Article Details

FreeBSD Foundation hands out Beacon gongs for safer software. Multiple CHERI-related projects win money for important research that prizes safety over speed. The inaugural Beacon Awards has handed three prizes to projects working on safer software for CHERI-enabled hardware running on the CheriBSD operating system. For the unitiated, CHERI is an abbreviation of Capability Hardware Enhanced RISC Instructions. The Beacon Awards is a fresh scheme from the FreeBSD Foundation, in partnership with the UK government's Digital Security by Design initiative, to reward efforts at safer software. The Digital Security by Design initiative has been around for some six years now, and it funds multiple projects in the broader security R&D field. The Register reported on Arm jumping on board in early 2019. It worked: It was awarded £36 million ($45.43 million) at the gongs last week. Naturally, there were talks about much more money… but it's good to know that some real technological developments have come out of this. We've been reporting on the FreeBSD project's involvement for some years now. One notable achievement was getting the whole KDE stack running, as we covered in 2022, including a recap of the CHERI architecture. CHERI started at the University of Cambridge and there are versions for multiple architectures, including Arm's Morello program. One grand prize went to the Mojo JVM. This is a memory-secure Java runtime that "can run existing Java applications with no or minimal code changes," according to the awards page. Java isn't trendy any more and applets in web pages disappeared years ago, but it remains very significant in internal business-process apps in many large companies. Its development is sponsored by The Hut Group, an etailer which occasionally pops up on the Register. The team has a 17-minute Youtube video explaining how CHERI can bring greater memory-safety to the OpenJDK JVM. Youtube Video Another grand prize went to Intravisor, a new form of virtualization host for cloud software, which can run various kinds of VMs with greater isolation on CHERI-enabled hardware. This includes its own lightweight ones and unmodified Linux environments. There's more info on the GitHub page, and there was a talk about Intravisor at the 2022 FOSDEM conference. The third grand prize went to the appropriately named Capabilities Limited for its work refactoring 1.7 million lines of existing C++ web services software to CheriBSD on Morello. Honorable mentions went to two pieces of research by the University of Glasgow's Jeremy Singer. One is Morello Micropython, a research project that's produced a CHERI-enabled Micropython interpreter. He has also been studying adapting the Boehm garbage collector to CHERI, which he terms Capability Boehm [PDF]. The many strands of CHERI research don't get headlines in the same way as commercial R&D on fancy new GPUs – or the latest models of CPU which are a few percent faster than the previous kit. This is partly because those are commercial projects and their backers want to sell more hardware, and it's relatively easy to sell that something is faster than before. As the Reg FOSS desk's holiday feature explored at some length, in the course of developing inexpensive mass-market microcomputers, a lot of the security systems of earlier generations of computers were simply discarded, either for being too expensive or too much hard work. Capabilities were just one of them. The CHERI research is looking for ways to restore these to existing systems running current software, with minimal modifications. If they're successful, the resulting hardware and software will be slightly slower – but also immune, or at least far more robust against, all kinds of software vulnerabilities and exploits. As it is today, Linux has a bunch of performance-killing security features, whose impact you can see if you just turn them off temporarily. We're already paying the speed penalty for this stuff. CHERI could do better. It's a price worth paying.