What is ARM Morello Project?

Is the end of many security software bugs coming?

NVIDIA is unlikely to go through with its purchase of ARM for $40 Billion in the end. Nvidia is reportedly backing out of the deal due to regulatory obstacles. That’s totally understandable given how Nvidia has become since that acquisition attempt back in 2020.

ARM however has some pretty interesting projects. Zdnet reports that Chip designer Arm has released a prototype of its Morello development board for researchers at Google, Microsoft and industry to test its goal for a CPU design that wipes out a chunk of memory-related security flaws in code.

Morello has a transformative goal to radically update the security foundations of the digital computing infrastructure that underpins the entire global economy. The main anticipated output of DSbD is a technology platform prototype, designed and produced by Arm: The Morello evaluation board. Read more about it from ARM here.

Could Software Bugs That Impact Security Have a Magical Fix?

Let’s be honest, when it comes to cybersecurity that’s bleeding edge, Microsoft is often involved.

The Morello board is the product of a collaboration between Arm, Cambridge University, Microsoft and others based on the Capability Hardware Enhanced RISC Instructions (CHERI) architecture.

What is CHERI?

CHERI stands for (Capability Hardware Enhanced RISC Instructions) protection model.

Microsoft says the board and system on chip (SoC) is the first high-performance implementation of CHERI, which provides "fine-grained spatial memory safety at a hardware level". If it proves successful after testing with legacy software, it could pave the way for future CPU designs.

Morello focuses on new ways of designing CPU architecture that can make processors more robust and deter certain key security breaches.

As part of an additional 5-year research program funded by UK Research and Innovation (UKRI), Morello will be used to produce and test a prototype technology that, if successful, could be implemented in future hardware.

Bleeding Edge Security Fix

CHERI was developed by the University of Cambridge and SRI International after it received funding from DARPA's Clean-slate design of Resilient, Adaptive, Secure Hosts (CRASH) program.

• CHERI architectural extensions are designed to mitigate memory safety vulnerabilities.

• CHERI augments pointers – the variables in computer code that reference where data is stored in memory – with limits as to how those references can be used, the address ranges that they can use to access, and which functionality they can use. "Once baked into silicon, they cannot be forged in software," Arm explained.

The shear amount of collaboration here is astounding. The Morello architecture is based on CHERI. Arm kicked off work on hardware for the Morello program in 2019 with backing from the UK government's Digital Security by Design (DSbD) program and UK Research and Innovation (UKRI). Got that?

There has never been a silicon implementation of this hardware capability technology in a high-performance CPU," said Arm.

Technical Specs

The Morello demonstrator board is a tweaked Arm Neoverse N1, a 2.5GHz quad-core server core CPU with support for Armv8.2a 64-bit architecture that has extra features to enable CHERI-based "compartmentalization" to counter exploits against memory-related security flaws. 

Significant Advances in Security in Software

The CHERI and Morello architectures may be one way of tackling memory-related security flaws that stem from code written in programming languages like C and C++. Microsoft and Google say the majority of security bugs are memory safety issues and they're often due to coding issues written in these languages. 

Cybersecurity for Software

The volume of these bugs and patches they require has prompted major software firms like Microsoft, Google and Amazon to explore 'type safe' languages like Rust for systems programming. However, Rust is generally used to write new components because vast, existing code bases written in C or C++ are left in place, as Google is doing for Android's code base.     

Using this new technology, Arm has designed a prototype system-on-chip (SoC) and a development board, called the Morello board. This will enable industry and academic partners to test the new prototype architecture in real-world use cases.

Over 2022, hundreds of Morello boards will be shipped to companies, universities, and government labs for experimentation and evaluation. The remainder of the project time will be available for testing and feedback by the industry ecosystem.

Additional Notes

As detailed in a paper about CHERI by Google researcher Ben Laurie and peers, various CHERI modes can be more effective and efficient than mitigations in conventional memory management unit (MMU) hardware, which are used to translate virtual memory addresses to physical addresses. 

• CHERI allows for software compartmentalization in a similar way to process isolation in software for today's operating systems.

• The Arm Morello program is a research program led by Arm to create a more secure hardware architecture for processors of the future.

• Its unique architectural extensions are based on Arm’s work with the University of Cambridge since 2015 on the CHERI (Capability Hardware Enhanced RISC Instructions) protection model.

Security is the greatest challenge computing needs to address to reach its full potential. Even security vulnerabilities in software itself need to be addressed.

Challenge of Security in the Smart Device, IoT and 5G Era

From smartwatches to smart speakers, smartphones to laptops, we rely on these devices to store and share personal information, be they photographs or medical records. We perform financial transactions and make purchases.

Even third-party software make Teslas vulnerable to attacks, not to mention devices in the smart home.

Research by Microsoft and Google has shown that 70 percent of vulnerabilities addressed through a security update each year continue to be memory safety issues.

The Morello Project of ARM, made possible by DARPA, Microsoft and Cambridge University demonstrates key ways that software bugs and device vulnerabilities can be mitigated at scale.

If you enjoyed this article, you might enjoy my Newsletter on A.I. called AiSupremacy.

AI Supremacy

AI news, cold tech war, BigTech, AI regulation, trends, coding.

By Michael Spencer

If you want to support my writing, I can’t continue to write without extensive community support.

Thanks for reading!

Comments

[Joaquim Leão]

Always in front of news about most recent developments. Thanks Michael.