lowRISC is a Cambridge-headquartered not-for-profit organisation, focused on advancing open-source silicon-based hardware. lowRISC develops and maintains a number of open-source silicon designs that focus on in-built cyber security features at the hardware level, including implementation of the CHERI framework through its Sonata platform and FPGA boards.
CHERI stands for Capability Hardware Enhanced RISC Instructions, and was developed by the University of Cambridge (in collaboration with SRI International and others) to make computer systems more secure at the hardware level. It introduces a new way of managing memory and enforcing security boundaries that could mitigate many common software vulnerabilities.
Engagement with Digital Catapult
lowRISC was one of the key industry partners for the sixth cohort of the Digital Security by Design Technology Access Programme (part of the wider government-funded ‘Digital Security by Design’ (DSbD) initiative), alongside UKRI and the University of Cambridge. This programme, delivered by Digital Catapult, allows innovative companies access to CHERI-enabled hardware (provided by both lowRISC and ARM) to explore advanced memory-safety solutions in their respective markets.
By providing access to CHERI-enabled hardware, the DSbD Technology Access Programme addresses memory-safety issues in legacy coding languages like C/C++. These issues comprise bugs and security vulnerabilities, where the lack of adequate guardrails in these common coding languages can provide hackers with the ability to access regions of memory and data that should otherwise be unreachable, which they can then view or tamper with at will.
Using frameworks such as CHERI, these vulnerabilities can be mitigated with minimal overheads, essentially building safety into both the hardware and software levels of digital systems from the ground up. Memory-safety issues are widely understood to be the root cause of 70% of CVEs (critical computing vulnerabilities). Improving memory safety helps to mitigate these issues, significantly reducing the likelihood of data breaches and the operational, financial, and reputational damage, as well as reducing the need for emergency patching and associated developer costs.
As part of its engagement with Digital Catapult, lowRISC provided hardware for cohort members in the form of Sonata FPGA boards and technical expertise. lowRISC also joined peer-to-peer learning opportunities coordinated by Digital Catapult and individual technical support sessions for the cohort companies. These sessions helped cohort members overcome technical challenges within their projects, with guidance on best practice for software porting, connecting the devices with peripheral interfaces, implementing compartmentalisation models, and performance testing.
Impact and success
The DSbD Technology Access Programme provided lowRISC with a unique opportunity to engage with end-users of its hardware and have its Sonata board tested in real-world environments, when previously most testing had been conducted within lab settings. The programme allowed lowRISC to gather critical feedback on the usability of its hardware from experts across different industries and to understand which features worked well and which require further development in the future (most notably, elements of its network stack and input/output interfaces were greatly enhanced due to cohort feedback).
The programme also helped improve Sonata’s reach by expanding the open-source technical documentation around Sonata, making it clearer and easier to navigate for future users, and by publishing case studies and articles to promote the Sonata board to new audiences.