Computer Laboratory

Robert N. M. Watson

The Design and Implementation of the FreeBSD Operating System, Second Edition

University of Cambridge
William Gates Building
15 JJ Thomson Avenue
Cambridge CB3 1FD
United Kingdom
Office: GE-13, William Gates Building
Voice: +44 (0)1223 763 569
Fax: +44 (0)1223 334 678
E-mail: robert.watson AT cl.cam.ac.uk

I am a University Lecturer in Systems, Security, and Architecture at the University of Cambridge Computer Laboratory. I am involved in several research groups at the lab, including Security, Networks and Operating Systems, and Computer Architecture. I lead a number of cross-layer research projects spanning computer architecture, compilers, program analysis, program transformation, operating systems, networking, and security. Current projects include CTSRD, a project in collaboration with SRI International looking at clean-slate hardware and software designs for security. This includes the BERI and CHERI processor designs, and SOAAP and TESLA, software analysis and transformation systems based on LLVM. I also have active research projects in network-stack performance, tracing, and switching. Recent completed projects include the Capsicum hybrid capability system, system-call interposition concurrency problems, and the TrustedBSD MAC Framework, a widely deployed OS access-control extensibility framework (now found in FreeBSD, Mac OS X, Apple iOS, Junos, and other products). I have strong interests in open-source software, am on the board of directors of the FreeBSD Foundation, and have contributed extensively to the FreeBSD Project.

I completed two and a half years of post-doctoral research at the Computer Laboratory, and a Research Fellowship at St John's College, Cambridge in May, 2013. I finished my PhD in Computer Science at the Computer Laboratory in 2010, supervised by Professor Ross Anderson. Prior to that, I worked for six years in a series of industry research labs investigating operating systems, networking, and security; my contributions included widely used work in operating system security extensibility, the topic of my later PhD dissertation. My undergraduate degree is in Logic and Computation, with a double major in Computer Science at Carnegie Mellon University.

Recent news

September, 2014

Kirk McKusick, George Neville-Neil, and I are pleased to announce the release of the second edition of The Design and Implementation of the FreeBSD Operating System, published by Pearson Education. eBook versions of the book are also becoming available. The book is available from Pearson directly in dead-tree and electronic versions, or from Amazon. At last check, the Kindle version had been approved for publication but was still in Amazon's pipeline; it should be available soon.

June, 2014

I'm pleased to announce that the CTSRD Project has open sourced our CHERI processor implementation as well as the complete software stack. CHERI is a 64-bit RISC processor extended with an in-address-space protection model, as well as fine-grained in-process sandboxing. We have ported the open-source FreeBSD operating system to CHERI, and adapted the Clang/LLVM compiler suite to generate capability-aware code, which can run alongside 64-bit MIPS code with relative transparency.

We have also released four new technical reports on BERI (the base RISC processor design) and CHERI (the capability extensions) including the CHERI ISA reference and BERI hardware and software references; these may be found on our CTSRD Publications Page.

April, 2014

Ilias Marinos, Mark Handley, and I have had a paper on Network Stack Specialization for Performance accepted to SIGCOMM 2014. Prospective citation below. This is very exciting work that pushes the boundary on current host networking performance by breaking down traditional barriers between the network stack and application -- possible thanks to the Netmap framework in FreeBSD.

March, 2014

We are pleased to announce that the CTSRD Project has had two papers on recent work accepted: one on CHERI's memory protection model, which will appear at ISCA 2014 in June; a second on TESLA that will appear at EuroSys 2014 in March. The papers can be found below.

October, 2013

David Drysdale (Google) has announced a port of Capsicum to Linux with the intent of upstreaming it to the Linux kernel. This follows on news of a port to DragonFlyBSD sponsored by Google Summer of Code. We are also eagerly awaiting news of the release of FreeBSD 10.0, which includes Capsicum enabled by default, a nice tidy-up of the Capsicum API by Pawel Jakub Dawidek under contract to the FreeBSD Foundation (jointly sponsored by Google), and a moderate number of interesting base-system applications using Capsicum by default, including tcpdump, ktrace, hastd, and auditdistd. An exciting Autumn for Capsicum!

Ilias Marinos, Mark Handley (UCL), and I will present a paper at HotNets-XII arguing that network-stack specialisation is required in order to fully utilise current hardware. We demonstrate a clean-slate network stack (based on Luigi Rizzo's Netmap framework in FreeBSD) able to serve web content at 3.5x the performance of FreeBSD and Linux using nginx, saturating six 10gbps NICs on a modestly configured contemporary server system.

May 2013

I have been appointed a University Lecturer in Systems, Security, and Architecture at the University of Cambridge Computer Laboratory effective 1 June 2013. This wraps up my post-doctoral positions at the lab and also my Research Fellowship at St John's College, Cambridge.

The May 2013 issue of Communications of the ACM carries an ACM Member News section on my research into the hardware-software interface, and in particular, the research team we have been building around the CTSRD Project joint with SRI International.

March 2013

Bill Harris, Somesh Jha, and Tom Reps at the University of Wisconsin, Madison, with support from Jon Anderson and myself at Cambridge, have published a paper at Oakland (IEEE Symposium on Security and Privacy) on using program annotations to drive capability-driven compartmentalisation of application programs. The intellectual foundations for this work are grounded in Bill's work on automata representations of compartmentalised application programs; Jon and I were very pleased to be able to contribute through our work on Capsicum.

Research interests

I lead a number of research projects spanning the security, computer architecture, and network + operating system research groups at the Computer Laboratory, supported by DARPA and Google. A theme spanning many of my current research areas is the tension between program representation and security, with interests in revising the hardware-software interface, and whole-system implementation of security. Several of these projects are part of the DARPA-sponsored CTSRD Project in collaboration with Peter G. Neumann at the Computer Science Laboratory at SRI International. We also have a second joint DARPA project, MRC2, which is applying many of these ideas in a distributed setting.

I have additional research interests in the interplay between concurrency and security, operating system access control (especially as it relates to software application compartmentalisation and capability systems), multi-threaded network stacks, and revisiting a variety of hardware-software interfaces in support of security, networking, and operating system design. Utilising and improving open source platforms for research plays a key role in technology transition for my work.

Capability hardware enhanced RISC instructions (CHERI)

The CHERI processor provides hardware-assisted in-process sandboxing based on a hybrid capability model. The goal is to support several orders of magnitude greater numbers of sandboxes than current ISAs support -- while still maintaining compatibility with current software designs. Our first major paper on CHERI will appear in ISCA 2014, although we have prior workshop papers at several venues including RESoLVE 2012.

Bluespec experimental RISC implementation (BERI)

The Bluespec experimental RISC implementation is a new platform for research into the hardware-software interface. Consisting of a 64-bit MIPS ISA FPGA soft core implemented in the Bluespec Hardware Description Language (HDL), a port of the FreeBSD operating system, Clang/LLVM, and a conventional BSD/Apache-licensed software stack, we hope to use BERI to explore a range of new experimental research directions spanning the historically disjoint hardware and software research communities. CHERI is the first such research project. We have had several workshop and conference papers relating to the BERI platform. Brooks Davis (SRI) and I merged BERI support into FreeBSD in August, 2012, which appeared in FreeBSD 10.0-RELEASE.

Temporally enhanced security logic assertions (TESLA)

Temporally enhanced security logic assertions (TESLA) provide compiler-generated run-time instrumentation to continuously validate complex (temporal) security properties, such as check-before-use, eventual audit, and network protocol state machines. We published a paper on TESLA at EuroSys 2014.

Security-oriented analysis of application programs (SOAAP)

Security-oriented analysis of application programs (SOAAP) provides automated program analysis and transformation techniques to help software developers deploy application compartmentalisation on sandboxing frameworks such as Capsicum and CHERI. We have had multiple workshop papers on these ideas, including at AHANS 2012 and the Security Protocols Workshop (SPW) 2013.

Operating-system network stacks

I have taken a long interest in network-stack structure and performance, including contributing substantially to FreeBSD's multithreaded, multicore network-stack implementation. My past consulting projects in this area include scalable multi-threaded TCP performance and zero-copy support for BPF. My PhD student Ilias Marinos has been working on network-stack specialisation, the adaptation of network stacks to specific applications and workloads, achieving vastly higher performance than general-purpose stacks. This work has been the subject of papers at HotNets 2013 and SIGCOMM 2014. Bjoern Zeeb, a PhD student jointly supervised by Andrew Moore and myself, is working on network-stack tracing and analysis: what new techniques and tools can we develop to analyse performance and behaviour?

Capsicum: practical capabilities for UNIX

In this work, we developed the notion of a hybrid capability model, blending ideas from research capability system security with commodity UNIX operating systems. Capsicum is intended to support application and library compartmentalisation through extensions to the POSIX API. A key concern in Capsicum is incremental adoption --- we have a long-term vision for capability-oriented security, but wanted to provide a short-term technology adoption path addressing immediate security problems without introducing fundamental incompatibilities (an assumption in prior OS capability systems). This work was first published at USENIX Security 2010, with a version appearing in Communications of the ACM Research Highlights in 2013. We have also published pieces in USENIX's ;login: magazine and elsewhere. Capsicum appeared in FreeBSD 9.0, with a more mature implementation and API in FreeBSD 10.0. Google has ported Capsicum to Linux, and continues to support Capsicum development alongside DARPA and the FreeBSD Foundation.

Exploiting concurrency vulnerabilities in system call wrappers

Historically, a number of operating system vendors, researchers, and third-party security vendors (such as anti-virus vendors) have relied on system call interposition to augment the OS security model. In this work, I explored inherent concurrency vulnerabilities that exist in the model. We now teach this as an exercise to our Part II security students, who must exploit vulnerabilities in Systrace to deface a web site.

Operating system access control extensibility (MAC Framework)

The TrustedBSD Project brought features traditionally limited to "trusted" operating systems into open source, including mature security event auditing, extensible kernel access control in support of mandatory access control (MAC), and discretionary access control (DAC) extensions such as access control lists (ACLs). These features have been adopted by a number of vendors, including the FreeBSD Project, Apple's Mac OS X and iOS operating systems, Juniper's JunOS, McAfee's Sidewinder firewall, and others. My February 2013 Communications of the ACM retrospective article (and its open-access, slightly extended ACM Queue version) covers this evolution in significant detail.

Teaching

During the 2013-2014 academic year, I am lecturing Part I.B Concurrent and Distributed Systems, and co-teaching our masters-level courses in the Principles and Foundations of Computer Security and Current Applications and Research in Computer Security.

During the 2012-2013 academic year, I lectured Part I.B Concurrent and Distributed Systems, and co-taught our masters-level courses in the Principles and Foundations of Computer Security and Current Applications and Research in Computer Security.

Research students and postdocs

I currently supervise four research students: Ionel Gog, Ilias Marinos, Matthew Grosvenor, and Bjoern Zeeb. Several other research students are closely involved in my research projects, including Alan Mujumdar, Robert Norton, and Jonathan Woodruff in the Computer Architecture group. David Chisnall, Khilan Gudka, and Michael Roe are post-doctoral researchers contributing to my various research projects. I have previously supervised post-doctoral work by Jonathan Anderson and Steven Murdoch.

If you are interested in applying to Cambridge for a research-oriented MPhil or PhD in one of my research areas -- including computer security, operating systems, and computer architecture -- please feel free to get in touch regarding your research topic of interest. More information on the two programmes, including application requirements and information on initial research proposals, can be found on the MPhil in Advanced Computer Science and PhD in Computer Science pages at the Computer Laboratory.

Industry

Technology transition plays a central role in my research, and I take a particular interest in the transition of research through open source systems. I have worked closely with a number of companies, including Apple and Juniper Networks, as they have adopted open source systems: helping them engage with the open source community, improving open source software to better meet their needs, and helping them upstream improvements to the open source community. Recent projects have included open source adaptations of Apple's Grand Central Dispatch, collaborative development of the OpenBSM operating system audit framework between Apple and the FreeBSD Project, and work on highly scalable multi-core TCP processing with Juniper. Slightly longer ago, I worked with several companies including Apple and nCircle to help them use and extend the TrustedBSD MAC Framework, a kernel reference monitor now used as the foundation for access control in Mac OS X, iOS, Junos, McAfee's Sidewinder firewall, nCircle's IP360 appliance, and many other products.

Prior to coming to Cambridge, I worked for a series of industrial research labs in the US, including SPARTA ISSO, Trusted Information Systems - Advanced Research and Engineering, and McAfee Research. While there I led a number of network and operating system security research projects for government and industrial sponsors, including DARPA, the US Navy, Apple Computer, and others.

I offer consulting services to companies in the areas of open source integration for products, network stack performance, and operating system audit and access control. A list of past customers and projects is available on request; please contact me directly with any queries.

FreeBSD Project and Foundation

In addition to my academic work, I'm on the board of directors of the FreeBSD Foundation, a US-based non-profit foundation supporting the open source FreeBSD Project. I'm an active contributor to the project, working in the areas of multiprocessor-centric network stacks, operating system security audit, and mandatory access control. I was a member of the FreeBSD Project's elected Core Team for 12 years, and I'm also involved in the project's security officer and release engineering teams.

Publications

Marshall Kirk McKusick, George V. Neville-Neil, and Robert N. M. Watson. The Design and Implementation of the FreeBSD Operating System, 2nd Edition, Pearson Education, Boston, MA, USA, September 2014.

Ilias Marinos, Robert N. M. Watson, and Mark Handley, Network Stack Specialization for Performance, Proceedings of ACM SIGCOMM 2014 Conference (SIGCOMM'14), Chicago, IL, USA, August 17–22, 2014.

Jonathan Woodruff, Robert N. M. Watson, David Chisnall, Simon W. Moore, Jonathan Anderson, Brooks Davis, Ben Laurie, Peter G. Neumann, Robert Norton, and Michael Roe. The CHERI capability model: Revisiting RISC in an age of risk, Proceedings of the 41st International Symposium on Computer Architecture (ISCA 2014), Minneapolis, MN, USA, June 14–16, 2014.

Robert N. M. Watson, Peter G. Neumann, Jonathan Woodruff, Jonathan Anderson, David Chisnall, Brooks Davis, Ben Laurie, Simon W. Moore, Steven J. Murdoch, and Michael Roe. Capability Hardware Enhanced RISC Instructions: CHERI Instruction-Set Architecture, Technical Report UCAM-CL-TR-850, University of Cambridge, Computer Laboratory, April 2014.

Robert N. M. Watson, David Chisnall, Brooks Davis, Wojciech Koszek, Simon W. Moore, Steven J. Murdoch, Peter G. Neumann, and Jonathan Woodruff. Capability Hardware Enhanced RISC Instructions: CHERI User's Guide, Technical Report UCAM-CL-TR-851, University of Cambridge, Computer Laboratory, April 2014.

Robert N. M. Watson, Jonathan Woodruff, David Chisnall, Brooks Davis, Wojciech Koszek, A. Theodore Markettos, Simon W. Moore, Steven J. Murdoch, Peter G. Neumann, Robert Norton, and Michael Roe. Bluespec Extensible RISC Implementation: BERI Hardware Reference, Technical Report UCAM-CL-TR-852, University of Cambridge, Computer Laboratory, April 2014.

Robert N. M. Watson, David Chisnall, Brooks Davis, Wojciech Koszek, Simon W. Moore, Steven J. Murdoch, Peter G. Neumann, and Jonathan Woodruff. Bluespec Extensible RISC Implementation: BERI Software Reference, Technical Report UCAM-CL-TR-853, University of Cambridge, Computer Laboratory, April 2014.

Jonathan Anderson, Robert N. M. Watson, David Chisnall, Khilan Gudka, Brooks Davis, and Ilias Marinos. TESLA: Temporally Enhanced System Logic Assertions, Proceedings of The 2014 European Conference on Computer Systems (EuroSys 2014), Amsterdam, The Netherlands, April 14–16 2014.

Brooks Davis, Robert Norton, Jonathan Woodruff, and Robert N. M. Watson. How FreeBSD Boots: a soft-core MIPS perspective, Proceedings of AsiaBSDCon 2014, 13–16 March, 2014, Tokyo, Japan.

A. Theodore Markettos, Jonathan Woodruff, Robert N. M. Watson, Bjoern A. Zeeb, Brooks Davis, and Simon W. Moore. The BERIpad tablet: open-source construction, CPU, OS and applications, Proceedings of 2013 FPGA Workshop and Design Contest, November 1st–3rd, Southeast University, Nanjing, China.

Ilias Marinos, Robert N. M. Watson, and Mark Handley. Network stack specialisation for performance. Twelfth ACM Workshop on Hot Topics in Networks (HotNets-XII), November, 2013.

William R. Harris (University of Wisconsin, Madison), Somesh Jha (University of Wisconsin, Madison), Thomas Reps (University of Wisconsin, Madison), Jonathan Anderson (University of Cambridge), and Robert N. M. Watson (University of Cambridge). Declarative, Temporal, and Practical Programming with Capabilities, IEEE Symposium on Security and Privacy ("Oakland"), May, 2013.

Robert N. M. Watson, Steven J. Murdoch, Khilan Gudka, Jonathan Anderson, Peter G. Neumann, and Ben Laurie. Towards a theory of application compartmentalisation. Security Protocols Workshop, March, 2013.

Robert N. M. Watson. A decade of OS access-control extensibility. Communications of the ACM 56(2), February 2013.

Robert N. M. Watson. A decade of OS access-control extensibility. ACM Queue 11(1), January 2013. (Open access, extended version of CACM article.)

Khilan Gudka, Robert N. M. Watson, Steven Hand, Ben Laurie, and Anil Madhavapeddy. Exploring compartmentalisation hypotheses with SOAAP. Workshop paper, Adaptive Host and Network Security (AHANS 2012), September, 2012.

Robert N. M. Watson. New approaches to operating system security extensibility. Technical report UCAM-CL-TR-818, University of Cambridge, Computer Laboratory, April 2012.

Jonathan Anderson and Robert N. M. Watson. Stayin' Alive: Aliveness as an alternative to authentication. In proceedings of the Twentieth International Workshop on Security Protocols (SPW), April 2012.

Robert N. M. Watson, Peter G. Neumann, Jonathan Woodruff, Jonathan Anderson, Ross Anderson, Nirav Dave, Ben Laurie, Simon W. Moore, Steven J. Murdoch, Philip Paeps, Michael Roe, and Hassen Saidi. CHERI: a research platform deconflating hardware virtualization and protection. Workshop paper, Runtime Environments, Systems, Layering and Virtualized Environments (RESoLVE 2012), March, 2012.

Steven Smith, Anil Madhavapeddy, Christopher Smowton, Malte Schwarzkopf, Richard Mortier, Robert N. M. Watson, and Steven Hand. The Case for Reconfigurable I/O Channels. Workshop paper, Runtime Environments, Systems, Layering and Virtualized Environments (RESoLVE 2012), March, 2012.

Robert N. M. Watson, Jonathan Anderson, Ben Laurie, and Kris Kennaway. A taste of Capsicum: practical capabilities for UNIX. In Communications of the ACM 55(3), pp. 97-104, March 2012.

Jonathan Anderson, Frank Stajano, and Robert N. M. Watson. How to keep bad papers out of conferences (with minimum reviewer effort). Proceedings of the Nineteenth International Workshop on Security Protocols, March 2011.

Peter G. Neumann and Robert N. M. Watson. Capabilities Revisited: A Holistic Approach to Bottom-to-Top Assurance of Trustworthy Systems. Proceedings of the Fourth Annual Layered Assurance Workshop, Austin, Texas, December 2010.

Laurel D. Riek and Robert N. M. Watson. The Age of Avatar Realism: When seeing shouldn't be believing. IEEE Robotics and Automation (2010). Vol. 17, Issue 4, pp 37-42.

Robert N. M. Watson, Jonathan Anderson, Ben Laurie, and Kris Kennaway. Capsicum: practical capabilities for UNIX. In Proceedings, 19th USENIX Security Symposium 2010, Washington, DC.

Steven J. Murdoch and Robert N. M. Watson. Metrics for security and performance in low-latency anonymity systems. In Proceedings, Privacy Enhancing Technologies Symposium 2008, Leuven, Belgium.

Richard Clayton, Steven J. Murdoch, and Robert N. M. Watson. Ignoring the Great Firewall of China. A Journal of Law and Policy for the Information Society, Volume 3, Issue 2, Fall 2007.

Robert N. M. Watson. Exploiting Concurrency Vulnerabilities in System Call Wrappers. In Proceedings, WOOT'07 - First USENIX Workshop on Offensive Technologies, Boston, Massachusetts, USA.

Robert N. M. Watson. How the FreeBSD Project Works. In Proceedings, 2006 EuroBSDCon, Milan, Italy.

Richard Clayton, Steven J. Murdoch, and Robert N. M. Watson. Ignoring the Great Firewall of China. In Proceedings, Privacy Enhancing Technologies Workshop 2006, Cambridge, UK.

Robert N. M. Watson and Wayne Salamon. TrustedBSD OpenBSM: Open Source Security Audit Framework. In Proceedings, 2006 UKUUG Spring Conference, Durham, UK.

Robert N. M. Watson. Introduction to Multithreading and Multiprocessing in the FreeBSD SMPng Network Stack. In Proceedings, 2005 EuroBSDCon, Basel, Switzerland.

Poul-Henning Kamp and Robert N. M. Watson. Building Systems to be Shared, Securely. ACM Queue, July/August 2004.

Robert N. M. Watson, Brian Feldman, Adam Migus, and Chris Vance. The TrustedBSD MAC Framework: Extensible Kernel Access Control for FreeBSD 5.0. In Proceedings, 2003 USENIX Annual Technical Conference, FREENIX Track.

Robert N. M. Watson, Brian Feldman, Adam Migus, and Chris Vance. Design and Implementation of the TrustedBSD MAC Framework. 2003 DARPA Information Security Conference and Exposition (DISCEX III). IEEE.

Sandra L. Murphy, Edward T. Lewis, and Robert N. M. Watson. Secure Active Network Prototypes. In Proceedings, 2002 DARPA Active Network Conference and Exposition (DANCE'02). IEEE.

Robert N. M. Watson. TrustedBSD: Adding Trusted Operating System Features to FreeBSD. In Proceedings, 2001 USENIX Annual Technical Conference, FREENIX Track.

Sandra Murphy, et al. Strong Security for Active Networks. In Proceedings, OpenArch 2001.

Robert N. M. Watson. Statement for SACMAT 2001 Panel. ACM Workshop on Role Based Access Control. In proceedings of the Sixth ACM Symposium on Access Control Models and Technologies, 2001.

Poul-Henning Kamp and Robert N. M. Watson. Jails: Confining the Omnipotent Root. In Proceedings, SANE 2000 Conference. NLUUG, 2000.

Robert N. M. Watson. Introducing Supporting Infrastructure for Trusted Operating System Support in FreeBSD. In BSDCon 2000 Conference Proceedings. BSDi, 2000.