Is it possible to change an industry mindset on cybersecurity when every product continues to be based on hardware and software design practice that has allowed exploitation of memory vulnerabilities, and has done so for 50 years?
That is the challenge that a U.K. government-backed initiative, supported by Arm, Microsoft and Google, is aiming to take on. The ‘Digital Security by Design’, or DSbD, initiative funded by UK Research and Innovation (UKRI) builds upon work done by the University of Cambridge and industrial partners, as well as research since 2010 carried out by DARPA and others. In January 2022, a major landmark in the program was the release by Arm of a system-on-chip (SoC) and demonstrator board based on the architecture resulting from the research to define hardware capabilities that could fundamentally provide a more secure building block for software.
The architecture is called CHERI (Capability Hardware Enhanced RISC Instructions) and is the basis of the Arm Morello board which is being made available to developers to explore the adoption of this new protection model.
According to DSbD, the aim is to help prevent the continuous cycle of patching and mitigating vulnerabilities, which is often the strategy that organizations take today to protect their cyberattack surface. In the long term, the new approach to security proposed by DSbD will help prevent memory pointer exploits, blocking the exploitation of up to 70% of ongoing vulnerabilities. My podcast with John Goodacre, professor of computer architectures at the University of Manchester, who leads the DSbD program, explores the background.
As part of this program, embedded.com was a media partner with DSbD’s in-person and online ‘Four Nations Roadshow’. The physical events took place in England, Scotland, Wales and Northern Ireland while online attendees from around the world got to explore the topics delivered by several prominent speakers in the fields of computer systems architecture and cybersecurity. I had the pleasure of moderating these events and following the story.
Each event was visualized by a live illustrator, or scribe, Chris Shipton, who provided a graphic record of the key points of each event. Here, we present those visualizations which hopefully tell the story by themselves.
The events formed a continuous story exploring the journey so far in computing, and the future for trusted computing. This involved speakers like Sir Dermot Turing (nephew of Alan Turing), who looked at the history of computers and computing, and went on to explore new technologies in cybersecurity, how to strengthen the foundations for security, and the future for trusted computers.
Notable quotes from the event:
“Software and hardware are not as disconnected as we think” – Sir Dermot Turing
“Computer memory has always been the Achilles’ heel [of cybersecurity]” – Andrew Herbert
“Buffer overflows… a systemic flaw discovered in 1972” – Paul Waller
“We’re living with 20th century technology while having 21st century expectations” – Professor Daniel Dresner
“Code bloat makes it easier for attackers… software compartmentalization decomposes software into isolated compartments” – Professor Simon Moore
Day 1: The history of computers
This first event explored the history of computers with Sir Dermot Turing at The National Museum of Computing at Bletchley Park, England. Andrew Herbert then talked about the history of computer performance, and then Professor Genevieve Liveley highlighted the need to look back to look forward and explored the art of futures thinking (and introduced ‘chronocentrism’). In the final talk, Andrew Elliot looked at the ubiquity of computers in the digital world and what that meant for security.
Day 2: The journey to a more secure future
The next step in the story explored the world of cybersecurity today and new technologies in cybersecurity, at the Glasgow Science Centre in Scotland. It was kicked off by Professor Daniel Dresner, who explored various socio-economic impacts of cyberattacks and who blames who when something goes wrong. Then Paul Waller talked about fixing the foundations for security, and the importance of academia and different industries working together. Next was Professor Simon Moore, who went into technical detail about CHERI, looking at the importance of memory pointer integrity and bounds checking. In the final talk, Jude McCorry provided her perspective on cybersecurity, and why relying just on luck is not such a great strategy.
Day 3: Strengthening the foundations of security
At the third event in Newport, Wales, speakers looked at how foundations can be strengthened to make the world more secure, not just from a technology standpoint but from all stakeholders. Setting the context, Clare Johnson highlighted the importance of partnerships and collaborations in the adoption of new technologies. Then, Professor John Goodacre asked, “can we actually prevent computer security vulnerabilities with today’s solutions?” Richard Grisenthwaite then outlined the Arm Morello program, and its role in realizing a solution to some of the fundamental security vulnerabilities that other speakers highlighted in the roadshow. David Chisnall then asked, “Do we still need safe languages if we have CHERI?” Finally, Katy Ho outlined how people could get involved in DSbD’s design technology access program.
Day 4: The future for trusted computers
The final event in the series, which took place in Belfast, Northern Ireland, looked at what’s next: the future for trusted computers. Professor Adam Joinson discussed the socio-economic impact of security on trust. Philip Wilson gave a perspective from a software programmer’s point of view, with some great real-world examples of where things can go wrong, and presented a case study of security in ecommerce. Tim Silversides talked about growing business and differentiating through security by design. And finally, Professor Maire O’Neil detailed the future for trusted computers, and explained why we need to move away from the strategy of mitigating and patching.