Introduction

The Digital Security by Design (DSbD) Technology Access Programme (TAP) is designed to give UK-based companies access to the Arm-designed Morello board, the CHERI stack, and technical support to trial these technologies within their systems, products, and applications.

Through the DSbD Technology Access Programme, companies will be able to experiment with and validate the prototype cyber security technology and feed back their findings to influence its future development before it enters commercialisation.

The DSbD project and its aims are detailed in this brochure.

Programme brief

Through the DSbD Technology Access Programme (TAP), qualifying UK-based companies will have exclusive access to an Arm Morello evaluation board, with its cutting-edge CPU architecture. 

A Morello board is a real-world test platform developed by Arm to implement the Morello architecture, which is itself based on Capability Hardware Enhanced RISC Instructions (CHERI). CHERI is a protection model, like virtual memory, that can be integrated into different ISAs, including Arm Morello, CHERI RISC-V, and CHERIoT. This model is a project from the University of Cambridge and SRI International. Both technologies serve to prevent and mitigate common memory-safety issues in C/C++ via their use of capabilities. Participants are encouraged to experiment with these technologies to uncover security vulnerabilities in their own products, using a combination of (1) spatial and temporal safety mechanisms, and (2) novel compartmentalisation models for shared libraries or coprocesses.

In addition to receiving a Morello evaluation board, participating companies will get access to the CHERI software stack, technical guides, and expert support to get started and trial these new technologies within their systems. The duration of the Technology Access Programme is 6 months. After successful completion of the programme, participating companies will be permitted to keep the Morello evaluation board.

The TAP is a tiered programme; qualifying companies will receive a £15,000 grant during the experimentation period. The programme is administered by Digital Catapult on behalf of UK Research and Innovation (UKRI).

Stay up to date with the DSbD programme – sign up to the Newsletter.

Programme benefits

Companies will have exclusive access to cutting-edge cyber security technology, capable – if implemented correctly – of preventing around two thirds of hacks, cyber attacks and data breaches. This technology, when fully mature and market-ready, has the potential to open up whole new markets for cyber secure by design products, providing competitive advantage to companies who are already familiar with it.

These technologies can mitigate spatial and temporal memory-safety vulnerabilities in C/C++, and participants will be able to identify such issues in their own product code. CHERI has C/C++ language variants (CHERI C/C++) that require minimal change to an existing code base, approximately <0.5% of lines of code (LOC). CHERI also enables a second feature, a set of compartmentalisation models, to enrich the security guarantees provided by the architecture’s memory capabilities.

Further, individuals involved with the programme will become part of a vibrant community of like-minded professionals where they’ll be able to share ideas, forge new relationships and collaborations, grow their knowledge, and influence product development.

Companies sharing their programme related work will benefit from media exposure through DSbD as well as Digital Catapult communication channels.

Key benefits:

  • Experiment with prototype, cutting-edge technology and be ahead of the game
  • Build unique knowledge within your company and stay competitive
  • Improve your product by identifying cyber security vulnerabilities in your systems/software
  • Become part of a vibrant community of cyber security pioneers
  • Receive a £15,000 grant (Tier 1 companies only) 
  • Get access to experts at Arm, University of Cambridge, and Digital Catapult
  • Become part of the TAP Alumni upon successful completion of the experimentation period

Who is it for?

The programme is open to UK-based companies that have a company culture of exploring, experimenting and inventing with new technologies. Companies with an R&D department and a strong focus on cyber security are encouraged to apply. Applicants must be registered on Companies House and also have a business bank account.

Companies within the following industries should apply:

  • Information Technology and services
  • Computer software
  • Industrial automation
  • Computer hardware
  • CPU semiconductors
  • Energy
  • Automotive
  • Telecoms
  • Manufacturers of connected consumer / industrial electronics (IoT & IIoT)

Your company would ideally operate within or supply to the following sectors: utilities, healthcare, transportation, telecommunications, automotive, energy & mining, and all other sectors serving the Critical National Infrastructure.

Please also read the Technical Details section to understand if this is for you.

Application pathway

Whether you belong to a Tier 1 company (under 250 employees) or a Tier 2 company (more than 250 employees), this is the journey which all organisations will go through before being accepted into the TAP programme.

Registration of Interest

If this opportunity interests you, or if you have any questions about the Technology Access Programme, please fill out the form.

We will take this as an indication that you would like to be contacted further about the programme; it is also the starting point for all applications.

Preliminary Question Call

Once you have filled out the form, we will reach out to you via email to set up a brief, informal call. This will act as an opportunity for you to ask any questions, and for us to understand more about what your application might focus on.

Please note, this is not an interview.

Application form

Once we have consulted with you about your proposed experimentation idea, we will send you the application form where you will fill in more details about your experimentation project.

You must complete this application form by 12:00 midday on 1st April 2024.

Application judged

A group of technologists and innovation practice experts from Digital Catapult, University of Cambridge and Arm will review your application. 

We will let you know by w/c 6th May 2024 whether your application has been successful.

Programme tiers and requirements

TAP is a tiered programme. Tier 1 is for UK-based companies with under 250 employees while Tier 2 is for UK-based companies with more than 250 employees.

Tier 1

  • Receive £15,000 in funding during the course of the 6 month programme.
  • Gain access to a Morello evaluation board, with possibility to keep it following successful completion of the programme.
  • Participate in one-to-one check-in sessions, group learning sessions, practical demonstrations and focused activities for the experimentation programme.
  • Receive technical guidance and support from the Digital Security by Design programme team and experts at Arm and University of Cambridge.

 

Tier 2

  • Gain access to a Morello evaluation board, with possibility to keep it following successful completion of the programme. 
  • Receive technical guidance and support from the Digital Security by Design programme team and experts at Arm and University of Cambridge.
  • Participate in one-to-one check-in sessions, group learning sessions, practical demonstrations and focused activities for the experimentation programme (optional).

 

Programme requirements

Over the six month period, successful applicants will be expected to:

  • Participate in one onboarding day at the start of the programme [Tier 1 & 2] 
  • Write two technical reports – a short interim report based on progress and findings, and a final report based on your experience within the programme [Tier 1 & 2]
  • Participate in monthly online peer-to-peer knowledge sharing sessions [Tier 1]
  • Attend monthly online one-to-one progress-update and technical support sessions with the Digital Security by Design team [Tier 1]
  • Participate in the end-of-programme Showcase event and provide a demonstration or presentation on their experimental outcomes or learnings [Tier 1 & 2]


Technical Details

Please be aware of the following:

  • CHERI (Capability Hardware Enhanced RISC Instructions) technology can be applied to legacy C or C++ code.
  • The architecture is currently only supported by CHERI-adapted versions of the open-source Linux/Android/FreeBSD Operating Systems distributed by Arm and the University of Cambridge.
  • CHERI-enabled C/C++ (Clang/LLVM) toolchains are currently available. Additional operating system enablement is currently being addressed by a joint development between Arm, University of Cambridge, Microsoft and Google.
  • The Morello Platform Model runs on Linux for testing/PoC purposes. QEMU-Morello runs on Linux and macOS. The Morello Instruction Emulator runs on Arm v8.0 Linux.
  • This technology is not secure ‘out of the box’; there is work to do in order to turn on security features. It is not enough to just put your code on the board, because security is implemented by following a series of steps.

FAQs

Find answers to frequently asked questions relating to the Technology Access Programme

  • What are the programme obligations?

    Tier 1 Participants 

    • Participate in the onboarding day (May 2024)
    • Participate in 5 peer-to-peer sessions throughout the Technology Access Programme
    • Alignment and 1:1 tech sessions each month (a technical member of your team must join these)
    • Provide an updated project plan in Month 1, based on the use case/experimentation in the application (any subsequent changes in plan must be documented and agreed upon with the DSbD team)
    • Provide an interim technical report in Month 3 based on the experience gained from the project
    • Present a demo of your work
    • Provide a final technical report in Month 6 based on the experience gained from the project
    • Provide a final case study for marketing purposes
    • Participate in the demo-day in November 2024

    Tier 2 Participants

    • Participate in the onboarding day (May 2024)
    • Provide feedback survey at the end of Month 3 and Month 6 on the use of the technology
    • Participate in the final demo day in November 2024

    Please check the T&Cs page for more details about the programme obligations.

  • What’s the duration of the programme?

    The Technology Access Programme is set to last 6 months, after which, depending on successful completion, you may keep your Morello board. However, considering the experimental nature of the project, it can be extended under certain circumstances that need to be discussed and agreed between the participating companies and Digital Catapult.

  • What are the key dates for the programme?

    Applications Open: 15th January 2024

    Application Deadline: 1st April 2024 at 12:00 noon

    Intended notification of all Applicants: w/c 26th April 2024

    Intended public announcement of successful Participants: May 2024

    Project:

    Start Date: w/c 20th May 2024 (programme onboarding day)

    End Date: November 2024

     

  • What are the eligibility criteria for the programme?

    All applications will be assessed on the following criteria:

    Relevance – The proposed use case or experimentation is relevant to DSbD technologies, CHERI, and the capabilities of the Morello board.

    Innovation – The proposed use case is novel and will provide valuable insights for the DSbD programme.

    Impact and scalability – The proposed use case or experimentation has the potential to scale and create impact beyond the immediate demonstrator.

    Expertise and commitment of team – The applicant has the relevant expertise to undertake their proposed work and adequate resources committed to the programme.

    Technical feasibility – The experimentation and project plan presented is technically feasible within the timeframe, budget, and resource available.

  • If selected, what required knowledge should I have?

    A familiarity with C/C++ code and OS compiling would greatly help, but is not strictly a necessity. In addition, this programme is focused on two highly novel technologies, and therefore requires time to be spent on background reading. We suggest you take a look at the following links before the programme starts, to provide you with a better baseline understanding of the technologies and to familiarise yourself with the steps that will be required for you to get your Morello Board up and running (it will not arrive pre-configured):

    Morello Development Platform and Software getting started guide

    Getting started with CheriBSD

    CTSRD-CHERI

    Arm Morello Program

  • If I am selected to join this programme, can I use the Morello board outside the UK?

    No, all participating companies must comply with export control requirements, in particular by not exporting the Morello evaluation boards outside of the UK.

  • Does my organisation need to be registered in the UK to enter?

    Yes, your company has to be registered with Companies House and must be based in the UK. We will consider applicants with any legal structure (e.g. limited company, sole trader, consortium).

  • As a startup or scaleup, do I need to be working in cyber security already?

    No, but you will need to provide detail on the security threat that you would like to experiment against and how CHERI can be used to mitigate such risk.

  • What if I am involved in another accelerator programme, or have been involved in a previous Digital Catapult programme?

    Participation in another accelerator or in a start-up support programme does not preclude you from taking part in the Digital Security by Design TAP.

    If you have been part of any previous Digital Catapult programme you are welcome to join; for other programmes your participation will be dependent on the terms of the programme itself and what you have agreed to in the terms and conditions. De minimis funding will also need to be considered when applying to join the programme if you apply for Tier 1.

  • Who runs the Technology Access Programme?

    Digital Catapult, the UK’s leading authority in digital technologies, administers the Technology Access Programme.

  • How are applications selected?

    The judging criteria will be presented as statements within the application itself (as set out in the section above titled ‘What are the eligibility criteria for the programme’). Each of the criteria has the same weighting. The judges will respond by indicating how strongly they accept these statements.

    During the application process we reserve the right to conduct enhanced financial or legal due diligence to ensure applicants will be able to meet all commitments.

     

  • Who are the judges, and when will I hear back about my application?

    Applications will be judged by a team of DSbD experts from Digital Catapult, UK Research and Innovation, and other organisations specialising in this technology. Successful applicants will be informed of the result of their applications after the end of the judging period.

  • What if my application is not successful to join the cohort of Tier 1 companies?

    If you are not successful you may still be able to take part in the programme through the Tier 2 route, but will not receive funding or have mandatory 1:1 check-in sessions with DSbD experts. You may also find another Digital Catapult programme of relevance; check the Digital Catapult website for all our programmes.

  • Is there an application fee for the programme?

    No, the programme is free for applicants to take part in. Tier 1 companies who are selected and successfully complete the programme will receive £15,000 for their experimentation work. Tier 2 companies are not eligible to receive such grant funding.

  • How is the programme funded?

    The programme is funded by UKRI through the Industrial Strategy Challenge Fund, as part of the Digital Security by Design initiative.

  • What if I run over budget?

    The Technology Access Programme funding is £15,000 for Tier 1 successful applicants (broken down into 3 milestone payments). Further expenditure incurred by companies during the experimentation period will have to come from their own budget.

  • As an applicant, what’s the contracting process and terms and conditions to be on the programme?

    Applications are governed by the competition rules. If you are successful, a participation agreement will be issued which governs your activities on the programme with respect to the experimentation of the Morello board, programme requirements and deliverables, and payment milestones.

  • Who will my application data be shared with?

    The application information will only be used for the purposes of the programme and its evaluation, and will only be retained for the duration of the programme (two years), and for participants on the programme for the evaluation period (maximum five years) and otherwise to comply with legal requirements.

    Please see the Technology Access Programme Competition Terms for more details.

  • Why is Digital Catapult asking the innovator community to experiment with this prototype?

    Digital Catapult will provide access to Morello boards and lead in gathering evidence that will eventually explain what it means for real software to use these boards. During the programme, we will be looking for compelling examples from the selected companies in each cohort to share where security and performance are aligned and to check if there is no tradeoff.

Website delivered by Digital Catapult as part of the Technology Access Programme, funded by UKRI through the Digital Security by Design Programme