Robert N. M. Watson
I am a Senior Research Associate in the Security Research Group at the University of Cambridge Computer Laboratory; I am also a Research Fellow at St John's College Cambridge. My research interests include operating system security and networking, the hardware-software interface, and program analysis and transformation. I earned my PhD in computer science at the Computer Laboratory, completing it in 2010 under the supervision of Professor Ross Anderson. Prior to that, I worked for six years in a series of industry research labs investigating operating systems, networking, and security; my contributions included widely used work in operating system security extensibility, the topic of my later PhD dissertation. My undergraduate degree is in Logic and Computation, with a double major in Computer Science, at Carnegie Mellon University. I have strong interests in open source software, am on the board of directors of the FreeBSD Foundation, and have contributed extensively to the FreeBSD Project.
- March 2013: Bill Harris, Somesh Jha, and Tom Reps at the University of Wisconsin, Madison, with support from Jon Anderson and myself at Cambridge, have published a paper at Oakland (IEEE Symposium on Security and Privacy) on using program annotations to drive capability-based compartmentalisation of application programs. The intellectual foundations for this work are grounded in Bill's work on automata representations of compartmentalised application programs; Jon and I were very pleased to be able to contribute through our work on Capsicum.
- January 2013: ACM has now posted the Communications of the ACM and ACM Queue (open access, slightly extended) versions of my article A decade of OS access-control extensibility. This is a retrospective piece exploring how the FreeBSD MAC Framework has been used to support a variety of access control models in products ranging from FreeBSD, to Juniper Junos, to Mac OS X and the iPhone. My thanks go out to countless contributors to the framework over the last decade, as well as to the numerous reviewers of the article who have assisted in characterising access control use across a large range of downstream products.
- December 2012: IEEE Spectrum has posted a Techwise Conversations Podcast in which I opine on the clean-slate argument for operating systems and computer architecture in the context of computer security.
- November 2012: The RESoLVE 2013 web site and CFP are now online; RESoLVE is an exciting workshop looking at virtualisation, programming language runtimes, and program transformation. We presented our first technical paper on the CHERI processor at RESoLVE 2012.
- October 2012: The New York Times is carrying a great article on Dr Peter Neumann, my collaborator on the CTSRD project. I even get a mention!
- September 2012: Khilan Gudka and I have posted a workshop paper describing the Security-Oriented Analysis of Application Programs (SOAAP) at the Workshop on Adaptive Host and Network Security (AHANS 2012) in Lyon, France.
- August 2012: Brooks Davis (SRI) and I have committed support for BERI, an SRI/Cambridge-developed FPGA soft core CPU, to the FreeBSD Subversion repository; it will be included in FreeBSD 10.0. BERI is a platform for research into the hardware-software interface.
- April 2012: My PhD dissertation, New approaches to operating system security extensibility, is now available as a Computer Laboratory technical report. The dissertation makes a number of contributions in the area of operating system kernel access control extensibility, including exploring concurrency vulnerabilities in past reference monitor designs, developing the kernel reference monitor found in widely used systems such as FreeBSD, Mac OS X, iOS, Intel/McAfee firewalls, and Junos, and an extended version of our 2010 paper on Capsicum.
- March 2012: We have now posted a workshop paper describing our goals for the CHERI processor, which implements a hybrid capability model intended to support lightweight and highly scalable in-process sandboxing. This paper was presented at RESoLVE 2012 at ASPLOS in London, England.
I lead a number of research projects spanning the security, computer architecture, and network + operating system research groups at the Computer Laboratory, supported by DARPA and Google. A theme spanning many of my current research areas is the tension between program representation and security, with interests in revising the hardware-software interface, and whole-system implementation of security. Several of these projects are part of the DARPA-sponsored CTSRD Project in collaboration with Peter G. Neumann at the Computer Science Laboratory at SRI International. We also have a second joint DARPA project, MRC2, which is applying many of these ideas in a distributed setting.
I have additional research interests in the interplay between concurrency and security, operating system access control (especially as it relates to application compartmentalisation and capability systems), multi-threaded network stacks, and revisiting a variety of hardware-software interfaces in support of security, networking, and operating system design. Utilising and improving open source platforms for research plays a key role in technology transition for my work.
Capability hardware enhanced RISC instructions (CHERI)
The CHERI processor provides hardware-assisted in-process sandboxing based on a hybrid capability model. The goal is to support several orders of magnitude greater numbers of sandboxes than current ISAs support -- while still maintaining compatibility with current software designs.
Bluespec experimental RISC implementation (BERI)
The Bluespec experimental RISC implementation is a new platform for research into the hardware-software interface. Consisting of a 64-bit MIPS ISA FPGA soft core implemented in the Bluespec Hardware Description Language (HDL), a port of the FreeBSD operating system, Clang/LLVM, and a conventional BSD/Apache-licensed software stack, BERI is intended to let us explore a range of new experimental research directions spanning the historically disjoint hardware and software research communities. CHERI is the first such research project.
Temporally enhanced security logic assertions (TESLA)
Temporally enhanced security logic assertions (TESLA) provide compiler-generated run-time instrumentation to continuously validate complex (temporal) security properties, such as check-before-use, eventual audit, and network protocol state machines.
Security-oriented analysis of application programs (SOAAP)
The Security-oriented analysis of application programs (SOAAP) provides automated program analysis and transformation techniques to help software developers deploy application compartmentalisation on sandboxing frameworks such as Capsicum and CHERI.
Capsicum: practical capabilities for UNIX
In this work, we developed the notion of a hybrid capability model, blending ideas from research capability system security with commodity UNIX operating systems. Capsicum is intended to support application and library compartmentalisation through extensions to the POSIX API. A key concern in Capsicum is incremental adoption: we have a long-term vision for capability-oriented security, but wanted to provide a short-term technology adoption path addressing immediate security problems without introducing fundamental incompatibilities (an assumption in prior OS capability systems). Capsicum will appear in FreeBSD 9.0; patches are available for OpenBSD, and there is a work-in-progress port of Capsicum to Linux by Google.
Exploiting concurrency vulnerabilities in system call wrappers
Historically, a number of operating system vendors, researchers, and third-party security vendors (such as anti-virus vendors) have relied on system call interposition to augment the OS security model. In this work, I explored inherent concurrency vulnerabilities that exist in the model. We now teach this as an exercise to our Part II security students, who must exploit vulnerabilities in Systrace to deface a web site.
Operating system access control extensibility
The TrustedBSD Project brought features traditionally limited to "trusted" operating systems into open source, including mature security event auditing, extensible kernel access control in support of mandatory access control (MAC), and discretionary access control (DAC) extensions such as access control lists (ACLs). These features have been adopted by a number of vendors, including the FreeBSD Project, Apple's Mac OS X and iOS operating systems, Juniper's Junos, McAfee's Sidewinder firewall, and others. My February 2013 Communications of the ACM retrospective article (and the open-access, slightly extended ACM Queue version) covers this evolution in significant detail.
Research students and postdocs
I currently supervise three research students: Ilias Marinos, Matthew Grosvenor, and Bjoern Zeeb. Several other research students are closely involved in my research projects, including Alan Mujumdar, Robert Norton, and Jonathan Woodruff in the Computer Architecture group. Jonathan Anderson, David Chisnall, Khilan Gudka, Steven Murdoch, and Michael Roe are post-doctoral researchers contributing to my various research projects.
Technology transition plays a central role in my research, and I take a particular interest in the transition of research through open source systems. I have worked closely with a number of companies, including Apple and Juniper Networks, as they have adopted open source systems: helping them engage with the open source community, improving open source software to better meet their needs, and helping them upstream improvements to the open source community. Recent projects have included open source adaptations of Apple's Grand Central Dispatch, collaborative development of the OpenBSM operating system audit framework between Apple and the FreeBSD Project, and work on highly scalable multi-core TCP processing with Juniper. Slightly longer ago, I worked with several companies, including Apple and nCircle, to help them use and extend the TrustedBSD MAC Framework, a kernel reference monitor now used as the foundation for access control in Mac OS X, iOS, Junos, McAfee's Sidewinder firewall, nCircle's IP360 appliance, and many other products.
Prior to coming to Cambridge, I worked for a series of industrial research labs in the US, including SPARTA ISSO, Trusted Information Systems - Advanced Research and Engineering, and McAfee Research. While there I led a number of network and operating system security research projects for government and industrial sponsors, including DARPA, the US Navy, Apple Computer, and others.
I offer consulting services to companies in the areas of open source integration for products, network stack performance, and operating system audit and access control. A list of past customers and projects is available on request; please contact me directly with any queries.
FreeBSD Project and Foundation
In addition to my academic work, I'm on the board of directors of the FreeBSD Foundation, a US-based non-profit foundation supporting the open source FreeBSD Project. I'm an active contributor to the project, working in the areas of multiprocessor-centric network stacks, operating system security audit, and mandatory access control. I was a member of the FreeBSD Project's elected Core Team for 12 years, and I'm also involved in the project's security officer and release engineering teams.
Robert N. M. Watson, Steven J. Murdoch, Khilan Gudka, Jonathan Anderson, Peter G. Neumann, and Ben Laurie. Towards a theory of application compartmentalisation. Security Protocols Workshop, March, 2013.
William R. Harris (University of Wisconsin, Madison), Somesh Jha (University of Wisconsin, Madison), Thomas Reps (University of Wisconsin, Madison), Jonathan Anderson (University of Cambridge), and Robert N. M. Watson (University of Cambridge). Declarative, Temporal, and Practical Programming with Capabilities, IEEE Symposium on Security and Privacy ("Oakland"), May, 2013.
Robert N. M. Watson. A decade of OS access-control extensibility. Communications of the ACM 56(2), February 2013.
Robert N. M. Watson. A decade of OS access-control extensibility. ACM Queue 11(1), January 2013. (Open access, extended version of CACM article.)
Khilan Gudka, Robert N. M. Watson, Steven Hand, Ben Laurie, and Anil Madhavapeddy. Exploring compartmentalisation hypotheses with SOAAP. Workshop paper, Adaptive Host and Network Security (AHANS 2012), September, 2012.
Robert N. M. Watson. New approaches to operating system security extensibility. Technical report UCAM-CL-TR-818, University of Cambridge, Computer Laboratory, April 2012.
Jonathan Anderson and Robert N. M. Watson. Stayin' Alive: Aliveness as an alternative to authentication. In proceedings of the Twentieth International Workshop on Security Protocols (SPW), April 2012.
Robert N. M. Watson, Peter G. Neumann, Jonathan Woodruff, Jonathan Anderson, Ross Anderson, Nirav Dave, Ben Laurie, Simon W. Moore, Steven J. Murdoch, Philip Paeps, Michael Roe, and Hassen Saidi. CHERI: a research platform deconflating hardware virtualization and protection. Workshop paper, Runtime Environments, Systems, Layering and Virtualized Environments (RESoLVE 2012), March, 2012.
Steven Smith, Anil Madhavapeddy, Christopher Smowton, Malte Schwarzkopf, Richard Mortier, Robert N. M. Watson, and Steven Hand. The Case for Reconfigurable I/O Channels. Workshop paper, Runtime Environments, Systems, Layering and Virtualized Environments (RESoLVE 2012), March, 2012.
Robert N. M. Watson, Jonathan Anderson, Ben Laurie, and Kris Kennaway. A taste of Capsicum: practical capabilities for UNIX. In Communications of the ACM 55(3), pp. 97-104, March 2012.
Jonathan Anderson, Frank Stajano, and Robert N. M. Watson. How to keep bad papers out of conferences (with minimum reviewer effort). Proceedings of the Nineteenth International Workshop on Security Protocols, March 2011.
Peter G. Neumann and Robert N. M. Watson. Capabilities Revisited: A Holistic Approach to Bottom-to-Top Assurance of Trustworthy Systems. Proceedings of the Fourth Annual Layered Assurance Workshop, Austin, Texas, December 2010.
Laurel D. Riek and Robert N. M. Watson. The Age of Avatar Realism: When seeing shouldn't be believing. IEEE Robotics and Automation (2010). Vol. 17, Issue 4, pp. 37-42.
Robert N. M. Watson, Jonathan Anderson, Ben Laurie, and Kris Kennaway. Capsicum: practical capabilities for UNIX. In Proceedings, 19th USENIX Security Symposium 2010, Washington, DC.
Steven J. Murdoch and Robert N. M. Watson. Metrics for security and performance in low-latency anonymity systems. In Proceedings, Privacy Enhancing Technologies Symposium 2008, Leuven, Belgium.
Richard Clayton, Steven J. Murdoch, Robert N. M. Watson. Ignoring the Great Firewall of China. A Journal of Law and Policy for the Information Society, Volume 3, Issue 2, Fall 2007.
Robert N. M. Watson. Exploiting Concurrency Vulnerabilities in System Call Wrappers. In Proceedings, WOOT'07 - First USENIX Workshop on Offensive Technologies, Boston, Massachusetts, USA.
Robert N. M. Watson. How the FreeBSD Project Works. In Proceedings, 2006 EuroBSDCon, Milan, Italy.
Richard Clayton, Steven J. Murdoch, and Robert N. M. Watson. Ignoring the Great Firewall of China. In Proceedings, Privacy Enhancing Technologies Workshop 2006, Cambridge, UK.
Robert N. M. Watson and Wayne Salamon. TrustedBSD OpenBSM: Open Source Security Audit Framework. In Proceedings, 2006 UKUUG Spring Conference, Durham, UK.
Robert N. M. Watson. Introduction to Multithreading and Multiprocessing in the FreeBSD SMPng Network Stack. In Proceedings, 2005 EuroBSDCon, Basel, Switzerland.
Poul-Henning Kamp, Robert N. M. Watson. Building Systems to be Shared, Securely. ACM Queue, July/August 2004.
Robert N. M. Watson, Brian Feldman, Adam Migus, and Chris Vance. The TrustedBSD MAC Framework: Extensible Kernel Access Control for FreeBSD 5.0. In Proceedings, 2003 USENIX Annual Technical Conference, FREENIX Track.
Robert N. M. Watson, Brian Feldman, Adam Migus, and Chris Vance. Design and Implementation of the TrustedBSD MAC Framework. 2003 DARPA Information Security Conference and Exposition (DISCEX III). IEEE.
Sandra L. Murphy, Edward T. Lewis, Robert N. M. Watson. Secure Active Network Prototypes. In Proceedings, 2002 DARPA Active Network Conference and Exposition (DANCE'02). IEEE.
Robert N. M. Watson. TrustedBSD: Adding Trusted Operating System Features to FreeBSD. In Proceedings, 2001 USENIX Annual Technical Conference, FREENIX Track.
Sandra Murphy, et al. Strong Security for Active Networks. In Proceedings, OpenArch 2001.
Robert N. M. Watson. Statement for SACMAT 2001 Panel. ACM Workshop on Role Based Access Control. In proceedings of the Sixth ACM Symposium on Access Control Models and Technologies, 2001.
Poul-Henning Kamp and Robert N. M. Watson. Jails: Confining the Omnipotent Root. In Proceedings, SANE 2000 Conference. NLUUG, 2000.
Robert N. M. Watson. Introducing Supporting Infrastructure for Trusted Operating System Support in FreeBSD. In BSDCon 2000 Conference Proceedings. BSDi, 2000.