Capability Hardware Enhanced RISC Instructions (CHERI)
|Newsflash - December 2012: IEEE Spectrum has posted a Techwise Conversations podcast with Robert Watson discussing the clean-slate argument for computer security in operating systems and computer architecture.|
|Newsflash - October 2012: The New York Times has posted an article on Peter G. Neumann and our work on clean-slate host and network security as part of their Science section.|
|Newsflash - October 2012: ACM Queue has posted a video interview with Robert Watson, CTSRD project lead at Cambridge on the topic of research into the hardware-software interface, as well as the CHERI processor.|
This project is an outgrowth of our earlier Capsicum project, which explored hybrid capability models in the context of UNIX operating system design. While a successful project, we identified a number of limitations to current CPU designs that made application compartmentalisation tricky, despite enhanced operating system support. CHERI is a hardware-software interface research project seeking to revise ISA design in order to better support software compartmentalisation. CHERI transposes the Capsicum hybrid capability model into the CPU architecture space, allowing fine-grained compartmentalisation within process address spaces -- while continuing to support current software designs.
We are developing a prototype of the CHERI ISA using the Bluespec Extensible RISC Implementation (BERI), a 64-bit MIPS FPGA soft core implemented in the Bluespec HDL. The FreeBSD operating system, with Capsicum support, has also been ported to CHERI in order to allow us to compare, side-by-side, traditional software compartmentalisation approaches (based on a translation look-aside buffer (TLB)), with those supported by a capability coprocessor. Using commodity software stacks, such as FreeBSD, LLVM, and the Chromium web browser, allows us to validate our hybrid design, applying capability-based compartmentalisation selectively to support both our most trusted (OS kernel, low-level language runtimes), and least trustworthy (web browsers and servers), software components.
- Robert N.M. Watson, Peter G. Neumann Jonathan Woodruff, Jonathan Anderson, Ross Anderson, Nirav Dave, Ben Laurie, Simon W. Moore, Steven J. Murdoch, Philip Paeps, Michael Roe, and Hassen Saidi. CHERI: a research platform deconflating hardware virtualization and protection. Workshop paper, Runtime Environments, Systems, Layering and Virtualized Environments (RESoLVE 2012), March, 2012.
- Peter G. Neumann, Robert N.M. Watson. Capabilities Revisied: A Holistic Approach to Bottom-to-Top Assurance of Trustworthy Systems. Proceedings of the Fourth Annual Layered Assurance Workshop, Austin, Texas, December 2010.
- Robert N.M. Watson, Peter G. Neumann Jonathan Woodruff, Jonathan Anderson, Ross Anderson, Nirav Dave, Ben Laurie, Simon W. Moore, Steven J. Murdoch, Philip Paeps, Michael Roe, and Hassen Saidi. CHERI: a research platform deconflating hardware virtualization and protection (slides). Workshop presentation, Runtime Environments, Systems, Layering and Virtualized Environments (RESoLVE 2012), March 2, 2012.