The continuous cycle of patching and mitigating vulnerabilities is at the core of an organization’s strategy to protect its cyber-attack surface. This cycle, however, constitutes an imbalance between attackers and targets, whereby cyber-criminals only need to be right once, while defenders need to be right all the time. To compromise an organization, attackers only need to identify and exploit a zero-day vulnerability before the security team has the chance to patch or mitigate it.
Throughout the years, the technology to mitigate and patch vulnerabilities has evolved greatly, with security teams aware of the importance of improving patch management. However, a fundamental change is needed. Continuous patching equates to treating the symptoms of a disease rather than finding the vaccine. Instead, blocking the exploitation of vulnerabilities would put defenders in a position of advantage and eradicate the issue at its core.
One reason why the threat of vulnerabilities was tackled by investment in vulnerability management tools, rather than eliminating the problem altogether, is that the way computer processors run software hasn’t evolved. New chips won’t be built unless they have software to run, and software will be designed to run on chips that are already built. Changes in processor architecture have not challenged the fundamental approach to how software runs on chips.
What if, instead, computers could be built to block vulnerabilities by design? The Digital Security by Design Challenge (DSbD) is rethinking how computers are built to be inherently secure from cyber-attacks without impacting overall performance, overly constraining the software or requiring a ground-up rewrite of code. DSbD takes a hardware-first approach because even with today’s advancement, software is still only as secure as the computer hardware it runs on.
The Morello Program and Capability Hardware Enhanced RISC Instructions (CHERI)
Changes to a processor’s architectural design need to be fundamental and incrementally deployable to ensure widespread adoption. For this reason, researchers at the University of Cambridge have been working on a program called Capability Hardware Enhanced RISC Instructions (CHERI), looking at inherently memory-safe processor designs.
The CHERI design principle differs from existing processors because, rather than having a software or an operating system manipulating substantial portions of the computer’s memory, it limits the access to only fine-grain regions specific software can access. This makes vulnerability exploits useless to cyber-criminals since the vulnerable code can no longer be used to inject attack code while also being able to ensure any other code no longer has the permission to access the protected regions of the application’s memory
The Morello program is looking at the CHERI concepts and is producing a development board to enable software developers to investigate a new processor design. The ultimate goal is to make the DSbD security by design concepts integral to all mainstream processor designs.
Fine-Grained Compartmentalization
The CHERI researchers also proposed the compartmentalization of code, libraries and data within a single application process. Compartmentalization allows developers to enable different parts of a program’s code access only to the memory it needs, bringing performance benefits and making the overall application more secure by default.
The difference in CHERI’s approach is the granularity at which the compartmentalization can happen. With today’s hardware, it’s impossible, for example, to isolate every code block within a browser, but that is precisely what CHERI could do and how DSbD’s technologies could transform trust and resilience, blocking vulnerabilities and delivering security by design.
To make this work, computers need new processor chips that include the DSbD features, and operating systems need to enable the features while delivering and compartmentalizing its services. Software applications could then benefit from the memory safety features. New software designs will benefit from compartmentalization, realizing the increased resilience and safety of being more secure by default.
What Next?
If existing code becomes memory-safe, the impact of vulnerabilities will be dramatically reduced. Zero-day attacks will not have the same impact on an organization’s productivity. The reduction of cyber-attacks and increased resilience of applications will happen on an even bigger scale with compartmentalized software. This ecosystem won’t develop overnight, but DSbD is accelerating the process by reducing the barriers, complexity and risks of adoption.
As people’s lives become more inextricably linked to the digital realm, now is the time to move forward with digital safety in mind. This can only be done by designing resilience and security into technology, making components secure by design and systems protected by default. With the collaboration of key businesses and researchers, DSbD is creating the infrastructure to answer this challenge and build a brighter digital future for everyone.
