Example Computer Architecture Research Project
Simon Moore
Trustworthy Processor Design
• Motivation
– Security/Trustworthiness is increasingly important
– need the hardware to help enforce policies
• Hypothesis
– Capsicum (next slide) demonstrated that capability based protection is good for fine-grained sandboxing of applications but with a performance cost
– Hardware based capabilities will allow more security but with less performance overhead
Capsicum
USENIX Security Best Paper 2010
Observations from Capsicum
• Software designs that employ the principle of least privilege are neither easily nor efficiently represented in current hardware
• Kernels and programming language runtimes (TCBs) building directly on hardware in C are enormous and unsound
• Software TCB implementations embody artifacts of security policies rather than design principles
[Photo: CAP Computer (1970s)]
Checkered History of Capability Machines
• 1966: Dennis & Van Horn invent the term
• 1972: Plessey System 250 uses hardware capabilities commercially
• 1976: Cambridge CAP Computer
• 1979: IBM System/38
• 1981: Intel iAPX 432 – embodiment of CISC
• 1999: EROS uses software capabilities
• 2010: Capsicum capability security model
A RISC approach to capabilities: CHERI
• Base system – our own 64 bit MIPS style core (BERI) + extensive regression test suite
• Implemented in Bluespec targeting FPGAs
• Running FreeBSD – complete UNIX setup
• Now adding capability mechanisms to hardware and OS
[Photo: CHERI tablet demo platform]
Software compartmentalisation
[Diagram: conventional "fetch" program vs compartmentalized "fetch" program. Conventional: one UNIX process holding both the main loop and the vulnerable HTTP fetch logic, running on the kernel. Compartmentalized: the main loop stays in the UNIX process while the vulnerable HTTP fetch logic runs in a separate capability mode process, both on the kernel]
• Software compartmentalisation decomposes applications into many isolated components
• Each running with only the rights required to perform its function
• This implements the principle of least privilege
Capability Register Model
• Protection is a first-class primitive
• Compiler manages capability registers as it does general purpose registers
• Capabilities describe data, code & objects
[Table: capability registers, each with perms, otype, base and length fields; one register is marked as the general purpose capability]
Memory Access
[Table: pipeline stages (instruction fetch, data access) and their function: general purpose registers, capability registers, capability base, range & perm check]
• Capabilities use virtual …
[Diagram: page, virtual address]
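The capability register model and the range & permission check on the two slides above, worked as a small added example (not code from the slides or from the CHERI/BERI project): every load and store goes through a capability register, and a capability derived from another can only shrink in bounds and rights. The field names, permission bits, restrict() and the confined-buffer scenario are assumptions of this example, not CHERI's encoding.

```python
# Added example: toy model of CHERI-style capability registers. Field names,
# permission bits and restrict() are this example's assumptions, not CHERI's.
from dataclasses import dataclass
PERM_LOAD, PERM_STORE, PERM_EXEC = 1, 2, 4
@dataclass(frozen=True)
class Capability:
    base: int         # lowest address covered
    length: int       # bytes covered from base
    perms: int        # bitmask of PERM_* rights
    tag: bool = True  # cleared if the capability is ever overwritten as data
    def check(self, addr, size, perm):
        # Range & permission check applied on every access through this register
        if not (self.tag and self.perms & perm):
            raise PermissionError("untagged capability or missing permission")
        if addr < self.base or addr + size > self.base + self.length:
            raise PermissionError("out of bounds")
    def restrict(self, base=None, length=None, perms=None):
        # Derive a narrower capability: bounds and rights may only shrink
        nb = self.base if base is None else base
        nl = self.length if length is None else length
        npr = self.perms if perms is None else perms
        if nb < self.base or nl < 0 or nb + nl > self.base + self.length:
            raise PermissionError("bounds may not grow")
        if npr & ~self.perms:
            raise PermissionError("permissions may not grow")
        return Capability(nb, nl, npr)
def load(mem, cap, addr, size):   # mem is reachable only via a capability
    cap.check(addr, size, PERM_LOAD)
    return bytes(mem[addr:addr + size])
def store(mem, cap, addr, data):
    cap.check(addr, len(data), PERM_STORE)
    mem[addr:addr + len(data)] = data
def demo():
    # Confine a component to an 8-byte buffer and record what the checks reject
    mem = bytearray(64)
    root = Capability(0, 64, PERM_LOAD | PERM_STORE | PERM_EXEC)
    buf = root.restrict(base=16, length=8, perms=PERM_LOAD | PERM_STORE)
    store(mem, buf, 16, b"ABCDEFGH")
    results = {"in_bounds": load(mem, buf, 20, 4)}
    attempts = {"overrun": lambda: load(mem, buf, 20, 8),        # 4 bytes past the end
                "widen": lambda: buf.restrict(length=32),         # try to regain bounds
                "escalate": lambda: buf.restrict(perms=PERM_EXEC)}  # try to gain a right
    for name, attempt in attempts.items():
        try:
            attempt()
            results[name] = "allowed"
        except PermissionError as err:
            results[name] = str(err)
    return results
```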
Memory allocation & legacy support
[Diagram: virtual to physical address translation, tagged physical memory]
Summary
• CHERI = MIPS + capabilities
• Aiming to show that hardware-based fine-grained protection is a real winner for real applications
Conclusions
• There’s lots of open research questions in computer architecture
• FPGAs provide an efficient “sand pit” for computer architecture research
Ph.D. positions, Part II projects, etc.
• Lots of opportunities available for bright well motivated individuals to join the team over the next few years
• Need people interested in:
– computer architecture
– operating systems/run-time systems
– security
– compilation techniques
– etc…