ARM’s Morello Runs CheriBSD

“CHERI” is a project at Cambridge University based on a very old concept for implementing memory/process protection on computer hardware: that of “capabilities”. Instead of having specially-trusted kernel code run in a privileged mode that is allowed to do pretty much anything, capabilities allow for a more decentralized model, with distribution and separation of different areas of trust. The capability concept fell out of favour, because its implementation overhead was greater than the processor-privilege-level (also often described as “privilege rings”) concept that is so commonplace today. But with the increase in security vulnerabilities like Meltdown and Spectre, there is increasing interest in alternative approaches that might reduce complexity, hopefully with less of a performance cost than the fixes that were needed to mitigate those vulnerabilities. ARM Ltd’s experimental “Morello” chip is an implementation of the CHERI concept. And it has got as far as running CheriBSD, which is a specially-adapted variant of FreeBSD. This now includes Wayland as the GUI server, and it provides a KDE Plasma desktop on top of that, according to <https://www.theregister.com/2022/07/26/cheri_computer_runs_kde/>. All this code has been tweaked, where appropriate, to remove the assumptions of arbitrary access to process memory allowed by conventional C pointers, in favour of the more restricted access controlled by capabilities. The CHERI project started with MIPS-based hardware, and besides being on ARM now, it looks to be coming to RISC-V as well. By the way, the Linux kernel has already (mis)used the term “capability” to refer to an entirely different concept <https://manpages.debian.org/bullseye/manpages/capabilities.7.en.html>. Those familiar with the process-privilege system on old VMS from DEC may notice some resemblance ...
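To make the contrast between a conventional C pointer and a CHERI-style capability concrete, here is a small software model, added as an illustration and not code from the CHERI project, CheriBSD or this list. It is not real CHERI hardware or the CHERI compiler intrinsics: the `struct cap`, the `CAP_PERM_*` bits and all function names are hypothetical, and the out-of-band validity tag that the hardware keeps is modelled as an ordinary boolean. The two scenarios show a bounded, read-only capability refusing an over-read that a raw pointer silently performs, and the monotonicity rule that a derived capability can only shrink its bounds or drop permissions, never regain them.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Permission bits carried by a capability (hypothetical names, loosely
 * modelled on CHERI's load/store permissions). */
enum { CAP_PERM_LOAD = 1u << 0, CAP_PERM_STORE = 1u << 1 };

/* Software model of a capability: a pointer together with the bounds and
 * permissions it is allowed to use, plus a validity tag that real hardware
 * would store out of band so software cannot forge it. Constructed here. */
struct cap {
    uint8_t *base;   /* lowest address the capability may touch */
    size_t length;   /* size of the region [base, base + length) */
    size_t cursor;   /* current pointer position, as an offset from base */
    unsigned perms;  /* CAP_PERM_* bits */
    bool tag;        /* false once the capability has been invalidated */
};

/* Root capability over a whole buffer, as an allocator would hand it out. */
static struct cap cap_from_buffer(uint8_t *buf, size_t len, unsigned perms) {
    struct cap c = { buf, len, 0, perms, true };
    return c;
}

/* Derive a narrower capability. Monotonicity: bounds may only shrink and
 * permissions may only be dropped; any attempt to gain authority clears
 * the tag, so the result can never be dereferenced. */
static struct cap cap_set_bounds(struct cap c, size_t off, size_t len, unsigned perms) {
    struct cap d = c;
    if (!c.tag || off > c.length || len > c.length - off || (perms & ~c.perms)) {
        d.tag = false;
        return d;
    }
    d.base = c.base + off;
    d.length = len;
    d.cursor = 0;
    d.perms = perms;
    return d;
}

/* Pointer arithmetic is unrestricted, as on CHERI; only the dereference is
 * checked against the bounds. */
static struct cap cap_add(struct cap c, size_t n) {
    c.cursor += n;
    return c;
}

/* Load one byte through the capability. Returns 0 on success, -1 on what
 * the hardware would raise as a capability fault. */
static int cap_load(struct cap c, uint8_t *out) {
    if (!c.tag || !(c.perms & CAP_PERM_LOAD) || c.cursor >= c.length)
        return -1;
    *out = c.base[c.cursor];
    return 0;
}

/* Store one byte through the capability, with the same checks. */
static int cap_store(struct cap c, uint8_t v) {
    if (!c.tag || !(c.perms & CAP_PERM_STORE) || c.cursor >= c.length)
        return -1;
    c.base[c.cursor] = v;
    return 0;
}

/* Scenario 1: a 16-byte buffer followed in memory by a "secret" (constructed
 * sample data). A raw pointer walks off the end of the buffer into the
 * secret; a capability bounded to the buffer faults at the same offset.
 * Returns 1 when the capability blocked the over-read and the raw pointer
 * did not, otherwise 0. */
static int demo_overread(void) {
    static uint8_t memory[32];
    memset(memory, 0, sizeof memory);
    memcpy(memory + 16, "SECRET", 6);

    uint8_t *raw = memory;       /* conventional pointer: no bounds at all */
    uint8_t leaked = raw[16];    /* reads 'S' and nothing stops it */

    struct cap root = cap_from_buffer(memory, sizeof memory, CAP_PERM_LOAD | CAP_PERM_STORE);
    struct cap buf = cap_set_bounds(root, 0, 16, CAP_PERM_LOAD);  /* bounded, read-only */
    uint8_t out = 0;
    int rc = cap_load(cap_add(buf, 16), &out);                    /* same offset: fault */

    return leaked == 'S' && rc == -1 && out == 0;
}

/* Scenario 2: a read-only, 16-byte capability can neither be widened back
 * over the whole buffer nor used to store. Returns 1 when both are refused. */
static int demo_authority_not_regained(void) {
    static uint8_t memory[32];
    struct cap root = cap_from_buffer(memory, sizeof memory, CAP_PERM_LOAD | CAP_PERM_STORE);
    struct cap buf = cap_set_bounds(root, 0, 16, CAP_PERM_LOAD);
    struct cap wide = cap_set_bounds(buf, 0, 32, CAP_PERM_LOAD | CAP_PERM_STORE);
    uint8_t out = 0;
    return !wide.tag && cap_load(wide, &out) == -1 && cap_store(buf, 0x41) == -1;
}

int main(void) {
    printf("over-read blocked by capability: %d\n", demo_overread());
    printf("widening and store refused:      %d\n", demo_authority_not_regained());
    return 0;
}
```

The point of the model is where the check lives: the raw pointer's over-read is not an error the language can see, whereas the capability carries enough metadata for every load and store to be validated, and the tag rule means a program cannot manufacture a wider capability from a narrower one.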

On Thu, 28 Jul 2022 21:15:09 +1200, I wrote:
“CHERI” is a project at Cambridge University based on a very old concept for implementing memory/process protection on computer hardware: that of “capabilities”. Instead of having specially-trusted kernel code run in a privileged mode that is allowed to do pretty much anything, capabilities allow for a more decentralized model, with distribution and separation of different areas of trust.
An update on this <https://www.theregister.com/2022/08/26/arm_cheri_morello/>, with some details of the techniques being used in ARM’s experimental Morello architecture to implement CHERI. This being an ongoing project, some implementation details are still in flux. Some promising results so far:

As for the impact on software, Grisenthwaite said that the X11 KDE-based desktop environment in CheriBSD was ported to Morello in three months by a single engineer having to make changes to less than 0.03 percent of the 6 million lines of code, and that these changes delivered an assessed vulnerability and mitigation rate of some 73.8 percent.

That amounts to changes to less than 1800 lines of code in KDE. Took three months, eh? That’s around 20 lines of code a day, which is double what Frederick “Mythical Man-Month” Brooks estimated was typical programmer productivity for large-systems development.

Microsoft seems to agree about the benefits:

Arm's confidence in Morello is backed up by a detailed study conducted by Microsoft Security Research Center (MSRC). This looked into all of the 2019 memory safety vulnerabilities that affected Microsoft products and required an update to fix, and Microsoft concluded that CHERI, when combined with other measures, would have mitigated at least two-thirds of those issues.

Also note this:

However, CHERI technologies are not patented and Arm is encouraging others in the computing industry to evaluate it, so Morello is serving as showcase of the technology for other architectures, Grisenthwaite said.

No doubt “other” architectures will likely include RISC-V at some point...
participants (1)
-
Lawrence D'Oliveiro