Enhancing Memory Safety in Programming: Insights from the FreeBSD Vendor Summit

Imagine a world where common programming errors like buffer overflows are a thing of the past. As cybersecurity threats evolve, ensuring memory safety in programming is more crucial than ever. Memory safety vulnerabilities have been a persistent challenge since the early days of network computing, exemplified by the infamous Morris worm attack over three decades ago. Let’s explore groundbreaking advancements to address these issues, as highlighted at the FreeBSD Vendor Summit in November 2023. 

At the summit, Brooks Davis from SRI International revisited key moments in cybersecurity history. “35 years ago today, the Morris worm spread throughout the entire internet, taking down a whole bunch of systems…one of the several attacks that were used was a buffer overflow,” Davis remarked, underscoring the enduring threat of memory safety vulnerabilities.

Buffer overflows, first documented in 1972, have been exploited for decades, causing significant security breaches. Despite extensive efforts to combat these vulnerabilities, they remain prevalent and pose substantial risks to systems globally.

In response to these challenges, SRI International and the University of Cambridge developed the Capability Hardware Enhanced RISC Instructions (CHERI), an innovative instruction set architecture extension designed to enhance memory safety. CHERI is based on a capability-based protection model, a concept with a long history in computer science. On a CHERI-enabled architecture, memory can only be accessed via capabilities. These capabilities are unforgeable tokens of authority, which specify the rights to access memory and other resources, providing fine-grained control over memory access and significantly reducing the risk of unauthorized access and corruption.

FreeBSD leads the way in integrating CHERI through its CheriBSD variant, designed to explore and demonstrate CHERI’s architectural features. Beginning development in 2010, CheriBSD uses the CHERI Clang/LLVM compiler suite, supporting multiple ABIs—pure-capability, benchmark, and hybrid—to evaluate CHERI software stack security and performance. This variant includes a spatially memory-safe UNIX kernel, a memory-safe userspace with over 10,000 third-party memory-safe packages (including a KDE desktop), and a default-enabled heap temporal safety mechanism.

The recent focus has been extending CHERI support to the Arm architecture, particularly through the Morello board, developed in collaboration with the UKRI Digital Security by Design (DSbD) program. The Morello board is a research and development platform that enables practical evaluation of CHERI’s memory safety features on a widely used architecture.

CheriBSD is the first memory-safe operating system and the fully memory-safe desktop environment built on CHERI. In fact, Brooks used a PDF on a CheriBSD on a Morello-powered computer during his presentation.

Utilizing the Arm Morello platform allows the CHERI team to test and validate their security enhancements in real-world scenarios. This integration enables developers to experiment with CHERI’s capabilities in a controlled setting, identifying and resolving potential issues before broader deployment. The collaboration with Arm and the DSbD program underscores the industry’s recognition of the need for improved memory safety and represents a significant step towards mainstreaming CHERI’s innovations.

The team has also extended CheriBSD to support CHERI-RISC-V, aiming for full feature parity with the original implementation. CheriBSD/RISC-V is experimental but has shown significant progress, booting to multiuser mode with statically and dynamically linked CheriABI userspace. This development highlights CHERI’s adaptability and potential across different architectures.

Since 2017, the team has been DARPA-supported and has adapted CHERI to the 32-bit and 64-bit RISC-V ISAs. This includes FPGA prototypes based on Bluespec and MIT BSV-language cores: 3-stage, 32-bit MMU-free RISC-V; 5-stage, 64-bit RISC-V; and superscalar 64-bit RISC-V. Full support for CHERI-RISC-V was first introduced in CHERI ISAv7.  The latest version (ISAv9) forms the basis for an effort to standardize CHERI-RISC-V under the auspices of RISC-V International..

Adapting CHERI to RISC-V leverages the openness and collaborative potential of the RISC-V ecosystem, encouraging broader adoption and innovation. FPGA prototypes facilitate rapid iteration and testing, ensuring CHERI’s robustness across different hardware configurations.

While CHERI offers enhanced security, integrating this architecture into existing systems requires specific changes to support and thus benefit from memory capabilities. Software must be recompiled to take advantage of CHERI’s security features. This involves some modification of the codebase to support CHERI capabilities. How much modification depends on the type of software with systems software such as kernel, language runtimes, and browsers requiring changes on the order of a few percent of lines of code and others requiring few or none (and initial port of KDE required <0.03% changes)  To support a gradual transition, current C and C++ codebases can operate on CHERI-enabled processors without modification.  Fully benefiting from CHERI requires both recompilation and software porting.

The implications of CHERI extend beyond technical enhancements, suggesting a shift towards regulatory mandates in cybersecurity. Reflecting on governmental responses to the escalating need for memory safety, Davis noted, “Governments are taking note of this…the US Cybersecurity and Infrastructure Security Agency (CISA), along with 10 other agencies across seven countries, endorsed this guidance… which is to move to modern memory safe programming languages.” This endorsement could herald a future where such safety measures are not merely recommended but required, influencing both public and private sector software development.

The introduction of CHERI represents a pivotal advance in the ongoing battle against memory safety vulnerabilities. As we reflect on the discussions at the FreeBSD Vendor Summit, it becomes clear that while cybersecurity challenges are steeped in history, the solutions must evolve continually. Innovations like CHERI, exemplified by the practical applications in CheriBSD and its expansion to Arm and RISC-V platforms, highlight the technical strides made and underscore the broader shifts toward integrating these advancements into policy and practice.

In a digital age defined by rapid technological change, the fusion of innovation with regulation will be the key to securing the future of programming.