Systems Security Consulting: case study

The Systems Security Consulting team were already involved in the Digital Security by Design (DSbD) community, having previously contributed to projects like implementing CHERI RISC-V (Capability Hardware Enhanced RISC Instructions) and participating on the CHERI-CPU, University of Cambridge’s Slack workspace.

In 2023, they expanded their involvement by joining the DSbD Technology Access Programme (TAP). This initiative built upon their earlier academic research at Imperial College London, now focusing on utilising the Arm Morello prototype board, which incorporates CHERI technology.

While it is possible to port software to CHERI with minimal or no changes, exploiting its potential further requires the use of fine-grained compartmentalisation models. Remodelling can involve time-consuming and labour-intensive decomposition and porting. Systems Security Consulting had already designed their solution, Intravisor, to solve this problem for CHERI users. By focusing on application-level containerisation, the end result could be a much more efficient and cost-effective form of virtualisation than the industry standard, the Open Container Initiative (OCI), used by Docker.

Joining TAP has given the team access to actual hardware. Previously, they had relied on AWS F1 field-programmable gate array (FPGA) instances while working on CHERI RISC-V. Arm Morello is the first piece of hardware that natively supports rich operating systems with the CHERI protection model. Through TAP, the Systems Security Consulting team were able to evaluate Intravisor and demonstrate their academic research to the wider community, including to potential customers.

Both isolation and sharing are crucial to cloud solutions. Each tenant’s code and data must be separately secured, in isolation from others as well as the hosting provider. At the same time, sharing is essential for the inter-process communication (IPC) of tenant services. Usually, using virtual machines and containers means choosing between a solution with strong isolation but inefficient sharing, or having a huge trusted computing base (TCB) for efficient and unified communications, but weak isolation.

Intravisor adopts a different compartmentalisation model, using hardware memory capabilities as the foundation for isolation and sharing. This uses intra-process compartments, comprising code and data capabilities constrained by the same borders as well as efficient IPC mechanisms to enable communication between the compartmentalised services. This results in a low-TCB solution with strong isolation and fast communication.

Containerised virtual machines (cVMs) in Intravisor do not rely on the host OS, and require only a few essential kernel mechanisms, such as input/output access, threads, locks and time. Intravisor can be used for secure solutions based on microkernels, enabling the implementation of full-fledged Linux environments, partitioned pure-capability applications, and even rack-scale cloud services. It provides a type-three hypervisor, which is more granular than type-one (used at system level) or type-two used for OCI-style containers. Its economy and all-round low footprint could make it better suited to functions-as-a-service, for example AWS Lambda or Azure Functions.

Through TAP, the Systems Security Consulting team not only evaluated their research prototype on real hardware, they were also able to extend Intravisor’s functionality by integrating Libvirtd cloud orchestration software – an open source virtualisation management toolkit – as a standalone cVM. Porting libvirt to support CHERI required only a few dozen changes to its source code (measured in lines of code). Similarly, their modifications to libvirt to support the team’s product, Intravisor, amounted to about 2,790 lines of code. These are modest changes (<1.0%), compared to the size of libvirt itself (435,238 lines).

Systems Security Consulting is open to contracting work for porting specific applications or developing solutions based on Morello and Intravisor.