Microsoft: CHERI architecture could slash the number of security patches we release a year

Microsoft reckons experimental architecture CHERI would have had a big impact on the number of bugs fixed in 2019.
Written by Liam Tung, Contributing Writer

Microsoft has just completed a study of an experimental architecture that it now thinks would have mitigated about two-thirds of the memory-safety vulnerabilities fixed in 2019.  

As Microsoft has previously outlined, 70% of all security bugs it has fixed over the past decade have been memory-safety bugs, which arise when code reads or writes memory outside the bounds of the object it was given, or after that memory has been freed and reused.

The abundance of memory-safety bugs is one reason Microsoft is exploring the Rust programming language as a potential replacement for some Windows components written in C++. As Microsoft recently explained, it's exploring Rust and other avenues because it's reaching the limits of what it can do to prevent memory issues. 

"We need to look out to the industry to see what the best alternative to C++ is. And it turns out that language is a language called Rust," Microsoft Rust expert Ryan Levick said earlier this year in a talk about systems programming.


Rewriting old code in another language like Rust is one option. Another option in Microsoft's "quest to mitigate memory-corruption vulnerabilities" is CHERI or Capability Hardware Enhanced RISC (reduced instruction set computer) Instructions.

Work on the CHERI Instruction-Set Architectures (ISAs) is underway at Cambridge University in partnership with RISC chip-designer Arm and Microsoft. CHERI has similar goals to Project Verona, Microsoft's experimental Rust-inspired language development for safe infrastructure programming.

CHERI "provides memory-protection features against many exploited vulnerabilities, or in other words, an architectural solution that breaks exploits", said Nicolas Joly, Saif ElSherei and Saar Amar of the Microsoft Security Response Center (MSRC).

The group assessed the "theoretical impact" of CHERI on all the memory-safety vulnerabilities that Microsoft received in 2019 and concluded that it would have "deterministically mitigated" at least two-thirds of all those issues. 

Cambridge University explains that "CHERI extends conventional hardware Instruction-Set Architectures (ISAs) with new architectural features to enable fine-grained memory protection and highly scalable software compartmentalization".

Those memory-protection features let code written in historically memory-unsafe languages such as C and C++ be recompiled so that pointers carry bounds and permissions, and an access outside those bounds faults in hardware instead of silently corrupting memory. That is what gives protection against the widely exploited classes of vulnerability.
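To make the mechanism concrete, the following C program is an added illustration, not code from the article or from the CHERI project: it models in software what CHERI enforces in hardware. A `cap_t` (a hypothetical name) is a pointer that carries its bounds, its permissions and a validity tag; every load or store is checked against them, and a capability derived from another can only shrink its bounds or drop permissions. The buffer and the 24-byte payload are constructed inputs. Real CHERI does this in the pointer encoding and the load/store pipeline, with none of the explicit checks shown here.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Software model of a capability (added example, not CHERI's real encoding):
 * a pointer that carries bounds, permissions and a validity tag, so every
 * dereference can be checked the way CHERI hardware checks it. */
enum { PERM_LOAD = 1u, PERM_STORE = 2u };

typedef struct {
    uint8_t *base;    /* lowest address the capability may touch */
    size_t   length;  /* bytes from base that are in bounds */
    unsigned perms;   /* bitwise OR of PERM_LOAD / PERM_STORE */
    bool     tag;     /* false once the capability has been invalidated */
} cap_t;

/* A fresh capability covering exactly one allocation. */
static cap_t cap_from_alloc(void *p, size_t len, unsigned perms) {
    cap_t c = { (uint8_t *)p, len, perms, true };
    return c;
}

/* Monotonic derivation: a child capability may only shrink the bounds or drop
 * permissions. Any attempt to widen or escalate yields an untagged (unusable)
 * capability, mirroring CHERI's refusal to create rights from nothing. */
static cap_t cap_restrict(cap_t c, size_t off, size_t len, unsigned perms) {
    cap_t d = c;
    bool widens    = off > c.length || len > c.length - off;
    bool escalates = (perms & ~c.perms) != 0;
    if (!c.tag || widens || escalates) {
        d.tag = false;               /* derived capability is dead on arrival */
        return d;
    }
    d.base   = c.base + off;
    d.length = len;
    d.perms  = perms;
    return d;
}

/* Checked single-byte store: returns false where hardware would raise a
 * capability fault (untagged, no store permission, or index out of bounds). */
static bool cap_store_u8(cap_t c, size_t idx, uint8_t v) {
    if (!c.tag || !(c.perms & PERM_STORE) || idx >= c.length) return false;
    c.base[idx] = v;
    return true;
}

/* Checked single-byte load, same fault conditions with PERM_LOAD. */
static bool cap_load_u8(cap_t c, size_t idx, uint8_t *out) {
    if (!c.tag || !(c.perms & PERM_LOAD) || idx >= c.length) return false;
    *out = c.base[idx];
    return true;
}

/* The classic spatial bug: copying an attacker-sized payload into a fixed
 * buffer. With a raw pointer the extra bytes overwrite whatever follows;
 * through a capability each out-of-bounds write is refused. Returns the number
 * of bytes that were refused. */
static size_t demo_overflow_refused(void) {
    uint8_t buf[16];
    uint8_t payload[24];                  /* constructed input: 24 x 'A' */
    memset(payload, 'A', sizeof payload);
    cap_t dst = cap_from_alloc(buf, sizeof buf, PERM_LOAD | PERM_STORE);
    size_t refused = 0;
    for (size_t i = 0; i < sizeof payload; i++)
        if (!cap_store_u8(dst, i, payload[i])) refused++;
    return refused;                        /* 16 land in buf, 8 are refused */
}

/* Shows that narrowing works, but widening or adding permissions does not.
 * Returns 1 when every expectation holds, 0 otherwise. */
static int demo_monotonicity(void) {
    uint8_t buf[16] = {0};
    cap_t rw = cap_from_alloc(buf, sizeof buf, PERM_LOAD | PERM_STORE);
    cap_t ro = cap_restrict(rw, 4, 8, PERM_LOAD);   /* bytes 4..11, read-only */
    uint8_t v = 0;
    int ok = ro.tag;
    ok &= !cap_store_u8(ro, 0, 1);                  /* store permission dropped */
    ok &= cap_store_u8(rw, 11, 0x5A);               /* parent can still write */
    ok &= cap_load_u8(ro, 7, &v) && v == 0x5A;      /* same byte seen via child */
    ok &= !cap_load_u8(ro, 8, &v);                  /* one past the child's end */
    ok &= !cap_restrict(ro, 0, 64, PERM_LOAD).tag;  /* widening is refused */
    ok &= !cap_restrict(ro, 0, 8, PERM_STORE).tag;  /* escalation is refused */
    return ok;
}

int main(void) {
    printf("bytes refused by bounds check: %zu\n", demo_overflow_refused());
    printf("monotonicity holds: %d\n", demo_monotonicity());
    return 0;
}
```

The two properties exercised here, bounds that travel with the pointer and derivation that can only narrow, are what let CHERI turn a spatial memory-safety bug into a deterministic fault rather than an exploitable primitive; temporal bugs (use after free) need the additional mitigations the MSRC report discusses.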

If widely deployed, CHERI could remove a large share of the engineering and delivery cost behind each month's Patch Tuesday update, which regularly contains more than 100 fixes.

Microsoft is open to the possibility that even when enabling CHERI's strictest protections, it could be cheaper to make existing code CHERI-compatible than rewriting existing code in a memory-safe language, such as Rust or Project Verona's Rust-inspired variant.  


The Microsoft team reviewed version 7 of the CHERI ISA, the latest at the time of the study. The researchers also used CheriBSD, a FreeBSD derivative whose memory-protection and software-compartmentalization features are built on the CHERI ISA.

"We conservatively assessed the percentage of vulnerabilities reported to the Microsoft Security Response Center in 2019 and found that approximately 31% would no longer pose a risk to customers and therefore would not require addressing through a security update on a CHERI system based on the default configuration of the CheriBSD operating system," the Microsoft researchers wrote in the research paper.

With additional mitigations recommended in its research paper, Microsoft also estimates the CHERI protections could have deterministically mitigated nearly half the vulnerabilities the MSRC addressed through a security update in 2019.
