Prototypes now available for testing

Arm has made available for testing prototypes of its Morello architecture, aimed at bringing features into the design of CPUs that provide greater robustness and make them resistant to certain attack vectors. If it performs as expected, it will likely become a fundamental part of future processor designs. …

— "Arm rages against the insecure chip machine with new Morello architecture", The Register
Being a fanboi/supporter of Wikipedia.org, I’ve had occasion to spend long hours on Saturday afternoons tripping through the wires and links of articles on the History of Computing. You can bet I stumbled into more than a few interesting sidelines, dead-ends, and orphaned ideas and projects along the way. One of them was interesting in that it came “later”, when minicomputers were on the verge of being eclipsed, meaning after Intel+MS+IBM had begun to create a new industry called “desktop computing”.
An idea that had been bouncing around as time-shared mainframe computing swept through academia and business was a way to stop those pesky “hackers” and internal threats from savaging the data center computers. Grand efforts in the past had included the idea of “shells” within the OS. Multics was both lauded and derided for its attempt at architecting in privilege and security levels, especially since the target was being a compute “utility” like a power/gas company, where users from ANYWHERE could all get a time-slice of a giant GE645 dual-CPU mainframe. The question was: how can you get 1,000 users on one machine and not have someone ‘sploiting the computer and its time-sharing users? One possible solution was to define “capabilities” rather than the Multics idea of shells. Capabilities were somewhat like a Kerberos-style ticket/privilege based on the function of what you had access to. Login, that’s a ticket; file system, that’s a ticket; printer, that’s a ticket. To me, “capabilities” are reminiscent of clearly defined and narrowly scoped privileges. Whether it was as explicitly laid out as Kerberos or as vague as “shells” didn’t matter. A capability could be given/rescinded independently of the user’s group memberships, and could be logged/monitored in real time independently of the user running any commands during a live login session. It’s pretty robust. But originally it was really just a research area: https://en.wikipedia.org/wiki/Capability-based_security.
Some attempts were made to put capability-based security into the software. But one interesting example built it into hardware as well, to reinforce and parallel capabilities throughout the whole computer: https://en.wikipedia.org/wiki/CAP_computer. Cambridge built the CAP computer to prove out the ideas. Capabilities were engineered into the registers of the CPU! Talk about level of detail. The central thesis was that if the CPU depended on capabilities to function, the ability to circumvent and override them would be much lower. One could not load anything into a memory address anywhere without first having the defined “capability”. So processes couldn’t really masquerade or “overflow” as such, the way that C/C++ programs allocate/de-allocate and point to locations in memory. First you have the capability. THEN you perform the action. Likely this will slow performance, say, versus an unbridled, machine-code-driven OS where instructions per clock cycle are of utmost importance. But in an environment where separation/security/privilege levels are of utmost importance, capabilities are the way to go. When I read this about the new ARM Morello chip, I immediately went back to Wikipedia to look up what I had bumped into regarding capability computing.
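To make the “first you have the capability, THEN you perform the action” idea concrete, here is an added toy model in C. It is an illustration written for this post, not code from the CAP computer, CHERI or Morello: a capability is modelled as a base, a length, a permission set and a tag bit; every load and store is checked against the capability before the simulated memory array is touched; capabilities can only be narrowed, never widened; and clearing the tag revokes one. All names (`capability`, `cap_restrict`, `cap_store`, `overflow_demo`, the 64-byte `memory` array) and the oversized input are constructed for the example. In real capability hardware the tag is held out of reach of ordinary stores so software cannot forge a valid capability; this model only reproduces the checks, not that protection.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical toy capability machine (added illustration, not CAP/Morello code).
 * A capability names a memory region plus the permissions its holder has on it,
 * and every access is checked against it before memory is touched. */

#define MEM_SIZE 64
static uint8_t memory[MEM_SIZE];        /* the whole simulated address space */

enum { PERM_READ = 1u, PERM_WRITE = 2u };

typedef struct {
    bool     tag;     /* valid capability? cleared by revocation or failed derivation */
    uint32_t base;    /* first address covered */
    uint32_t length;  /* number of bytes covered */
    uint32_t perms;   /* PERM_READ | PERM_WRITE */
} capability;

typedef enum { CAP_OK = 0, CAP_ERR_TAG, CAP_ERR_BOUNDS, CAP_ERR_PERM } cap_result;

/* The root capability covers all memory; everything else is derived from it. */
capability cap_root(void) {
    capability c = { true, 0, MEM_SIZE, PERM_READ | PERM_WRITE };
    return c;
}

/* Derive a narrower capability. Bounds and permissions can only shrink
 * (monotonicity): asking for more than the parent grants yields an untagged,
 * unusable capability rather than an escalated one. */
capability cap_restrict(capability parent, uint32_t offset, uint32_t length, uint32_t perms) {
    capability child = { false, 0, 0, 0 };
    if (!parent.tag) return child;
    if (offset > parent.length || length > parent.length - offset) return child;
    if (perms & ~parent.perms) return child;          /* no privilege escalation */
    child.tag = true;
    child.base = parent.base + offset;
    child.length = length;
    child.perms = perms;
    return child;
}

/* Revocation: clearing the tag makes every later use of this copy fault. */
void cap_revoke(capability *c) { c->tag = false; }

/* Checked store: tag, bounds and permission are verified before the memory
 * array is written, so an out-of-range offset faults instead of silently
 * landing in whatever sits after the region. */
cap_result cap_store(capability c, uint32_t offset, uint8_t value) {
    if (!c.tag) return CAP_ERR_TAG;
    if (offset >= c.length) return CAP_ERR_BOUNDS;
    if (!(c.perms & PERM_WRITE)) return CAP_ERR_PERM;
    memory[c.base + offset] = value;
    return CAP_OK;
}

/* Checked load with the same three checks. */
cap_result cap_load(capability c, uint32_t offset, uint8_t *out) {
    if (!c.tag) return CAP_ERR_TAG;
    if (offset >= c.length) return CAP_ERR_BOUNDS;
    if (!(c.perms & PERM_READ)) return CAP_ERR_PERM;
    *out = memory[c.base + offset];
    return CAP_OK;
}

/* Copy a constructed 16-byte input into an 8-byte buffer that sits directly
 * before another 8-byte region. With raw pointers the excess would overwrite
 * the neighbour; here every byte past the bound is refused. Returns the number
 * of refused stores (8 when the checks work) and reports through
 * *neighbour_intact whether the neighbour's sentinel survived. */
int overflow_demo(bool *neighbour_intact) {
    capability root = cap_root();
    capability buf  = cap_restrict(root, 8, 8, PERM_READ | PERM_WRITE);
    capability next = cap_restrict(root, 16, 8, PERM_READ | PERM_WRITE);
    const char input[] = "AAAAAAAAAAAAAAAA";   /* constructed oversized input, 16 bytes */
    cap_store(next, 0, 0x42);                  /* sentinel in the neighbouring region */
    int refused = 0;
    for (uint32_t i = 0; i < 16; i++)
        if (cap_store(buf, i, (uint8_t)input[i]) != CAP_OK) refused++;
    uint8_t v = 0;
    cap_load(next, 0, &v);
    *neighbour_intact = (v == 0x42);
    return refused;
}

int main(void) {
    bool intact = false;
    int refused = overflow_demo(&intact);
    printf("refused stores: %d, neighbour intact: %s\n", refused, intact ? "yes" : "no");
    return 0;
}
```

The point of `cap_restrict` refusing to widen bounds or add permissions is the same one the CAP design leaned on: code can hand a narrower capability to a callee, but a callee can never manufacture a broader one, so the checks in `cap_store` and `cap_load` are only as permissive as the most privileged capability that was deliberately granted.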
In recent times the Rust programming language has captured a lot of imaginations when it comes to securing OS-level code and eliminating the many exploits possible with C/C++ memory allocation and overflows. Rust has been touted and recognized as less susceptible to the historical pathways of exploitation at the OS/driver level. But there’s still the matter of the BIOS/firmware and the novel ways exploits have been found in Intel’s own implementation of firmware on the CPU. Obfuscation of the Intel firmware has only made it more frustrating as new CVEs get announced for a SPECTRE/MELTDOWN-style exploit that seizes control of the CPU and bypasses all hardware security, much less software security, on the system. I’m glad to see capability-based security at the hardware level being researched. And if we can pair this ARM Morello effort with the new work being done rewriting critical OS kernel and driver software in Rust, we may “just” start to turn things in the right direction: protecting systems by default. Too often exploits are remediated after they’re discovered, not engineered out from the start. And then, mostly ‘cuz “performance” is the only measure by which a silicon integrated circuit is judged, we don’t get security by default. Can’t wait to see what ARM comes up with and who decides to license the new design.