Computer Laboratory

Robert N. M. Watson

University of Cambridge
William Gates Building
15 JJ Thomson Avenue
Cambridge CB3 1FD
United Kingdom
  Office: GE-13, William Gates Building
Voice: +44 (0)1223 763 569
Fax: +44 (0)1223 334 678
E-mail: robert.watson AT cl.cam.ac.uk

I am a University Lecturer in Systems, Security, and Architecture in the Security Research Group at the University of Cambridge Computer Laboratory. I lead a number of cross-layer research projects spanning computer architecture, compilers, program analysis, program transformation, operating systems, networking, and security. Current projects include CTSRD, a project in collaboration with SRI International looking at clean-slate hardware and software designs for security. This includes the BERI and CHERI processor designs, and SOAAP and TESLA, software analysis and transformation systems based on LLVM. I also have active research projects in network-stack performance, tracing, and switching. Recent completed projects include the Capsicum hybrid capability system, system-call interposition concurrency problems, and the TrustedBSD MAC Framework, a widely deployed OS access-control extensibility framework (now found in FreeBSD, Mac OS X, Apple iOS, Junos, and other products). I have strong interests in open-source software, am on the board of directors of the FreeBSD Foundation, and have contributed extensively to the FreeBSD Project.

I completed two and a half years of post-doctoral research at the Computer Laboratory, and a Research Fellowship at St John's College, Cambridge in May, 2013. I finished my PhD in Computer Science at the Computer Laboratory in 2010, supervised by Professor Ross Anderson. Prior to that, I worked for six years in a series of industry research labs investigating operating systems, networking, and security; my contributions included widely used work in operating system security extensibility, the topic of my later PhD dissertation. My undergraduate degree is in Logic and Computation, with a double major in Computer Science at Carnegie Mellon University.

Recent news

March, 2014

We are pleased to announce that the CTSRD Project has had two papers on recent work accepted: one on CHERI's memory protection model, which will appear at ISCA 2014 in June; a second on TESLA that will appear at EuroSys 2014 in March. Papers will appear online as the conferences arise; citations can be found below

October, 2013

David Drysdale (Google) has announced port of Capsicum to Linux with the intent of upstreaming to the Linux kernel. This follows on news of a port to DragonFlyBSD sponsored by Google Summoer of Code. We are also eagerly awaiting news of the release of FreeBSD 10.0, which includes Capsicum enabled by default, a nice tidy up to the Capsicum API by Pawel Jakub Dawidek under contract to the FreeBSD Foundation (jointly sponsored by Google), and a moderate number of interesting base-system applications using Capsicum by default, including tcpdump, ktrace, hastd, and auditdistd. An exciting Autumn for Capsicum!

Ilias Marinos, Mark Handley (UCL), and I will present a paper at HotNets-XII arguing that network-stack specialisation is required in order to fully utilise current hardware. We demonstrate a clean-slate network stack (based on Luigi Rizzo's Netmap framework in FreeBSD) able to server web content at 3.5x the performance of FreeBSD and Linux using nginx, saturating six 10gbps NICs on a modestly configured contemporary server system.

May 2013

I have been appointed a University Lecturer in Systems, Security, and Architecture at the University of Cambridge Computer Laboratory effective 1 June 2013. This wraps up my post-doctoral positions at the lab and also my Research Fellowship at St John's College, Cambridge.

The May 2013 issue of Communications of the ACM carries an ACM Member News section on my research into the hardware-software interface, and in particular, the research team we have been building around the CTSRD Project joint with SRI International.

March 2013
Bill Harris, Somesh Jha, and Tom Reps at the University of Wisconsin, Madison, with support from Jon Anderson and myself at Cambridge, have published a paper at Oakland (IEEE Symposium on Security and Privacy) on using program annotations to drive capability-driven compartmentalisation of application programs. The intellectual foundations for this work are grounded in Bill's work on automata representations of compartmentalised application programs; Jon and I were very pleased to be able to contribute through our work on Capsicum.
January 2013

ACM has now posted the Communications of the ACM and ACM Queue (open access, slightly extended) versions of my article A decade of OS access-control extensibility. This is a retrospective piece exploring how the FreeBSD MAC Framework has been used to support a variety of access control models in products ranging from FreeBSD, to Juniper Junos, to Mac OS X and the iPhone. My thanks go out to countless contributors to the framework over the last decade, as well as numerous reviewers of the article who have assisted in characterising access control use across a large range of downstream products.

December 2012

IEEE Spectrum has posted a Techwise Conversations Podcast in which I opine on the clean-slate argument for operating systems and computer architecture in the context of computer security.

November 2012

The RESoLVE 2013 web site and CFP are now online; RESoLVE is an exciting workshop looking at virtualisation, programming language runtimes, and program transformation. We presented our first technical paper on the CHERI processor at RESoLVE 2012.

October 2012

ACM Queue has posted a video interview on the topic of my research into the hardware-software interface, as well as the SRI and Cambridge CHERI processor.

The New York Times is carrying a great article on Dr Peter Neumann, my collaborator on the CTSRD project. I even get a mention!

September 2012
Khilan Gudka and I have posted a workshop paper describing the Security-Oriented Analysis of Application Programs (SOAAP) at the Workshop on Adaptive Host and Network Security (AHANS 2012) in Lyon, France.
August 2012
Brooks Davis (SRI) and I have committed support for BERI, an SRI/Cambridge-developed FPGA soft core CPU, to the FreeBSD Subversion repository, which will be included in FreeBSD 10.0. BERI is a platform for research into the hardware-software interface.

Research interests

I lead a number of research projects spanning the security, computer architecture, and network + operating system research groups at the Computer Laboratory, supported by DARPA and Google. A theme spanning many of my current research areas is the tension between program representation and security, with interests in revising the hardware-software interface, and whole-system implementation of security. Several of these projects are part of the DARPA-sponsored CTSRD Project in collaboration with Peter G. Neumann at the Computer Science Laboratory at SRI International. We also have a second joint DARPA project, MRC2, which is applying many of these ideas in a distributed setting.

I have additional research interests in the interplay between concurrency and security, operating system access control (especially as relates to software pplication compartmentalisation and capability systems), multi-threaded network stacks, and revisiting a variety of hardware-software interfaces in support of security, networking, and operating system design. Utilising and improving open source platforms for research plays a key role in technology transition for my work.

Capability hardware enhanced RISC instructions (CHERI)

The CHERI processor provides hardware-assisted in-process sandboxing based on a hybrid capability model. The goal is to support several orders of magnitude greater numbers of sandboxes than current ISAs support -- while still maintaining compatibility with current software designs.

Bluespec experimental RISC implementation (BERI)

The Bluespec experimental RISC implementation is a new platform for research into the hardware-software interface. Consisting of a 64-bit MIPS ISA FPGA soft core implemented in the Bluespec Hardware Description Language (HDL), a port of the FreeBSD operating system, Clang/LLVM, and a conventional BSD/Apache-licensed software stack, we hope to use BERI to explore a range of new experimental research directions spanning the historically disjoint hardware and software research communities. CHERI is the first search research project.

Temporally enhanced security logic assertions (TESLA)

Temporally enforced security logic assertions (TESLA) provide compiler-generated run-time instrumentation continuously to continuously validate complex (temporal) security properties, such as check-before-use, eventual audit, and network protocol state machines.

Security-oriented analysis of application programs (SOAAP)

The Security-oriented analysis of application programs (SOAAP) provides automated program analysis and transformation technqiues to help software developers deploy application compartmentalisation on sandboxing frameworks such as Capsicum and CHERI.

Capsicum: practical capabilities for UNIX

Capsicum: practical capabilities for UNIX: In this work, we developed the notion of a hybrid capability model, blending ideas from research capability system security with commodity UNIX operating systems. Capsicum is intended to support application and library compartmentalisation through extensions to the POSIX API. A key concern in Capsicum is incremental adoption --- we have a long-term vision for capability-oriented security, but wanted to provide a short-term technology adoption path addressing immediate security problems without introducing fundamental incompatibilities (an assumption in prior OS capability systems). Capsicum will appear in FreeBSD 9.0; patches are available for OpenBSD, and there is a work-in-progress port of Capsicum to Linux by Google.


Exploiting concurrency vulnerabilities in system call wrappers

Exploiting concurrency vulnerabilities in system call wrappers: historically, a number of operating system vendors, researchers, and third-party security vendors (such as anti-virus vendors) have relied on system call interposition to augment the OS security model. In this work, I explored inherent concurrency vulnerabilities that exist in the model. We now teach this as an exercise to our Part II security students, who must exploit vulnerabilities in Systrace to deface a web site.

Operating system access control extensibility (MAC Framework)

The TrustedBSD Project: brought features traditionally limited to "trusted" operating systems into open source, including mature security event auditing, extensible kernel access control in support of mandatory access control access control (MAC), and discretionary access control (DAC) extensions such as access control lists (ACLs). These features have been adopted by a number of vendors including the FreeBSD Project, in Apple's Mac OS X and iOS operating systems, Juniper's JunOS, McAfee's Sidewinder firewall, and others. My February 2013 Communications of the ACM retrospective article (and open-access, slightly extended ACM Queue version) cover this evolution in significant detail.

Teaching

During the 2013-2014 academic year, I am lecturing Part I.B Concurrent and Distributed Systems, and co-teach our masters-level courses in the Principles and Foundations of Computer Security and Current Applications and Research in Computer Security

During the 2012-2013 academic year, I lectured Part I.B Concurrent and Distributed Systems, and co-taught our masters-level courses in the Principles and Foundations of Computer Security and Current Applications and Research in Computer Security.

Research students and postdocs

I currently supervise three research students: Ilias Marinos, Matthew Grosvenor, and Bjoern Zeeb. Several other research students are closely involved in my research projects, including Alan Mujumdar, Robert Norton, and Jonathan Woodruff in the Computer Architecture group. Jonathan Anderson, David Chisnall, Khilan Gudka, Steven Murdoch, and Michael Roe are post-doctoral researchers contributing to my various research projects.

If you are interested in applying to Cambridge for a research-oriented MPhil or PhD in one of my research areas -- including computer security, operating systems, and computer architecture -- please free to get in touch regarding your research topic of interest. More information on the two programmes, including application requirements and information on initial research proposals, can be found on the MPhil in Advanced Computer Science and PhD in Computer Science pages at the Computer Laboratory.

Industry

Technology transition plays a central role in my research, and I take a particular interest in transition of research through open source systems. I have worked closely with a number of companies, including Apple and Juniper Networks as they have adopted open source systems to both help them engage with the open source community, improved open source software to better meet their needs, and helped them upstream improvements to the open source community. Recent projects have included open source adaptations of Apple's Grand Central Dispatch, collaborative development of the OpenBSM operating system audit framework between Apple and the FreeBSD Project, and work on highly scalable multi-core TCP processing with Juniper. Slightly longer ago, I worked with several companies including Apple and nCircle to help them use and extend the TrustedBSD MAC Framework, a kernel reference monitor now used as the foundation for access control in Mac OS X, iOS, Junos, McAfee's Sidewinder firewall, nCircle's IP360 appliance, and many other products.

Prior to coming to Cambridge, I worked for a series of industrial research labs in the US, including SPARTA ISSO, Trusted Information Systems - Advanced Research and Engineering, and McAfee Research. While there I led a number of network and operating system security research projects for government and industrial sponsors, including DARPA, the US Navy, Apple Computer, and others.

I offer consulting services to companies in the areas of open source integration for products, network stack performance, and operating system audit and access control. A list of past customers and projects is available on request; please contact me directly with any queries.

FreeBSD Project and Foundation

In addition to my academic work, I'm on the board of directors of the FreeBSD Foundation, a US-based non-profit foundation supporting the open source FreeBSD Project. I'm an active contributor to the project, working in the areas of multiprocessor-centric network stacks, operating system security audit, and mandatory access control. I was a member of the FreeBSD Project's elected Core Team for 12 years, and continue to serve as a member of the board of directors of the non-profit FreeBSD Foundation supporting the project. I'm also involved in the project's security officer and release engineering teams.


Publications

Jonathan Woodruff, Robert N. M. Watson, David Chisnall, Simon W. Moore, Jonathan Anderson, Brooks Davis, Ben Laurie, Peter G. Neumann, Robert Norton, and Michael Roe. The CHERI capability model: Revisiting RISC in an age of risk, Proceedings of the 41st International Symposium on Computer Architecture (ISCA 2014), June 14–16, 2014, Minneapolis, MN, USA.

Jonathan Anderson, Robert N. M. Watson, David Chisnall, Khilan Gudka, and Brooks Davis. TESLA: Temporally Enhanced System Logic Assertions, Proceedings of The 2014 European Conference on Computer Systems (EuroSys 2014), April 14–16 2014, Amsterdam, The Netherlands.

Brooks Davis, Robert Norton, Jonathan Woodruff, and Robert N. M. Watson. How FreeBSD Boots: a soft-core MIPS perspective, Proceedings of AsiaBSDCon 2014, 13–16 March, 2014, Tokyo, Japan.

A Theodore Markettos, Jonathan Woodruff, Robert N. M. Watson, Bjoern A. Zeeb, Brooks Davis, Simon W Moore. The BERIpad tablet: open-source construction, CPU, OS and applications, Proceedings of 2013 FPGA Workshop and Design Contest, November 1st–3rd, Southeast University, Nanjing, China.

Ilias Marinos, Robert N. M. Watson, and Mark Handley. Network stack specialisation for performance. Twelfth ACM Workshop on Hot Topics in Networks (HotNets-XII), November, 2013.

William R. Harris (University of Wisconsin, Madison), Somesh Jha (University of Wisconsin, Madison), Thomas Reps (University of Wisconsin, Madison), Jonathan Anderson (University of Cambridge), and Robert N. M. Watson (University of Cambridge). Declarative, Temporal, and Practical Programming with Capabilities, IEEE Symposium on Security and Privacy ("Oakland"), May, 2013.

Robert N. M. Watson, Steven J. Murdoch, Khilan Gudka, Jonathan Anderson, Peter G. Neumann, and Ben Laurie. Towards a theory of application compartmentalisation. Security Protocols Workshop, March, 2013.

Robert N. M. Watson. A decade of OS access-control extensibility. Communications of the ACM 56(2), February 2013.

Robert N. M. Watson. A decade of OS access-control extensibility. ACM Queue 11(1), January 2013. (Open access, extended version of CACM article.)

Khilan Gudka, Robert N. M. Watson, Steven Hand, Ben Laurie, and Anil Madhavapeddy. Exploring compartmentalisation hypotheses with SOAAP. Workshop paper, Adaptive Host and Network Security (AHANS 2012), September, 2012.

Robert N. M. Watson. New approaches to operating system security extensibility. Technical report UCAM-CL-TR-818, University of Cambridge, Computer Laboratory, April 2012.

Jonathan Anderson and Robert N. M. Watson. Stayin' Alive: Aliveness as an alternative to authentication. In proceedings of the Twentieth International Workshop on Security Protocols (SPW), April 2012.

Robert N. M. Watson, Peter G. Neumann, Jonathan Woodruff, Jonathan Anderson, Ross Anderson, Nirav Dave, Ben Laurie, Simon W. Moore, Steven J. Murdoch, Philip Paeps, Michael Roe, and Hassen Saidi. CHERI: a research platform deconflating hardware virtualization and protection. Workshop paper, Runtime Environments, Systems, Layering and Virtualized Environments (RESoLVE 2012), March, 2012.

Steven Smith, Anil Madhavapeddy, Christopher Smowton, Malte Schwarzkopf, Richard Mortier, Robert N.M. Watson, and Steven Hand. The Case for Reconfigurable I/O Channels. Workshop paper, Runtime Environments, Systems, Layering and Virtualized Environments (RESoLVE 2012), March, 2012.

Robert N. M. Watson, Jonathan Anderson, Ben Laurie, and Kris Kennaway. A taste of Capsicum: practical capabilities for UNIX. In Communications of the ACM 55(3), pp. 97-104, March 2012.

Jonathan Anderson, Frank Stajano, and Robert Watson. How to keep bad papers out of conferences (with minimum reviewer effort). Proceedings of the Nineteenth International Workshop on Security Protocols, March 2011

Peter G. Neumann and Robert N. M. Watson. Capabilities Revisited: A Holistic Approach to Bottom-to-Top Assurance of Trustworthy Systems. Proceedings of the Fourth Annual Layered Assurance Workshop, Austin, Texas, December 2010.

Laurel D. Riek and Robert N.M. Watson. The Age of Avatar Realism: When seeing shouldn't be believing. IEEE Robotics and Automation (2010). Vol. 17, Issue 4, pp 37-42.

Robert N. M. Watson, Jonathan Anderson, Ben Laurie, Kris Kennaway. Capsicum: practical capabilities for UNIX. In Proceedings, 19th USENIX Security Symposium 2010, Washington, DC.

Steven J. Murdoch and Robert N. M. Watson. Metrics for security and performance in low-latency anonymity systems. In Proceedings, Privacy Enhancing Technologies Symposium 2008, Leuven, Belgium.

Richard Clayton, Steven J. Murdoch, Robert N. M. Watson. Ignoring the Great Firewall of China. A Journal of Law and Policy for the Information Society, Volume 3, Issue 2, Fall 2007.

Robert N. M. Watson. Exploiting Concurrency Vulnerabilities in System Call Wrappers. In Proceedings, WOOT'07 - First USENIX Workshoop on Offensive Technologies, Boston, Massachussetts, USA.

Robert N. M. Watson. How the FreeBSD Project Works. In Proceedings, 2006 EuroBSDCon, Milan, Italy.

Richard Clayton, Steven J. Murdoch, and Robert N. M. Watson. Ignoring the Great Firewall of China. In Proceedings, Privacy Enhancing Technologies Workshop 2006, Cambridge, UK.

Robert N. M. Watson and Wayne Salamon. TrustedBSD OpenBSM: Open Source Security Audit Framework. In Proceedings, 2006 UKUUG Spring Conference, Durham, UK.

Robert N. M. Watson. Introduction to Multithreading and Multiprocessing in the FreeBSD SMPng Network Stack. In Proceedings, 2005 EuroBSDCon, Basel, Switzerland.

Poul-Henning Kamp, Robert N. M. Watson. Building Systems to be Shared, Securely. ACM Queue, July/August 2004.

Robert N. M. Watson, Brian Feldman, Adam Migus, and Chris Vance.The TrustedBSD MAC Framework: Extensible Kernel Access Control for FreeBSD 5.0. In Proceedings, 2003 USENIX Annual Technical Conference, FREENIX Track.

Robert N. M. Watson, Brian Feldman, Adam Migus, and Chris Vance. Design and Implementation of the TrustedBSD MAC Framework. 2003 DARPA Information Security Conference and Exposition (DISCEX III). IEEE.

Sandra L. Murphy, Edward T. Lewis, Robert N. M. Watson. Secure Active Network Prototypes. In Proceedings, 2002 DARPA Active Network Conference and Exposition (DANCE'02). IEEE.

Robert N. M. Watson, TrustedBSD: Adding Trusted Operating System Features to FreeBSD. In Proceedings, 2001 USENIX Annual Technical Conference, FREENIX Track.

Sandra Murphy, et al. Strong Security for Active Networks. In Proceedings, OpenArch 2001.

Robert N. M. Watson. Statement for SACMAT 2001 Panel. ACM Workshop on Role Based Access Control. In proceedings of the Sixth ACM Symposium on Access Control Models and Technologies, 2001.

Poul-Henning Kamp and Robert N. M. Watson. Jails: Confining the Omnipotent Root. In Proceedings, SANE 2000 Conference. NLUUG, 2000.

Robert N. M. Watson. Introducing Supporting Infrastructure for Trusted Operating System Support in FreeBSD. In BSDCon 2000 Conference Proceedings. BSDi, 2000.