The recent Synology DiskStation hack is just the latest in a long line of criminal and state security hacks of computer systems. Or it was a couple of weeks ago.
According to Microsoft some 80+ percent of security problems in the wild are memory-based. Buffer overflows, initialization errors, DMA bugs, firmware updates and more manipulate memory to get malware loaded.
This has been understood for decades. The Burroughs B5000 architecture, designed in 1961, contained a flag bit that tagged control words to stop programs from corrupting OS commands.
This idea was extended in the later B6500 to give more granular control. These machines were popular in financial services and descendants are still available today.
Fast-forward to today. The paper The CHERI capability model: Revisiting RISC in an age of risk, presented at the 2014 International Symposium on Computer Architecture (ISCA), broadly expands on these ideas. The core idea: control memory access through instruction set extensions.
CHERI stands for Capability Hardware Enhanced RISC Instructions. Let's parse that.
- Capability. An unforgeable token of authority.
- Hardware. Capability support built into hardware.
- Enhanced RISC Instructions. For machines based on RISC principles, such as the MIPS processor, adding new instructions that compilers, language runtimes and OSs - not user programs - can access.
Their goal: create an implementable and cost-effective path to much greater system security, without requiring user space software recompilation. That last is key for migration to more secure computing.
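To make the "unforgeable token of authority" idea concrete, here is a small software model in C of a CHERI-style capability. It is an added illustration, not code from the paper or from this post, and its field names, permission bits and helper functions are this example's own assumptions: real CHERI keeps these fields in hardware capability registers and performs the checks in the pipeline rather than in C.

```c
#include <stddef.h>
#include <stdint.h>

/* Software model of a CHERI-style capability, constructed for illustration only;
 * the field and function names are this example's, not the paper's. */
typedef struct {
    uintptr_t base;   /* lowest address this capability may touch */
    size_t    length; /* bytes covered, starting at base */
    uintptr_t cursor; /* current address, like an ordinary pointer */
    unsigned  perms;  /* permission bits */
    int       tag;    /* validity tag: 1 = genuine, 0 = forged or corrupted */
} cap_t;

enum { PERM_LOAD = 1, PERM_STORE = 2 };

/* Minting a tagged capability is reserved to trusted code (OS, runtime). */
cap_t cap_make(void *buf, size_t len, unsigned perms) {
    cap_t c = { (uintptr_t)buf, len, (uintptr_t)buf, perms, 1 };
    return c;
}
/* Pointer arithmetic moves the cursor but never the bounds. */
cap_t cap_offset(cap_t c, ptrdiff_t delta) { c.cursor += delta; return c; }
/* Bounds may only shrink; trying to widen them yields an untagged capability. */
cap_t cap_set_bounds(cap_t c, size_t len) {
    uintptr_t top = c.base + c.length;
    if (c.cursor < c.base || c.cursor > top || len > top - c.cursor) c.tag = 0;
    else { c.base = c.cursor; c.length = len; }
    return c;
}
/* A capability rebuilt from a plain integer carries no tag, hence no authority. */
cap_t cap_from_int(uintptr_t addr) {
    cap_t c = { addr, SIZE_MAX, addr, PERM_LOAD | PERM_STORE, 0 };
    return c;
}
/* Checked byte store: 0 on success, -1 where the hardware would trap. */
int cap_store8(cap_t c, uint8_t v) {
    if (!c.tag || !(c.perms & PERM_STORE)) return -1;
    if (c.cursor < c.base || c.cursor >= c.base + c.length) return -1;
    *(uint8_t *)c.cursor = v;
    return 0;
}
/* Length-unchecked copy into a 16-byte stack buffer; returns bytes that landed.
 * Through a tagged capability the 17th store is refused instead of silently
 * overwriting whatever follows the buffer (the classic overflow named above). */
int copy_into_buffer(const uint8_t *src, size_t n) {
    uint8_t buf[16];
    cap_t c = cap_make(buf, sizeof buf, PERM_LOAD | PERM_STORE);
    size_t i;
    for (i = 0; i < n; i++)
        if (cap_store8(cap_offset(c, (ptrdiff_t)i), src[i]) != 0) break;
    return (int)i;
}
```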
Security isn't free
The researchers implemented CHERI as an extension to the widely used 64-bit MIPS IV instruction set. The capability coprocessor was implemented on a second chip.
In addition to comparing CHERI to other existing protection schemes - where it excelled - they also measured the overhead compared to a base MIPS CPU. The worst case benchmark - Bisort - incurred about a 20% cost. Not bad, and they suggested techniques that could improve that.
The Storage Bits take
It should be clear to all that aftermarket security isn't good enough. The good news: we know how to do much better. The bad news: it will take work.
But the basic memory protection ideas of CHERI should be more widely adoptable, especially for vendors who use MIPS or ARM today. While processor speeds aren't rising, the costs of poor security are.
Just ask Target. Or Synology.
The only way we will achieve Internet privacy and personal freedom - including, possibly, election security - is through truly secure infrastructure. CHERI is not the last word on the problem, but it points the way forward.
Comments welcome, of course. What's it worth to you to defeat malware?
The authors of the paper are Jonathan Woodruff, Robert N. M. Watson, David Chisnall, Simon W. Moore, Robert Norton, Michael Roe and Jonathan Anderson of the University of Cambridge; Brooks Davis and Peter G. Neumann of SRI International; and Ben Laurie of Google UK.