Computer Laboratory

CHERI

Capability Hardware Enhanced RISC Instructions (CHERI)


Newflash - June 18 2014: the BERI/CHERI source code is now available for download! Physical build specs for the Terasic DE4-based tablet are online, as is FreeBSD OS support for BERI , which was merged to FreeBSD 10.0 in August 2012.
Newsflash - April 2014: Our first full paper on CHERI, The CHERI capability model: Revisiting RISC in an age of risk, was presented at the International Symposium on Computer Architecture (ISCA) in June 2014.
Newsflash - October 2012: The New York Times has posted an article on Peter G. Neumann and our work on clean-slate host and network security as part of their Science section.

This project is an outgrowth of our earlier Capsicum project, which explored hybrid capability models in the context of UNIX operating system design. While a successful project, we identified a number of limitations to current CPU designs that made application compartmentalisation tricky, despite enhanced operating system support. CHERI is a hardware-software interface research project seeking to revise ISA design in order to better support software compartmentalisation. CHERI transposes the Capsicum hybrid capability model into the CPU architecture space, allowing fine-grained compartmentalisation within process address spaces – while continuing to support current software designs.

We are developing a prototype of the CHERI ISA using the Bluespec Extensible RISC Implementation (BERI), a 64-bit MIPS FPGA soft core implemented in the Bluespec HDL. The FreeBSD operating system, with Capsicum support, has also been ported to CHERI in order to allow us to compare, side-by-side, traditional software compartmentalisation approaches (based on a translation look-aside buffer (TLB)), with those supported by a capability coprocessor. Using commodity software stacks, such as FreeBSD, LLVM, and the Chromium web browser, allows us to validate our hybrid design, applying capability-based compartmentalisation selectively to support both our most trusted (OS kernel, low-level language runtimes), and least trustworthy (web browsers and servers), software components.

Conference papers

  • Jonathan Woodruff, Robert N. M. Watson, David Chisnall, Simon W. Moore, Jonathan Anderson, Brooks Davis, Ben Laurie, Peter G. Neumann, Robert Norton, and Michael Roe. The CHERI capability model: Revisiting RISC in an age of risk, Proceedings of the 41st International Symposium on Computer Architecture (ISCA 2014), June 14–16, 2014, Minneapolis, MN, USA.

Workshop papers

Technical Reports

Presentations

  • Jonathan Woodruff, Robert N. M. Watson, David Chisnall, Simon W. Moore, Jonathan Anderson, Brooks Davis, Ben Laurie, Peter G. Neumann, Robert Norton, and Michael Roe. The CHERI Capability Model - Revisiting RISC for an Age of Risk, Proceedings of the 41st International Symposium on Computer Architecture (ISCA 2014), Minneapolis, MN, USA, June 18, 2014. (video, PDF)
  • Robert N.M. Watson, Peter G. Neumann Jonathan Woodruff, Jonathan Anderson, Ross Anderson, Nirav Dave, Ben Laurie, Simon W. Moore, Steven J. Murdoch, Philip Paeps, Michael Roe, and Hassen Saidi. CHERI: a research platform deconflating hardware virtualization and protection. Workshop on Runtime Environments, Systems, Layering and Virtualized Environments (RESoLVE 2012), March 2, 2012. (slides)

Media

  • Peter G. Neumann, the San Jose Mercury News's Bruce Newman talks with Peter Neumann about cybersecurity. Link.
  • Robert N. M. Watson, IEEE Spectrum Techwise Conversation podcast interview, recorded 26 December 2012, explores the argument for clean-slate design and the nature of current attacker-defender asymmetry. Link.
  • Robert N. M. Watson, Queue Portrait: Robert Watson recorded in August 2012, explores research into the hardware-software interface. Link.