Security Verification for CHERI Processors

A YouTube session delves into exhaustive verification strategies for capability-based security models in CHERI processors. Such strategies are increasingly used in aerospace and defense chip projects to meet stringent safety and security requirements.

The CHERI (Capability Hardware Enhanced RISC Instructions) architecture, a joint project by SRI International and the University of Cambridge since 2010, enhances RISC processors for improved security. It tackles the memory-safety issues prevalent in C and C++, which are responsible for approximately 70% of system vulnerabilities. CHERI introduces hardware-level access rules for data and system resources, preventing unauthorized program access. This technology extends instruction set architectures (ISAs) to enable fine-grained memory protection and scalable software compartmentalization.

CHERI's memory-protection features adapt C and C++ to defend against exploited vulnerabilities. It allows decomposition of OS and application code, limiting the effects of a security vulnerability, a feature unsupported by current architectures. CHERI implements privilege separation by dividing processes into compartments, minimizing the damage a bug can do. It is compatible with MIPS, AArch64, and RISC-V, suiting various platforms, though software must be recompiled to gain the memory-safety benefits. Governments recognize CHERI's importance in bolstering cybersecurity and protecting critical systems.

The formal verification framework VeriCHERI targets security vulnerabilities in CHERI-enhanced processors. This framework uses abstract security requirements for confidentiality and integrity. VeriCHERI detected a Meltdown-style timing side-channel attack that previous ISA-based verification methods could not detect.

Codasip released the X730, a RISC-V application processor, in 2024, implementing the draft RISC-V CHERI standard. SCI Semiconductor announced ICENI in 2024, a CHERIoT-compatible microcontroller for secure embedded systems. Arm shipped its CHERI-enabled Morello prototype processor, SoC, and board in January 2022.

CHERI supports two modes of operation: Purecap, where all pointers are converted to capabilities, and Legacy, where standard RISC-V code can run alongside purecap code. CHERI capabilities replace pointers with more complex atomic tokens, including an address, metadata, and a tag. Metadata includes buffer bounds, architectural permissions, and software-defined permissions.
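To make the capability description concrete, here is an added example (not code from the page, the CHERI project, or VeriCHERI): a small software model of a CHERI-style capability that applies the tag, bounds and permission checks a hardware load or store performs, and enforces monotonic derivation (bounds may only shrink, permissions may only be dropped). The field names, the flat 64-byte memory image and the scenarios are constructed for illustration; real CHERI capabilities are compressed 128-bit encodings whose tag bit is held out of band by the memory system.

```c
// Toy CHERI-style capability model (added example, not CHERI's own code).
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

enum cap_perm { PERM_LOAD = 1u << 0, PERM_STORE = 1u << 1, PERM_EXEC = 1u << 2 };

typedef struct {
    uint64_t base;   // lowest address the capability may access
    uint64_t top;    // one past the highest address it may access
    uint64_t addr;   // cursor: the part that behaves like a plain pointer
    uint32_t perms;  // architectural permissions (bitmask of enum cap_perm)
    int      tag;    // validity bit; 0 means the capability cannot be dereferenced
} cap_t;

typedef enum { CAP_OK = 0, CAP_ERR_TAG, CAP_ERR_PERM, CAP_ERR_BOUNDS } cap_status;

// Mint a valid capability over [base, base + len). On real hardware only
// derivation from a wider, already-tagged capability yields a tagged one.
static cap_t cap_new(uint64_t base, uint64_t len, uint32_t perms) {
    cap_t c = { base, base + len, base, perms, 1 };
    return c;
}

// Derive a narrower capability (monotonicity): bounds may only shrink and
// permissions may only be dropped. Any attempt to widen clears the tag.
static cap_t cap_restrict(cap_t c, uint64_t new_base, uint64_t new_len, uint32_t new_perms) {
    cap_t d = c;
    d.base  = new_base;
    d.top   = new_base + new_len;
    d.addr  = new_base;
    d.perms = new_perms;
    if (new_base < c.base || d.top > c.top || (new_perms & ~c.perms) != 0)
        d.tag = 0;
    return d;
}

// Pointer arithmetic moves the cursor but never the bounds; an out-of-range
// cursor is legal and only faults when dereferenced.
static cap_t cap_set_addr(cap_t c, uint64_t addr) {
    c.addr = addr;
    return c;
}

// The check applied to every width-byte access through c.
static cap_status cap_check(const cap_t *c, uint32_t need_perm, size_t width) {
    if (!c->tag)                              return CAP_ERR_TAG;
    if ((c->perms & need_perm) != need_perm)  return CAP_ERR_PERM;
    if (c->addr < c->base || c->addr >= c->top || width > c->top - c->addr)
        return CAP_ERR_BOUNDS;
    return CAP_OK;
}

// One-byte load/store against a simulated flat memory image.
static cap_status cap_load8(const cap_t *c, const uint8_t *mem, uint8_t *out) {
    cap_status s = cap_check(c, PERM_LOAD, 1);
    if (s == CAP_OK) *out = mem[c->addr];
    return s;
}

static cap_status cap_store8(const cap_t *c, uint8_t *mem, uint8_t v) {
    cap_status s = cap_check(c, PERM_STORE, 1);
    if (s == CAP_OK) mem[c->addr] = v;
    return s;
}

// Scenario 1: a 16-byte buffer at offset 32 of a constructed 64-byte image.
// Reading index 16 is the one-past-the-end overflow that plain C silently allows.
static cap_status demo_overflow_read(void) {
    uint8_t mem[64] = {0};
    cap_t buf  = cap_new(32, 16, PERM_LOAD | PERM_STORE);
    cap_t past = cap_set_addr(buf, buf.base + 16);
    uint8_t v;
    return cap_load8(&past, mem, &v);   // CAP_ERR_BOUNDS
}

// Scenario 2: a compartment gets a read-only view of bytes 4..11 of the buffer.
static cap_status demo_view_read(void) {
    uint8_t mem[64] = {0};
    cap_t view = cap_restrict(cap_new(32, 16, PERM_LOAD | PERM_STORE), 36, 8, PERM_LOAD);
    uint8_t v;
    return cap_load8(&view, mem, &v);   // CAP_OK
}

static cap_status demo_readonly_store(void) {
    uint8_t mem[64] = {0};
    cap_t view = cap_restrict(cap_new(32, 16, PERM_LOAD | PERM_STORE), 36, 8, PERM_LOAD);
    return cap_store8(&view, mem, 0x41); // CAP_ERR_PERM
}

// Scenario 3: trying to regain STORE from the read-only view leaves an untagged cap.
static cap_status demo_widen_rejected(void) {
    uint8_t mem[64] = {0};
    cap_t view = cap_restrict(cap_new(32, 16, PERM_LOAD | PERM_STORE), 36, 8, PERM_LOAD);
    cap_t fake = cap_restrict(view, 36, 8, PERM_LOAD | PERM_STORE);
    uint8_t v;
    return cap_load8(&fake, mem, &v);   // CAP_ERR_TAG
}

int main(void) {
    printf("overflow read: %d  view read: %d  read-only store: %d  widen: %d\n",
           demo_overflow_read(), demo_view_read(), demo_readonly_store(), demo_widen_rejected());
    return 0;
}
```

The model separates the cursor from the bounds on purpose: moving `addr` past the end never faults by itself, only the dereference does, which mirrors why a capability-aware compiler can keep ordinary pointer arithmetic while the hardware still stops the out-of-bounds access. The tag-clearing in `cap_restrict` is what makes compartment boundaries hold: a compartment that only ever receives a narrowed capability cannot manufacture a wider one.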
