This technical report describes CHERI ISAv7, the seventh version of the Capability Hardware Enhanced RISC Instructions (CHERI) Instruction-Set Architecture (ISA) being developed by SRI International and the University of Cambridge. This design captures nine years of research, development, experimentation, refinement, formal analysis, and validation through hardware and software implementation. CHERI ISAv7 is a substantial enhancement to prior ISA versions. We differentiate an architecture-neutral protection model vs. architecture-specific instantiations in 64-bit MIPS, 64-bit RISC-V, and x86-64. We have defined a new CHERI Concentrate compression model. CHERI-RISC-V is more substantially elaborated. A new compartment-ID register assists in resisting microarchitectural side-channel attacks. Experimental features include linear capabilities, capability coloring, temporal memory safety, and 64-bit capabilities for 32-bit architectures. CHERI is a hybrid capability-system architecture that adds new capability-system primitives to commodity 64-bit RISC ISAs, enabling software to efficiently implement fine-grained memory protection and scalable software compartmentalization. Design goals include incremental adoptability within current ISAs and software stacks, low performance overhead for memory protection, significant performance improvements for software compartmentalization, formal grounding, and programmer-friendly underpinnings. We have focused on providing strong, non-probabilistic, efficient architectural foundations for the principles of least privilege and intentional use in the execution of software at multiple levels of abstraction, preventing and mitigating vulnerabilities.
The CHERI system architecture purposefully addresses known performance and robustness gaps in commodity ISAs that hinder the adoption of more secure programming models centered around the principle of least privilege. To this end, CHERI blends traditional paged virtual memory with an in-address-space capability model that includes capability registers, capability instructions, and tagged memory. CHERI builds on the C-language fat-pointer literature: its capabilities can describe fine-grained regions of memory, and can be substituted for data or code pointers in generated code, protecting data and also improving control-flow robustness. Strong capability integrity and monotonicity properties allow the CHERI model to express a variety of protection properties, from enforcing valid C-language pointer provenance and bounds checking to implementing the isolation and controlled communication structures required for software compartmentalization. CHERI's hybrid capability-system approach, inspired by the Capsicum security model, allows incremental adoption of capability-oriented design: software implementations that are more robust and resilient can be deployed where they are most needed, while leaving less critical software largely unmodified, but nevertheless suitably constrained to be incapable of having adverse effects. Potential deployment scenarios include low-level software Trusted Computing Bases (TCBs) such as separation kernels, hypervisors, and operating-system kernels, as well as userspace TCBs such as language runtimes and web browsers. We also see potential early-use scenarios around particularly high-risk software libraries (such as data compression, protocol parsing, and image processing), which are concentrations of both complex and historically vulnerability-prone code exposed to untrustworthy data sources, while leaving containing applications unchanged. 
Embedded systems are deployed ubiquitously among various sectors including automotive, medical, robotics and avionics. As these devices become increasingly connected, the attack surface also increases tremendously; new mechanisms must be deployed to defend against more sophisticated attacks while not violating resource constraints. In this paper we present CheriRTOS on CHERI-64, a hardware-software platform atop Capability Hardware Enhanced RISC Instructions (CHERI) for embedded systems. Our system provides efficient and scalable task isolation, fast and secure inter-task communication, fine-grained memory safety, and real-time guarantees, using hardware capabilities as the sole protection mechanism. We summarize state-of-the-art security and memory safety for embedded systems for comparison with our platform, illustrating the superior substrate provided by CHERI's capabilities. Finally, our evaluations show that a capability system can be implemented within the constraints of embedded systems.
Background: Errors and alleged fraud in computer-based elections have been recurring Risks Forum themes. The state of the computing art continues to be primitive. Punch-card systems are seriously flawed and easily tampered with, and still in widespread use. Direct recording equipment is also suspect, with no ballots, no guaranteed audit trails, and no real assurances that votes cast are properly recorded and processed.
A variety of "key recovery," "key escrow," and "trusted third-party" encryption requirements have been suggested in recent years by government agencies seeking to conduct covert surveillance within the changing environments brought about by new technologies. This report examines the fundamental properties of these requirements and attempts to outline the technical risks, costs, and implications of deploying systems that provide government access to encryption keys. Author affiliations: MIT Laboratory for Computer Science/Hewlett-Packard, University of Cambridge, AT&T Laboratories - Research, Microsoft Research, AT&T Laboratories - Research, Sun Microsystems, SRI International, MIT Laboratory for Computer Science, MIT Information Systems, Counterpane Systems. The latest version of this document can be found on the world-wide-web at , in PostScript format at and in ASCII text format at .
closed-circuit TV cameras, cable set-top boxes, and digital video recorders (DVRs) were compromised and used as unwitting botnet zombies. This significant event used malware (Mirai) that searches for vulnerable victims, and whose source code had been freely published. By targeting the DNS services provided by Dyn, this attack seriously interfered with user access to major services such as Twitter, Amazon, Tumblr, Reddit, Spotify, and Netflix. In one fell swoop, it exposed the tip of just one of many hazardous icebergs. While earlier DDoS attacks using Mirai had exploited hundreds of thousands of devices, this attack appeared to involve tens of millions of compromised devices, according to a statement from Dyn [13]. The attack illustrates some of the risks associated with having very large numbers of inadequately protected Things connected to the Internet, particularly Things that are simple enough to be vulnerable to compromise, but sufficiently capable to be part of a dist...
Proceedings of the Twenty-Fourth International Conference on Architectural Support for Programming Languages and Operating Systems, 2019
The CHERI architecture allows pointers to be implemented as capabilities (rather than integer virtual addresses) in a manner that is compatible with, and strengthens, the semantics of the C language. In addition to the spatial protections offered by conventional fat pointers, CHERI capabilities offer strong integrity, enforced provenance validity, and access monotonicity. The stronger guarantees of these architectural capabilities must be reconciled with the real-world
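The protection model that the two CHERI abstracts above describe (tagged capabilities carrying bounds and permissions, monotonic derivation, and no way to forge a capability from an integer) can be made concrete in a few dozen lines. The C program below is an added illustration for this page, not code from the CHERI ISA, CheriRTOS, or the Cambridge/SRI toolchain: it models a capability as a plain struct and performs, in explicit functions, the checks that CHERI hardware applies on every memory access. The names cap_t, cap_root, cap_set_bounds, cap_and_perms, cap_offset, cap_load_u8, cap_store_u8 and cap_from_integer are invented for the example (loosely after the CSetBounds and CAndPerm instructions), and the 16-byte buffer is constructed test data. A real CHERI capability also carries an object type, sealing state and a compressed bounds encoding (CHERI Concentrate), none of which this model attempts.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PERM_LOAD  0x1u
#define PERM_STORE 0x2u
#define PERM_EXEC  0x4u

/* Software model of a CHERI-style capability (invented for this example).
 * On real hardware the tag lives in tagged memory and cannot be written by
 * ordinary stores; here it is just a field, and the discipline that only
 * cap_root ever sets it stands in for the hardware guarantee. */
typedef struct {
    bool     tag;     /* valid capability (1) or untrusted integer (0) */
    uint64_t base;    /* lower bound, inclusive */
    uint64_t length;  /* bytes covered from base */
    uint64_t cursor;  /* the pointer value the program sees */
    uint32_t perms;   /* PERM_* bits */
} cap_t;

/* Minting a root capability is a privileged act (allocator or kernel). */
static cap_t cap_root(void *buf, size_t len, uint32_t perms) {
    uint64_t a = (uint64_t)(uintptr_t)buf;
    cap_t c = { true, a, len, a, perms };
    return c;
}

/* Monotonic narrowing, after CSetBounds: the new region [cursor, cursor+len)
 * must lie inside the old one, otherwise the result is untagged. */
static cap_t cap_set_bounds(cap_t c, uint64_t len) {
    bool inside = c.tag
               && c.cursor >= c.base
               && len <= c.length
               && c.cursor - c.base <= c.length - len;
    if (!inside) { c.tag = false; return c; }
    c.base = c.cursor;
    c.length = len;
    return c;
}

/* Monotonic permission reduction, after CAndPerm: bits can only be cleared. */
static cap_t cap_and_perms(cap_t c, uint32_t mask) {
    c.perms &= mask;
    return c;
}

/* Pointer arithmetic moves the cursor and nothing else; an out-of-bounds
 * cursor may exist but cannot be dereferenced. */
static cap_t cap_offset(cap_t c, int64_t delta) {
    c.cursor += (uint64_t)delta;
    return c;
}

/* Access check applied on every load and store: tag, permissions, bounds. */
static bool cap_check(const cap_t *c, uint32_t need, uint64_t n) {
    if (!c->tag) return false;
    if ((c->perms & need) != need) return false;
    if (c->cursor < c->base) return false;
    if (n > c->length) return false;
    return c->cursor - c->base <= c->length - n;
}

/* Byte load; -1 stands for the capability exception hardware would raise. */
static int cap_load_u8(const cap_t *c) {
    if (!cap_check(c, PERM_LOAD, 1)) return -1;
    return *(const uint8_t *)(uintptr_t)c->cursor;
}

static bool cap_store_u8(const cap_t *c, uint8_t v) {
    if (!cap_check(c, PERM_STORE, 1)) return false;
    *(uint8_t *)(uintptr_t)c->cursor = v;
    return true;
}

/* What an attacker gets by writing raw bytes over a capability in memory:
 * plausible-looking fields but no tag, so nothing above will honour it. */
static cap_t cap_from_integer(uint64_t addr) {
    cap_t c = { false, addr, UINT64_MAX, addr, PERM_LOAD | PERM_STORE | PERM_EXEC };
    return c;
}

/* Five scenarios over a constructed 16-byte buffer; returns a bitmask with one
 * bit per scenario that behaved as the model intends (31 means all five). */
static int demo(void) {
    static uint8_t buf[16];                               /* constructed sample data */
    int ok = 0;
    memset(buf, 0xAA, sizeof buf);

    cap_t root = cap_root(buf, sizeof buf, PERM_LOAD | PERM_STORE);
    cap_t sub  = cap_set_bounds(cap_offset(root, 4), 4);  /* covers buf[4..8) */
    cap_t ro   = cap_and_perms(sub, PERM_LOAD);           /* read-only view of it */

    if (cap_load_u8(&ro) == 0xAA) ok |= 1;                /* in-bounds load works */
    cap_t past = cap_offset(ro, 4);                       /* cursor now at buf[8] */
    if (cap_load_u8(&past) == -1) ok |= 2;                /* over-read refused */
    if (!cap_store_u8(&ro, 0x41) && buf[4] == 0xAA) ok |= 4; /* no store via load-only cap */
    if (!cap_set_bounds(sub, 8).tag) ok |= 8;             /* widening leaves it untagged */
    cap_t forged = cap_from_integer((uint64_t)(uintptr_t)buf);
    if (cap_load_u8(&forged) == -1) ok |= 16;             /* forged capability unusable */
    return ok;
}

int main(void) {
    printf("checks passed: 0x%02x (expect 0x1f)\n", demo());
    return demo() == 31 ? 0 : 1;
}
```

Compile with any C99 compiler; demo() returns 31 when all five scenarios behave as the model intends: the in-bounds load succeeds, the over-read and the store through a load-only capability are refused, the attempt to widen bounds yields an untagged capability, and a capability conjured from an integer cannot be dereferenced. The last point is the one that matters most to an exploit author: overwriting a pointer's bytes in memory leaves an untagged value, so the classic corrupted-pointer primitive no longer produces a usable reference.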
This paper considers both software development and computer system use from the viewpoint of the human effort involved. It attempts to identify various factors contributing to the successful development and use of computer programs and systems. For example, the "software factory" notion itself can become a large part of the problem unless considered thoughtfully. Various recommendations are made for increasing human productivity in this context.
Risks to the public in computers and related systems
ACM SIGSOFT Software Engineering Notes, 2005
Edited by Peter G. Neumann (Risks Forum Moderator and Chairman of the ACM Committee on Computers and Public Policy), plus personal contributions by others, as indicated. Opinions expressed are individual rather than organizational, and all of the usual disclaimers apply. We address problems relating to software, hardware, people, and other circumstances that affect computer systems. To economize on space, we tersify most items and include pointers to items in the online Risks Forum: (R i j) denotes RISKS vol i number j. Cited RISKS items generally identify contributors and sources, together with URLs. Official RISKS archives are available at www.risks.org (which redirects to Newcastle and gets you nice html formatting and a search engine courtesy of Lindsay Marshall; http://catless.ncl.ac.uk/Risks/i.j.html gets you (R i j)) and at ftp://www.sri.com/risks.
Verification and the UK proposal (Jim Horning)
When the going gets tough, the tough use the phone... (Jerry Leichter)
Re: 60 minutes reporting on the Audi 5000 (Eugene Miya)
Minireviews of Challenger article and computerized-roulette book (Martin Minow)
More on the UK Software-Verification Proposal (Bill Janssen)

Volume 4 Issue 19 (26 Nov 86)
Very Brief Comments on the Current Issues (Kim Collins)
The Audi discussion is relevant (Hal Murray)
Audi 5000 (Roy Smith)
Laser-printer health risks; also, how to get ACARD report (Jonathan Bowen)
Data point on error rate in large systems (Hal Murray)
Re: Program Trading (Roger Mann)
Technical merits of SDI (from Richard Scribner)

Volume 4 Issue 20 (30 Nov 86)
Smart metals (Steven H. Gutfreund)
Risks of having-or not having-records of telephone calls; Audi and 60 Minutes (Mark S. Brader)
Audi 5000/Micros in cars and the Mazda RX7 (Peter Stokes)
Automated trading (Scott Dorsey)
"Borrowed" Canadian tax records; Security of medical records (Mark S. Brader)

Volume 4 Issue 21 (30 Nov 86)
Risks of Computer Modeling and Related Subjects (Mike Williams, LONG MESSAGE)

Volume 4 Issue 22 (2 Dec 86)
More Air Traffic Control Near-Collisions (PGN)
Re: satellite interference (Jerome H. Saltzer)
"Welcome to the .......... system": An invitation? (Bruce N. Baker)
Replicability; econometrics (Charles Hedrick)
Re: Risks of computer modeling (John Gilmore)
Computerized weather models (Amos Shapir)
Active control of skyscrapers (Warwick Bolam)
Privacy in the office (Paul Czarnecki)
Kremlin is purging dimwitted scientists (Matthew P Wiener; also in ARMS-D)

Volume 4 Issue 23 (3 Dec 86)
The persistence of memory [and customs officials] (Richard V. Clayton)
America's Cup floppies held to ransom (Computing Australia via Derek)
Some thoughts regarding recent postings: blame and causality (Eugene Miya)
Microcomputer controlled cars (not Audi) (Miriam Nadel)
Re: Welcome to the system (Ronda Henning)
Re: Automated trading (Scott Dorsey)
Active control of skyscrapers (Herb Lin)

Volume 4 Issue 24 (5 Dec 86)
Criminal Encryption & Long Term effects (Baxter)
The Risks Digest Index to Volume 4
This paper revisits the risks of untrustworthiness, and considers some incidents involving computer-based systems that have failed to live up to what had been expected of them. The risks relate to security, reliability, survivability, human safety, and other attributes, and span a variety of applications and critical infrastructures such as electric power, telecommunications, transportation, finance, medical care, and elections. The range of causative factors and the diversity of the resulting risks are both enormous. Unfortunately, many of the problems seem to recur far too often. Various lessons therefrom and potential remedies are discussed.
This paper reflects on many risks in the development and use of computer-related systems. It considers past and future alternatives, suggests some remedial approaches, and offers a few broad conclusions. Various long-touted common-sense approaches that are holistic and proactive are more urgently needed now than ever before.
DARPA Information Survivability Conference and Exposition, 2003
Huge challenges exist with systems and networks that must dependably satisfy stringent requirements for security, reliability, and other attributes of trustworthiness. Drawing on what we have learned over the past decades, our CHATS project seeks to establish a coherent common-sense approach toward trustworthy systems. The approach encompasses comprehensive sets of requirements, inherently sound architectures that can be predictably composed
returned to probe his memory for this article, after his past decade as the proprietor of Books With a Past (which included some surprising rare classics on cryptography and security). Ames, Davida, G.R. Blakley (Bob's father), Marv Schaefer and Rein Turn were instrumental in organizing 1981. 1982 saw pre-proceedings distributed beforehand, when Neumann was program chairman, with assistance from Bob Morris, and with Roger Schell as general chair. 1983 again had pre-proceedings, under G.R. Blakley and Dorothy Denning. Beginning in 1984, the IEEE Computer Society produced proceedings in time for the meeting, and SSP began to develop some of the organizational structure and refinements of the reviewing process that emerged subsequently.
Because views on relational database systems mathematically define arbitrary sets of stored and derived data, they have been proposed as a way of handling context- and content-dependent classification, dynamic classification, inference, aggregation, and sanitization in multilevel database systems. This paper describes basic view concepts for a multilevel-secure relational database model that addresses the above issues. All data entering the database are labeled according to views called classification constraints, which specify access classes for related data. In addition, views called aggregation constraints restrict access to aggregates of information. All data accesses are confined to a third set of views called access views.
ACM Conference on Computer and Communications Security, 2006
Characteristic problem areas experienced in the past are considered here, as well as some of the challenges that must be confronted in trying to achieve greater trustworthiness in computer systems and networks and in the overall environments in which they must operate. Some system development recommendations for the future are also discussed.
After summarizing the EMERALD architecture and the evolutionary process from which EMERALD has evolved, this paper focuses on our experience to date in designing, implementing, and applying EMERALD to various types of anomalies and misuse. The discussion addresses the fundamental importance of good software engineering practice and the importance of the system architecture in attaining detectability, interoperability, general applicability, and future evolvability. It also considers the importance of correlation among distributed and hierarchical instances of EMERALD, and needs for additional detection and analysis components.
Various risks of insider misuse arise at different layers of abstraction. This observation leads to a perspective on insiders that is both hierarchical and context-dependent. This position paper examines systemic approaches that might be most useful in overcoming the risks. It applies these approaches to the problems of developing and operating computer-related systems that would be suitable for use in applications requiring trustworthy systems and networking, such as critical infrastructures, privacy-preserving database systems, voting systems, and so on. It also examines the relevance of the Saltzer-Schroeder security principles to elections. Ultimately, insider misuse cannot be sensibly addressed unless significant improvements are made in system and networking trustworthiness, architecturally, developmentally, and operationally. Some of the distinctions presented here are intentionally not all clear-cut. There are nuances that must be considered, because blurrings exist among wh...
Papers by Peter Neumann