Software Integrated with Secure Hardware (SWISH)
Abstract
Approved for Public Release

MIT, Draper, and Cambridge University will develop novel privilege separation frameworks and apply them to state-of-the-art hardware security mechanisms on complex, real-world software stacks. Performance is almost always the limiting factor in scoping compartmentalization policies for software, and the hardware mechanisms developed at Draper and Cambridge (the PIPE and CHERI architectures) offer order-of-magnitude decreases in enforcement costs.

PIPE and CHERI are both novel tagged architectures exploring markedly different approaches to processor-based protection and software compartmentalization: PIPE is a flexibly tagged architecture implementing software-defined policies, and CHERI is a hardware capability system hybridized with contemporary RISC ISAs. Both were originally developed in the DARPA I2O CRASH program (2010-2015), and matured in the recently completed DARPA MTO SSITH program (2017-2021).

By combining our experience in secure hardware design with our compartmentalization and privilege analysis experience, we are well positioned (1) to develop models and frameworks for specifying, reasoning about, and implementing application compartmentalizations on complex software, and (2) to exploit state-of-the-art secure architectures on complex software to achieve unprecedented levels of privilege separation.
Document Details
- Document Type: DoD Grant Award
- Publication Date: Jul 13, 2022
- Source ID: N000142212463
Entities
People
- Hamed Okhravi
Organizations
- Massachusetts Institute of Technology
- Office of Naval Research
- United States Navy