Example Architecture Research Project

Simon Moore

Trustworthy Processor Design

• Motivation
  – Security/Trustworthiness is increasingly important
• Need the hardware to help enforce policies

• Hypothesis
  – Capsicum (next slide) demonstrated that capability based protection is good for fine-grained sandboxing of applications, but with a performance cost
  – Hardware based capabilities will allow more security but with less performance overhead

Capsicum

USENIX Security Best Paper 2010

Observations from Capsicum

• Software designs that employ the principle of least privilege are neither easily nor efficiently represented in current hardware
• Kernels and programming language runtimes (TCBs) building directly on hardware in C are enormous and unsound
• Software TCB implementations embody artifacts of security policies rather than design principles

CAP Computer (1970s)

Checkered History of Capability Machines

• 1966: Dennis & Van Horn invent the term
• 1972: use hardware capabilities commercially
• 1976: Cambridge CAP Computer
• 1979: IBM System/38
• 1981: Intel iAPX 432 – embodiment of CISC

• 1999: EROS uses software capabilities
• 2010: Capsicum capability security model

A RISC approach to capabilities: CHERI

• Base system – our own 64 bit MIPS style core (BERI) + extensive regression test suite
• Implemented in Bluespec targeting FPGAs
• Running FreeBSD – complete UNIX setup
• Now adding capability mechanisms to hardware and OS

CHERI tablet demo platform

Software compartmentalisation

[Figure: conventional "fetch" program versus compartmentalized "fetch" program. Conventional: one UNIX process holding the main loop and the vulnerable HTTP fetch logic. Compartmentalized: the main loop stays in the UNIX process while the vulnerable HTTP fetch logic runs in a separate capability mode process. Both sit above the kernel.]

• Software compartmentalisation decomposes applications into many isolated components
• Each running with only the rights required to perform its function
• This implements the principle of least privilege

Capability Register Model

• Protection is a first-class primitive
• Capabilities describe data, code & objects
• Compiler manages capability registers as it does general purpose registers

[Figure: general purpose registers alongside capability registers; c0 is the general purpose capability; each capability register carries perms, otype, base and length fields]

Memory Access

[Figure: instruction fetch and data access both go through a capability register; a range & perm check against the capability base precedes the access. A further label reads "Capabilities use virtual" and is not fully recoverable.]
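The "range & perm check" in the memory access figure, as an added example that is not code from the slides or the CHERI project: a small C model of a capability register with tag, perms, base and length, where a load or store only reaches memory after the check passes and a derived capability is untagged if it would widen the parent's rights. The names cap_t, cap_check, cap_load, cap_store and cap_restrict are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
/* Added model of a CHERI-style capability register (names are assumptions):
 * a set tag marks a valid capability; perms, base and length gate every access. */
#define PERM_LOAD  0x1u
#define PERM_STORE 0x2u
typedef struct {
    bool     tag;     /* cleared whenever a derivation would widen rights */
    uint32_t perms;   /* PERM_LOAD | PERM_STORE */
    uint8_t *base;    /* lowest address the capability may reach */
    size_t   length;  /* bytes from base covered by the capability */
} cap_t;

/* Range & perm check: [offset, offset+size) must lie inside [0, length) and
 * every bit in `need` must be present in perms. Written to avoid overflow. */
static bool cap_check(const cap_t *c, size_t offset, size_t size, uint32_t need)
{
    if (!c->tag || (c->perms & need) != need) return false;
    return size <= c->length && offset <= c->length - size;
}

/* Loads and stores return false where the hardware would raise a capability
 * exception; memory is only touched once the check has passed. */
bool cap_load(const cap_t *c, size_t offset, uint8_t *out)
{
    if (!cap_check(c, offset, 1, PERM_LOAD)) return false;
    *out = c->base[offset];
    return true;
}

bool cap_store(const cap_t *c, size_t offset, uint8_t value)
{
    if (!cap_check(c, offset, 1, PERM_STORE)) return false;
    c->base[offset] = value;
    return true;
}

/* Derive a narrower capability for a compartment: the child keeps its tag only
 * if its bounds and perms are a subset of the parent's (monotonicity). */
cap_t cap_restrict(const cap_t *parent, size_t offset, size_t length, uint32_t perms)
{
    cap_t child = { false, perms, NULL, length };
    if (cap_check(parent, offset, length, 0) && (perms & ~parent->perms) == 0) {
        child.tag = true;
        child.base = parent->base + offset;
    }
    return child;
}
```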

Memory allocation & legacy support

Summary

• CHERI = MIPS + capabilities

• Aiming to show that hardware-based fine-grained protection is a real winner for real applications

Conclusions

• There’s lots of open research questions in computer architecture

• FPGAs provide an efficient “sand pit” for computer architecture research

Ph.D. positions, Part II projects, etc.

• Lots of opportunities available for bright, well motivated individuals to join the team over the next few years

• Need people interested in:
  – computer architecture
  – operating systems/run-time systems
  – security
  – compilation techniques
  – etc…