£2.2m for CHERI automotive, embedded security projects

By Nick Flaherty

The UK’s Digital Security by Design (DSbD) programme has commissioned two projects on more secure automotive and embedded systems.

The projects are testing the CHERI (Capability Hardware Enhanced RISC Instructions) architecture, which DSbD says could reduce the exploitation of around 70% of ongoing vulnerabilities.

DSbD has announced £1.2m funding for a consortium led by Thales UK to develop a demonstrator called RESAuto with an Automotive Braking System integrated with a real-time monitoring and compliance system.

ARM has developed a secure chip called Morello that uses the technology and this is heading for security testing later this month.

A further £993k has been invested in Cambridge-based organisation lowRISC for a RISC-V core with security extensions for embedded platforms called CHERIoT.

RESAuto is looking at how CHERI can be used across the automotive supply chain, where international regulatory and legal controls conflict with through-life objectives of safety, privacy, and access to data. The demonstrator will focus on quantifying the advantages of CHERI in complex interconnected systems with sophisticated supply ecosystems and liability models.

“The RESAuto consortium is delighted to be given this opportunity to examine in the context of a complex global supply ecosystem, where safety is a paramount public expectation, how the characteristics of a CHERI-based solution might benefit the achievability, including economically, of resilient outcomes including in the face of cyber threats. Demonstrating both the economic benefits compared to other potential solutions and the demand lines through the supply ecosystem will be critical if CHERI-based solutions are to become significant in the coming decade,” said Peter Davies, Director Security Concepts at Thales UK.

RESAuto joins the existing DSbD AutoCHERI project led by Beam Connectivity which has integrated CHERI into automotive grade Telematics Control Units (TCUs) and is testing the cyber security enhancements in the real world.

“All new vehicles will be connected which is driving the need for higher levels of security to support the adoption of features such as over-the-air software updates, Vehicle-to-everything (V2X) applications and remote teleoperations. In the AutoCHERI project we are looking at innovations which will support vehicle manufacturers meet these emerging challenges for improved resilience,” said Thomas Sors, Cofounder and CEO of Beam Connectivity.

lowRISC is a not-for-profit based in Cambridge which creates open source tools for communities to promote collaborative engineering. Microsoft has recently extended the popular RISC-V Ibex core, maintained by lowRISC, with prototype CHERI support and released this work to the open source community as CHERIoT. This project will see lowRISC create two prototypes around the CHERIoT core and the open source OpenTitan root of trust, which has been developed by lowRISC in partnership with Google and other major commercial and academic partners.

Dr Gavin Ferris, CEO, lowRISC CIC said: “As a UK non-profit silicon engineering company, lowRISC is very excited to be participating in this innovative — and fully open source — project in partnership with Microsoft. We believe it will help establish the value of the RISC-V CHERIoT embedded platform in the challenging domain of operational technology, where critical security requirements must be achieved within extremely tight power, area and financial budgets.”

While researching advances in DSbD software tooling as part of a GE Aerospace-led consortium, and during the development of a compiler feature, AdaCore found a memory-safety bug that had eluded industry-standard validation and verification tools within an existing DevOps pipeline. The bug was discovered while adapting the GNAT Ada runtime code to take advantage of CHERI, through the subsequent use of a recently devised sanity check test on an emulated Morello target, and was caught before it was merged into a released product.

Paul Butcher, UK Programme Manager, AdaCore said: “AdaCore provides high-assurance software development tools for safety and security-critical platforms. We’ve been closely following the Morello CHERI work and are now involved in the Digital Security by Design initiative via the GE Aerospace primed Edge Avionics project. This has allowed AdaCore engineering to explore CHERI’s benefits fully.

“Moving forward, we see two clear benefits for CHERI-based ISAs. The first is safeguarding against memory corruption-related vulnerability exploits by ensuring deployed applications fail secure. The second is an advanced vulnerability detection mechanism that pushes the state of the art with dynamic analysis testing; we’ve seen examples of where CHERI can find vulnerabilities that Valgrind-related tooling and other runtime tools like AddressSanitizer (ASan) cannot. In addition, we’re also predicting low effort in porting existing Ada code over to CHERI-based architectures. The utilisation of advanced CHERI hardware instruction set architectures ensures security by design and adds an invaluable low-level security layer to platform development.”

