#### CRASH-worthy Trustworthy Systems Research and Development

# **CTSRD** Project Briefing

Robert N. M. Watson (Cambridge) Peter G. Neumann (SRI) Simon W. Moore (Cambridge)

> DARPA CRASH PI Meeting San Diego, California, USA 14 January 2014



Approved for public release; distribution is unlimited. This research is sponsored by the Defense Advanced Research Projects Agency (DARPA) and the Air Force Research Laboratory (AFRL), under contract FA8750-10-C-0237. The views expressed are those of the authors and do not reflect the official policy or position of the Department of Defense or the U.S. Government.



#### CTSRD at the PI Meeting



Dr Peter G. Neumann



Dr Robert N. M. Watson



Dr Simon W. Moore



Dr Jonathan Anderson



Dr David Chisnall



Dr Nirav Dave



Mr Brooks Davis



Mr Rance DeLong



Dr Khilan Gudka

Dr Theo A. Markettos



Mr Ed Maste



Dr Michael Roe



Rothwell

Mr Stacey Son





#### CTSRD

- Spans security, CPUs, OS, compilers, languages, program analysis/transformation, HW/SW formal methods.
- Clean-slate design violates some current conventions, in exchange for dramatic security improvements.
- Capability-based CPU protection and compartmentalization features mitigate known and unknown vulnerability classes.
- Hybrid model facilitates incremental SW adoption.
- Program analysis and transformation techniques improve software TCB correctness, utilize new CPU features.
- Formal methods link models, hardware, and software.





### CTSRD project elements

- Capsicum, compartmentalization, and CTSRD
- Capability Hardware Enhanced RISC Instructions (CHERI)
  - CHERI ISA and hardware compartmentalization prototype
  - CHERI platform: tablet, CheriCloud, peripherals, etc.
  - CHERI software: CheriBSD, CHERI Clang/LLVM, apps
  - Architectural extraction, verification of Bluespec (Smten)
  - ISA-level proofs and automated test generation
- Security-Oriented Analysis of Application Programs (SOAAP)
- Temporally Enhanced Security Logic Assertions (TESLA)



#### August 2013 CTSRD/MRC2 meetings, Cambridge, UK









### COMPARTMENTALIZATION FOUNDATIONS





#### Application compartmentalization



- Compartmentalization decomposes software into isolated components.
- Each sandbox runs with only the rights required to perform its function.
- This model implements the principle of least privilege.





CTSRD



As vulnerabilities yield fewer rights, attackers must

exploit many vulnerabilities to meet their goals.





#### Capsicum update





- Hybrid capability model: OS APIs for application compartmentalization
- Joint Cambridge/Google project
- Experimental feature in FreeBSD 9.x; out-of-the box in 10.0 (RSN)
- FreeBSD Foundation, Google
  - Funded projects will continue in 2014
  - Growing number of FreeBSD programs are using Capsicum out-of-the-box: tcpdump, auditdistd, hastd, etc.
  - Casper framework offers services to sandboxes (e.g., DNS, socket server)
- Google early Linux port published



#### CTSRD

#### Code-centred compartmentalisation



- Applications can be compartmentalized in different ways, trading off security and performance
- Finer-grained decompositions mitigate vulnerabilities better: attacks yield fewer rights, so attackers must exploit more vulnerabilities to accomplish their goals
- Ideally, web browsers would use hundreds/thousands of sandboxes: one for each image, script, etc.
- However, CPUs support few simultaneous processes; e.g., Google Chrome reuses up to 20 sandboxes, one per tab
- As a consequence of CPU design, malware in a webmail image attachment can access a user's entire mailbox











Capability hardware enhanced RISC instructions

### **CHERI PROCESSOR**





### Capability hardware enhanced RISC instructions (CHERI)





- CHERI hybrid capability model:
  - Fine-grained memory protection
  - In-address-space sandboxing
- **Extends 64-bit MIPS ISA**
- Haskell-derived Bluespec System Verilog HDL; synthesizes to Altera and Xilinx **FPGAs**
- Fully pipelined; multithreaded and multicore under development
- Extensive test suite and tools
- ISA and design subject to new formal analysis
- Shortly to be released as open source



CAMBRIDGE

CTSRD



#### CHERI development timeline





#### CHERI hardware platform



| BERI Pipeline & L1     | <b>26</b> % |  |
|------------------------|-------------|--|
| Control Regs & MMU     | 3%          |  |
| Capability Coprocessor | 17%         |  |
| Debug Unit             | 5%          |  |
| Level 2 Cache          | 5%          |  |
| Multiply & Divide      | 3%          |  |
| Tag Controller & Cache | 3%          |  |
| FPU FPU                | 32%         |  |

- CHERI prototypes
- Tablet prototype: CPU, DRAM, battery, flash, touchscreen, HDMI, Ethernet
- In-field CPU, OS updates
- CheriBSD OS, CHERI SDK
- CHERI demonstrations
  - E.g., fine-grained compartmentalization in CheriPoint presentation package



#### CheriCloud



- Centralized facility supporting remote CHERI software development for CTSRD and MRC2 projects
- 7 x DE4 FPGA boards in 4U
- CHERI CPU + CheriBSD with Ethernet on each DE4
- Reset and serial console
- SSH into a live CHERI system; off-the-shelf open-source applications
- Total end-user transparency!





#### CHERI enhancements (CTSRD)

- CHERI ISAv2.1 enhancements to object-capability invocation, software debugging features
- FPU particularly useful for Olden benchmarks
- Improved hardware ISA-level tracing + CheriVis
- CHERI2 now fully implements ISAv2.I
- Annabella release in July 2013
- Multithreaded CHERI2 boots BSD in simulation
- Multicore CHERI in testing





# CHERI enhancements ((MRC)<sup>2</sup>)

- DARPA MRC sister project also using and enhancing CHERI
- Multithreading and multicore
- Multi-FPGA interconnect
- AXI bus conversion
- NetFPGA I0G
- CPU Tracing enhancements
- FPU maturity
- BlueSwitch









CTSR

#### CHERI formal verification: ISA model

- Formal model of ISA described in SAL model checker
- Bluespec CHERI and CHERI2 capability units are automatically tested against the SAL model
- New: we can now automatically translate the SAL model into PVS
- Using PVS, we can prove "memory safety" for a CHERI ISA subset
- Future work: prove security properties of full model
- Future work: prove security properties of key software TCB elements (e.g., CCall, Creturn)





#### CHERI formal verification: Bluespec analysis / Smten

- Smten: Automatic Translation of High-level Symbolic Computations into SMT Queries
- Motivation: SMT solvers are widely used for model checking, automated theorem proving and test generation, but translating a model into an SMT form is tedious
- Solution: Smten is a high-level, purely functional language, with syntax and features borrowed heavily from Haskell which greatly helps translation of models into SMT queries
- Initial work published at CAV'13
- See Nirav Dave during the poster session for details.









#### **CHERI SOFTWARE**





CAMBRIDGE

#### CHERI software model



- Legacy application code compiled for general-purpose registers
- Hybrid code blending general-purpose registers and capabilities
- High-assurance "pure" capability code
- Per-address space memory management and capability executive

- Fine-grained userspace memory protection, in-process sandboxing
- MIPS/CHERI binaries tightly integrated (e.g., CHERI library in MIPS binary)
- Compiler allows pointers to be replaced with tagged, bounds-checked capabilities
- In-progress CHERI debugger
- OS support for model, tracing tools, etc.
- Userspace sandbox model, class libraries, components, monitoring tools
- CheriBSD on github so more easily accessible to downstream users
- BERI support + drivers shipping as FreeBSD 10.0 embedded target in weeks UNIVERSITY OF



#### CHERI extensions to FreeBSD

- CHERI register file preserved for each user thread
- CCall/CReturn exception handlers: object-capability invocation
- CHERI "trusted stack" for object-capability return path
- Sandbox fault recovery unwinds trusted stack on MMU fault, capability fault, or other thread traps
- Kernel accepts system calls only from in-process protection domains with ambient authority; requires using the system class
- Kernel debugging extensions for CHERI LLDB
- CHERI memory protection via CHERI Clang/LLVM
- libcheri(3) API to create and invoke sandboxes
- Extensions to the procstat(1) tool to track sandbox state





# CHERI Clang/LLVM/LLDB

- CHERI Clang/LLVM
  - Clang supports new qualifiers, builtins for capability manipulation
  - LLVM CHERI code generation extends MIPS support
  - Pointers use MIPS representation and instructions by default
  - Pointers tagged as capability generates CHERI instead of MIPS
  - Experimental CCured work automatically converts C code to CHERI ISA
- CHERI SDK
  - Complete cross-development environment: toolchain, libraries, headers.
- CHERI LLDB
  - LLDB supports CHERI registers in core files; live debugging in-progress





#### libcheri: object-capability sandbox API

- C-language bindings for CHERI object-capability sandboxes
- Sandbox class
  - For now, memory image; soon, ELF binary (or segment)
  - new, method\_declare, destroy
  - Sandbox object
  - Instantiated class with data
  - new, getsystemobject, cinvoke, destroy
- Small assembly stubs for caller invoke() and callee enter()

```
LIBCHERI(3)
                           BSD Library Functions Manual
                                                                          LIBCHERI(3)
NAME
     libcheri, sandbox class new, sandbox class method declare,
     sandbox_class_destroy, sandbox_object_new,
     sandbox object getsystemobject, sandbox object cinvoke,
     sandbox object invoke, sandbox object destroy -- Library interface for
     CHERI sandboxing
LIBRARY
     librarv ``libcheri''
SYNOPSIS
     #include <machine/cheri.h>
     #include <machine/cheric.h>
     #include <sandbox.h>
     sandbox_class_new(const char *path, size_t sandboxlen,
         struct sandbox class **sbcpp);
     int
     sandbox class method declare(struct sandbox class *sbcp, u int methodnum
         const char *methodname);
     void
     sandbox class destroy(struct sandbox class *sbcp);
     sandbox object new(struct sandbox class *sbcp,
         struct sandbox object **sbopp);
     struct cheri_object
     sandbox object getsystemobject(struct sandbox object *sbop);
     #if has feature(capabilities)
     register t
     sandbox_object_cinvoke(struct sandbox_object *sbop, u_int methodnum,
         register t a1, register t a2, register t a3, register t a4,
register t a5, register t a6, register t a7, capability void *c3
          capability void *c4, capability void *c5, capability void *c6,
capability void *c7, capability void *c8, capability void *c9,
           capability void *c10);
     #else
     register t
     sandbox object invoke(struct sandbox object *sbop, u int methodnum)
```





#### libc\_cheri: sandboxed C library; libcheri system class

- Subset of key C functions
  - Useful functions useable without ambient authority (e.g., snprintf)
  - Bottom-end functions invoke CHERI systemclass object capabilities instead of system calls
- Kernel rejects calls without ambient authority
  - Sandboxes must request operations with ambient effects through CHERI system class



#### procstat(1): sandbox monitoring

% slogin -i .ssh/id\_cheri\_host ctsrd@cheritest.sec.cl.cam.ac.uk Last login: Sat Nov 16 03:26:50 2013 from ip-64-134-230-112.public.wayport.net FreeBSD 11.0-CURRENT (CHERI DE4 SDROOT) #8 825c7e7(master)-dirty: Sat Jan 11 00:35:25 GMT 2014

% procstat -RX 7114

| PID  | COMM      | CLASS                | METHOD     | INVOKE | FAULT | SMIN   | SMAX   | SMEAN  | SMEDIAN |
|------|-----------|----------------------|------------|--------|-------|--------|--------|--------|---------|
| 7114 | cheritest | cheritest-helper.bin | md5        | 4      | 0     | 10116  | 158925 | 47478  | 10436   |
| 7114 | cheritest | cheritest-helper.bin | abort      | 1      | 1     | 3187   | 3187   | 3187   | 3187    |
| 7114 | cheritest | cheritest-helper.bin | helloworld | 1      | 0     | 452296 | 452296 | 452296 | 452296  |
| 7114 | cheritest | cheritest-helper.bin | puts       | 1      | 0     | 456118 | 456118 | 456118 | 456118  |
| 7114 | cheritest | cheritest-helper.bin | syscall    | 1      | 0     | 6551   | 6551   | 6551   | 6551    |
| 7114 | cheritest | cheritest-helper.bin | divzero    | 3      | 3     | 2900   | 3166   | 3005   | 2950    |
| 7114 | cheritest | cheritest-helper.bin | malloc     | 0      | 0     | 0      | 0      | 0      | 0       |

- Libcheri exports statistics on sandbox classes, objects, and methods
- libprocstat(3) and procstat(1) can query/print this
- libprocstat(3) rovided data backend for demo UI



## In progress: open sourcing CHERI

- Complete open-source hardware-software research/teaching stack
- BERI Open Systems CIC ("Community Interest Company") Dec 2013
- BERI Apache-style license (HW), BSD license (SW)
- Physical designs for DE4 tablet, interconnect boards
- CHERI and CHERI2 Bluespec designs; debugging components/tools
- CHERI test suite, formal models
- FreeBSD device drivers
- CheriBSD capability support
- CHERI Clang/LLVM/LLDB
- ETA: January/February 2014





#### CHERI next steps

- CheriBSD kernel features (e.g., debugging, lazy switching)
- "Pure" CHERI ISA support for Clang/LLVM
- CHERI LLDB full feature support
- CCured-like automated use of memory protection
- Further CHERI ISA refinements: e.g., explicit CNULL
- Shift stack, heap access to CHERI ISA
- CCall/CReturn hardware optimizations
- Linker support for capabilities
- CHERI multithreading/multicore
- Additional languages: Object C, Ocaml







Compartmentalized packet capture and processing

#### **CHERI DEMO**





#### November 2012 - CheriPoint



- Bespoke compartmentalized CHERI presentation package
- Sandboxing mitigates trojan inserted in PNG library
- × Largely MIPS ISA code generated from C
- A small amount of utility code written in CHERI assembly
- × Static sandboxing policy





#### CHERI tcpdump demonstration

- Memory protection + compartmentalization
  - OS support for CHERI thread contexts
  - Compiler \_\_capability pointers
  - Userspace libcheri sandboxing model
  - Compartmentalized packet printing
- Key results:
  - Applicability of hybrid capability model
  - Tight C-language/capability integration
  - Tradeoffs policy/performance/mitigation
  - Compartmentalization scalability
  - Variable granularity

| 00                                                                                                                                    |                  | 👚 brooks - | – nc — 80× | 46         |             |            | R <sub>M</sub> |
|---------------------------------------------------------------------------------------------------------------------------------------|------------------|------------|------------|------------|-------------|------------|----------------|
| ssh                                                                                                                                   | ss               | ı          | ba         | ish        |             | nc         |                |
| 08:19:22.254991 [sand                                                                                                                 | box] IP 1        | 192.168.50 | .2 > 192.  | 168.50.1:  | ICMP echo   | o reply, i | d 36           |
| 770, seq 10, length 64                                                                                                                | 4                |            |            |            |             |            |                |
| 08:19:23.262518 [sand                                                                                                                 | box] IP 1        | 192.168.50 | 1 > 192.   | 168.50.2:  | ICMP echo   | request,   | id             |
| 36770, seq 11, length                                                                                                                 | 64               |            |            |            |             |            |                |
| 08:19:23.262928 [sand]                                                                                                                | box] IP 1        | 192.168.50 | 1.2 > 192. | 168.50.1:  | ICMP echo   | o reply, i | .d 36          |
| 770, seq 11, length 64                                                                                                                | 4                |            |            |            |             |            |                |
| 08:19:24.255013 [sand]                                                                                                                | box] IP 1        | 192.168.50 | 1 > 192.   | 168.50.2:  | ICMP echo   | o request, | id             |
| 36770, seq 12, length                                                                                                                 | 64               |            |            |            |             |            |                |
| 08:19:24.255390 [sand                                                                                                                 | box] IP 1        | 192.168.50 | 1.2 > 192. | 168.50.1:  | ICMP echo   | o reply, i | .d 36          |
| 770, seq 12, length 64                                                                                                                | 4<br>1           |            |            |            | 7.000       |            | 1.4            |
| 08:19:25.259223 [sand                                                                                                                 | DOX] IP I        | 192.168.50 | .1 > 192.  | 168.50.2:  | ICMP echo   | ρ requesτ, | 10             |
| 30/70, Seq 15, Cength                                                                                                                 | 04<br>boyl TD 1  | 02 169 54  | 2 ~ 102    | 160 50 1.  | TCMD only   |            | 4 36           |
| 770 seg 13 length 6                                                                                                                   | A THE PARTY OF A | .92.100.96 | 192.       | 100.00.11  | Tenir ecile | , tehchi I |                |
| A8-19-27 435610 [candl                                                                                                                | TR 1             | 192 168 54 | 1 17500    | > 192 168  | 58 255 17   | 500 · UDP  | lon            |
| ath 102                                                                                                                               | •••×] -: .       |            |            | - 10111001 | 50.1255.125 |            |                |
| 08:19:42.874340 [sand]                                                                                                                | boxl IP 1        | 192.168.50 | .1 > 192.  | 168.50.2:  | >>> ATTA(   | KER OUTPU  | IT <<          |
| <icmp echo="" id<="" request,="" th=""><th>d 37282,</th><th>seq 0, le</th><th>ngth 64</th><th></th><th></th><th></th><th></th></icmp> | d 37282,         | seq 0, le  | ngth 64    |            |             |            |                |
| 08:19:42.874745 [sand]                                                                                                                | box] IP          | 192.168.50 |            |            |             | reply, i   | d 37           |
| 282, seq 0, length 64                                                                                                                 |                  |            |            |            |             |            |                |
| 08:19:55.059711 [sand                                                                                                                 | box] IP 1        |            |            |            |             |            | id             |
| 37794, seq 0, length (                                                                                                                | 64               |            |            |            |             |            |                |
| 08:19:55.060122 [sand                                                                                                                 | box] IP 1        |            |            |            |             |            | .d 37          |
| 794, seq 0, length 64                                                                                                                 |                  |            |            |            |             |            |                |
| 08:19:57.454239 [sand]                                                                                                                | box] IP 1        |            |            |            | 50.255.17   |            | len            |
| gth 102                                                                                                                               |                  |            |            |            |             |            | 1.4            |
| 08:19:57.819304 [sand                                                                                                                 | DOX 1 IP :       |            |            |            | TCMb ecuc   |            | 10             |
| 49,10,57 910676 [cond                                                                                                                 |                  |            |            |            | TCMP och    |            | 4 30           |
| 858, seg 8, length 64                                                                                                                 |                  |            |            |            |             |            | .u 30          |
| 08:19:59.638755 [sand]                                                                                                                | box1 IP 1        |            |            |            | ICMP echo   | request.   | 4.6            |
| 38306, sea 0, length (                                                                                                                | 64               |            |            |            |             |            |                |
| 08:19:59.639241 [sand                                                                                                                 | box] IP 1        | 192.168.50 |            |            |             | reply, i   | d 38           |
| 306, seq 0, length 64                                                                                                                 |                  |            |            |            |             |            |                |
| 08:20:02.179228 [sand                                                                                                                 | box] IP 1        |            |            |            |             |            | id             |
| 38562, seq 0, length (                                                                                                                | 64               |            |            |            |             |            |                |
| 08:20:02.179672 [sand                                                                                                                 | box] IP 1        |            |            |            |             |            | .d 38          |
| 562, seq 0, length 64                                                                                                                 |                  |            |            |            |             |            |                |
| 08:20:14.834395 [sand]                                                                                                                | DOX] IP 1        | 192.168.50 |            | 168.50.2:  | ICMP echo   |            | 10             |
| 38818, seq 0, length (                                                                                                                | 04               |            |            |            |             |            | 4.90           |
| 08:20:14.834/98 [sand                                                                                                                 | DOXI Th :        | 192.108.50 | .2 > 192.  |            | TCMP echo   |            | .u 36          |
| 88-20-27 469241 [sand                                                                                                                 | HOY1 TP 1        |            |            |            | 58 255 17   |            | len            |
| ath 102                                                                                                                               |                  |            |            |            |             |            | COL            |
|                                                                                                                                       |                  |            |            |            |             |            |                |
| [0] 0:bash- 1:berictly                                                                                                                | * 2:bash         |            |            |            | buntu" 09   | -30 14-1a  | n-14           |





Software analysis and transformation

#### SOAAP AND TESLA





# Security-oriented analysis of application programs (SOAAP)



- Static and dynamic analysis tools to assist programmers when compartmentalizing applications
- Come see demo at poster session!





CTSR



#### TESLA

- Pragmatic validation of run-time security properties
- LTL-like assertions embedded in code
- Compiler-generated instrumentation
- Significant outreach to potential open-source and corporate consumers
- Come see demo at poster session!



#### **TESLA** since last time



- Applied TESLA to OpenSSL, FreeBSD, Objective-C
- Found subtle bugs that eluded traditional debug tools
- Build cost: rebuilds less
  incremental
- Significant runtime cost optimizations





#### Conclusion

- Three years into the five-year project
- Mature CHERI hardware platform
- CheriBSD operating system
- CHERI Clang/LLVM/LLDB/SDK
- CHERI application exploration in progress
- SOAAP and TESLA tools maturing
- Smten, architectural extraction, and formal ISA models bearing early verification results





#### (MRC)<sup>2</sup> sister project

NetFPGA10G and CHERI-NetFPGA

Recently ported CHERI processor platform

We are pushing NetFPGA10G infrastructure to enable

high performance trusted

programmable switch controllers.



Modular Research-based Composably trustworthy Mission-oriented Resilient Clouds



(MBC)<sup>2</sup> replaces Internet-based datacenter exitching and CPU interconnect technologies with munications primitives that accept multi-tenancy and untrustworthy data as basic ment mission security policies, and offer introspective systemic responses to attacks, (MRC)<sup>2</sup> alians security with the physical topology of datacenter communication improving security robustness, resilience, performance, and power use. Cross-cutting themes in

(MRC)<sup>2</sup> includes: Datacenter switchin; Convergence of traditional netwo switching and CPU interconnects Distributed resilience throughout
 Algning algorithm and network topology
 Security/resilience/scalability/energy tradeoffs · Multi-scale computing technique Capability system security models
 Formal grounding



SDN challenges current network-security: how can we reconcile the need for consistent eable network security policy? How will new adversary models and opportunities to infiltrate, manipulate, or disrupt affect SDN deployments? SDN also presents new opportunities for intelligent response via application-driven networking.

\* Security Enhanced (SE) Floodlight - a reference implementation of an OpenFlow security mediation service to enforce urity policies at the Control Layer · Security Actuator - an OpenFlow security directive actuation service: network security tools invoke security remediation logic rewriting the network flow paths of tack sources and infected host \* OpenFlow BotHunter - network-based ssive analysis that detects when systems are producing communication atterns consistent with coordination entric malurate (horners, stram , spiware, worms, etc.) Avant-Guard - OpenFlow extensions t improve switching performance for SDN stity applicat ns; to be prototyped on BlueSwitch/NetFPGA 10C



100 Marting

100 20



600 400 SDNain Sid Minnet Real 10800

#### BlueSwitch: trustworthy resilient switches and switch controllers BlueSwitch is a high-performan OpenFlow Ethernet switch targeted at the NetFPGA 10G platform. It is



- Heavy use of CTSRD-derived CHERI ullet
- Multithreaded and multicore CHERI prototypes •
- CHERI on NetFPGA 10G •









from Altera based tablet platform to Xilinx based NetFPGA10G platform including: NC لمعمعا + Avalon to AXI bridge · AXI DRAM controller · PCIe based debug interface + RS232 UART console · Network interface integration Status: Booting ChrriBSD on NetEPGA10G Switch Fabric Next: Network driver and further refinement DMA

#### Significant contributions to the NetFPGA10G release · Reference network interface card Reference simple Tahernet writch Reference IPv4 router Leading NSF and Xilinx funded outreach activities

Resilient, rack-scale, capability-based distributed memory for CHERI We are inv HINSI HINSI HINSI f the CHERI processor developed in DARPA CRASH as the foundation for a rack-scal server. The CHERI ISA provides fine-grained memo protection and compartmentalization within conventional MMU-based processes. We hope to 12 cache extend these concepts to rack-scale CPU



behaviour. We also hope to explore convergence between conventional memory design and local-area Ethernet switching technology, blurring the boundary etween two traditionally distinct design genres. Multithreaded CHERI designs will allow accelerated of object-capability invocation, and experimentation with alternative execution models.

We are refining multithreaded and multicor ors of CHERL We are also bringing up th CheriBSD operation system on multicore CHERI Then we will eaploit reliable FPGA-to-FPGA lin technology developed under an EPSRC funded project to prototype rack-scale systems



2 2 2 2

BERI

÷

----



#### R2D2 Networking Brailisen ratio data delvery (R2D2) network architecture is exploring buffrekss and surichkes network architecture focused on bounded latency. Bounded latency improves fund-hermoric decisions and quorans operation, For cloud "pod" networks, our pru type arkhiters ratio - una latencies of under 35µs with 99.395% probability.

Secure cloud operating systems

Core - Deal - Marach - Dever

New work exploring how we can us data centre as one distributed fault-

Our emphasis is on using capabilities to

mlessly straddle hardware, software

tolerant real-time computer.

MirageOS

Secure cloud operating systems The IMC/2 environment provide according training and the security facilities both within and between individual "compares". To popely explot these facilities, we require new programming and commanications models, encopulated in operating systems and distributed computation frameworks. We are developing the trainers were shown and distributed provided in the Unitamed design physics (pdf). Advances were also do a concerning systems grounded in the Unitamed design physics (pdf). By advances were shown and our characteristics of the outcometers, and the systems and

cluster extensions to CheriftSD, our adaptation of the FweeBSD OS to the CHERI CPU architecture, We are targeting distributed computation in a multi-tenant cloud fabric throughout



Rec / JAM /

Sie sched stack desktop 05 kernel

He / JAN / CLR

ached net stack

Machine A Machine B





#### CAMBRIDGE













#### **CTSRD** at the PI Meeting



Dr Peter G. Neumann



Dr Robert N. M. Watson



Dr Simon W. Moore



Dr Jonathan Anderson



Dr David Chisnall



Dr Nirav Dave



Mr Brooks Davis



Mr Rance DeLong



Dr Khilan Gudka



Dr Theo A. Markettos



Mr Ed Maste



Dr Michael Roe



Rothwell

Mr Stacey Son





