Programmes and agencies

The Digital Security by Design (DSbD) challenge is a government-backed initiative to solve long-standing cyber security challenges through a fundamental redesign of hardware and software.

The Technology Access Programme (TAP) is a publicly funded DSbD scheme, overseen by UKRI and operated by Digital Catapult, that awards each recipient a single Morello prototype, technical support, and up to £15,000 in funding to research and develop original applications for CHERI.

UK Research and Innovation (UKRI) is the UK’s national innovation funding body and the agency responsible for administering, funding, and evaluating the calls and programmes that constitute the DSbD challenge.

The Defense Advanced Research Projects Agency (DARPA) is a US government agency, within the Department of Defense, tasked with leading the formulation of military and other strategic research programmes.

CHERI

The University of Cambridge (UoC) is responsible for various software engineering projects and research groups engaged in the development of CHERI technologies. Cambridge’s Department of Computer Science and Technology conceived the CHERI project in 2010 and then partnered with Stanford Research Institute (SRI) to develop and publish it on an ongoing basis.

Stanford Research Institute (SRI) is a non-profit research organisation jointly engaged with Cambridge in the development of CHERI and capability-aware software.

The Clean Slate Trustworthy Secure Research and Development (CTSRD) project, also known as “custard”, is the umbrella organisation responsible for the CHERI project. It comprises research groups from the University of Cambridge and SRI International and receives support from Arm, DARPA, and Google.

Capability Hardware Enhanced RISC Instructions (CHERI) is a novel instruction set architecture developed by CTSRD that uses capabilities to prevent unsafe C/C++ patterns and mitigate memory-safety vulnerabilities. It constitutes a foundational component of any capability-aware stack, but a given deployment of it takes the form of either a hybrid kernel, which keeps the conventional MMU-based model, or a “purecap” kernel.

CheriBSD is a fork of the FreeBSD operating system, adapted to accommodate varying degrees of hybridisation, with capability-aware features over a traditional MMU architecture or a pure-capability model with a single address space. These two approaches entail respective “hybrid” and “purecap” kernels.

CheriABI, otherwise known as “purecap”, is the capability-aware ABI that is necessary to use CHERI’s memory-safe protection mechanisms.

The hybrid ABI is a capability-unaware ABI in which C/C++ pointers carry annotations, so that the same code will nevertheless compile for hybrid or purecap kernels.

Morello

Arm is the British semiconductor designer and manufacturer responsible for the design and production of the initial hardware to use CHERI, the Morello System Development Platform.

AArch64, also written A64 or ARM64, is Arm’s current-generation 64-bit RISC architecture.

Morello is Arm’s project for implementing CHERI features as extensions to AArch64, together with the software, research, and development needed to support that effort.

The Morello System Development Platform, the Morello board, is a microATX prototype comprising off-the-shelf components together with the ARMv8.2-A system-on-a-chip that implements CHERI in silicon. It ships in two case formats: a medium-sized ATX case and a 2U rack-mounted server.

Morello Linux is Arm’s project for porting Linux distributions, such as Debian, to CHERI.

Terms and concepts

Security-by-design is a catch-all term for hardware and software architectures that introduce a core security feature that is then accessible by the rest of the stack—the compiler, operating system, and even the browser.

Security-by-default refers to the enforcement of secure configurations as the default option.

An application binary interface (ABI) is a shared interface that describes how primitives, data structures, and system calls are handled in machine code for any binary compiled for a given ISA. ABIs are implemented by the compiler during compilation itself. They can be, and often are, agnostic to the operating system.

An instruction set architecture (ISA) is the abstraction used by the CPU that dictates how machine code is handled. It permits binary compatibility, the ability to run the same machine code on any system using the same architecture. The abstraction is also extensible, in that features can be added or updated continually to extend the ISA’s original functionality.

A reduced instruction set computer (RISC) architecture is a type of ISA that prioritises simple instructions, resulting in a system well suited to smart and embedded applications.

A system-on-a-chip (SoC) is an integrated circuit, typically used in smart and embedded devices, that comprises various components and peripherals—the CPU, microprocessors or microcontrollers, and memory and storage interfaces. It contrasts with the motherboard concept, where the majority of components are removable and replaceable.

The memory management unit (MMU) is a common hardware component responsible for translating the virtual memory address space to a physical one.

A pointer is a reference to some part of the virtual or physical address space. When it references another variable, the pointer gives indirect access to that variable’s contents.

A capability is a unique token that cannot be forged. It resembles a “fat” pointer because, with the bits it reserves for metadata, it is twice the size of a typical 32- or 64-bit pointer, that is, 64 and 128 bits respectively. The address space itself is unchanged.
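To make the “fat pointer with metadata” idea concrete, the following C program is an added example written for this glossary; it is not CHERI code and does not use CHERI’s real 128-bit encoding. It models a capability as a plain struct (base, length, cursor, permissions, validity tag, all assumed field names) and shows the behaviour the metadata buys: accesses outside the bounds or without the right permission are refused instead of touching memory, bounds can only be narrowed, and the check travels with each capability rather than with the memory. The buffer contents are constructed sample data.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Software model of a CHERI-style capability. This is an illustration only:
 * Morello packs bounds into a compressed 128-bit encoding and keeps the tag
 * bit out of band; here the fields are uncompressed for readability. */
enum { PERM_LOAD = 1u, PERM_STORE = 2u };

typedef struct {
    uintptr_t base;    /* lowest address reachable through this capability */
    size_t    length;  /* number of bytes reachable from base */
    uintptr_t cursor;  /* the address the capability currently points at */
    unsigned  perms;   /* PERM_* bits */
    bool      tag;     /* validity tag; once cleared the capability is dead */
} cap_t;

/* Derive a capability over an existing buffer. On real hardware only a root
 * capability handed out by the kernel can mint this; here it is the starting point. */
static cap_t cap_from_buffer(void *buf, size_t len, unsigned perms) {
    cap_t c = { (uintptr_t)buf, len, (uintptr_t)buf, perms, true };
    return c;
}

/* Narrow a capability. Bounds may only shrink and permissions may only be
 * dropped; any attempt to widen clears the tag (monotonicity). */
static bool cap_restrict(cap_t *c, size_t offset, size_t len, unsigned perms) {
    if (!c->tag || offset > c->length || len > c->length - offset ||
        (perms & ~c->perms) != 0) {
        c->tag = false;
        return false;
    }
    c->base += offset;
    c->length = len;
    c->cursor = c->base;
    c->perms = perms;
    return true;
}

/* Pointer arithmetic moves only the cursor; base, length and perms are untouched. */
static void cap_advance(cap_t *c, ptrdiff_t delta) {
    c->cursor = (uintptr_t)((intptr_t)c->cursor + delta);
}

static bool cap_in_bounds(const cap_t *c) {
    return c->tag && c->cursor >= c->base && c->cursor - c->base < c->length;
}

/* Checked accesses: return false (a "capability fault") rather than touching memory. */
static bool cap_load_byte(const cap_t *c, uint8_t *out) {
    if (!cap_in_bounds(c) || !(c->perms & PERM_LOAD)) return false;
    *out = *(const uint8_t *)c->cursor;
    return true;
}

static bool cap_store_byte(const cap_t *c, uint8_t v) {
    if (!cap_in_bounds(c) || !(c->perms & PERM_STORE)) return false;
    *(uint8_t *)c->cursor = v;
    return true;
}

/* Scenario: a 16-byte buffer, a read-only view of its first 8 bytes, and the
 * classic walk one byte past the end. Returns true if every check behaved as
 * a capability machine would. */
bool capability_demo(void) {
    uint8_t buf[16];
    for (int i = 0; i < 16; i++) buf[i] = (uint8_t)i;       /* constructed data */

    cap_t whole = cap_from_buffer(buf, sizeof buf, PERM_LOAD | PERM_STORE);
    cap_t view = whole;
    if (!cap_restrict(&view, 0, 8, PERM_LOAD)) return false; /* narrowing is allowed */

    uint8_t b;
    cap_advance(&view, 7);
    if (!cap_load_byte(&view, &b) || b != 7) return false;   /* last in-bounds byte */
    if (cap_store_byte(&view, 0xFF)) return false;            /* refused: no PERM_STORE */

    cap_advance(&view, 1);                                    /* cursor now at buf + 8 */
    if (cap_load_byte(&view, &b)) return false;               /* refused: outside the view */

    /* The parent capability still reaches buf[8]: bounds belong to the
     * capability, not to the memory it points at. */
    cap_advance(&whole, 8);
    if (!cap_load_byte(&whole, &b) || b != 8) return false;

    /* Trying to widen the view back to 16 bytes kills it rather than succeeding. */
    if (cap_restrict(&view, 0, 16, PERM_LOAD)) return false;
    if (view.tag) return false;

    return buf[7] == 7;                                       /* the refused store never landed */
}

int main(void) {
    bool ok = capability_demo();
    printf("capability model behaved as expected: %s\n", ok ? "yes" : "no");
    return ok ? 0 : 1;
}
```

The point of the model is the last two checks: a derived capability cannot regain bounds or permissions it has given up, and a bounds violation through one capability says nothing about another capability over the same memory. Real CHERI enforces the same rules in hardware on every load, store and capability manipulation, so the checks cost no explicit code in the application.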

Software compartmentalisation is the act of sandboxing parts of a given application, such as libraries and processes, so that they retain access to a shared address space for data flow but are otherwise isolated. This reduces both the attack surface of the individual software components and the overall impact when the application is attacked.

Common Vulnerabilities and Exposures (CVE) is a public catalogue of known security vulnerabilities. Each catalogued vulnerability receives a severity rating that reflects its exploitability, the access or privileges required, and its impact.


Website delivered by Digital Catapult as part of the Technology Access Programme, funded by UKRI through the Digital Security by Design Programme