Example Computer Architecture Research Project Simon Moore Trustworthy Processor Design • Mo>vaon – Security/Trustworthiness is increasingly important • need the hardware to help enforce policies • Hypothesis – Capsicum (next slide) demonstrated that capability based protec>on is good for fine-grained sandboxing of applicaons but with a performance cost – Hardware based capabili>es will allow more security but with less performance overhead Capsicum USNIX Security Best paper 2010 Observaons from Capsicum • SoRware designs that employ the principle of least privilege are neither easily nor efficiently represented in current hardware • Kernels and programming language run>mes (TCBs) building directly on hardware in C are enormous and unsound • SoRware TCB implementaons embody ar>facts of security policies rather than design principles CAP Computer (1970s) Checkered History of Capability Machines • 1966: Dennis & Van Horn invent the term • 1972: Plessey System 250 use hardware capabili>es commercially • 1976: Cambridge CAP Computer • 1979: IBM System/38 • 1981: Intel iAPX 432 – embodiment of CISC • 1999: EROS uses soRware capabili>es • 2010: Capsicum capability security model A RISC approach to capabili>es: CHERI • Base system - our own 64 bit MIPS style core (BERI) + extensive regression test suite • Implemented in Bluespec targe>ng FPGAs • Running FreeBSD – complete UNIX setup • Now adding capability mechanisms to hardware and OS CHERI tablet demo plaorm SoRware compartmentalisaon Conventional "fetch" program Compartmentalized "fetch" program Conventional Capability mode process main UNIX process loop vulnerable vulnerable main HTTP fetch HTTP fetch loop logic logic Kernel Kernel • SoRware compartmentalisaon decomposes applicaons into many isolated components • Each running with only the rights required to perform its func>on • This implements the principle of least privilege Capability Register Model Protection is a )*+*,-.#/0,123*# 7-1-85.569#!*4536*,3# first-class primitive !*4536*,3# /7# 1*,:3# 2691*#7/7# 8-3*# .*+46;# !"#$$#"# 1*,:3#7!"#<4*+*,-.#10,123*#=-1-85.569>#2691*# 8-3*# .*+46;# !%# 1*,:3# 2691*#7!%# 8-3*# .*+46;# !&# 1*,:3# 2691*#7!&# 8-3*# .*+46;# Compiler manages '# Capabilities '# capability registers as it describe data, '# '# does general purpose code & objects '# '# registers !(%# 1*,:3# 2691*#7!(%#8-3*# .*+46;# Memory Access 8$/6,* +&"'()"* !"#$%&'()"** .,",%/0* 9/4/:707$;* +,$'-* 1/$/* 1/$/* 2'',##* 2'',##* .,",%/0* 3&%4)#,* !"# 56# 56# 5,67#$,%#* 9/4/:707$;* < =#=-):# 5,67#$,%* 9/4/:707$;* =/#,* "!"# "57# "56# 5,67#$,%#* >*5/"6,*?*3,%@*9-,'A* 9.4:;'0#8**4)--# Capabilities use virtual 3/6,*</:0,* <%/"#0/()"* $%&# $%&# $%&# addresses !+,-./'0#8**4)--# Memory allocation & legacy support $'(()*#!+,-./'0#1)234,# Summary • CHERI = MIPS + capabili>es • Aiming to show that hardware-based fine- grained protec>on is a real winner for real applicaons Conclusions • There’s lots of open research ques>ons in computer architecture • FPGAs provide an efficient “sand pit” for computer architecture research Ph.D. posi>ons, Part II projects, etc. • lots of opportuni>es available for bright well mo>vated individuals to join the team over the next few years • Need people interested in: – computer architecture – operang systems/run->me systems – security – compilaon techniques – etc… .