Title: Using Morello technology to enable much better software security

Abstract: Morello is an industrial-scale experiment, funded under UKRI’s Digital Security by Design (DSbD) initiative, to implement Cambridge University’s CHERI technology in a realistic Mobile/Server multi-core ASIC. CHERI is a modern “take” on the late 1960’s concept of capabilities. (A seminal paper was R.S. Fabry’s Capability-based addressing, published in 1974). Morello adds CHERI-style capabilities and capability instructions to Arm’s 64-bit architecture. For more than five years, I have been thinking on and off about how this technology might be used to secure software against adversaries. In retrospect, the answers look obvious, but as with all research and early development, hindsight is a wonderful thing. In this presentation I will give an overview of how to deploy Morello (or any CHERI-enabled architecture) against (a) adversaries able to execute their chosen code and (b) remote adversaries able to control data inputs and seeking to achieve execution of their chosen code. With Morello, resistance is far from futile!