David Chisnall

Photo by Will Harwood

Address University of Cambridge
William Gates Building
15 JJ Thomson Avenue
Cambridge CB3 1FD
United Kingdom
Office: GE10, William Gates Building
Telephone: +44 (0)1223 763 776
Fax: +44 (0)1223 334 678
E-mail: David.Chisnall AT cl.cam.ac.uk

I am a Principal Researcher in the Confidential Computing Group at Microsoft Research Cambridge, where I work at the intersection of computer architecture, operating systems, programming language design, and security. I am also a Visiting Researcher in the Computer Lab.

Research Interests

  • Cross-language interoperability
  • Hardware / language co-design
  • Safety in unsafe languages

Former teaching responsibilities

Open source

Recent Publications

A full list is available on the publications page.

  1. Saar Amar, Tony Chen, David Chisnall, Felix Domke, Nathaniel Filardo, Kunyan Liu, Robert Norton-Wright, Yucong Tao, Robert N. M. Watson and Hongyan Xia. CHERIoT: Rethinking security for low-cost embedded systems. Microsoft, 2023. [pdf]
      author = {Amar, Saar and Chen, Tony and Chisnall, David and Domke, Felix and Filardo, Nathaniel and Liu, Kunyan and Norton-Wright, Robert and Tao, Yucong and N. M. Watson, Robert and Xia, Hongyan},
      title = {CHERIoT: Rethinking security for low-cost embedded systems},
      institution = {Microsoft},
      year = {2023},
      month = feb,
      url = {https://www.microsoft.com/en-us/research/uploads/prod/2023/02/cheriot-63e11a4f1e629.pdf},
      number = {MSR-TR-2023-6}

    Abstract: Small embedded cores have little area to spare for security features and yet must often run code written in unsafe languages and, increasingly, are exposed to the hostile Internet. CHERIoT  (Capability Hardware Extension to RISC-V for Internet of Things) builds on top of CHERI and RISC-V to provide an ISA and software model that lets software depend on object-granularity spatial memory safety, deterministic use-after-free protection, and lightweight compartmentalization exposed directly to the C/C++ language model. This can run existing embedded software components on a clean-slate RTOS that scales up to large numbers of isolated (yet securely communicating) compartments, even on systems with under 256 KiB of SRAM.

  2. Kapil Vaswani, Stavros Volos, Cédric Fournet, Antonio Nino Diaz, Ken Gordon, Balaji Vembu, Sam Webster, David Chisnall, Saurabh Kulkarni, Graham Cunningham, Richard Osborne and Dan Wilkinson. Confidential Computing within an AI Accelerator. 2023 USENIX Annual Technical Conference, (2023). [pdf]
      author = {Vaswani, Kapil and Volos, Stavros and Fournet, Cédric and Nino Diaz, Antonio and Gordon, Ken and Vembu, Balaji and Webster, Sam and Chisnall, David and Kulkarni, Saurabh and Cunningham, Graham and Osborne, Richard and Wilkinson, Dan},
      title = {Confidential Computing within an AI Accelerator},
      booktitle = {2023 USENIX Annual Technical Conference},
      year = {2023},
      month = jul,
      url = {https://www.microsoft.com/en-us/research/uploads/prod/2023/05/confidential-ml-within-ipus-arxiv.pdf}

    Abstract: We present AITX, a set of hardware extensions that enable trusted execution environments on a commodity custom AI accelerator. AITX enables the execution of AI workloads with strong confidentiality and integrity guarantees at low performance overheads. AITX isolates workloads from untrusted hosts, and ensures their data/models remain encrypted at all times except within the accelerator’s chip. AITX includes a hardware root-of-trust that provides attestation capabilities and orchestrates trusted execution, and on-chip programmable cryptographic engines for authenticated encryption of code/data at PCIe bandwidth. We also present software for AITX in the form of compiler and runtime extensions that support multi-party training without requiring a CPU-based TEE.

    We included experimental support for AITX in an AI accelerator taped out at TSMC’s 7nm node. Its evaluation on a development board using standard DNN training workloads suggests that AITX adds < 5% performance overhead, and delivers up to 17x better performance compared to CPU-based confidential computing systems based on AMD SEV-SNP.

  3. Hugo Lefeuvre, David Chisnall, Marios Kogias and Pierre Olivier. Towards (Really) Safe and Fast Confidential I/O. HotOS XIX, (2023).
      title = {Towards (Really) Safe and Fast Confidential I/O},
      author = {Lefeuvre, Hugo and Chisnall, David and Kogias, Marios and Olivier, Pierre},
      booktitle = {HotOS XIX},
      year = {2023},
      month = jun

    Abstract: Confidential cloud computing enables cloud tenants to distrust their service provider. Achieving confidential computing solutions that provide concrete security guarantees requires not only strong mechanisms, but also carefully designed interfaces. In this paper, we make the observation that confidential I/O interfaces, caught in the tug-of-war between performance and security, fail to address both at a time when confronted to interface vulnerabilities and observability. We expose the problem of safe I/O interfaces in confidential computing, its implications and challenges, and devise research paths to achieve confidential I/O interfaces that are both safe and fast.

  4. Hongyan Xia, David Zhang, Wei Liu, Istvan Haller, Bruce Sherwin and David Chisnall. A Secret-Free Hypervisor: Rethinking Isolation in the Age of Speculative Vulnerabilities. 2022 IEEE Symposium on Security and Privacy, IEEE Computer Society (2022), 1544–1544. [pdf]
      author = {Xia, Hongyan and Zhang, David and Liu, Wei and Haller, Istvan and Sherwin, Bruce and Chisnall, David},
      title = {A Secret-Free Hypervisor: Rethinking Isolation in the Age of Speculative Vulnerabilities},
      booktitle = {2022 IEEE Symposium on Security and Privacy},
      year = {2022},
      month = may,
      publisher = {IEEE Computer Society},
      url = {https://www.microsoft.com/en-us/research/uploads/prod/2022/07/sf-hypervisor.pdf},
      pages = {1544-1544}

    Abstract: In recent years, the epidemic of speculative side channels significantly increases the difficulty in enforcing domain isolation boundaries in a virtualized cloud environment. Although mitigations exist, the approach taken by the industry is neither a long-term nor a scalable solution, as we target each vulnerability with specific mitigations that add up to substantial performance penalties. We propose a different approach to secret isolation: guaranteeing that the hypervisor is Secret-Free (SF).

    A Secret-Free design partitions memory into secrets and non-secrets and reconstructs hypervisor isolation. It enforces that all domains have a minimal and secret-free view of the address space. In contrast to state-of-the-art, a Secret-Free hypervisor does not identify secrets to be hidden, but instead identifies non-secrets that can be shared, and only grants access necessary for the current operation, an allow-list approach. SF designs function with existing hardware and do not exhibit noticeable performance penalties in production workloads versus the unmitigated baseline, and outperform state-of-the-art techniques by allowing speculative execution where secrets are invisible. We implement SF in Xen (a Type-I hypervisor) to demonstrate that the design applies well to a commercial hypervisor. Evaluation shows performance comparable to baseline and up to 37% improvement in certain hypervisor paths compared with Xen default mitigations.

    Further, we demonstrate Secret-Free is a generic kernel isolation infrastructure for a variety of systems, not limited to Type-I hypervisors. We apply the same model in Hyper-V (Type-I), bhyve (Type-II) and FreeBSD (UNIX kernel) to evaluate its applicability and effectiveness. The successful implementations on these systems prove the generality of SF, and reveal the specific adaptations and optimizations required for each type of kernel.

  5. Mark Russinovich, Manuel Costa, Cédric Fournet, David Chisnall, Antoine Delignat-Lavaud, Sylvan Clebsch, Kapil Vaswani and Vikas Bhatia. Toward Confidential Cloud Computing: Extending Hardware-Enforced Cryptographic Protection to Data While in Use. Queue 19, 1 (2021), 49–76. [doi]
      author = {Russinovich, Mark and Costa, Manuel and Fournet, C\'{e}dric and Chisnall, David and Delignat-Lavaud, Antoine and Clebsch, Sylvan and Vaswani, Kapil and Bhatia, Vikas},
      title = {Toward Confidential Cloud Computing: Extending Hardware-Enforced Cryptographic Protection to Data While in Use},
      year = {2021},
      issue_date = {January-February 2021},
      publisher = {Association for Computing Machinery},
      address = {New York, NY, USA},
      volume = {19},
      number = {1},
      issn = {1542-7730},
      url = {https://doi.org/10.1145/3454122.3456125},
      doi = {10.1145/3454122.3456125},
      journal = {Queue},
      month = mar,
      pages = {49–76},
      numpages = {28}

    Abstract: Although largely driven by economies of scale, the development of the modern cloud also enables increased security. Large data centers provide aggregate availability, reliability, and security assurances. The operational cost of ensuring that operating systems, databases, and other services have secure configurations can be amortized among all tenants, allowing the cloud provider to employ experts who are responsible for security; this is often unfeasible for smaller businesses, where the role of systems administrator is often conflated with many others.