CHERI-based computer runs KDE for the first time
Digital security via processor design, hardware-enforced protection … and a friendly desktop
Wayland and the KDE Plasma desktop now run on CheriBSD, the special version of FreeBSD for Arm's experimental Morello hardware.
The University of Cambridge's Capability Hardware Enhanced RISC Instructions project, or CHERI for short, has been underway for some years, and usable results are starting to emerge. It aims to bake extra hardware-level security protections into processors, and Arm's Morello board incorporates that research work by CHERI.
And Ruslan Bukin, a researcher at Cambridge's computer science department and also a FreeBSD contributor, has now ported the Wayland display server and KDE desktop to CheriBSD. As he puts it:
I don't have a single C pointer in kernel, DRM, Panfrost, Wayland, Qt, KDE, the entire user space graphical stack. All together, millions (if not billions?) of lines of code. […] Remember this moment, because in 5-10 years, capabilities will be in your jeans pocket.
Ruslan's work builds on that of Google's Alexander Richardson. Over three months, Richardson ported the bulk of the KDE stack, displaying it remotely both by forwarding X11 to another machine over SSH, and using XVNC, as described in this report [PDF.] Ruslan then ported Wayland, DRM and Panfrost in order to run the whole stack on CheriBSD.
A few years ago in 2019, we reported when the project got government funding, and earlier this year, when the aforementioned Arm prototype hardware began to ship. Coming just six months later, this experimental port is a significant step forward and a very promising sign.
The CHERI project originally targeted the MIPS processor architecture, but more recently has moved its focus to include RISC-V and Arm as well. Not only is Arm a much more significant processor architecture these days, but because Arm Ltd started out as an offshoot of Acorn Computers, it's also headquartered in Cambridge.
Digital security via hardware design
CHERI brings to modern processors two features of hardware-enforced safety and protection that were part of some computer designs in the relatively early days: a tagged memory architecture and capability-based addressing.
Capabilities were a hardware-enforced protection mechanism that were features of some computers, such as the Burroughs large systems – descendants of which are still around today – and IBM's early System/38 minicomputer. These systems flourished before the rise of Unix and Unix-like systems.
The S/38 evolved into the AS/400, today known as IBM i, but the designers of those later systems dropped the security mechanism. Similarly, the Multics OS which inspired the creation of Unix had some comparable features, but they were among the things which Dennis Ritchie and Ken Thompson left out of their smaller, simpler system.
The boffins at Cambridge's Computer Laboratory worked out a way to add capabilities in a Unix-compatible way, and called it Capsicum, which has been part of FreeBSD since version 9.
The new desktop stack runs on an experimental OS derived from FreeBSD called CheriBSD, which can make use of the hardware facilities of CHERI-enhanced Arm and RISC-V processors.
The project has an FAQ which explains some more, as well as some less-technical articles about the design and the OS, although they're not exactly light reading. We particularly recommend Chapter 13, Historical Context and Related Work, of this technical report [PDF], though.
Processor and compiler expert Mark Morgan Lloyd summarized it for us: "They're trying to not be too rude, but they're quite definite that they consider the industry to have taken a wrong turn in walking away from fine-grained hardware protection."
- How does £36m sound, mon CHERI? UK.gov pumps cash into Arm security research
- Arm rages against the insecure chip machine with new Morello architecture
- License to thrill: Ahead of v13.0, the FreeBSD team talks about Linux and the completed toolchain project that changes everything
- Arm wants to wrestle industry into a seat on the UK.gov's £70m hardware security train
In older systems, such as Multics, code running on the computer's processor had to run in one of many rings: inner rings had more permissions and control, and outer ones had less. This rings-of-protection approach is also used in, for instance, Intel chips, which have a limited, simpler version, as we explained in our brief history of virtualization back in 2011. Most PC OSes never really used the feature, opting instead to use the CPU's memory management unit and page tables to primarily enforce access protections.
CHERI brings a more granular level of protection. Programs can be limited to accessing only certain permitted areas of memory, in certain restricted ways, and special hardware tags those areas of memory to limit what they can be used for – regardless of what the OS's security mechanisms may be tricked into believing.
CHERI won't make computers cheaper or faster, breaking the pattern of many modern hardware developments. But if it succeeds in its goals, CHERI-flavored computers will be more resistant to exploitation than ordinary ones. We suspect many organizations would be happy to pay for that. ®