Is digital security by design possible?
As one of his last acts as Secretary of State for Business, Energy and Industrial Strategy, Greg Clark signed off on a new UK Industry Strategy Challenge Fund: Digital Security by Design. This £70m challenge fund is expected to be matched by funding of up to £117 million from industry. While a significant investment, it is dwarfed by the annual revenue of major big tech companies (Apple: $229b, Samsung $211b, Amazon $177b, Alphabet $110b, Microsoft $90b, Intel $62b, ARM $1.4b, etc.), so can it make a difference? I believe that it can because big tech. companies are driven to make money, often with short-sighted attention on earnings for the next quarter. Moreover, these companies operate in particular sectors with engineers working for these companies focusing their attention on improvement within these sectors: so, software companies improve the software and hardware companies improve the hardware, but rarely the two work on global optimisations/improvements. Even vertically integrated companies like Apple license processor technology or buy processor chips from ARM (for mobile phones) and Intel (for laptops and desktops).
The Common Vulnerabilities and Exposures (CVE) database records publicly known vulnerabilities and fixes. The number of CVE reports is growing at an alarming rate, fuelled by ever growing software systems that present an increasingly large attack surface, and mass connection of devices to the internet providing a conduit for attacks. I conjecture that we need a radical approach to reverse this alarming trend.
To fundamentally reduce the attack surface, we need to apply the principle of least privilege: code should be divided into compartments with each compartment being given the least amount of privilege needed to perform its task. This fundamental approach is based on a 1960s idea, yet it is only deployed to a limited extent today; for example, each tab in web browser is run in a separate compartment but for performance reasons once there are thirty or so tabs open, tabs share compartments, potentially allowing your Facebook page to interfere with your online banking. Ideally not only would each tab have its own component, but each element needed to render the page should be in a compartment: every image and every fragment of JavaScript should be in a separate compartment. But today’s hardware does not efficiently support this model, so software does not attempt to perform fine grained compartmentalisation. Since software does not perform fine grained compartmentalisation, hardware vendors do not optimise for it. This chicken and egg scenario has been played out for over a decade, with no signs of fundamental improvements being made by industry that fails to address fundamental challenges that require changes across the hardware and software divide.
Ransomware attacks are on the rise, paralysing critical public-sector functions. For example, WanaCry had a devastating impact on the NHS, taking down computer systems, which resulted in patients not being treated when medical records and test results became unavailable. The initial attack vector used is documented as CVE-2017-0145: Windows SMB Remote Code Execution Vulnerability. This is yet another example of a memory safety bug, specifically CWE-20: Improper Input Validation, that results in a buffer overflow. The buffer overflow vulnerability was first documented in 1972 and yet modern systems are still vulnerable. Our analysis indicates that much software vulnerable to buffer overflow at a machine code level (i.e. what a contemporary processor runs) is not inherently vulnerable at a source code level (i.e. what the human programmer wrote). The very process of transforming the human readable program code into machine code has introduced the vulnerability by failing to preserve the semantic intent the programmer had when describing data structures. This leads us to the ideal of the principle of intentional use: processors need to be able to run software the way the programmer intended, not the way the attacker tricked it. Implementing the principle of intentional use also demands changes to both hardware and software.
To conclude, I am excited by the UK Digital Security by Design initiative and believe that there is a real opportunity to fundamentally advance hardware and software to efficiently embody the principle of least privilege and the principle of intentional use.
Fundamentally more secure computer systems: the CHERI approach
In collaboration with SRI International (California), members of the Computer Architecture and Security groups in the Cambridge Computer Laboratory have spent over eight year exploring fundamentally more secure ways of building computer systems. Starting with a conventional microprocessor, we have added augmented the hardware/software interface with new compartmentalisation primitives that allow security critical properties of software to be better represented. This ensures that the hardware better understands the software that it is running, so is better able to run the code as the programmer intended, not as the attacker tricked it. Compartmentalisation allows software to exploit the principle of least privilege, a fundamental idea in computer security dating back to the 1960s but is ill supported by prior computers.
Our new microprocessor (CHERI), operating system (CheriBSD based on FreeBSD) and compiler support (based on Clang/LLVM) can run existing software while allowing security enhancements to be added automatically via recompilation of the software, and through the developer adding compartmentalisation. We have demonstrated automatic exploit mitigation of security vulnerabilities like Heartbleed (that his banking) and WannaCry (that hit the NHS), as well as mitigating common place buffer overflow/underflow and many return-oriented programming (ROP) and jump-oriented programming (JOP) attacks.
This radical approach was made possible through substantial US government funding (tens of millions of dollars) for a large team over eight years. We have been able to straddle many levels of abstraction that commercially are typically different industries, resulting in market failure. In particular, the hardware and software industries are separate, limiting their ability to optimise across the hardware/software divide.
We are currently working with large industrial players and government actors to bring the technology to the masses. We believe that this new technology can make computer systems far more trustworthy than they are today.
