF) Digital Security by Design (DSbD) programme, in which our prior work on CHERI constitutes an essential core technology, now being prototyped at scale via the Arm Morello CPU, SoC, and board. The DSbD challenge argues that enhanced processor security can close many of the most critical security vulnerabilities that have made widespread malware and ransomware attacks, hacking, and other malicious activities essentially trivial to perform given current system designs. If successful, Morello has the potential to inform all of Arm's future processor product lines, used in trillions of devices ranging from Internet of Things (IoT) and embedded, to mobile devices, to servers. The potential economic and societal impact of more trustworthy systems will arise not just from decreased actual damage (e.g., NHS outages due to WannaCry), but also from increased confidence to deploy computer systems in security- and safety-critical contexts such as autonomous vehicles and medical systems.
CHERI directly targets these ubiquitous software vulnerabilities via efficient, fine-grained memory protection for C/C++ software, and scalable software compartmentalisation. Of these two approaches, only the former, memory protection, is currently grounded in strong practical understanding. However, software compartmentalisation carries with it the potentially more significant security effect, being one of the few known techniques to address not just known vulnerability classes and exploit techniques, but also future undiscovered ones. Unlike CHERI memory protection, there is a strong argument for improved performance and reduced energy use with CHERI compartmentalisation, as compared to baseline MMU-based designs.
Success of the DSbD programme, and widespread adoption of CHERI, depends integrally on the success of software compartmentalisation, which is the key challenge addressed by CHaOS.
There is a strong industrial desire to deploy increased compartmentalisation - but little appetite for the current performance and power expense. In collaboration with our industrial partners, we will apply CHERI-based compartmentalisation to elements of several critical software ecosystems including FreeBSD, Android/Linux, iOS/macOS, Windows, and the HP printer stack. If successful, this project will enable widespread deployment of fine-grained software compartmentalisation, mitigating not only many known vulnerability classes and exploit techniques, but also future as-yet undiscovered vulnerability classes and exploit techniques. Our approach will protect billions of devices, from Android/iOS mobile phones and tablets to the Sony PlayStation, Juniper routers, and HP laser printers, as well as cloud services such as Netflix and Azure, from trivial attacks that are highly damaging today, and will extend the same protection to future classes of computing devices, including many billions more IoT devices.
People | Robert Watson (Principal Investigator) |
Publications
Grisenthwaite R (2023) The Arm Morello Evaluation Platform: Validating CHERI-Based Security in a High-Performance System, in IEEE Micro
Description | The CHERI computer architecture has been demonstrated to support highly scalable software compartmentalisation through the library compartmentalisation design and implementation developed in the CHaOS project. |
Exploitation Route | CHaOS has laid the groundwork for new research into analysis and tooling to support human-driven software compartmentalisation efforts -- i.e., not just at library boundaries, but other arbitrary points in software structure intended to support stronger security goals. |
Sectors | Aerospace, Defence and Marine; Digital/Communication/Information Technologies (including Software); Healthcare |
Description | Our compartmentalisation models are the de facto standard compartmentalisation implementations used on Arm's prototype Morello hardware (jointly funded with UKRI as part of ISCF), and will be used by dozens of companies and universities in the UK and internationally as part of the UKRI Digital Security by Design programme. Current industrial consumers include Google, Microsoft, and Arm in their research environments. The library compartmentalisation implementation from CHaOS is the first viable, large-scale compartmentalisation approach available to these industrial use cases. |
First Year Of Impact | 2023 |
Sector | Aerospace, Defence and Marine; Digital/Communication/Information Technologies (including Software); Security and Diplomacy |
Description | Collaboration with Google |
Organisation | |
Department | Google UK |
Country | United Kingdom |
Sector | Private |
PI Contribution | We have regular meetings with teams from Google, sharing research results from our work, and engaging with their product teams on potential use cases. |
Collaborator Contribution | During our meetings, we have reviewed a large number of potential use cases for CHERI-based compartmentalisation in Google products including Android, the Chromium web browser, and others. This has been extremely helpful in formulating our ideas and preparing for experimental deployment and evaluation. Members of multiple Google teams attend our regular project meetings, including from GChips and Google Research, and collaborate with us on papers, reports, and specifications. |
Impact | Our improving research prototypes addressing Google requirements, with the intention of experimental Google use as they mature. |
Start Year | 2020 |
Description | Collaboration with, and funding from, Microsoft Research Cambridge |
Organisation | Microsoft Research |
Department | Microsoft Research Cambridge |
Country | United Kingdom |
Sector | Private |
PI Contribution | Our collaboration is around co-process compartmentalisation, a form of CHERI-based compartmentalisation implementing a higher-performance version of the UNIX process model. A PhD student working closely with the CHaOS team, supported by a Microsoft ICASE award, is developing a user-level microkernel over the co-process model. |
Collaborator Contribution | Microsoft Research Cambridge has supported an EPSRC ICASE award for the PhD student, who is building a user-level microkernel running over the co-process model designed and implemented by a research engineer supported by CHaOS. We meet with Microsoft Research monthly to discuss this work, and are preparing for the student to attend an internship at Microsoft this summer to collaborate more closely with the group. Further, multiple members of the MSR CHERI / Morello team are engaged closely with us in the design of the co-process model, even beyond the PhD student's work. |
Impact | An in-progress open-source software prototype of the 'comsg' IPC model and userspace microkernel. |
Start Year | 2021 |
Description | SRI International |
Organisation | SRI International (inc) |
Country | United States |
Sector | Charity/Non Profit |
PI Contribution | We have developed co-process and other compartmentalisation models as part of our EPSRC CHaOS work. SRI International and Cambridge will now receive joint DARPA funding to extend this work to explore application prototypes and further techniques. |
Collaborator Contribution | Our collaboration will begin in April 2022. |
Impact | This is a long-term research partnership, but the collaboration around the CHaOS compartmentalisation work is quite recent and doesn't yet have outputs. |
Start Year | 2021 |
Title | CheriBSD 22.12 |
Description | The CheriBSD research operating system runs on the CHERI-RISC-V and Arm Morello architectures, demonstrating tight integration of CHERI support into a richly featured, open-source operating system. The December 2022 release, 22.12, incorporates support for a memory-safe graphics stack, a large collection of memory-safe software packages, and experimental support for library compartmentalisation. |
Type Of Technology | Software |
Year Produced | 2022 |
Open Source License? | Yes |
Impact | In extensive use across the UKRI Digital Security by Design (DSbD) research ecosystem of dozens of companies and universities across the UK, as well as a number of industrial research labs around the world running on Arm Morello boards. |
URL | https://cheribsd.org/ |
Title | CheriBSD 23.11 |
Description | CheriBSD 23.11 is an OS software release that includes support for library compartmentalisation developed as part of the CHaOS project. |
Type Of Technology | Software |
Year Produced | 2023 |
Open Source License? | Yes |
Impact | It has enabled the first large-scale software compartmentalisations with low effort. CheriBSD 23.11 is being used across the UKRI DSbD research ecosystem for other early pilot projects on software compartmentalisation using CHERI. |
URL | https://www.cheribsd.org/ |