Digital Security by Design
EPSRC Call for Proposals:
ISCF Digital Security by Design Research Projects
Opening date: 26 September 2019
Closing date: 07 January 2020
Panel meeting: April 2020
Grants start date: June 2020
Background
• Leveraging the Capability Hardware concepts and approaches investigated by the CHERI program (led by the University of Cambridge), a consortium led by Arm is investigating a prototype silicon-based solution based on the Arm AArch64 architecture.
• This prototype solution will be made openly available to academics and businesses across the UK, so as to provide early access, evaluation, and the opportunity to feed back on the proposed major change to the instruction set architecture of a processor, while investigating the broader impact on various aspects of computer science and ICT in general.
Challenge Activities
1. Enable – Technology Platform Prototype: deliver a proven secure-by-default hardware evaluation board and system software
2. Use – Collaborative R&D to enable market use: tooling and processes to utilise the new security capabilities; community engagement
3. Impact – Business-led demonstrators: sector-specific adoptions, e.g. IoT, connected vehicles, AI, and/or financial services, to showcase real-world impact and move the accepted norm
Funding figures shown on the slide: £9m, £49.8m, £11.2m
Capability Hardware: CHERI
• The University of Cambridge has published a descriptive article, ‘Introduction to CHERI’, available at https://www.cl.cam.ac.uk/research/security/ctsrd/cheri/dsbd.html.
• (The link is also accessible from the EPSRC Call webpage and the Call document.)
EPSRC Call for Proposals
• Up to £8M (at 80% FEC) is available to support academic research projects across all three of the objectives within the scope of the Call
• Timeline:
  Opening date: 26 September 2019
  Workshop/webinar: November 2019
  Closing date: 07 January 2020
  Panel meeting: April 2020
  Grants start date: 1 June 2020
Challenge activities relevant to the Call
• Activity 1.1: Delivering a devboard through a direct grant to a business-led consortium. The results will be openly available.
• Activity 1.2: Academic-led white-hat testing and proof of platform/architecture
• Activity 1.3b: Academic-led projects to broaden the system software and approaches enabled by the new platform
• Activity 1.4: Academic research into the longer term impacts and consequences of the resulting changes
Call Objectives
• Objective 1: Capability enabled hardware proof and software verification
• Objective 2: Impact on system software and libraries
• Objective 3: Future implications of Capability Hardware
Objective 1: Capability enabled hardware and software verification
• Despite the historical best efforts of hardware designers to have hardware execute software as the software expects, it has become impossible to reason about the completeness of that behaviour, given the lack of a formal specification of the hardware architecture and the complexity of any specific design.
• Various advances are being made in the formal proof of hardware, resulting in increasingly accurate formal specifications of hardware architectures. However, linking hardware proof with software reasoning and verification in the context of Capability Hardware needs significant research to find a methodology by which the final intent of an application can be understood and verified, including side-channel effects in the hardware and the limited specification of data encapsulation and privilege in software.
Objective 1: Example research questions
• Through the introduction of Capability enabled Hardware, what tools or techniques can be applied to limit and/or identify leakage of information, including, but not limited to, containment analysis and various forms of information flow within software?
• Can (and if so, how can) the formal specifications of hardware be extended to include microarchitectural artefacts beyond the architectural specification, which are often responsible for side-channel or inference-based information leakage?
• How can a system dynamically learn and monitor the correct operation of a platform’s intent, so as to provide the information necessary to mitigate inappropriate operations, potentially identified as a divergence from a runtime specification or from behaviour learned from historic operation?
• Given a formal executable hardware architectural specification, how can we increase the capabilities and understanding of formal methods and proof with respect to the expected execution of software, its proof and verification?
Objective 2: Impact on system software and libraries
• There are various implications of, and potential solutions for, extending current software and “end-2-end” security schemes to include the movement of data with fine grain protection and inherited rights. For example, how can cryptography frameworks be extended, through the application of Capability Hardware, so that the protection of information persists from the point of encryption to the point of use in an application?
• Existing platforms support various software and hardware assisted mechanisms to encapsulate the various states of an application as an aid towards increasing security or limiting visibility of data. Whether this is through a managed runtime, a trusted execution engine, the interpretation and translation of binaries, or coarser grain hardware protection schemes, the introduction of fine grain data containerisation and access privilege will bring new opportunities and new threats. Investigations are required to understand these implications and to propose how existing system software and libraries will adapt to such new hardware mechanisms.
Objective 2: Example research questions
• How can existing managed runtimes, high-level languages or systems leveraging binary translation of code benefit from the introduction of Capability enabled Hardware and improve the security of applications and services?
• What are the impacts and opportunities from Capability Hardware to increase the security between and within platforms, using a trusted execution engine (TEE) or other virtualization technologies? How will the delivery or use of such technologies change?
• How can the increased security provided by Capability Hardware be extended robustly to provide security across a distributed system?
Objective 3: Future implications of Capability Hardware
• When virtual memory was first introduced, the ways in which this coarse grain memory partitioning and access privilege would be used were unknown. Although various characteristics of how virtual memory is managed by a processor have evolved, the fundamental concepts remain unchanged.
• Given the wider challenge objective to introduce fine grain compartmentalisation and inherited privilege capabilities to a processor, the future implications and potential use cases are unknown. The aim of this objective is to fund early stage research into the longer term implications of the new memory protection paradigm.
Objective 3: Example research questions
• Today’s operating systems use virtual memory for the protection of code and data, process isolation and the associated scheduling mechanisms. Since a Capability enabled processor offers stronger and more fine grained protection than current systems, what might the implications and opportunities be when reconsidering these requirements of an operating system?
• What are the implications and opportunities of Capability Hardware existing in the central processing unit (CPU) for other hardware devices, such as direct memory access (DMA) devices and the other processors of a digital system, and their associated software stacks?
Call structure and format
• Applicants are invited to submit proposals that meet one of the three objectives within the Call
• Eligibility: any single investigator can only apply once, as either a PI or Co-I
• Postal peer review followed by a prioritisation panel (if reviews are sufficiently supportive)
• A portfolio approach will be taken to final funding decisions to ensure coverage across, and within, the three objectives
Workshop / webinar
• An event before the Call closes, to allow for further discussion between potential applicants/collaborators, and with the CHERI investigators and Arm representatives
• Format to be confirmed: face-to-face workshop or webinar
• To be held November 2019
Thank you

Digital Security by Design: ISCF Digital Security by Design Research Projects - Natasha Richardson