Early findings of a pioneering project show promising signs that a novel technology approach, implemented in a research prototype called the Arm Morello Evaluation Board, could revolutionise the way businesses protect themselves against cyberattacks in the future.
The findings come as technology companies from across the UK were given the opportunity to experiment for six months with prototype cybersecurity technology developed by Arm and the University of Cambridge as part of Digital Security by Design’s (DSbD) Technology Access Programme. Last month, 27 participating companies convened at Digital Catapult’s headquarters in London to showcase key findings, such as the new technology’s ease-of-use, the minimal changes needed to existing code and its usefulness in discovering fresh bugs in their own software and in their dependencies.
Most importantly, the showcase has helped prove that this technology can defend against some notorious forms of cyberattack based on memory corruption, including buffer overflows, which can allow cyber criminals to conduct denial-of-service attacks or gain total control over remote hosts.
Approximately 70% of cyberattacks exploit memory-related vulnerabilities, despite the fact that these flaws are well known and documented. Such cyberattacks have become increasingly complex in recent years as attackers look to bypass existing defences. To mitigate this threat, the traditional approach has been to regularly patch insecure software, often leaving vulnerabilities that can be exploited at a later date. Digital Catapult’s showcase has demonstrated, however, that the prototype Morello evaluation board can provide a more robust and reliable alternative with its built-in features.
Developed by Arm, the Morello board is a test platform for the Morello prototype architecture, based on the CHERI (Capability Hardware Enhanced RISC Instructions) protection model. CHERI is a novel instruction-set architecture developed by the University of Cambridge and SRI International. One advanced feature of CHERI is compartmentalisation, which works to guarantee that if there is a security breach, it will be contained within one compartment, preventing the whole computing system from being compromised. This compartmentalisation model is only one anticipated use case for CHERI’s new memory-safe features.
Richard Gonzalez, Director of participating company SensorIT said: “Not only did the Morello board and CheriBSD provide functionality we did not expect, we also got to keep the board, which allows us to keep experimenting with it. We have managed to port a bug-ridden, security-flawed application into a complete secure software suite, using only off-the-shelf Morello Board/CheriBSD functionality, if this does not sound amazing, I would not know what would!”
Access to this technology has been facilitated by DSbD, an initiative led by UK Research and Innovation, which aims to create a more secure hardware and software ecosystem that will improve the foundations of the country’s digital infrastructure.
The Technology Access Programme is delivered by Digital Catapult with support from the University of Cambridge as well as Arm. Whilst currently in its research phase, once commercially available the technology could offer an extra layer of protection in critical applications such as telecommunications, energy infrastructure management and autonomous or connected vehicles, where safety of systems is paramount.
So far, the programme has achieved more than 1,350 days of development work and over 13 million lines of code have been ported to the Arm Morello board for continued experimentation and testing. The Technology Access Programme will be onboarding its next cohort of experimenting companies on 25 May, where they will look to explore how to port applications to the Morello platform, how the CHERI architecture can secure applications against known memory vulnerabilities, and whether it can enhance code by highlighting potential vulnerabilities and coding malpractices during the development phase.
Prof. John Goodacre, DSbD Challenge Director, UK Research and Innovation, said: “Through the DSbD Technology Access Programme (TAP), Digital Catapult has been integral to ensuring that UK businesses can review and understand the new technology involved, while preparing for its adoption in their future products or services. An ecosystem of companies is now ready to take full advantage of the cutting-edge technology once it becomes commercially available. DSbD is all about making a difference across the cybersecurity landscape, the positive result seen today and the enthusiasm of the cohorts really make that goal closer.”
Jessica Rushworth, Chief Strategy and Policy Officer, Digital Catapult, commented: “TAP is a powerful example of technology development in action, and it’s great to be showcasing the results so far. The DSbD technologies have huge potential to make a difference for all kinds of industries, and the aspiration is that this approach to cyber security will become a standard for the future. While learning about new cybersecurity technologies and approaches, the companies involved are building credibility with their peers and customers.”