Wayland and the KDE Plasma desktop now run on CheriBSD, the special version of FreeBSD for Arm’s Morello board.
Cambridge University’s “Capability Hardware Enhanced RISC Instructions” project, or CHERI for short, has been underway for some years, but usable results are starting to emerge.
Back in 2019, we reported on the project receiving government funding, and earlier this year on prototype hardware beginning to ship. Coming just six months later, this experimental port is a significant step forward and a very promising sign.
The CHERI project originally targeted the MIPS processor architecture, but more recently has moved its focus to include RISC-V and Arm as well. Not only is Arm a much more significant processor architecture these days, but because Arm Ltd started out as an offshoot of Acorn Computers, it’s also headquartered in Cambridge.
Digital security via hardware design
CHERI brings to modern processors two hardware-enforced safety and protection features that were part of some computer designs in the relatively early days: a tagged memory architecture and capability-based addressing.
Capabilities are a hardware-enforced protection mechanism that featured in some earlier computers, such as the Burroughs large systems – descendants of which are still around today – and IBM’s early System/38 minicomputer. These systems flourished before the rise of Unix and Unix-like systems.
The S/38 evolved into the AS/400, today known as IBM i, but the designers of those later systems dropped the security mechanism. Similarly, the Multics OS which inspired the creation of Unix had some comparable features, but they were among the things which Dennis Ritchie and Ken Thompson left out of their smaller, simpler system.
The new desktop stack runs on an experimental OS derived from FreeBSD called CheriBSD, which can make use of the hardware facilities of CHERI-enhanced Arm and RISC-V processors.
The project has a FAQ which explains some more, as well as some less-technical articles about the design and the OS, although they’re not exactly light reading. We particularly recommend Chapter 13, Historical Context and Related Work, of this technical report [PDF], though.
Processor and compiler expert Mark Morgan Lloyd summarized it for us: “They’re trying to not be too rude, but they’re quite definite that they consider the industry to have taken a wrong turn in walking away from fine-grained hardware protection.”
In older systems, such as Multics, code running on the computer’s processor had to run in one of many rings: inner rings had more permissions and control, and outer ones had less. Older Intel chips had a limited, simpler version of this, as we explained in our brief history of virtualization back in 2011. Sadly, most PC OSes never really used the feature, favoring a much simpler design, just like Ritchie and Thompson 50 years ago.
One of the results of that simplification is the possibility of privilege-escalation attacks. As the great British computer scientist Tony Hoare said:
CHERI brings a more granular level of protection in the place of protection rings. Programs can be limited to accessing only certain permitted areas of memory, in certain restricted ways, and special hardware tags those areas of memory to limit what they can be used for – regardless of what the OS’s security mechanisms may be tricked into believing.
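To make the mechanism described above concrete, here is an added illustration that is not from the article or from the CHERI project: a small plain-C software model of a capability (a pointer bundled with bounds, permissions and a validity tag). It is not CHERI's real 128-bit capability encoding or its compiler intrinsics; the type and function names (cap_t, cap_root, cap_restrict, cap_from_integer, cap_load, cap_store) and the sample buffer are constructed for the example. It walks through the cases the text implies: an in-bounds access succeeds, an off-by-one past the permitted region faults, a read-only view cannot be written, a narrowed capability cannot be widened again, and a pointer forged from an integer carries no tag and is refused even when it names a valid address.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Toy model of a CHERI-style capability: a pointer that carries its own
 * bounds, permissions and a validity tag. Illustration only, not CHERI's
 * real capability encoding or its cheriintrin.h API (assumed names). */
typedef struct {
    uint8_t *base;    /* lowest address the capability may touch */
    size_t   length;  /* number of bytes from base it may touch */
    unsigned perms;   /* CAP_LOAD and/or CAP_STORE */
    bool     tag;     /* true only if derived legitimately from a valid capability */
} cap_t;

enum { CAP_LOAD = 1u << 0, CAP_STORE = 1u << 1 };

/* A root capability over a whole buffer. On real hardware this is handed out
 * by the OS/runtime at allocation time; here it is simply constructed. */
static cap_t cap_root(uint8_t *buf, size_t len) {
    cap_t c = { buf, len, CAP_LOAD | CAP_STORE, true };
    return c;
}

/* Derive a narrower capability. Monotonicity: a child may shrink the bounds
 * and drop permissions but never widen or regain them; an attempt to do so
 * produces an untagged capability that every later access refuses. */
static cap_t cap_restrict(cap_t parent, size_t offset, size_t len, unsigned perms) {
    cap_t c = parent;
    if (!parent.tag || offset > parent.length || len > parent.length - offset
        || (perms & ~parent.perms) != 0) {
        c.tag = false;
        return c;
    }
    c.base = parent.base + offset;
    c.length = len;
    c.perms = perms;
    return c;
}

/* "Forging" a capability from a plain integer: the tag is never set, so the
 * result is rejected no matter what address it names. */
static cap_t cap_from_integer(uintptr_t addr) {
    cap_t c = { (uint8_t *)addr, SIZE_MAX, CAP_LOAD | CAP_STORE, false };
    return c;
}

/* The check performed on every access: tag, then permission, then bounds. */
static bool cap_check(const cap_t *c, size_t offset, size_t n, unsigned need) {
    if (!c->tag) return false;
    if ((c->perms & need) != need) return false;
    return offset <= c->length && n <= c->length - offset;
}

/* Load a byte at base+offset; -1 signals a capability fault. */
static int cap_load(const cap_t *c, size_t offset) {
    if (!cap_check(c, offset, 1, CAP_LOAD)) return -1;
    return c->base[offset];
}

/* Store a byte at base+offset; false signals a capability fault. */
static bool cap_store(const cap_t *c, size_t offset, uint8_t v) {
    if (!cap_check(c, offset, 1, CAP_STORE)) return false;
    c->base[offset] = v;
    return true;
}

/* Walk through the situations the article describes. Returns a bitmask with
 * one bit per scenario that behaved as a capability machine should (0x1f). */
static unsigned run_scenarios(void) {
    uint8_t buf[16] = {0};                                   /* constructed sample memory */
    cap_t root  = cap_root(buf, sizeof buf);
    cap_t field = cap_restrict(root, 4, 8, CAP_LOAD | CAP_STORE); /* bytes 4..11 only */
    cap_t ro    = cap_restrict(field, 0, 8, CAP_LOAD);            /* read-only view */
    unsigned ok = 0;

    /* 1: in-bounds write then read through a valid capability works */
    if (cap_store(&field, 3, 0x5a) && cap_load(&field, 3) == 0x5a) ok |= 1u << 0;
    /* 2: an off-by-one past the end faults instead of clobbering buf[12] */
    if (!cap_store(&field, 8, 0xff) && buf[12] == 0) ok |= 1u << 1;
    /* 3: the read-only view can read but not write */
    if (cap_load(&ro, 3) == 0x5a && !cap_store(&ro, 3, 0)) ok |= 1u << 2;
    /* 4: trying to widen the read-only view back to read-write yields no tag */
    cap_t widened = cap_restrict(ro, 0, 8, CAP_LOAD | CAP_STORE);
    if (!widened.tag && cap_load(&widened, 0) == -1) ok |= 1u << 3;
    /* 5: a pointer forged from an integer is refused even for an in-range address */
    cap_t forged = cap_from_integer((uintptr_t)buf);
    if (cap_load(&forged, 0) == -1) ok |= 1u << 4;
    return ok;
}

int main(void) {
    unsigned r = run_scenarios();
    printf("scenarios behaving as expected: 0x%02x of 0x1f\n", r);
    return r == 0x1f ? 0 : 1;
}
```

The point of the model is the order of the checks: the tag is consulted before anything else, so no amount of arithmetic on an integer can manufacture a usable pointer, and bounds and permissions travel with the pointer rather than living in page tables that a compromised OS component could be tricked into rewriting.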
CHERI won’t make computers cheaper or faster, breaking the pattern of many modern hardware developments. But if it succeeds in its goals, CHERI-flavoured computers will be more resistant to hacking than ordinary ones. We suspect many organizations would be happy to pay for that. ®