Security beyond software: The open source hardware security evolution

Mention IT security, and most people immediately think of software-based protections against software-based threats: ransomware, viruses, and other forms of malware. But recognition of the importance of hardware security—upon which all software security is built—is (thankfully) also growing.

Established hardware security standards such as Secure Boot and Trusted Platform Module (TPM) ensure that computer systems aren’t tampered with or get compromised during bootup. Hardware-based encryption is widely used to protect data on hard drives and networks.

But to fight increasingly sophisticated security threats, more advanced security safeguards are expected to emerge at the hardware level. Ultimately, organizations that pursue comprehensive strategies and integrate the latest hardware and software protections will achieve the best security posture. Open source will continue to play a pivotal role in this evolution.

Instruction set architectures (ISAs) lay the foundation for secure software behavior

Established and emerging instruction set architectures offer powerful and promising hardware-based security technologies.

Some ISAs include built-in security features to mitigate vulnerabilities and attacks, such as hardware-based encryption, memory protection, and data execution prevention.

Several popular ISAs are in wide use today. x86 has been around for decades, and security features in the x86 ISA may protect you if you’re reading this on an Intel-based desktop or laptop. Arm also has ISA-level security features, making it the ISA of choice for mobile devices (and is likely behind the scenes if you’re reading this on a phone or tablet). RISC-V is a newer ISA that stands apart as a 100% free and open source option that’s earning remarkably rapid adoption because of its flexibility and capabilities as a research platform.

An organization selecting an ISA should consider its compatibility with other security tools and software to ensure a cohesive security posture.

The buzz about open source CHERI, and how it demonstrates ISAs’ high potential

CHERI has emerged as an exciting hardware-based security project under joint development by the University of Cambridge and SRI International.

CHERI covers several ISAs, including CHERI MIPS and CHERI Arm. The open source research project is earning attention for its unique protection model, which introduces hardware-enforced bounds and permissions that control access to memory regions. CheriBSD, a capability-enabled extension of open FreeBSD, implements the CHERI ISA’s memory protection and software compartmentalization features.

CHERI is still in the R&D phase, but existing prototypes show promise.

Arm’s Morello platform—the most advanced CHERI prototype—pairs CheriBSD’s latest release with a high-performance core to create a powerful system-on-chip and a development board. This platform offers a memory-safe desktop environment for software development. FPGA implementations exist for open source RISC-V, with work progressing on standardizing CHERI for RISC-V. Partners, including Google, Microsoft, and many others, have been actively and eagerly exploring CHERI-RISC-V and the Morello platform.

The emergence of CHERI and similar projects represent a potential revolution in IT security. The memory protection and data access control CHERI offers can grant organizations broad immunity to attacks and vulnerabilities. Memory-based attacks like buffer overflows and use-after-free exploits become preventable. CHERI-type projects also deliver high-performance compartmentalization, addressing organizations’ critical need for preventing attackers from accessing sensitive data.

Open source accelerates hardware security’s evolution

The collaboration and knowledge-sharing intrinsic to open source projects accelerate how well new and existing hardware security technologies develop. With source code and hardware designs open for developers and security experts to review, test and report weaknesses, and work together to patch and improve, open source hardware-based security innovation brings a level of creative contributions and testing that closed-source development cannot match.

In the case of CheriBSD (an adaption of the FreeBSD OS), the ability to build on an open source Unix-like operating system has played an essential role in the progress the solution has achieved.

Hardware security’s growing role

As security threats increase in sophistication and the sheer danger they pose, organizations must harness every protection available to defeat this rising challenge.

Emerging hardware-based security solutions such as CHERI and other new open-source-powered ISAs offer compelling advances in the fundamental protections an organization can employ. Deployed as part of a comprehensive security strategy, these tools represent a welcome and needed sea change in the strength and possibilities of enterprise security postures going forward.