
Digital security by design: Toward computer systems that are more trustworthy

Prof Simon Moore
Department of Computer Science and Technology

All too often we see news of yet another attack on computer systems. In Cambridge we have been exploring how to redesign computer systems from the hardware up with the objective of making them fundamentally more trustworthy. After over ten years of research and over 150 researcher years of effort, we have produced the CHERI secure computer architecture[1], comprising new mechanisms for processors that provide the fundamental building blocks on which secure software can be built. We have prototyped complete systems to demonstrate the benefits of such an approach and are now in the process of transitioning the technology. Our aims are, out of necessity, ambitious: to change the entire computer industry to use our more secure technology. This is not something that can be done by spinning out a start-up company; it requires engagement across the industry.

Through working with Innovate UK, the Digital Security by Design (DSbD) Industry Strategy Challenge Fund[2] was established in 2019 to transition the CHERI security technology. This comprises £70m of UK government funding and £117m of industry backing.  When the funding was announced, Business Secretary Andrea Leadsom said:

  • “Cyber-attacks can have a particularly nasty impact on businesses, from costing them thousands of pounds in essential revenue to reputational harm.
  • Cyber-criminals operate in the shadows, with the severity, scale and complexity of breaches constantly evolving. It’s critical that we are ahead of the game and developing new technologies and methods to confront future threats, supporting our businesses and giving them peace of mind to deliver their products and services safely.
  • Investing in our world-leading researchers and businesses to develop better defence systems makes good business and security sense.”

Under the DSbD initiative, ARM is building the Morello platform that will demonstrate CHERI security on the ARM processor[3].  ARM Ltd has its HQ in the UK and is the world leader in processors for mobile phones, tablet computers, the Raspberry Pi, etc., and has recently been adopted by Apple for their new laptops and Apple mini using their M1 chip.  The Morello platform hardware and software will be provided to academic and industrial partners to evaluate this new security technology and explore the myriad of software use-cases.

Microsoft’s Security Response Center (MSRC) have already undertaken an analysis. Matt Miller led this work, and in his talk at BlueHat 2019 he concluded that CHERI would have mitigated over 70% of all the vulnerabilities in Microsoft software in the last ten years. Such vulnerabilities include WannaCry, which had a devastating effect on the NHS in 2018.

The DSbD initiative is also providing £10m of funding for nine UK research projects[4].  At the launch the Digital Secretary, the Rt Hon Oliver Dowden said:

“We have a world-class cyber security sector, and together we are working hard to make sure the UK is the safest place to work, connect and live online. With government support, these projects will build cutting-edge, secure technologies that will give people and businesses further confidence in our digital services and help weaken the threat of cyber attackers.”

To explore the social impact of these technologies, the DSbD initiative is funding the Describe research hub[5] hosted by University of Bath.

With all of the industrial and academic activity around CHERI, we have high hopes that this technology can be deployed into consumer products and that in the longer term it will have a major impact, making computer systems more secure and robust and giving us a computer platform that is far more trustworthy than systems today.
