CHERI for Hypervisors and Operating Systems (CHaOS)

Lead Research Organisation: University of Cambridge
Department Name: Computer Science and Technology

Abstract

Software compartmentalisation is the decomposition of larger software packages, such as web browsers or OS kernels, into isolated components. Each component is granted limited rights to use system services or to communicate with other isolated components. Intuitively, the vulnerability mitigation that compartmentalisation provides is grounded in the principle of least privilege, which argues that security is improved by reducing the set of privileges available to each component to those it actually requires. Compromised software therefore yields fewer rights to a successful attacker and exposes a smaller further attack surface.

In prior work, we have developed CHERI, a set of architectural extensions to RISC instruction-set architectures to support efficient, fine-grained memory protection and scalable software compartmentalisation. Supported by the UK Industrial Strategy Challenge Fund (ISCF), Arm is creating the Morello CPU, SoC, and board, a high-end, industrial-quality demonstrator of the CHERI principles embodied within a commercial hardware design. This platform has the potential to support far more granular and more easily integrated compartmentalisation than conventional hardware designs. However, the current research software stacks for CHERI have been almost entirely focused on memory protection rather than compartmentalisation, in part because the software operational models associated with CHERI-based compartmentalisation have not yet been established.

We propose to design, prototype, and evaluate new CHERI-based compartmentalisation techniques usable to support fine-grained, scalable software compartmentalisation of real-world software on the Morello board, building a deep understanding (as well as practical prototypes) spanning a rich range of use cases and operational models. CHaOS will enable extensive adoption of software compartmentalisation in systems software stacks, offering strong mitigation for many known (and also still-to-be-discovered) vulnerability classes and exploit techniques affecting server, desktop, mobile, and embedded systems.

CHaOS will investigate the hypotheses that: (1) CHERI can support multiple effective operational models for compartmentalisation; (2) approaches to CHERI compartmentalisation must cater to substantial differences up and down the systems stack; (3) detailed elaboration of compartmentalisation will turn up critical practical considerations (e.g., as relates to debugging); and (4) further refinement of the CHERI (and Morello) architectures may be required as a result of lessons learned in this work.

We will explore these hypotheses across the systems software stack: the hypervisor, general-purpose OS kernel, and user applications. Our existing open-source corpus adapted for CHERI memory safety will be our starting point: the FreeBSD kernel and userspace, the PostgreSQL database, and Apple's WebKit. With our industrial partners on this proposal (Arm, Google, HPI, and Microsoft), we will extend our investigation to include Arm's Morello Android, Google's Hafnium hypervisor, HPI's printer software stack, and Microsoft's Verona language runtime.

Planned Impact

Economic and societal impact lie at the heart of the Industrial Strategy Challenge Fund (ISCF) Digital Security by Design (DSbD) programme, in which our prior work on CHERI constitutes an essential core technology, now being prototyped at scale via the Arm Morello CPU, SoC, and board. The DSbD challenge argues that enhanced processor security can close many of the most critical security vulnerabilities that have made widespread malware and ransomware attacks, hacking, and other malicious activities essentially trivial to perform given current system designs. If successful, Morello has the potential to inform all of Arm's future processor product lines, used in trillions of devices ranging from Internet of Things (IoT) and embedded, to mobile devices, to servers. The potential economic and societal impact of more trustworthy systems will arise not just from decreased actual damage (e.g., NHS outages due to WannaCry), but also from increased confidence to deploy computer systems in security- and safety-critical contexts such as autonomous vehicles and medical systems.

CHERI directly targets these ubiquitous software vulnerabilities via efficient, fine-grained memory protection for C/C++ software, and scalable software compartmentalisation. Of these two pitches, only the former, memory protection, is currently grounded in strong practical understanding. However, software compartmentalisation carries with it the potentially more significant security effect, being one of the few known techniques to address not just known vulnerability classes and exploit techniques, but also future undiscovered ones. Unlike CHERI memory protection, CHERI compartmentalisation also has a strong argument for improved performance and reduced energy use as compared to baseline MMU-based designs.

Success of the DSbD programme, and widespread adoption of CHERI, depends integrally on the success of software compartmentalisation, which is the key challenge addressed by CHaOS.
There is a strong industrial desire to deploy increased compartmentalisation, but little appetite for its current performance and power expense. In collaboration with our industrial partners, we will apply CHERI-based compartmentalisation to elements of several critical software ecosystems including FreeBSD, Android/Linux, iOS/macOS, Windows, and the HP printer stack. If successful, this project will enable widespread deployment of fine-grained software compartmentalisation, mitigating not only many known vulnerability classes and exploit techniques, but also future, as-yet undiscovered ones. Our approach will protect billions of devices, from Android/iOS mobile phones and tablets to the Sony PlayStation, Juniper routers, and HP laser printers, as well as cloud services such as Netflix and Azure that build on these ecosystems, from trivial attacks that are highly damaging today, and will extend to future classes of computing devices, including many billions more IoT devices.

Publications

Description: Our compartmentalisation models are the de facto standard compartmentalisation implementations used on Arm's prototype Morello hardware (jointly funded with UKRI as part of ISCF), and will be used by dozens of companies and universities in the UK and internationally as part of the UKRI Digital Security by Design programme. Current industrial consumers include Google, Microsoft, and Arm in their research environments.
First Year Of Impact: 2023
Sector: Digital/Communication/Information Technologies (including Software)
 
Description: Collaboration with Google
Organisation: Google
Department: Google UK
Country: United Kingdom
Sector: Private
PI Contribution: We have regular meetings with teams from Google, sharing research results from our work, and engaging with their product teams on potential use cases.
Collaborator Contribution: During our meetings, we have reviewed a large number of potential use cases for CHERI-based compartmentalisation in Google products including Android, the Chromium web browser, and others. This has been extremely helpful in formulating our ideas and preparing for experimental deployment and evaluation. Members of multiple Google teams attend our regular project meetings, including from GChips and Google Research, and collaborate with us on papers, reports, and specifications.
Impact: Our improving research prototypes addressing Google requirements, with the intention of experimental Google use as they mature.
Start Year: 2020
 
Description: Collaboration with, and funding from, Microsoft Research Cambridge
Organisation: Microsoft Research
Department: Microsoft Research Cambridge
Country: United Kingdom
Sector: Private
PI Contribution: Our collaboration is around co-process compartmentalisation, a form of CHERI-based compartmentalisation implementing a higher-performance version of the UNIX process model. A PhD student working closely with the CHaOS team, supported by a Microsoft ICASE award, is developing a user-level microkernel over the co-process model.
Collaborator Contribution: Microsoft Research Cambridge has supported an EPSRC ICASE award for the PhD student, who is building a user-level microkernel running over the co-process model designed and implemented by a research engineer supported by CHaOS. We meet with Microsoft Research monthly to discuss this work, and are preparing for the student to attend an internship at Microsoft this summer to collaborate more closely with the group. Further, multiple members of the MSR CHERI / Morello team are engaged closely with us in the design of the co-process model, even beyond the PhD student's work.
Impact: An in-progress open-source software prototype of the 'comsg' IPC model and userspace microkernel.
Start Year: 2021
 
Description: SRI International
Organisation: SRI International (inc)
Country: United States
Sector: Charity/Non Profit
PI Contribution: We have developed co-process and other compartmentalisation models as part of our EPSRC CHaOS work. SRI International and Cambridge will now receive joint DARPA funding to extend this work to explore application prototypes and further techniques.
Collaborator Contribution: Our collaboration will begin in April 2022.
Impact: This is a long-term research partnership, but the collaboration around the CHaOS compartmentalisation work is quite recent and doesn't yet have outputs.
Start Year: 2021
 
Title: CheriBSD 22.12
Description: The CheriBSD research operating system runs on the CHERI-RISC-V and Arm Morello architectures, demonstrating tight integration of CHERI support into a richly featured, open-source operating system. The December 2022 release, 22.12, incorporates support for a memory-safe graphics stack, a large collection of memory-safe software packages, and experimental support for library compartmentalisation.
Type Of Technology: Software
Year Produced: 2022
Open Source License?: Yes
Impact: In extensive use across the UKRI Digital Security by Design (DSbD) research ecosystem of dozens of companies and universities across the UK, as well as a number of industrial research labs around the world running on Arm Morello boards.
URL: https://cheribsd.org/