Earlier this month, a U.K. government initiative called Digital Security by Design (DSbD) held a showcase in London to enable companies with pioneering technologies to demonstrate their products, technologies and solutions that could tackle a perceived market failure in integrating fundamental hardware security and, ultimately, reduce the economic impact of cyber major security breaches caused by memory safety vulnerabilities.
A key to addressing this is a technology called CHERI (Capability Hardware Enhanced RISC Instructions), for which the story starts around 2010. The DSbD initiative was then put in place in 2019 because of £70 million (about $88.4 million) U.K. government funding earlier that year to figure out how industry could implement memory safe technologies like CHERI, build prototypes and look at bringing it to market in a commercially viable way.
John Goodacre, a professor and technologist who spearheaded the DSbD initiative, said in his opening remarks at the showcase that CHERI and memory safety were key to implementing security, and that it was essential now to achieve real-world adoption of CHERI at scale.
Ollie Whitehouse, CTO of the U.K.’s National Cyber Security Centre, added, “Addressing memory safety at source, and the standardization of technologies like CHERI and RISC-V present a unique opportunity to adopt security technology.” However, he said that refactoring code into being memory safe is not practical. Hence, he said the industry needed to figure out how to prioritize cyber security in the system development phase and embrace open standards to ultimately create market demand.
At the London event, Arm fellow and chief architect Richard Grisenthwaite added more detail about the context and the significance of addressing memory safety. “Security is not just one thing. The cleverness of cybercriminals is immense, and memory safety remains a fundamental problem,” Grisenthwaite said. “CHERI provides a way of compartmentalization so that when there is a breach, damage can be minimized. Functions stay in their little boxes.”
He said that before 2018, people would ask, “Is CHERI deployable in the real world?” That is a key part of what DSbD’s task was: to show how it could be deployed to effectively get proofs of concept, develop prototypes and find early adopters of potential solutions. “Of course there are deployment challenges – for example, with millions of lines of code out there already, how can some of the software ecosystems be addressed,” Grisenthwaite said.
At the showcase, speakers highlighted that as a result of the DSbD program, some 160 companies and over 1,000 people were looking at using CHERI.
Professor Rober Watson on the origins of CHERI
EE Times was able to spend some time earlier this month in Cambridge, U.K., with the professor of systems, security and architecture at the University of Cambridge Computer Laboratory, Robert Watson, to explain the origins of CHERI and where it is now.
From EETimes