Microsoft: CHERI architecture could slash the number of security patches we release a year
Microsoft has just completed a study of an experimental architecture that it now thinks would have mitigated about two-thirds of the memory-safety vulnerabilities fixed in 2019.
As Microsoft has previously outlined, 70% of all security bugs over the past decade have been memory-safety bugs, which happen when software accesses system memory beyond its allocated size and memory addresses.
The abundance of memory-safety bugs is one reason Microsoft is exploring the Rust programming language as a potential replacement for some Windows components written in C++. As Microsoft recently explained, it’s exploring Rust and other avenues because it’s reaching the limits of what it can do to prevent memory issues.
“We need to look out to the industry to see what the best alternative to C++ is. And it turns out that language is a language called Rust,” Microsoft Rust expert Ryan Levick said earlier this year in a talk about systems programming.
Rewriting old code in another language like Rust is one option. Another option in Microsoft’s “quest to mitigate memory-corruption vulnerabilities” is CHERI or Capability Hardware Enhanced RISC (reduced instruction set computer) Instructions.
Work on the CHERI Instruction-Set Architectures (ISAs) is underway at Cambridge University in partnership with RISC chip-designer Arm and Microsoft. CHERI has similar goals to Project Verona, Microsoft’s experimental Rust-inspired language development for safe infrastructure programming.
CHERI “provides memory-protection features against many exploited vulnerabilities, or in other words, an architectural solution that breaks exploits”, said Nicolas Joly, Saif ElSherei, Saar Amar of the Microsoft Security Response Center (MSRC).
The group assessed the “theoretical impact” of CHERI on all the memory-safety vulnerabilities that Microsoft received in 2019 and concluded that it would have “deterministically mitigated” at least two-thirds of all those issues.
Cambridge University explains that “CHERI extends conventional hardware Instruction-Set Architectures (ISAs) with new architectural features to enable fine-grained memory protection and highly scalable software compartmentalization”.
Its memory-protection features allow historically memory-unsafe programming languages such as C and C++ to be adapted for protection against widely exploited vulnerabilities.
CHERI ISA has the potential to save Microsoft a lot of money in delivering security patches in each month’s Patch Tuesday update, which regularly exceed 100 patches a month.
Microsoft is open to the possibility that even when enabling CHERI’s strictest protections, it could be cheaper to make existing code CHERI-compatible than rewriting existing code in a memory-safe language, such as Rust or Project Verona’s Rust-inspired variant.
The Microsoft team reviewed the seventh version of CHERI ISA, the latest version of CHERI. The researchers also used CheriBSD, based on the FreeBSD operating system with memory protection and software compartmentalization features supported by the CHERI ISA.
“We conservatively assessed the percentage of vulnerabilities reported to the Microsoft Security Response Center in 2019 and found that approximately 31% would no longer pose a risk to customers and therefore would not require addressing through a security update on a CHERI system based on the default configuration of the CheriBSD operating system,” the Microsoft researchers wrote in the research paper.
With additional mitigations recommended in its research paper, Microsoft also estimates the CHERI protections could have deterministically mitigated nearly half the vulnerabilities the MSRC addressed through a security update in 2019.