Computer Laboratory

CHERI

Capability Hardware Enhanced RISC Instructions (CHERI)


November 2015: Two new technical reports on CHERI are now available: CHERI ISAv4, and the CHERI Programmer's Guide.
May 2015: Our third full paper on CHERI, CHERI: A Hybrid Capability-System Architecture for Scalable Software Compartmentalization, was presented at the IEEE Symposium on Security and Privacy (Oakland) in May 2015.
December 2014: The New York Times has published a Special section on security with a quote from Peter G. Neumann in the lead article and an article on the CRASH program mentioning our work on CHERI.
Learn more about fundamental research into security and the hardware-software interview by watching Robert Watson's August 2012 ACM Queue interview.

This project is an outgrowth of our earlier Capsicum project, which explored hybrid capability models in the context of UNIX operating system design. While a successful project, we identified a number of limitations to current CPU designs that made application compartmentalisation tricky, despite enhanced operating system support. CHERI is a hardware-software interface research project seeking to revise ISA design in order to better support software compartmentalisation. CHERI transposes the Capsicum hybrid capability model into the CPU architecture space, allowing fine-grained compartmentalisation within process address spaces – while continuing to support current software designs.

We are developing a prototype of the CHERI ISA using the Bluespec Extensible RISC Implementation (BERI), a 64-bit MIPS FPGA soft core implemented in the Bluespec HDL. The FreeBSD operating system, with Capsicum support, has also been ported to CHERI in order to allow us to compare, side-by-side, traditional software compartmentalisation approaches (based on a translation look-aside buffer (TLB)), with those supported by a capability coprocessor. Using commodity software stacks, such as FreeBSD, LLVM, and the Chromium web browser, allows us to validate our hybrid design, applying capability-based compartmentalisation selectively to support both our most trusted (OS kernel, low-level language runtimes), and least trustworthy (web browsers and servers), software components.

Research conference and journal papers

  • Khilan Gudka, Robert N.M. Watson, Jonathan Anderson, David Chisnall, Brooks Davis, Ben Laurie, Ilias Marinos, Peter G. Neumann, and Alex Richardson. Clean Application Compartmentalization with SOAAP, Proceedings of the 22nd ACM Conference on Computer and Communications Security (CCS 2015), Denver, CO, USA, October 2015.
  • Robert N. M. Watson, Jonathan Woodruff, Peter G. Neumann, Simon W. Moore, Jonathan Anderson, David Chisnall, Nirav Dave, Brooks Davis, Khilan Gudka, Ben Laurie, Steven J. Murdoch, Robert Norton, Michael Roe, Stacey Son, and Munraj Vadera. CHERI: A Hybrid Capability-System Architecture for Scalable Software Compartmentalization, Proceedings of the 36th IEEE Symposium on Security and Privacy ("Oakland"), San Jose, California, USA, May 2015.
  • David Chisnall, Colin Rothwell, Brooks Davis, Robert N.M. Watson, Jonathan Woodruff, Simon W. Moore, Peter G. Neumann and Michael Roe. Beyond the PDP-11: Processor support for a memory-safe C abstract machine, Proceedings of Architectural Support for Programming Languages and Operating Systems (ASPLOS 2015), Istanbul, Turkey, March 2015. (Audience choice: Best presentation award.)
  • Jonathan Woodruff, Robert N. M. Watson, David Chisnall, Simon W. Moore, Jonathan Anderson, Brooks Davis, Ben Laurie, Peter G. Neumann, Robert Norton, and Michael Roe. The CHERI capability model: Revisiting RISC in an age of risk, Proceedings of the 41st International Symposium on Computer Architecture (ISCA 2014), June 14–16, 2014, Minneapolis, MN, USA.

Research workshop papers

Technical Reports

Current technical reports

  • Robert N. M. Watson, David Chisnall, Brooks Davis, Wojciech Koszek, Simon W. Moore, Steven J. Murdoch, Peter G. Neumann, and Jonathan Woodruff. Capability Hardware Enhanced RISC Instructions: CHERI Programmer’s Guide, Technical Report UCAM-CL-TR-877, University of Cambridge, Computer Laboratory, September 2015. Current CHERI programmer's guide
  • Robert N. M. Watson, Peter G. Neumann, Jonathan Woodruff, Michael Roe, Jonathan Anderson, David Chisnall, Brooks Davis, Alexandre Joannou, Ben Laurie, Simon W. Moore, Steven J. Murdoch, Robert Norton, and Stacey Son. Capability Hardware Enhanced RISC Instructions: CHERI Instruction-Set Architecture, Technical Report UCAM-CL-TR-876, University of Cambridge, Computer Laboratory, September 2015. Current CHERI ISA specification
  • Robert N. M. Watson, David Chisnall, Brooks Davis, Wojciech Koszek, Simon W. Moore, Steven J. Murdoch, Peter G. Neumann, Jonathan Woodruff. Bluespec Extensible RISC Implementation: BERI Software Reference, Technical Report UCAM-CL-TR-869, University of Cambridge, Computer Laboratory, April 2015.
  • Robert N.M. Watson, Jonathan Woodruff, David Chisnall, Brooks Davis, Wojciech Koszek, A. Theodore Markettos, Simon W. Moore, Steven J. Murdoch, Peter G. Neumann, Robert Norton, and Michael Roe. Bluespec Extensible RISC Implementation: BERI Hardware Reference, Technical Report UCAM-CL-TR-868, University of Cambridge, Computer Laboratory, April 2015.

Older technical reports

  • Robert N.M. Watson, Peter G. Neumann, Jonathan Woodruff, Jonathan Anderson, David Chisnall, Brooks Davis, Ben Laurie, Simon W. Moore, Steven J. Murdoch, and Michael Roe. Capability Hardware Enhanced RISC Instructions: CHERI Instruction-Set Architecture, Technical Report UCAM-CL-TR-864, University of Cambridge, Computer Laboratory, December 2014. Note: superseded by UCAM-CL-TR-876
  • Robert N.M. Watson, David Chisnall, Brooks Davis, Wojciech Koszek, Simon W. Moore, Steven J. Murdoch, Peter G. Neumann, and Jonathan Woodruff. Bluespec Extensible RISC Implementation: BERI Software Reference, Technical Report UCAM-CL-TR-853, University of Cambridge, Computer Laboratory, April 2014. Note: superseded by UCAM-CL-TR-869.
  • Robert N.M. Watson, Jonathan Woodruff, David Chisnall, Brooks Davis, Wojciech Koszek, A. Theodore Markettos, Simon W. Moore, Steven J. Murdoch, Peter G. Neumann, Robert Norton, and Michael Roe. Bluespec Extensible RISC Implementation: BERI Hardware Reference, Technical Report UCAM-CL-TR-852, University of Cambridge, Computer Laboratory, April 2014. Note: superseded by UCAM-CL-TR-868.
  • Robert N.M. Watson, David Chisnall, Brooks Davis, Wojciech Koszek, Simon W. Moore, Steven J. Murdoch, Peter G. Neumann, and Jonathan Woodruff. Capability Hardware Enhanced RISC Instructions: CHERI User’s Guide, Technical Report UCAM-CL-TR-851, University of Cambridge, Computer Laboratory, April 2014. Note: superseded by UCAM-CL-TR-877
  • Robert N.M. Watson, Peter G. Neumann, Jonathan Woodruff, Jonathan Anderson, David Chisnall, Brooks Davis, Ben Laurie, Simon W. Moore, Steven J. Murdoch, and Michael Roe. Capability Hardware Enhanced RISC Instructions: CHERI Instruction-Set Architecture, Technical Report UCAM-CL-TR-850, University of Cambridge, Computer Laboratory, April 2014. Note: superseded by UCAM-CL-TR-864.

Presentations

  • Robert N. M. Watson, Jonathan Woodruff, Peter G. Neumann, Simon W. Moore, Jonathan Anderson, David Chisnall, Nirav Dave, Brooks Davis, Khilan Gudka, Ben Laurie, Steven J. Murdoch, Robert Norton, Michael Roe, Stacey Son, and Munraj Vadera. CHERI: A Hybrid Capability-System Architecture for Scalable Software Compartmentalization, Proceedings of the 36th IEEE Symposium on Security and Privacy ("Oakland"), San Jose, California, USA, May 18 2015. (slides)
  • David Chisnall, Colin Rothwell, Brooks Davis, Robert N.M. Watson, Jonathan Woodruff, Simon W. Moore, Peter G. Neumann and Michael Roe. Beyond the PDP-11: Processor support for a memory-safe C abstract machine, Proceedings of Architectural Support for Programming Languages and Operating Systems (ASPLOS 2015), Istanbul, Turkey, March 5, 2015. (slides)
  • Jonathan Woodruff, Robert N. M. Watson, David Chisnall, Simon W. Moore, Jonathan Anderson, Brooks Davis, Ben Laurie, Peter G. Neumann, Robert Norton, and Michael Roe. The CHERI Capability Model - Revisiting RISC for an Age of Risk, Proceedings of the 41st International Symposium on Computer Architecture (ISCA 2014), Minneapolis, MN, USA, June 18, 2014. (video, PDF)
  • Robert N.M. Watson, Peter G. Neumann Jonathan Woodruff, Jonathan Anderson, Ross Anderson, Nirav Dave, Ben Laurie, Simon W. Moore, Steven J. Murdoch, Philip Paeps, Michael Roe, and Hassen Saidi. CHERI: a research platform deconflating hardware virtualization and protection. Workshop on Runtime Environments, Systems, Layering and Virtualized Environments (RESoLVE 2012), March 2, 2012. (slides)

Media

  • Peter G. Neumann, the San Jose Mercury News's Bruce Newman talks with Peter Neumann about cybersecurity. Link.
  • Robert N. M. Watson, IEEE Spectrum Techwise Conversation podcast interview, recorded 26 December 2012, explores the argument for clean-slate design and the nature of current attacker-defender asymmetry. Link.
  • Robert N. M. Watson, Queue Portrait: Robert Watson recorded in August 2012, explores research into the hardware-software interface. Link.