Prototype cyber tech has revolutionary potential

The early findings of a pioneering cyber security project are showing promising signs that a novel technological approach implemented in the Arm Morello research prototype could revolutionise how businesses protect themselves from cyber attacks.

The Arm Morello board is a test platform for Morello prototype architecture which is based on the capability hardware enhanced RISC instructions – or CHERI – protection model, an instruction-set architecture developed by Cambridge University and SRI International.

One of CHERI’s more advanced features includes compartmentalisation, which works as a guarantee that in the event of a security breach, it can be contained within a single compartment and prevent the entire system from being compromised. Although a similar approach was taken to the design of the RMS Titanic, with disastrous results, in this case the compartmentalisation model is becoming a hotly anticipated use case for CHERI’s memory-safe features.

For the past six months, technology companies from across the UK have been experimenting with the prototype technology developed at Arm and the University of Cambridge under the auspices of the UK Research and Innovation (UKRI) Digital Security by Design’s (DSbD) Technology Access Programme.

A grand total of 27 participating organisations got together last month at Digital Catapult’s London headquarters to showcase some of the findings from their work, with projects demonstrating the technology’s easy-of-use, the possibility of minimal changes needed to already-existing code to support it, and its utility in discovering new bugs in software applications and their dependencies.

“Through the DSbD Technology Access Programme (TAP), Digital Catapult has been integral to ensuring that UK businesses can review and understand the new technology involved, while preparing for its adoption in their future products or services,” said John Goodacre, DSbD challenge director at UKRI.

“An ecosystem of companies is now ready to take full advantage of the cutting-edge technology once it becomes commercially available. DSbD is all about making a difference across the cyber security landscape, the positive result seen today and the enthusiasm of the cohorts really make that goal closer.”

The showcase event provided definitive proof that CHERI can defend against some of the more notorious and pernicious forms of cyber attack currently seen, based on memory corruption – including buffer overflows – which can enable threat actors to conduct denial-of-service attacks or even take control of remote hosts.

As many as 70% of cyber attacks exploit memory-related vulnerabilities to some degree, even though the techniques involved are well-known and well-studied. Up to now, the standard approach to remediation has been to patch up unsecure software, often leaving vulnerabilities in place that can be exploited further down the line. This work, however, has shown that CHERI means the Arm Morello board could be a more robust and reliable alternative to this approach.

Though clearly still in the research and development phase, it is entirely possible that eventually, the technology could offer an extra layer of protection in many critical sectors where safety and security are paramount, including automotive, energy and telecoms.

Sensor IT, a UK-based startup specialising in the application of internet of things (IoT) technology to solve some of society’s grand challenges, such as climate change, was accepted onto the DSbD programme in mid-2022.

Director Richard Gonzalez said: “Not only did the Morello board and CheriBSD provide functionality we did not expect, we also got to keep the board, which allows us to keep experimenting with it.

“We have managed to port a bug-ridden, security-flawed application into a complete secure software suite, using only off-the-shelf Morello Board - CheriBSD functionality, if this does not sound amazing, I would not know what would!”

Jessica Rushworth, chief strategy and policy officer at Digital Catapult said the TAP was a powerful example of technology development in action.

“The DSbD technologies have huge potential to make a difference for all kinds of industries, and the aspiration is that this approach to cyber security will become a standard for the future,” she said. “While learning about new cyber security technologies and approaches, the companies involved are building credibility with their peers and customers.”

To date, more than 1,350 days of development and 13 million lines of code have been ported to the Arm Morello board for experimentation and testing, and the DSbD TAP will be continuing this work throughout 2023. It plans to onboard a new group of companies in May to conduct more work exploring porting applications to Morello, and how CHERI might be able to enhance secure-by-design initiatives by highlighting bugs and coding malpractice during development.