Robert N. M. Watson
|University of Cambridge
William Gates Building
15 JJ Thomson Avenue
Cambridge CB3 0FD
|Office: GE-13, William Gates Building
Voice: +44 (0)1223 763 569
Fax: +44 (0)1223 334 678
E-mail: robert.watson AT cl.cam.ac.uk
I am a University Lecturer in Systems, Security, and Architecture at the University of Cambridge Computer Laboratory. I am involved in several research groups at the lab, including Security, Networks and Operating Systems, and Computer Architecture. I lead a number of cross-layer research projects spanning computer architecture, compilers, program analysis, program transformation, operating systems, networking, and security. Current projects include CTSRD, a project in collaboration with SRI International looking at clean-slate hardware and software designs for security. This includes the BERI and CHERI processor designs, and SOAAP and TESLA, software analysis and transformation systems based on LLVM. I also have active research projects in network-stack performance, tracing, and switching. Recent completed projects include the Capsicum hybrid capability system, system-call interposition concurrency problems, and the TrustedBSD MAC Framework, a widely deployed OS access-control extensibility framework (now found in FreeBSD, Mac OS X, Apple iOS, Junos, and other products). I have strong interests in open-source software, am on the board of directors of the FreeBSD Foundation, and have contributed extensively to the FreeBSD Project.
I completed two and a half years of post-doctoral research at the Computer Laboratory, and a Research Fellowship at St John's College, Cambridge in May, 2013. I finished my PhD in Computer Science at the Computer Laboratory in 2010, supervised by Professor Ross Anderson. Prior to that, I worked for six years in a series of industry research labs investigating operating systems, networking, and security; my contributions included widely used work in operating system security extensibility, the topic of my later PhD dissertation. My undergraduate degree is in Logic and Computation, with a double major in Computer Science at Carnegie Mellon University.
- August, 2015
I am pleased to announce that Khilan Gudka's paper, Clean Application Compartmentalization with SOAAP, has been accepted to the ACM Conference on Computer and Communications Security (CCS 2015). The paper explores the security benefits of software compartmentalization, and a practical, LLVM-based tool, SOAAP, that helps developers validate mitigation properties of compartmentalized software. The work was joint between the CTSRD team at SRI International and the University of Cambridge, and also Jon Anderson, now at Memorial University Newfoundland, and Ben Laurie at Google.
- May, 2015
I presented our paper, CHERI: A Hybrid Capability-System Architecture for Scalable Software Compartmentalization, at the IEEE Symposium on Security and Privacy ("Oakland") in San Jose, CA, USA, in mid-May. The paper outlines our vision for fine-grained, in-process software compartmentalization based on the incrementally adoptable CHERI ISA. This was the joint work of the CTSRD team at SRI International and the University of Cambridge.
- March, 2015
David Chisnall presented our paper, Beyond the PDP-11: Processor support for a memory-safe C abstract machine at ASPLOS 2015. This paper outlines extensions to our capability-based CHERI ISA to better meet the requirements of practical memory safety for C-language software. The presentation won Audience Top Picks!
- February, 2015
The Computer Laboratory's new masters-level coures on operating systems, L41: Advanced Operating Systems (through tracing, analysis, and experimentation), has now started. This course uses material from the second edition of the Design and Implemntation of the FreeBSD Operating System, Gregg and Mauro's DTrace book, and Jain's computer performance text. We're teaching the course using FreeBSD on the BeagleBone Black, and will release our course material as open source soon!
I lead a number of research projects spanning the security, computer architecture, and network + operating system research groups at the Computer Laboratory, supported by DARPA and Google. A theme spanning many of my current research areas is the tension between program representation and security, with interests in revising the hardware-software interface, and whole-system implementation of security. Several of these projects are part of the DARPA-sponsored CTSRD Project in collaboration with Peter G. Neumann at the Computer Science Laboratory at SRI International. We also have a second joint DARPA project, MRC2, which is applying many of these ideas in a distributed setting.
I have additional research interests in the interplay between concurrency and security, operating system access control (especially as relates to software pplication compartmentalisation and capability systems), multi-threaded network stacks, and revisiting a variety of hardware-software interfaces in support of security, networking, and operating system design. Utilising and improving open source platforms for research plays a key role in technology transition for my work.
Capability hardware enhanced RISC instructions (CHERI)
The CHERI processor provides hardware-assisted in-process sandboxing based on a hybrid capability model. The goal is to support several orders of magnitude greater numbers of sandboxes than current ISAs support -- while still maintaining compatibility with current software designs. We have had multiple workshop and conference papers on CHERI, including at ISCA 2014, ASPLOS 2015, and IEEE S&P 2015.
Bluespec experimental RISC implementation (BERI)
The Bluespec experimental RISC implementation is a new platform for research into the hardware-software interface. Consisting of a 64-bit MIPS ISA FPGA soft core implemented in the Bluespec Hardware Description Language (HDL), a port of the FreeBSD operating system, Clang/LLVM, and a conventional BSD/Apache-licensed software stack, we hope to use BERI to explore a range of new experimental research directions spanning the historically disjoint hardware and software research communities. CHERI is the first search research project. We have had several workshop and conference papers relating to the BERI platform. Brooks Davis (SRI) and I merged BERI support in to FreeBSD in August, 2012, which appeared in FreeBSD 10.0-RELEASE.
Temporally enhanced security logic assertions (TESLA)
Temporally enforced security logic assertions (TESLA) provide compiler-generated run-time instrumentation continuously to continuously validate complex (temporal) security properties, such as check-before-use, eventual audit, and network protocol state machines. We published a paper on TESLA at EuroSys 2014.
Security-oriented analysis of application programs (SOAAP)
The Security-oriented analysis of application programs (SOAAP) provides automated program analysis and transformation technqiues to help software developers deploy application compartmentalisation on sandboxing frameworks such as Capsicum and CHERI. We have had multiple workshop papers on these ideas, including at AHANS 2012 and the Security Protocols Workshop (SPW) 2013, as well as an ACM CCS 2015 paper.
Operating-system network stacks
I have taken a long interest in network-stack structure and performance, including contributing substantially to FreeBSD's multithreaded, multicore network-stack implementation. My past consulting projects in this area include scalable multi-threaded TCP performance and zero-copy support for BPF. My PhD student Ilias Marinos, has been working on network-stack specialisation, the adaptation of network stacks to specific applications and workloads, achieving vastly higher performance than general-purpose stacks. This work has been the subject of papers at HotNets 2013 and SIGCOMM 2014. Bjoern Zeeb, a PhD student jointly supervised by Andrew Moore and myself, is working in network-stack tracing and analysis: what new techniques and tools can we develop to analyse performance and behaviour?
Capsicum: practical capabilities for UNIX
Capsicum: practical capabilities for UNIX: In this work, we developed the notion of a hybrid capability model, blending ideas from research capability system security with commodity UNIX operating systems. Capsicum is intended to support application and library compartmentalisation through extensions to the POSIX API. A key concern in Capsicum is incremental adoption --- we have a long-term vision for capability-oriented security, but wanted to provide a short-term technology adoption path addressing immediate security problems without introducing fundamental incompatibilities (an assumption in prior OS capability systems). This work was first published in USENIX Security 2010, with a version appearing in Communications of the ACM Research Highlights in 2013. We have also published pieces in USENIX's ;login magazine and elsewhere. Capsicum appeared in FreeBSD 9.0, with a more mature implementation and API in FreeBSD 10.0. Google has ported Capsicum to Linux, and continues to support Capsicum development alongside DARPA and the FreeBSD Foundation.
Exploiting concurrency vulnerabilities in system call wrappers
Exploiting concurrency vulnerabilities in system call wrappers: historically, a number of operating system vendors, researchers, and third-party security vendors (such as anti-virus vendors) have relied on system call interposition to augment the OS security model. In this work, I explored inherent concurrency vulnerabilities that exist in the model. We now teach this as an exercise to our Part II security students, who must exploit vulnerabilities in Systrace to deface a web site.
Operating system access control extensibility (MAC Framework)
The TrustedBSD Project: brought features traditionally limited to "trusted" operating systems into open source, including mature security event auditing, extensible kernel access control in support of mandatory access control access control (MAC), and discretionary access control (DAC) extensions such as access control lists (ACLs). These features have been adopted by a number of vendors including the FreeBSD Project, in Apple's Mac OS X and iOS operating systems, Juniper's JunOS, McAfee's Sidewinder firewall, and others. My February 2013 Communications of the ACM retrospective article (and open-access, slightly extended ACM Queue version) cover this evolution in significant detail.
During the 2014-2015 academic year, I am teaching Part I.B Concurrent and Distributed Systems, and co-teach our masters-level courses in the R209 - Principles and Foundations of Computer Security and R210 - Current Applications and Research in Computer Security. I am also teaching our masters-level course L41 - Advanced Operating Systems, a newly designed course that teaches advanced topics in operating systems through tracing and performance analysis.
During the 2013-2014 academic year, I taught Part I.B Concurrent and Distributed Systems, and co-teach our masters-level courses in the R209 - Computer Security: Principles and Foundations and R210 - Computer Security: Current Applications and Research in Computer Security
During the 2012-2013 academic year, I taught Part I.B Concurrent and Distributed Systems, and co-taught our expanded masters-level courses R209 - Principles and Foundations of Computer Security and R210 - Current Applications and Research in Computer Security.
During the 2011-2012 academic year, I taught our new masters-level course in R206: Operating and Distributed system Security.
Research students and postdocs
I currently supervise four research students: Ionel Gog, Ilias Marinos, Matthew Grosvenor, and Bjoern Zeeb. Several other research students are closely involved in my research projects, including Alan Mujumdar, Robert Norton, and Jonathan Woodruff in the Computer Architecture group. David Chisnall, Khilan Gudka, and Michael Roe are post-doctoral researchers contributing to my various research projects. I have previously supervised post-doctoral work by Jonathan Anderson and Steven Murdoch.
If you are interested in applying to Cambridge for a research-oriented MPhil or PhD in one of my research areas -- including computer security, operating systems, and computer architecture -- please free to get in touch regarding your research topic of interest. More information on the two programmes, including application requirements and information on initial research proposals, can be found on the MPhil in Advanced Computer Science and PhD in Computer Science pages at the Computer Laboratory.
Technology transition plays a central role in my research, and I take a particular interest in transition of research through open source systems. I have worked closely with a number of companies, including Apple and Juniper Networks as they have adopted open source systems to both help them engage with the open source community, improved open source software to better meet their needs, and helped them upstream improvements to the open source community. Recent projects have included open source adaptations of Apple's Grand Central Dispatch, collaborative development of the OpenBSM operating system audit framework between Apple and the FreeBSD Project, and work on highly scalable multi-core TCP processing with Juniper. Slightly longer ago, I worked with several companies including Apple and nCircle to help them use and extend the TrustedBSD MAC Framework, a kernel reference monitor now used as the foundation for access control in Mac OS X, iOS, Junos, McAfee's Sidewinder firewall, nCircle's IP360 appliance, and many other products.
Prior to coming to Cambridge, I worked for a series of industrial research labs in the US, including SPARTA ISSO, Trusted Information Systems - Advanced Research and Engineering, and McAfee Research. While there I led a number of network and operating system security research projects for government and industrial sponsors, including DARPA, the US Navy, Apple Computer, and others.
I offer consulting services to companies in the areas of open source integration for products, network stack performance, and operating system audit and access control. A list of past customers and projects is available on request; please contact me directly with any queries.
FreeBSD Project and Foundation
In addition to my academic work, I'm on the board of directors of the FreeBSD Foundation, a US-based non-profit foundation supporting the open source FreeBSD Project. I'm an active contributor to the project, working in the areas of multiprocessor-centric network stacks, operating system security audit, and mandatory access control. I was a member of the FreeBSD Project's elected Core Team for 12 years, and continue to serve as a member of the board of directors of the non-profit FreeBSD Foundation supporting the project. I'm also involved in the project's security officer and release engineering teams.
Khilan Gudka, Robert N.M. Watson, Jonathan Anderson, David Chisnall, Brooks Davis, Ben Laurie, Ilias Marinos, Peter G. Neumann, and Alex Richardson. Clean Application Compartmentalization with SOAAP, Proceedings of the 22nd ACM Conference on Computer and Communications Security (CCS 2015), Denver, CO, USA, October 2015.
Matthew P. Grosvenor, Malte Schwarzkopf, Ionel Gog, Robert N.M. Watson, Andrew Moore, Steven Hand, and Jon Crowcroft. Queues don't matter when you can JUMP them!, Proceedings of the 12th USENIX Symposium on Networked Systems Design and Implementation (NSDI), Oakland, California, USA, May 2015. Best paper award!
Robert N. M. Watson, Jonathan Woodruff, Peter G. Neumann, Simon W. Moore, Jonathan Anderson, David Chisnall, Nirav Dave, Brooks Davis, Khilan Gudka, Ben Laurie, Steven J. Murdoch, Robert Norton, Michael Roe, Stacey Son, and Munraj Vadera. CHERI: A Hybrid Capability-System Architecture for Scalable Software Compartmentalization, Proceedings of the 36th IEEE Symposium on Security and Privacy ("Oakland"), San Jose, California, USA, May 2015.
Robert N. M. Watson, David Chisnall, Brooks Davis, Wojciech Koszek, Simon W. Moore, Steven J. Murdoch, Peter G. Neumann, Jonathan Woodruff. Bluespec Extensible RISC Implementation: BERI Software Reference, Technical Report UCAM-CL-TR-869, University of Cambridge, Computer Laboratory, April 2015.
Robert N.M. Watson, Jonathan Woodruff, David Chisnall, Brooks Davis, Wojciech Koszek, A. Theodore Markettos, Simon W. Moore, Steven J. Murdoch, Peter G. Neumann, Robert Norton, and Michael Roe. Bluespec Extensible RISC Implementation: BERI Hardware Reference, Technical Report UCAM-CL-TR-868, University of Cambridge, Computer Laboratory, April 2015.
David Chisnall, Colin Rothwell, Brooks Davis, Robert N.M. Watson, Jonathan Woodruff, Simon W. Moore, Peter G. Neumann and Michael Roe. Beyond the PDP-11: Processor support for a memory-safe C abstract machine, Proceedings of Architectural Support for Programming Languages and Operating Systems (ASPLOS 2015), Istanbul, Turkey, March 2015. Audience pick: best presentation award!
Robert N.M. Watson, Peter G. Neumann, Jonathan Woodruff, Jonathan Anderson, David Chisnall, Brooks Davis, Ben Laurie, Simon W. Moore, Steven J. Murdoch, and Michael Roe. Capability Hardware Enhanced RISC Instructions: CHERI Instruction-Set Architecture, Technical Report UCAM-CL-TR-864, University of Cambridge, Computer Laboratory, December 2014.
Marshall Kirk McKusick, George V. Neville-Neil, and Robert N. M. Watson The Design and Implementation of the FreeBSD Operating System, 2nd Edition, Pearson Education, Boston, MA, USA, September 2014.
Ilias Marinos, Robert N. M. Watson, and Mark Handley, Network Stack Specialization for Performance, Proceedings of ACM SIGCOMM 2014 Conference (SIGCOMM'14), Chicago, IL, USA, August 17–22, 2014.
Jonathan Woodruff, Robert N. M. Watson, David Chisnall, Simon W. Moore, Jonathan Anderson, Brooks Davis, Ben Laurie, Peter G. Neumann, Robert Norton, and Michael Roe. The CHERI capability model: Revisiting RISC in an age of risk, Proceedings of the 41st International Symposium on Computer Architecture (ISCA 2014), Minneapolis, MN, USA, June 14–16, 2014.
Robert N.M. Watson, Peter G. Neumann, Jonathan Woodruff, Jonathan Anderson, David Chisnall, Brooks Davis, Ben Laurie, Simon W. Moore, Steven J. Murdoch, and Michael Roe. Capability Hardware Enhanced RISC Instructions: CHERI Instruction-Set Architecture, Technical Report UCAM-CL-TR-850, University of Cambridge, Computer Laboratory, April 2014.
Robert N.M. Watson, David Chisnall, Brooks Davis, Wojciech Koszek, Simon W. Moore, Steven J. Murdoch, Peter G. Neumann, and Jonathan Woodruff. Capability Hardware Enhanced RISC Instructions: CHERI User’s Guide, Technical Report UCAM-CL-TR-851, University of Cambridge, Computer Laboratory, April 2014.
Robert N.M. Watson, Jonathan Woodruff, David Chisnall, Brooks Davis, Wojciech Koszek, A. Theodore Markettos, Simon W. Moore, Steven J. Murdoch, Peter G. Neumann, Robert Norton, and Michael Roe. Bluespec Extensible RISC Implementation: BERI Hardware Reference, Technical Report UCAM-CL-TR-852, University of Cambridge, Computer Laboratory, April 2014.
Robert N.M. Watson, David Chisnall, Brooks Davis, Wojciech Koszek, Simon W. Moore, Steven J. Murdoch, Peter G. Neumann, and Jonathan Woodruff. Bluespec Extensible RISC Implementation: BERI Software Reference, Technical Report UCAM-CL-TR-853, University of Cambridge, Computer Laboratory, April 2014.
Jonathan Anderson, Robert N. M. Watson, David Chisnall, Khilan Gudka, Brooks Davis, and Ilias Marinos. TESLA: Temporally Enhanced System Logic Assertions, Proceedings of The 2014 European Conference on Computer Systems (EuroSys 2014), Amsterdam, The Netherlands, April 14–16 2014.
Brooks Davis, Robert Norton, Jonathan Woodruff, and Robert N. M. Watson. How FreeBSD Boots: a soft-core MIPS perspective, Proceedings of AsiaBSDCon 2014, 13–16 March, 2014, Tokyo, Japan.
A Theodore Markettos, Jonathan Woodruff, Robert N. M. Watson, Bjoern A. Zeeb, Brooks Davis, Simon W Moore. The BERIpad tablet: open-source construction, CPU, OS and applications, Proceedings of 2013 FPGA Workshop and Design Contest, November 1st–3rd, Southeast University, Nanjing, China.
Ilias Marinos, Robert N. M. Watson, and Mark Handley. Network stack specialisation for performance. Twelfth ACM Workshop on Hot Topics in Networks (HotNets-XII), November, 2013.
William R. Harris, Somesh Jha, Thomas Reps, Jonathan Anderson, and Robert N.M. Watson. Declarative, Temporal, and Practical Programming with Capabilities, IEEE Symposium on Security and Privacy ("Oakland"), May, 2013.
Robert N. M. Watson, Steven J. Murdoch, Khilan Gudka, Jonathan Anderson, Peter G. Neumann, and Ben Laurie. Towards a theory of application compartmentalisation. Security Protocols Workshop, March, 2013.
Robert N. M. Watson. A decade of OS access-control extensibility. Communications of the ACM 56(2), ACM, February 2013.
Robert N. M. Watson. A decade of OS access-control extensibility. ACM Queue 11(1), ACM, January 2013. (Open access, extended version of CACM article.)
Khilan Gudka, Robert N. M. Watson, Steven Hand, Ben Laurie, and Anil Madhavapeddy. Exploring compartmentalisation hypotheses with SOAAP. Proceedings of Adaptive Host and Network Security (AHANS 2012), Lyon, France, September, 2012.
Robert N. M. Watson. New approaches to operating system security extensibility. Technical report UCAM-CL-TR-818, University of Cambridge, Computer Laboratory, April 2012.
Jonathan Anderson and Robert N. M. Watson. Stayin' Alive: Aliveness as an alternative to authentication. In proceedings of the Twentieth International Workshop on Security Protocols (SPW), April 2012.
Robert N. M. Watson, Peter G. Neumann, Jonathan Woodruff, Jonathan Anderson, Ross Anderson, Nirav Dave, Ben Laurie, Simon W. Moore, Steven J. Murdoch, Philip Paeps, Michael Roe, and Hassen Saidi. CHERI: a research platform deconflating hardware virtualization and protection. Workshop paper, Runtime Environments, Systems, Layering and Virtualized Environments (RESoLVE 2012), March, 2012.
Steven Smith, Anil Madhavapeddy, Christopher Smowton, Malte Schwarzkopf, Richard Mortier, Robert N.M. Watson, and Steven Hand. The Case for Reconfigurable I/O Channels. Workshop paper, Runtime Environments, Systems, Layering and Virtualized Environments (RESoLVE 2012), March, 2012.
Robert N. M. Watson, Jonathan Anderson, Ben Laurie, and Kris Kennaway. A taste of Capsicum: practical capabilities for UNIX. In Communications of the ACM 55(3), pp. 97-104, March 2012.
Jonathan Anderson, Frank Stajano, and Robert Watson. How to keep bad papers out of conferences (with minimum reviewer effort). Proceedings of the Nineteenth International Workshop on Security Protocols, March 2011
Peter G. Neumann and Robert N. M. Watson. Capabilities Revisited: A Holistic Approach to Bottom-to-Top Assurance of Trustworthy Systems. Proceedings of the Fourth Annual Layered Assurance Workshop, Austin, Texas, December 2010.
Laurel D. Riek and Robert N.M. Watson. The Age of Avatar Realism: When seeing shouldn't be believing. IEEE Robotics and Automation (2010). Vol. 17, Issue 4, pp 37-42.
Robert N. M. Watson, Jonathan Anderson, Ben Laurie, Kris Kennaway. Capsicum: practical capabilities for UNIX. In Proceedings, 19th USENIX Security Symposium 2010, Washington, DC.
Steven J. Murdoch and Robert N. M. Watson. Metrics for security and performance in low-latency anonymity systems. In Proceedings, Privacy Enhancing Technologies Symposium 2008, Leuven, Belgium.
Richard Clayton, Steven J. Murdoch, Robert N. M. Watson. Ignoring the Great Firewall of China. A Journal of Law and Policy for the Information Society, Volume 3, Issue 2, Fall 2007.
Robert N. M. Watson. Exploiting Concurrency Vulnerabilities in System Call Wrappers. In Proceedings, WOOT'07 - First USENIX Workshop on Offensive Technologies, Boston, Massachusetts, USA.
Robert N. M. Watson. How the FreeBSD Project Works. In Proceedings, 2006 EuroBSDCon, Milan, Italy.
Richard Clayton, Steven J. Murdoch, and Robert N. M. Watson. Ignoring the Great Firewall of China. In Proceedings, Privacy Enhancing Technologies Workshop 2006, Cambridge, UK.
Robert N. M. Watson and Wayne Salamon. TrustedBSD OpenBSM: Open Source Security Audit Framework. In Proceedings, 2006 UKUUG Spring Conference, Durham, UK.
Robert N. M. Watson. Introduction to Multithreading and Multiprocessing in the FreeBSD SMPng Network Stack. In Proceedings, 2005 EuroBSDCon, Basel, Switzerland.
Poul-Henning Kamp, Robert N. M. Watson. Building Systems to be Shared, Securely. ACM Queue, July/August 2004.
Robert N. M. Watson, Brian Feldman, Adam Migus, and Chris Vance.The TrustedBSD MAC Framework: Extensible Kernel Access Control for FreeBSD 5.0. In Proceedings, 2003 USENIX Annual Technical Conference, FREENIX Track.
Robert N. M. Watson, Brian Feldman, Adam Migus, and Chris Vance. Design and Implementation of the TrustedBSD MAC Framework. 2003 DARPA Information Security Conference and Exposition (DISCEX III). IEEE.
Sandra L. Murphy, Edward T. Lewis, Robert N. M. Watson. Secure Active Network Prototypes. In Proceedings, 2002 DARPA Active Network Conference and Exposition (DANCE'02). IEEE.
Robert N. M. Watson, TrustedBSD: Adding Trusted Operating System Features to FreeBSD. In Proceedings, 2001 USENIX Annual Technical Conference, FREENIX Track.
Sandra Murphy, Ed Lewis, Ralph Puga, Robert Watson, and Richard Yee. Strong Security for Active Networks. In Proceedings, IEEE OpenArch 2001.
Robert N. M. Watson. Statement for SACMAT 2001 Panel. ACM Workshop on Role Based Access Control. In proceedings of the Sixth ACM Symposium on Access Control Models and Technologies, 2001.
Poul-Henning Kamp and Robert N. M. Watson. Jails: Confining the Omnipotent Root. In Proceedings, SANE 2000 Conference. NLUUG, 2000.
Robert N. M. Watson. Introducing Supporting Infrastructure for Trusted Operating System Support in FreeBSD. In BSDCon 2000 Conference Proceedings. BSDi, 2000.