Capable VMs
Lead Research Organisation:
University of Glasgow
Department Name: School of Computing Science
Abstract
Abstracts are not currently available in GtR for all funded research. This is normally because the abstract was not required at the time of proposal submission, but may be because it included sensitive information such as personal details.
Organisations
People |
ORCID iD |
| Jeremy Singer (Principal Investigator) |
Publications
Bramley J
(2023)
Picking a CHERI Allocator: Security and Performance Considerations
Bramley J
(2023)
Picking a CHERI Allocator: Security and Performance Considerations
Egger B
(2023)
Towards Secure MicroPython on Morello (WIP)
Jacob D
(2022)
Boehm-Demers-Weiser Garbage Collection on Morello
Kell S
(2020)
Notes on notebooks: is Jupyter the bringer of jollity?
Lowther D
(2023)
Morello MicroPython: A Python Interpreter for CHERI
Lowther D
(2023)
CHERI Performance Enhancement for a Bytecode Interpreter
Lowther D
(2023)
CHERI Performance Enhancement for a Bytecode Interpreter
| Description | The concept of CHERI-style hardware capabilities does improve cybersecurity for low-level systems software such as runtime memory managers and bytecode interpreters. There are some runtime performance overheads but further experimentation is required to ascertain whether these are significant. |
| Exploitation Route | Secure systems software will benefit from using capabilities - in particular we provide a secure garbage collection framework based on the Boehm-Demers-Weiser collector and a bytecode interpreter based on the MicroPython system. More generally, our experience is that software can be modified for CHERI / Morello with minimal source code updates and ideally, without excessive runtime overhead. Our software is available under permissive open source licenses and will be distributed as CheriBSD packages directly. |
| Sectors | Aerospace Defence and Marine Digital/Communication/Information Technologies (including Software) Electronics Security and Diplomacy |
| URL | https://capablevms.github.io |
| Description | We have made excellent progress with this Digital Security by Design project. In collaboration with Arm, we have demonstrated the potential of the CHERI / Morello prototype capability platform for improving the secure execution of programming language virtual machines and language runtime systems. Along with contacts at Arm, we have developing and adapted open-source virtual machine code to harness the CHERI memory safety properties and explore lightweight software compartmentalization models. These findings have been materialized in open-source projects including the Boehm garbage collector and the MicroPython language runtime. |
| First Year Of Impact | 2022 |
| Sector | Digital/Communication/Information Technologies (including Software),Security and Diplomacy |
| Impact Types | Economic |
| Description | M4Secure: Making Memory Management More Secure |
| Amount | £457,857 (GBP) |
| Funding ID | EP/X037525/1 |
| Organisation | Engineering and Physical Sciences Research Council (EPSRC) |
| Sector | Public |
| Country | United Kingdom |
| Start | 08/2023 |
| End | 08/2026 |
| Description | Scotland-Asia Partnerships Higher education Research (SAPHIRE) Fund |
| Amount | £5,500 (GBP) |
| Organisation | Royal Society of Edinburgh (RSE) |
| Sector | Charity/Non Profit |
| Country | United Kingdom |
| Start | 03/2024 |
| End | 06/2024 |
| Description | Secure MicroPython for Morello |
| Amount | £99,662 (GBP) |
| Funding ID | DSTL0000013741 |
| Organisation | Defence Science & Technology Laboratory (DSTL) |
| Sector | Public |
| Country | United Kingdom |
| Start | 03/2023 |
| End | 12/2023 |
| Title | Boehm-Demers-Weiser Garbage Collector for CHERI |
| Description | The Boehm-Demers-Weiser garbage collector is a conservative collector for C/C++ applications, which has been ported to CHERI/Morello hardware - taking advantage of hardware-assisted security mechanisms. |
| Type Of Technology | Software |
| Year Produced | 2022 |
| Open Source License? | Yes |
| Impact | Published papers. First proof-of-concept that garbage collection works on capability hardware. |
| URL | https://github.com/capablevms/bdwgc |
| Title | CHERI examples repository |
| Description | A portfolio of sample C programs that demonstrate CHERI / capability features targetting RISC-V and Arm/Morello emulators. |
| Type Of Technology | Software |
| Year Produced | 2021 |
| Open Source License? | Yes |
| Impact | Engagement with other members of the Digital Security by Design research community in the UK, sharing knowledge and experiences with the CHERI platform. |
| URL | https://github.com/capablevms/cheri-examples |
| Title | MicroPython for CHERI |
| Description | MicroPython is a lean implementation of a Python bytecode interpreter. This variant of MicroPython is an adaptation of the system for pure capability (memory safe) platforms like CHERI. |
| Type Of Technology | Software |
| Year Produced | 2023 |
| Open Source License? | Yes |
| Impact | Adoption of MicroPython interpreter in the CheriBSD operating system package library for Morello, as part of the Digital Security by Design ecosystem. Memory safety bug fixes upstreamed to original MicroPython distribution. FreeBSD Foundation DSbD Ecosystem Beacon Awards Honourable Mention 2024. |
| URL | https://github.com/glasgowPLI/micropython |
| Title | glasgowPLI/micropython: CC 2025 Artifact Evaluation |
| Description | This release of our CHERIoT MicroPython software is intended for artifact evaluation for the CC 2025 conference. It contains the full set of performance results from our paper, evaluated across 10 Python benchmarks on the Sonata system, comparing both CHERI and non-CHERI builds of MicroPython. In the accompanying evaluation.zip file (https://github.com/glasgowPLI/micropython/releases/download/cheriot-cc-2025-eval/evaluation.zip) (a binary asset in our github release), there are full instructions regarding artifact evaluation in the README.md file. |
| Type Of Technology | Software |
| Year Produced | 2025 |
| Impact | 3x ACM artifact reproducibility badges awarded. |
| URL | https://zenodo.org/doi/10.5281/zenodo.14685666 |
| Description | CHERI workshop (Australia) |
| Form Of Engagement Activity | A talk or presentation |
| Part Of Official Scheme? | No |
| Geographic Reach | International |
| Primary Audience | Industry/Business |
| Results and Impact | 30 technical experts attended a briefing session on CHERI technology, to learn about how to apply it to legacy C/C++ systems code. |
| Year(s) Of Engagement Activity | 2024 |
| URL | https://comp.anu.edu.au/foundations/seminars/past/2024-05-17/ |
| Description | CHERI workshop (Singapore) |
| Form Of Engagement Activity | Participation in an activity, workshop or similar |
| Part Of Official Scheme? | No |
| Geographic Reach | International |
| Primary Audience | Professional Practitioners |
| Results and Impact | 50 software engineers from university and industry attended a briefing session on CHERI technology. |
| Year(s) Of Engagement Activity | 2024 |
| Description | Capable VMs project poster |
| Form Of Engagement Activity | Participation in an activity, workshop or similar |
| Part Of Official Scheme? | No |
| Geographic Reach | International |
| Primary Audience | Professional Practitioners |
| Results and Impact | We had a poster about our project on display at an international research conference, which started lots of conversations about the concept of CHERI memory safety and the need for secure-by-design systems. |
| Year(s) Of Engagement Activity | 2023 |
| URL | https://2023.splashcon.org/home/mplr-2023 |
| Description | Cyber UK Conference 2023 |
| Form Of Engagement Activity | Participation in an activity, workshop or similar |
| Part Of Official Scheme? | No |
| Geographic Reach | National |
| Primary Audience | Professional Practitioners |
| Results and Impact | I had a demonstration on the UKRI stand at the Cyber UK 2023 event in Belfast, showing how memory safety worked on CHERI in the context of garbage collected applications. Over two days, around 200 people attended the demo and interacted with it. |
| Year(s) Of Engagement Activity | 2023 |
| URL | https://www.cyberuk.uk/ |
| Description | DSbD showcase event |
| Form Of Engagement Activity | Participation in an activity, workshop or similar |
| Part Of Official Scheme? | No |
| Geographic Reach | National |
| Primary Audience | Industry/Business |
| Results and Impact | We demonstrated secure CHERI runtime technologies in a booth at the DSbD showcase event in London. |
| Year(s) Of Engagement Activity | 2024 |
| URL | https://www.dsbd.tech/event/uks-digital-security-by-design-showcase-2025/ |
| Description | Digital DNA Glasgow 2023 event |
| Form Of Engagement Activity | Participation in an activity, workshop or similar |
| Part Of Official Scheme? | No |
| Geographic Reach | Regional |
| Primary Audience | Industry/Business |
| Results and Impact | We had a UKRI-sponsored stand at this Cyber Security trade show. Around 50 people attended and interacted with our Morello/Arm CHERI demo device. We had interesting discussions about cyber security. |
| Year(s) Of Engagement Activity | 2023 |
| URL | https://digitaldna.org.uk/digital-dna-glasgow-2023/ |
| Description | FutureScot Cyber Security Show |
| Form Of Engagement Activity | Participation in an activity, workshop or similar |
| Part Of Official Scheme? | No |
| Geographic Reach | National |
| Primary Audience | Professional Practitioners |
| Results and Impact | Around 200 people attended the FutureScot Cyber Security show in Glasgow, 27 Feb 2024. We had a stall demonstrating CHERI hardware and capability-enabled software - which provoked lots of conversations, raising awareness about memory-safe technologies. We also had a Q+A time in the plenary session with more than 200 participants. |
| Year(s) Of Engagement Activity | 2024 |
| URL | https://futurescot.com/futurescot-conferences/cyber-security-2024/ |
| Description | High School visit (Gryffe) |
| Form Of Engagement Activity | Participation in an activity, workshop or similar |
| Part Of Official Scheme? | No |
| Geographic Reach | Local |
| Primary Audience | Schools |
| Results and Impact | At a school careers event, I spoke to around 50 pupils about Cybersecurity, and gave a high-level overview of CHERI / Digital Security by Design. |
| Year(s) Of Engagement Activity | 2022 |
| Description | Research visit to Chalmers University, Sweden |
| Form Of Engagement Activity | A talk or presentation |
| Part Of Official Scheme? | No |
| Geographic Reach | International |
| Primary Audience | Postgraduate students |
| Results and Impact | Presentation on CHERI / capabilities, including an overview of how garbage collection works in a capability system. |
| Year(s) Of Engagement Activity | 2022 |
| Description | SICSA PhD summer school |
| Form Of Engagement Activity | Participation in an activity, workshop or similar |
| Part Of Official Scheme? | No |
| Geographic Reach | National |
| Primary Audience | Postgraduate students |
| Results and Impact | 30 PhD students attended an interactive workshop on CHERI technologies as part of a cybersecurity summer school. |
| Year(s) Of Engagement Activity | 2024 |
| URL | https://sicsa.ac.uk/event/2024-sicsa-phd-conference/ |
| Description | Scottish Programming Languages Seminar |
| Form Of Engagement Activity | A talk or presentation |
| Part Of Official Scheme? | No |
| Geographic Reach | National |
| Primary Audience | Professional Practitioners |
| Results and Impact | Hybrid seminar presentation (50 in-person plus 50 online) about Digital Security by Design, in particular memory management on CHERI platforms. Numerous conversations followed, and we are investigating possible partnerships with other organizations to exploit this work. |
| Year(s) Of Engagement Activity | 2022 |
| URL | https://spls-series.github.io/meetings/2022/march/ |
| Description | Singapore DSO lab visit |
| Form Of Engagement Activity | Participation in an open day or visit at my research institution |
| Part Of Official Scheme? | No |
| Geographic Reach | International |
| Primary Audience | Policymakers/politicians |
| Results and Impact | Visitors from Singapore came to our lab to learn about Digital Security by Design, in particular about hardware assisted mechanisms for secure systems. They were interested in the work and would like to launch some collaborative activities. |
| Year(s) Of Engagement Activity | 2022 |
| URL | https://www.gla.ac.uk/colleges/socialsciences/research/interdisciplinaryresearchthemes/headline_8779... |
| Description | Strathclyde Cybersecurity summer school |
| Form Of Engagement Activity | Participation in an activity, workshop or similar |
| Part Of Official Scheme? | No |
| Geographic Reach | International |
| Primary Audience | Postgraduate students |
| Results and Impact | 50 computing students learned about CHERI technologies in a hands-on workshop. |
| Year(s) Of Engagement Activity | 2024 |
| URL | https://www.strath.ac.uk/science/computerinformationsciences/strathcyber/cybercrimesummerschool/ |
| Description | Summer School lecture on Capabilities |
| Form Of Engagement Activity | Participation in an activity, workshop or similar |
| Part Of Official Scheme? | No |
| Geographic Reach | National |
| Primary Audience | Postgraduate students |
| Results and Impact | Around 100 people attended the PhD summer school on Programming Languages and Verification, at which I gave an invited lecture on 'Capabilities for Coders' - a generalist introduction to CHERI. There were many questions and comments following the talk, and a number of students followed up by downloading the software for CHERI. |
| Year(s) Of Engagement Activity | 2022 |
| URL | https://www.macs.hw.ac.uk/splv/splv-2022/ |
| Description | Visit to Heriot Watt University |
| Form Of Engagement Activity | A talk or presentation |
| Part Of Official Scheme? | No |
| Geographic Reach | Local |
| Primary Audience | Postgraduate students |
| Results and Impact | Presentation about profiling cybersecure systems, for ensuring efficiency of memory allocators in CHERI. Lots of followup questions; one researcher then ordered a Morello machine for their own research project. |
| Year(s) Of Engagement Activity | 2023 |
| Description | Zoom workshop (hosted by Queen's University Belfast) on Programming |
| Form Of Engagement Activity | A talk or presentation |
| Part Of Official Scheme? | No |
| Geographic Reach | Regional |
| Primary Audience | Postgraduate students |
| Results and Impact | 30 students and professionals attended a remote workshop, discussing aspects of programming and security. |
| Year(s) Of Engagement Activity | 2021 |