RealVNC: case study

RealVNC uses C++ to build the desktop clients that form part of their VNC Connect secure remote access solution. As part of the Digital Security by Design (DSbD) Technology Access Programme, they have been experimenting with the CHERI Morello board and software.

As a SaaS business using desktop, mobile software, and cloud infrastructure, RealVNC faces a wide range of security issues, including bugs in others’ code and external threats. The C++ codebase has, in the past, faced security issues catalogued by the CVE Program, such as potentially exploitable buffer overflows and elevation of privilege exposure. Increasing cyber security through a change in hardware enables the prevention of memory-related cyber-attacks, which is where around 70% of exploits take place.

Compiling, running, and testing their software on the Morello platform should allow the RealVNC team to spot more obvious logic errors that have the potential to affect security. 

Digital Catapult is running the DSbD Technology Access Programme (TAP), and is supporting RealVNC throughout this project.

The CHERI based Morello evaluation board is a prototype System on Chip (SoC) and development board. Developed by UK-based Arm, the Morello board is a real-world test platform for Arm’s Morello prototype architecture, which is based on the University of Cambridge Computer Lab’s CHERI protection model. It is the first hardware implementation of DSbD technology. 

CHERI extends conventional hardware instruction-set architectures (ISAs) with new architectural features to enable fine-grained memory protection and highly scalable software compartmentalisation. This architecture, when deployed, could do away with whole classes of possible exploits, with a far lower chance of zero-day vulnerabilities being exploited. This would significantly reduce the ability of bad actors to capture user data, take over machines, or shut down critical systems – problems affecting most industries today.

RealVNC has ported its core codebase and all desktop applications to run on the Morello device using the CHERI ABI/pure capability mode (as far as possible within the current limitations of the environment). The company has begun performance and security testing: evaluating the pixel throughput of their remote desktop software with the new pure capability mode, and aiming to identify previously undetected programming errors. RealVNC is also evaluating whether CHERI would have effectively detected those legacy bugs catalogued previously by the CVE Program.

As a result of the programme, the company team now understands the CHERI architecture itself – the capabilities encoded into 128-bit pointers – and the implications this has for porting existing software. They also have a better understanding of what can be done in terms of mitigating diverse types of security error, and have learned more about FreeBSD as a platform. 

RealVNC will continue to evaluate the architecture against known security issues, as well as attempting to break their software on the platform to see what can be improved in the codebase. They are also looking at more of the CHERI-specific mechanisms to see where they could be best used within their software.

Digital Security by Design (DSbD) is a government led initiative to enable hardware and software developers to make their products more robust and resilient to cyber-attacks. Digital Catapult is running the Technology Access Programme on behalf of UKRI to facilitate experimentation and early adoption by UK companies. This includes implementing updated hardware architecture, developing the software and system development tools that will run on it, and demonstrating its application and value within different industry sectors.

Interested in getting involved? Learn more about Digital Security by Design.