RealVNC

Testing a new way of reducing C++ vulnerabilities through Digital Security by Design

Overview

RealVNC uses C++ to build the desktop clients that form part of their VNC Connect secure remote access solution. As part of the Digital Security by Design (DSbD) Technology Access Programme, they have been experimenting with the CHERI Morello board and software.

As a SaaS business using desktop, mobile software, and cloud infrastructure, RealVNC faces a wide range of security issues, including bugs in others’ code and external threats. The C++ codebase has, in the past, faced security issues catalogued by the CVE Program, such as potentially exploitable buffer overflows and elevation of privilege exposure. Increasing cyber security through a change in hardware enables the prevention of memory-related cyber-attacks, which is where around 70% of exploits take place.

Compiling, running, and testing their software on the Morello platform should allow the RealVNC team to spot more obvious logic errors that have the potential to affect security. 

Digital Catapult is running the DSbD Technology Access Programme (TAP), and is supporting RealVNC throughout this project.

“[DSbD] has enabled us to bolster our security focus further, specifically with a novel means of proving our software is secure. It has also been a useful and interesting way into finding out more about other organisations who share our concerns and focus on security issues.” – Dominic Parkes, RealVNC

The benefits of the Morello Board implementation

The CHERI based Morello evaluation board is a prototype System on Chip (SoC) and development board. Developed by UK-based Arm, the Morello board is a real-world test platform for Arm’s Morello prototype architecture, which is based on the University of Cambridge Computer Lab’s CHERI protection model. It is the first hardware implementation of DSbD technology. 

CHERI extends conventional hardware instruction-set architectures (ISAs) with new architectural features to enable fine-grained memory protection and highly scalable software compartmentalisation. This architecture, when deployed, could do away with whole classes of possible exploits, with a far lower chance of zero-day vulnerabilities being exploited. This would significantly reduce the ability of bad actors to capture user data, take over machines, or shut down critical systems – problems affecting most industries today.

The story so far

RealVNC has ported its core codebase and all desktop applications to run on the Morello device using the CHERI ABI/pure capability mode (as far as possible within the current limitations of the environment). The company has begun performance and security testing: evaluating the pixel throughput of their remote desktop software with the new pure capability mode, and aiming to identify previously undetected programming errors. RealVNC is also evaluating whether CHERI would have effectively detected those legacy bugs catalogued previously by the CVE Program.

As a result of the programme, the company team now understands the CHERI architecture itself – the capabilities encoded into 128-bit pointers – and the implications this has for porting existing software. They also have a better understanding of what can be done in terms of mitigating diverse types of security error, and have learned more about FreeBSD as a platform. 

RealVNC will continue to evaluate the architecture against known security issues, as well as attempting to break their software on the platform to see what can be improved in the codebase. They are also looking at more of the CHERI-specific mechanisms to see where they could be best used within their software.

 

About RealVNC

RealVNC’s best-in-class remote access software is used daily by millions worldwide to connect to billions of devices. Since 2002, RealVNC has delivered secure remote access to various industries and organisations, from internationally-renowned household names to specialised start-ups. The company is a global brand with customers in over 160 countries.

https://realvnc.com/

Delivered by Digital Catapult, funded by UKRI through the Digital Security by Design programme.