Beginners Guide to Developing on CHERI

Funding Call

About us

The Digital Security by Design (DSbD) Programme, supported by the UK Government, aims to radically update the global economy's digital infrastructure, making it secure against future threats.

The Discribe Hub+ is one part of this wider initiative, with a core mission to support the wider DSbD challenge by applying social and economic science to questions around the adoption and use of new secure technologies.

About DSbD and CHERI

The DSbD programme included working with ARM to develop a prototype system (called “Morello”) for IT-class systems, as well as with LowRISC to develop a RISC-V embedded prototype (called “SONATA”). Together these provide developer-targeted implementations of the CHERI architecture in semiconductors for the first time.

The CHERI (Capability Hardware Enhanced RISC Instructions) architecture extensions, designed by the University of Cambridge and SRI International, extend a CPU instruction set to enable it to access code and data using capabilities instead of machine-word memory pointers. Capabilities provide low-cost, fine-grained, hardware-enforced access protection of objects in memory.

A program using capabilities is generally incapable of making out-of-bounds accesses, which means bugs can be caught and fixed instead of exploited. Applied to existing languages that lack memory safety, like C and C++, this technology has the potential to address memory safety issues without the overhead of software runtime checks, while also increasing the resilience of software written in memory-safe languages such as Rust.

CHERI also provides the ability to create distinct compartments within one process which can be used to harden a system against attack. Compartments are a high-performance mechanism to subdivide an application into portions that can interact in a very controlled way. Sensitive subsystems can be segregated from the rest of an application, reducing the potential for exploitation.

What are we looking for?

Documentation and training materials for CHERI (and Morello) currently take multiple disparate forms, including:

We are interested in ways to develop material to make adoption of CHERI (and the development of skills) as easy as possible for developers new to CHERI and the DSbD ecosystem. More specifically, we are interested in how a software developer who is looking to get started with coding (or porting code) to a CHERI environment can be guided into the ecosystem, its tooling, documentation and code repositories. Sample projects we would want to fund include:

  • A rapid evaluation of the usability of the documentation / tutorials / videos, and suggestions for ways to improve. This may also include studies of the common mistakes that developers working with CHERI make (see, for example, Porting to Morello: An In-depth Study on Compiler Behaviors, CERT Guideline Violations, and Security Implications, Sami Ullah, Awais Rashid, Proc. IEEE European Symposium on Security & Privacy 2024), or challenges that they encounter as they first begin using the technology. Studies of usability / barriers could make use of the Technology Access Programme (TAP) that has provided prototype CHERI systems to a range of organisations (https://www.dsbd.tech/whos-involved/technology-access-programme-participants/).

  • Improving the existing support for new users, for instance, through tutorials or documentation on ‘getting started’, ‘fundamentals of capabilities’ or ‘porting code to CHERI’ (see, for example, Porting to Morello: An In-depth Study on Compiler Behaviors, CERT Guideline Violations, and Security Implications, Sami Ullah, Awais Rashid, Proc. IEEE European Symposium on Security & Privacy 2024), etc. Proposals could focus on the re-writing of existing documentation, or the development of new material / tutorials to support developers. We are interested in both static documentation and interactive tutorials (including example code / walkthroughs / web tutorials etc).

  • Novel ways to support new users of CHERI through explainer videos / interactive resources. For instance, we would welcome proposals for animated videos that provide a ‘welcome to CHERI’.

  • Guidelines and approaches to testing CHERI-based applications and best practices for programming conventions and mitigation of developer-induced vulnerabilities (see, for example, Porting to Morello: An In-depth Study on Compiler Behaviors, CERT Guideline Violations, and Security Implications, Sami Ullah, Awais Rashid, Proc. IEEE European Symposium on Security & Privacy 2024).  

  • We are also open to other ways to improve the documentation and support for developers not outlined above. In this call we are not interested in funding projects designed to market CHERI or its benefits.

Proposal assessment criteria

Proposals will be assessed against the following criteria:

Understanding of the challenge: Give a brief description of your proposal and tell us how your work supports making CHERI easier to use for developers. We expect the proposal team to have some experience and understanding of CHERI and/or CHERI-based code, and/or developer-centred security.

Target: Who is your work targeted towards, and how will they benefit from it? Is the proposed work appropriate for the target audience and their needs? How do you know this is the case, and how will you check the suitability of this targeting as part of the development work?

Output: What will you provide as a deliverable? What is the format of the output(s)? What is the benefit you are providing to the wider DSbD / CHERI ecosystem?

Evaluation: How do you know your material is working? What measurements/metrics will you use to determine success?

Value for money: Does the proposed work represent value for money given the scale of work and proposed deliverable(s)? The funding you request should be appropriate for the scope, ambition and expected deliverable(s).

Timeline

Call Opens: 10th July 2024 

Call Closes: 8th Sept 2024 

Earliest Project Start Date: 1st October 2024

Latest Project End Date: 31st March 2024 

Funding available and eligibility

A total fund of £100,000 is available for this call, and we expect to support 2-3 proposals. Funding will be provided at 100% of the Full Economic Cost (i.e. bidders are not required to subsidise any costs).

Funding is available to both researchers at UK Universities and within commercial organisations.

All spending on the proposed projects must be accounted for by the end of March 2025.

How to apply

Provide a brief description of your idea and how it meets the assessment criteria by filling in our application form here.

Please complete the form using a minimum font size of 11 in Arial. The completed form and short (2 page) CVs for applicants should be submitted in PDF format to discribehub@bath.ac.uk with subject title “Beginners Guides to Developing with CHERI Fund Application 2024”.

Please ensure your name is included in the filename of documents submitted.

In applying for this funding, you are agreeing to comply with our standard terms and conditions for funding (https://www.discribehub.org/terms).
