All posts by Robert N. M. Watson

Google funding of open-source security projects

I was pleased to contribute to a recent blog article by Ben Laurie, a frequent collaborator with the Cambridge security group, on the Google Open Source Programs Office blog. We describe open-source security work OSPO has sponsored over the last couple of years, including our joint work on Capsicum, and its followup projects funded jointly by Google and the FreeBSD Foundation. He also talks about Google support for Certificate Transparency, OpenSSL, Tor, and Libpurple — projects focussed not just on communications security, but also communications privacy on the Internet.


Over the last decade or so, it has become increasingly (and painfully) apparent that ACLs and MAC, which were originally designed to protect expensive mainframes from their users, and the users from each other, are failing to secure modern cheap machines with single users who need protecting from the software they run.

Instead, we need fine-grained access control and strong sandboxing.
Continue reading Google funding of open-source security projects

Job ad: pre- and post-doctoral posts in processor, operating system, and compiler security

The CTSRD Project is advertising two posts in processor, operating system, and compiler security. The first is a research assistant position, suitable for candidates who may not have a research background, and the second is a post-doctoral research associate position suitable for candidates who have completed (or will shortly complete) a PhD in computer science or a related field.

The CTSRD Project is investigating fundamental improvements to CPU architecture, operating system (OS) design, and programming language structure in support of computer security. The project is a collaboration between the University of Cambridge and SRI International, and part of the DARPA CRASH research programme on clean-slate computer system design.

These positions will be integral parts of an international team of researchers spanning multiple institutions across academia and industry. Successful candidate will provide support for the larger research effort by contributing to low-level hardware and system-software implementation and experimentation. Responsibilities will include extending Bluespec-based CHERI processor designs, modifying operating system kernels and compiler suites, administering test and development systems, as well as performing performance measurements. The position will also support and engage with early adopter communities for our open-source research platform in the UK and abroad.

Candidates should have strong experience with at least one of Bluespec HDL, OS kernel development (FreeBSD preferred), or compiler internals (LLVM preferred); strong experience with the C programming language and use of revision control in large, collaborative projects is essential. Some experience with computer security and formal methods is also recommended.

Further details on the two posts may be found in job ads NR27772 and NR27782. E-mail queries may be sent directly to Dr Robert N. M. Watson.

Both posts are intended to start on 8 July 2013; applications must be received by 9 May 2013.

CACM: A decade of OS access-control extensibility

Operating-system access control technology has undergone a remarkable transformation over the last fifteen years as appliance, embedded, and mobile device vendors transitioned from dedicated “embedded operating systems” to general-purpose ones — often based on open-source UNIX and Linux variants. Device vendors look to upstream operating system authors to provide the critical low-level software foundations for their products: network stacks, UI frameworks, application frameworks, etc. Increasingly, those expectations include security functionality — initially, features to prevent device bricking, but also to constrain potentially malicious code from third-party applications, which engages features from digital signatures to access control and sandboxing.

In a February 2013 Communications of the ACM article, A decade of OS access-control extensibility, I reflect on the central role of kernel access-control extensibility frameworks in supporting security localisation, the adaptation of operating-system security models to site-local or product-specific requirements. Similar to device driver stacks of the virtual file system (VFS), the goal is to allow third-party developers or integrators to extend base operating system security models without being exposed to unstable programming interfaces or the risks associated with less integrated techniques such as system-call interposition.

Case in point is the TrustedBSD MAC Framework, developed and deployed over the 2000s with support from DARPA and the US Navy, in collaboration with several industrial partners. In the article, I consider our original motivations, context, and design principles, but also track the transition process, which relied heavily on open source methodology and community, to a number of widely used products, including the open-source FreeBSD operating system, Apple’s Mac OS X and iOS operating systems, Juniper’s Junos router operating system, and nCircle’s IP360 product. I draw conclusions on things we got right (common infrastructure spanning models; tight integration with OS concurrency model) and wrong (omitting OS privilege model extension; not providing an application author identity model).

Throughout, the diversity of approaches and models suggests an argument for domain-specific policy models that respond to local tradeoffs between performance, functionality, complexity, and security, rather than a single policy model to rule them all. I also emphasise the importance of planning for long-term sustainability for research products — critical to adoption, especially via open source, but also frequently overlooked in academic research.

An open-access (and slightly extended) version of the article can be found on ACM Queue.

Interviews on the clean-slate design argument

Over the past two years, Peter G. Neumann and I, along with a host of collaborators at SRI International and the University of Cambridge Computer Laboratory, have been pursuing CTSRD, a joint computer-security research project exploring fundamental revisions to CPU design, operating systems, and application program structure. Recently we’ve been talking about the social, economic, and technical context for that work in a series of media interviews, including one with ACM Queue on research into the hardware-software interface posted previously.

A key aspect to our argument is that the computer industry has been pursuing a strategy of hill climbing with respect to security; if we were willing to take a step back and revisit some of our more fundamental design choices, learning from longer-term security research over the last forty years, then we might be able to break aspects of the asymmetry driving the current arms race between attackers and defenders. This clean-slate argument doesn’t mean we need to throw everything away, but does suggest that more radical change is required than is being widely considered, as we explore in two further interviews:

CFP: Runtime Environments, Systems, Layering and Virtualized Environments (RESoLVE 2013)

This year, we presented two papers at RESoLVE 2012 relating to the structure of operating systems and hardware, one focused on CPU instruction set security features out of our CTSRD project, and another on efficient and reconfigurable communications in data centres out of our MRC2 project.

I’m pleased to announce the Call for Papers for RESoLVE 2013, a workshop (co-located with ASPLOS 2013) that brings together researchers in both the OS and language level virtual machine communities to exchange ideas and experiences, and to discuss how these separate layers can take advantage of each others’ services. This has a particular interest to the security community, who both want to build, and build on, security properties spanning hardware protection (e.g., VMs) and language-level protection.

Runtime Environments, Systems, Layering and Virtualized Environments
(RESoLVE 2013)

ASPLOS 2013 Workshop, Houston, Texas, USA
March 16, 2013


Today’s applications typically target high-level runtime systems and frameworks. At the same time, the operating systems on which they run are themselves increasingly being deployed on top of (hardware) virtual machines. These trends are enabling applications to be written, tested, and deployed more quickly, while simplifying tasks such as checkpointing, providing fault-tolerance, enabling data and computation migration, and making better, more power-efficient use of hardware infrastructure.

However, much current work on virtualization still focuses on running unmodified legacy systems and most higher-level runtime systems ignore the fact that they are deployed in virtual environments. The workshop on Runtime Environments, Systems, Layering, and Virtualized Environments (RESoLVE 2013) aims to brings together researchers in both the OS and language level virtual machine communities to exchange ideas and experiences and to discuss how these separate layers can take advantage of each others’ services.

Continue reading CFP: Runtime Environments, Systems, Layering and Virtualized Environments (RESoLVE 2013)

ACM Queue interview on research into the hardware-software interface

ACM Queue has posted my August 2012 interview on research into the hardware-software interface. We discuss the importance of a whole-stack view in addressing contemporary application security problems, which are often grounded in how we represent and execute software over lower-level substrates. We need to consider CPU design, operating systems, programming languages, applications, and formal methods — which requires building collaborations that span traditional silos in computer science research. I also consider the impact of open source on software security research methodology, and how we might extend those ideas to CPU research. A motivation for this investigation is our experimental CHERI hybrid capability processor, part of the CTSRD Project, a long-term research collaboration between the security, operating systems, and computer architecture groups at the University of Cambridge Computer Laboratory and the systems and formal methods groups SRI International Computer Science Laboratory.

Call for papers: Workshop on Adaptive Host and Network Security

Stu Wagner, Bob Laddaga, and I are pleased to announce the call for papers for a new Workshop on Adaptive Host and Network Security, to take place at the Sixth IEEE Conference on Self-Adaptive and Self-Organizing Systems in September 2012 in Lyon, France.

Over the past decade the threat of cyber attacks on critical commercial and government infrastructure has been growing at an alarming rate to a point where it is now considered to be a major threat in the world. Current approaches to cyber security involve building fast-growing multi-million line systems that attempt to detect and remove attacking software. Meanwhile, cyber exploits continue to multiply in number, but their size continues to be a couple of hundred lines of code. This disparity of effort means that the current defensive approaches to cyber security can at best fight a holding action. The workshop is intended to explore game-changing approaches to cyber security that focus on adaptation. There is a clear need to develop systems at both the host level and the network level to actively adapt to cyber attacks and to provide greater protection for networked computation at all levels. Topic of interest include:

  • Protecting the host
  • New OS models for secure hosts
  • Combining proof, model checking and dynamic monitoring techniques for host security
  • Meta-level control and monitoring of networks
  • Use of feedback mechanisms in network operations
  • Self-monitoring and self-explaining network systems
  • Self-adaptive and autonomic networking
  • Centralized versus distributed network control
  • Measurement of network properties in support of self evaluation
  • Programming language abstractions to support security
  • Computational models of network security
  • Self healing networks
  • Learning in adaptive networks
  • Dynamically reprogrammable switches
  • The use of a Policy-based Network Management system to build self-adaptively secure networks

Continue reading Call for papers: Workshop on Adaptive Host and Network Security

Job ad: post-doctoral researcher in security, operating systems, computer architecture

We are pleased to announce a job opening at the University of Cambridge Computer Laboratory for a post-doctoral researcher working in the areas of security, operating systems, and computer architecture.

Research Associate in compiler-assisted instrumentation of operating system kernels
University of Cambridge – Faculty of Computer Science and Technology
Salary: £27,578-£35,938 pa

The funds for this post are available for up to two years:

We are seeking a Post-doctoral Research Associate to join the CTSRD and MRC2 projects, which are investigating fundamental revisions to CPU architecture, operating system (OS), programming language, and networking structures in support of computer security. The two projects are collaborations between the University of Cambridge and SRI International, and part of the DARPA CRASH and MRC research programmes on clean-slate computer system design.

This position will be an integral part of an international team of researchers spanning multiple institutions across academia and industry. The successful candidate will contribute to low-level aspects of system software: compilers, language run-times, and OS kernels. Responsibilities will include researching the application of novel dynamic instrumentation techniques to C-language operating systems and applications, including adaptation of the FreeBSD kernel and LLVM compiler suite, and evaluation of the resulting system.

Continue reading Job ad: post-doctoral researcher in security, operating systems, computer architecture

Capsicum in CACM Research Highlights

The Research Highlights section of Communications of the ACM from March 2012 features two articles on Capsicum, collaborative research by the Cambridge security group and Google on capability-oriented security for contemporary operating systems. The first, Technical Perspective: The Benefits of Capability-Based Protection by Steven Gribble, considers the value of capability systems (such as Capsicum) in addressing current security problems. The second, A taste of Capsicum: practical capabilities for UNIX, is an abridged and updated version of our USENIX Security paper from 2010. These articles have since been picked up by Slashdot, Reddit, and others, and are linked to from the Capsicum publications, talks, and documentation page.

Three-paper Thursday: capability systems

This week, my contribution to our three-paper Thursday research reading list series is on capability systems. Capabilities are unforgeable tokens of authority — capability systems are hardware, operating, or programming systems in which access to resources can occur only using capabilities. Capability system research in the 1970s motivated many fundamental insights into practical articulations of the principle of least privilege, separation of mechanism and policy, and the interactions between program representation and security. They also formed the intellectual foundation for a recent renaissance in capability-oriented microkernels (L4, sel4) and programming languages (Joe-E, Caja, ECMAScript 5). Capability systems have a long history at Cambridge, including the CAP Computer, and more recently, our work on Capsicum: practical capabilities for UNIX. I’ve selected three “must read” papers, but there are plenty of other influential pieces that, unfortunately, space doesn’t allow for!
Continue reading Three-paper Thursday: capability systems