Following the Collaborators' Workshop held on 26th Sept (presentations available on KTN's SlideShare account), EPSRC/ESRC are running a Collaboration Development workshop on 22nd November 2019 in London to facilitate academia-industry and academia-academia collaboration ahead of the closing dates for the EPSRC and ESRC ISCF Digital Security by Design calls.
The calls need to be led by academic institutions. Industrial involvement, while not mandatory, is highly desirable and will be required for future competitions. Hence this workshop aims to have a mix of academic and industrial participants.
The Digital Security by Design challenge was announced in July. This challenge, amounting to £70 million of government funding over 5 years, will be delivered by UK Research and Innovation (UKRI) through the Industrial Strategy Challenge Fund (ISCF).
Find out more: https://ktn-uk.co.uk/news/iscf-digital-security-by-design-collaboration-development-workshop
5. What is Microsoft doing?
Remove classes of vulnerabilities
◦ Probabilistic prevention not considered suitable - servicing a vulnerability still required
◦ MemGC - https://msrc-blog.microsoft.com/2016/01/12/triaging-the-exploitability-of-ieedge-crashes/
◦ Killing Uninitialized Memory: Protecting the OS Without Destroying Performance -
https://cppcon2019.sched.com/event/SfYc/killing-uninitialized-memory-protecting-the-os-without-destroying-
performance
Investing in safe(r) systems programming languages:
◦ Rust investigations, https://msrc-blog.microsoft.com/2019/07/18/we-need-a-safer-systems-programming-language/
◦ Project Verona, research project
◦ Cannot simply throw away old code!
6. Our research in Cambridge
Mitigations Language design Compartmentalisation
7. Project Verona
A new language for safe infrastructure
programming
With David Chisnall, Sylvan Clebsch, Manuel Costa, Sophia
Drossopoulou, Juliana Franco, Mads Torgersen, …
8. The application spectrum
C#
C/C++
Asm
Today
Boot loader/HAL
Core OS components Schedulers/Memory management
Exchange/ ASP.NET
Azure Storage/ Cosmos/ Data lake
Azure functions
Desktop Apps
Device drivers
Systems Programming
9. The space
• Fine grained control
• Resource management
• Latency sensitive
• Close to machine
• No abstraction over memory
• No type safety
Systems Programming
10. The application spectrum
C#
C/C++
Asm
Today
Boot loader/HAL
Core OS components Schedulers/Memory management
Exchange/ ASP.NET
Azure Storage/ Cosmos/ Data lake
Azure functions
Desktop Apps
Device drivers
Infrastructure
Programming
11. The space
• Fine grained control
• Resource management
• Latency sensitive
• Close to machine
• No abstraction over memory
• No type safety
Inherently unsafe
Possible for safe by construction
12. Core ideas
• Give up concurrent mutation, to enable scalable memory management.
Data-race
freedom
• New concurrency model that provides lightweight asynchronous coordination.
Concurrent
Owners
• passing groups of objects
• memory management strategies per region (reference counting, tracing, arenas, …)
• Compartmentalisation for legacy components
Linear Regions
14. Pervasive sandboxing
Verona program
C++ runtime library
C library
C / Assembly
library
C++ library
C/C++ library
C++ library
TCB,
needs
careful
auditing
Sandboxed, scope of
vulnerabilities
limited
16. Project Verona
status
Production quality runtime
Prototype interpreter and type checker
Compiler not started
Open-sourcing to github soon to enable collaborations
Ask me for a demo!
18. CHERI for
mitigations
Which exploit chains does CHERI break?
What gadgets can exist on CHERI?
Can temporal safety be achieved?
Microsoft Red team (attack) internship analysed security of CHERI
– 12 weeks not long enough to be conclusive
Need a thorough security analysis before it can be adopted as a
mitigation.
19. CHERI for legacy
Lightweight
compartmentalisation
• Contain existing libraries
• Single address space
• How can we build application
that have hundreds of
sandboxed libraries?
Low-cost containers
• Density important for the
cloud
• Can CHERI improve density in
Cloud applications?
20. Conclusions
Microsoft needs security for legacy!
Can we capitalise on CHERI to use existing
assets?
Can we architect software to integrate safe
new code with old unsafe legacy code?
Project Verona for compartmentalisation
research collaborations
23. Regions open up new possibilities
• Compartmentalisation
• Different regions can be compiled with different trust.
• Distributed and heterogenous hardware
• Moving collections of objects between devices – can be part of the
programming model
• Dynamic update of running code
• Each object accessed by at most one thread, updates can exploit this in the
running system