CHERI: a research platform deconflating hardware virtualisation and protection

Contemporary CPU architectures conflate virtualization and protection, imposing virtualization-related performance, programmability, and debuggability penalties on software requiring finegrained protection. First observed in micro-kernel research, these problems are increasingly apparent in recent attempts to mitigate software vulnerabilities through application compartmentalisation. Capability Hardware Enhanced RISC Instructions (CHERI) extend RISC ISAs to support greater software compartmentalisation. CHERI’s hybrid capability model provides fine-grained compartmentalisation within address spaces while maintaining software backward compatibility, which will allow the incremental deployment of fine-grained compartmentalisation in both our most trusted and least trustworthy C-language software stacks. We have implemented a 64-bit MIPS research soft core, BERI, as well as a capability coprocessor, and begun adapting commodity software packages (FreeBSD and Chromium) to execute on the platform

CHERI: A hybrid capability-system architecture for scalable software compartmentalization

CHERI extends a conventional RISC Instruction- Set Architecture, compiler, and operating system to support fine-grained, capability-based memory protection to mitigate memory-related vulnerabilities in C-language TCBs. We describe how CHERI capabilities can also underpin a hardware-software object-capability model for application compartmentalization that can mitigate broader classes of attack. Prototyped as an extension to the open-source 64-bit BERI RISC FPGA softcore processor, FreeBSD operating system, and LLVM compiler, we demonstrate multiple orders-of-magnitude improvement in scalability, simplified programmability, and resulting tangible security benefits as compared to compartmentalization based on pure Memory-Management Unit (MMU) designs. We evaluate incrementally deployable CHERI-based compartmentalization using several real-world UNIX libraries and applications.We thank our colleagues Ross Anderson, Ruslan Bukin, Gregory Chadwick, Steve Hand, Alexandre Joannou, Chris Kitching, Wojciech Koszek, Bob Laddaga, Patrick Lincoln, Ilias Marinos, A Theodore Markettos, Ed Maste, Andrew W. Moore, Alan Mujumdar, Prashanth Mundkur, Colin Rothwell, Philip Paeps, Jeunese Payne, Hassen Saidi, Howie Shrobe, and Bjoern Zeeb, our anonymous reviewers, and shepherd Frank Piessens, for their feedback and assistance. This work is part of the CTSRD and MRC2 projects sponsored by the Defense Advanced Research Projects Agency (DARPA) and the Air Force Research Laboratory (AFRL), under contracts FA8750-10-C- 0237 and FA8750-11-C-0249. The views, opinions, and/or findings contained in this paper are those of the authors and should not be interpreted as representing the official views or policies, either expressed or implied, of the Department of Defense or the U.S. Government. We acknowledge the EPSRC REMS Programme Grant [EP/K008528/1], Isaac Newton Trust, UK Higher Education Innovation Fund (HEIF), Thales E-Security, and Google, Inc.This is the author accepted manuscript. The final version is available at http://dx.doi.org/10.1109/SP.2015.

Fast Protection-Domain Crossing in the CHERI Capability-System Architecture

Capability Hardware Enhanced RISC Instructions (CHERI) supplement the conventional memory management unit (MMU) with instruction-set architecture (ISA) extensions that implement a capability system model in the address space. CHERI can also underpin a hardware-software object-capability model for scalable application compartmentalization that can mitigate broader classes of attack. This article describes ISA additions to CHERI that support fast protection-domain switching, not only in terms of low cycle count, but also efficient memory sharing with mutual distrust. The authors propose ISA support for sealed capabilities, hardware-assisted checking during protection-domain switching, a lightweight capability flow-control model, and fast register clearing, while retaining the flexibility of a software-defined protection-domain transition model. They validate this approach through a full-system experimental design, including ISA extensions, a field-programmable gate array prototype (implemented in Bluespec SystemVerilog), and a software stack including an OS (based on FreeBSD), compiler (based on LLVM), software compartmentalization model, and open-source applications.This work is part of the CTSRD and MRC2 projects sponsored by the Defense Advanced Research Projects Agency (DARPA) and the Air Force Research Laboratory (AFRL), under contracts FA8750-10-C-0237 and FA8750-11-C-0249. We also acknowledge the Engineering and Physical Sciences Research Council (EPSRC) REMS Programme Grant [EP/K008528/1], the EPSRC Impact Acceleration Account [EP/K503757/1], EPSRC/ARM iCASE studentship [13220009], Microsoft studentship [MRS2011-031], the Isaac Newton Trust, the UK Higher Education Innovation Fund (HEIF), Thales E-Security, and Google, Inc.This is the author accepted manuscript. The final version of the article can be found at: http://ieeexplore.ieee.org/document/7723791

CheriABI: Enforcing Valid Pointer Provenance and Minimizing Pointer Privilege in the POSIX C Run-time Environment

The CHERI architecture allows pointers to be implemented as capabilities (rather than integer virtual addresses) in a manner that is compatible with, and strengthens, the semantics of the C language. In addition to the spatial protections offered by conventional fat pointers, CHERI capabilities offer strong integrity, enforced provenance validity, and access monotonicity. The stronger guarantees of these architectural capabilities must be reconciled with the real-world behavior of operating systems, run-time environments, and applications. When the process model, user-kernel interactions, dynamic linking, and memory management are all considered, we observe that simple derivation of architectural capabilities is insufficient to describe appropriate access to memory. We bridge this conceptual gap with a notional \emph{abstract capability} that describes the accesses that should be allowed at a given point in execution, whether in the kernel or userspace. To investigate this notion at scale, we describe the first adaptation of a full C-language operating system (FreeBSD) with an enterprise database (PostgreSQL) for complete spatial and referential memory safety. We show that awareness of abstract capabilities, coupled with CHERI architectural capabilities, can provide more complete protection, strong compatibility, and acceptable performance overhead compared with the pre-CHERI baseline and software-only approaches. Our observations also have potentially significant implications for other mitigation techniques.This work was supported by the Defense Advanced Research Projects Agency (DARPA) and the Air Force Research Laboratory (AFRL), under contracts FA8750-10-C-0237 (``CTSRD'') and HR0011-18-C-0016 (``ECATS''). The views, opinions, and/or findings contained in this report are those of the authors and should not be interpreted as representing the official views or policies of the Department of Defense or the U.S. Government. We also acknowledge the EPSRC REMS Programme Grant (EP/K008528/1), the ERC ELVER Advanced Grant (789108), Arm Limited, HP Enterprise, and Google, Inc. Approved for Public Release, Distribution Unlimited

The Genomics of Speciation in Drosophila: Diversity, Divergence, and Introgression Estimated Using Low-Coverage Genome Sequencing

In nature, closely related species may hybridize while still retaining their distinctive identities. Chromosomal regions that experience reduced recombination in hybrids, such as within inversions, have been hypothesized to contribute to the maintenance of species integrity. Here, we examine genomic sequences from closely related fruit fly taxa of the Drosophila pseudoobscura subgroup to reconstruct their evolutionary histories and past patterns of genic exchange. Partial genomic assemblies were generated from two subspecies of Drosophila pseudoobscura (D. ps.) and an outgroup species, D. miranda. These new assemblies were compared to available assemblies of D. ps. pseudoobscura and D. persimilis, two species with overlapping ranges in western North America. Within inverted regions, nucleotide divergence among each pair of the three species is comparable, whereas divergence between D. ps. pseudoobscura and D. persimilis in non-inverted regions is much lower and closer to levels of intraspecific variation. Using molecular markers flanking each of the major chromosomal inversions, we identify strong crossover suppression in F1 hybrids extending over 2 megabase pairs (Mbp) beyond the inversion breakpoints. These regions of crossover suppression also exhibit the high nucleotide divergence associated with inverted regions. Finally, by comparison to a geographically isolated subspecies, D. ps. bogotana, our results suggest that autosomal gene exchange between the North American species, D. ps. pseudoobscura and D. persimilis, occurred since the split of the subspecies, likely within the last 200,000 years. We conclude that chromosomal rearrangements have been vital to the ongoing persistence of these species despite recent hybridization. Our study serves as a proof-of-principle on how whole genome sequencing can be applied to formulate and test hypotheses about species formation in lesser-known non-model systems

Alcohol dehydrogenase activities and ethanol tolerance in Anastrepha (Diptera, Tephritidae) fruit-fly species and their hybrids

The ADH (alcohol dehydrogenase) system is one of the earliest known models of molecular evolution, and is still the most studied in Drosophila. Herein, we studied this model in the genus Anastrepha (Diptera, Tephritidae). Due to the remarkable advantages it presents, it is possible to cross species with different Adh genotypes and with different phenotype traits related to ethanol tolerance. The two species studied here each have a different number of Adh gene copies, whereby crosses generate polymorphisms in gene number and in composition of the genetic background. We measured certain traits related to ethanol metabolism and tolerance. ADH specific enzyme activity presented gene by environment interactions, and the larval protein content showed an additive pattern of inheritance, whilst ADH enzyme activity per larva presented a complex behavior that may be explained by epistatic effects. Regression models suggest that there are heritable factors acting on ethanol tolerance, which may be related to enzymatic activity of the ADHs and to larval mass, although a pronounced environmental effect on ethanol tolerance was also observed. By using these data, we speculated on the mechanisms of ethanol tolerance and its inheritance as well as of associated traits

CHMP1A encodes an essential regulator of BMI1-INK4A in cerebellar development

Charged multivesicular body protein 1A (CHMP1A; also known as chromatin-modifying protein 1A) is a member of the ESCRT-III (endosomal sorting complex required for transport-III) complex but is also suggested to localize to the nuclear matrix and regulate chromatin structure. Here, we show that loss-of-function mutations in human CHMP1A cause reduced cerebellar size (pontocerebellar hypoplasia) and reduced cerebral cortical size (microcephaly). CHMP1A-mutant cells show impaired proliferation, with increased expression of INK4A, a negative regulator of stem cell proliferation. Chromatin immunoprecipitation suggests loss of the normal INK4A repression by BMI in these cells. Morpholino-based knockdown of zebrafish chmp1a resulted in brain defects resembling those seen after bmi1a and bmi1b knockdown, which were partially rescued by INK4A ortholog knockdown, further supporting links between CHMP1A and BMI1-mediated regulation of INK4A. Our results suggest that CHMP1A serves as a critical link between cytoplasmic signals and BMI1-mediated chromatin modifications that regulate proliferation of central nervous system progenitor cells

Use of Carboxymethyl Cellulose and Collagen Carrier with Equine Bone Lyophilisate Suggests Late Onset Bone Regenerative Effect in a Humerus Drill Defect – A Pilot Study in Six Sheep

We assessed the use of a filler compound together with the osteoinductive demineralized bone matrix (DBM), Colloss E. The filler was comprised of carboxymethyl-cellulose and collagen type 1. The purpose of the study was to see if the filler compound would enhance the bone formation and distribute the osteoinductive stimulus throughout the bone defect. Six sheep underwent a bilateral humerus drill defect. The drill hole was filled with a compound consisting of 100 mg CMC, 100 mg collagen powder, and 1 ccm autologous full blood in one side, and a combination of this filler compound and 20 mg Colloss E in the other. The animals were divided into three groups of two animals and observed for 8, 12 and 16 weeks. Drill holes was evaluated using quantitative computed tomography (QCT), micro computed tomography (µCT) and histomorphometry. Mean total bone mineral density (BMD) of each implantation site was calculated with both QCT and µCT. Bone volume to total volume (BV/TV) was analyzed using µCT and histomorphometry. Although not statistically significant, results showed increased bone BMD after 16 weeks in µCT data and an increased BV/TV after 16 weeks in both µCT and histology. Correlation between QCT and µCT was R2 = 0.804. Correlation between histomorphometry and µCT BV/TV data was R2 = 0.8935 and with an average overrepresentation of 8.2% in histomorphometry. In conclusion the CMC-Collagen + Colloss E filler seems like a viable osteogenic bone filler mid- to long term. A correlation was found between the analytical methods used in this study

Low linkage disequilibrium in wild Anopheles gambiae s.l. populations

<p>Abstract</p> <p>Background</p> <p>In the malaria vector <it>Anopheles gambiae</it>, understanding diversity in natural populations and genetic components of important phenotypes such as resistance to malaria infection is crucial for developing new malaria transmission blocking strategies. The design and interpretation of many studies here depends critically on Linkage disequilibrium (LD). For example in association studies, LD determines the density of Single Nucleotide Polymorphisms (SNPs) to be genotyped to represent the majority of the genomic information. Here, we aim to determine LD in wild <it>An. gambiae s.l</it>. populations in 4 genes potentially involved in mosquito immune responses against pathogens (<it>Gambicin</it>, <it>NOS</it>, <it>REL2 </it>and <it>FBN9</it>) using previously published and newly generated sequences.</p> <p>Results</p> <p>The level of LD between SNP pairs in cloned sequences of each gene was determined for 7 species (or incipient species) of the <it>An. gambiae </it>complex. In all tested genes and species, LD between SNPs was low: even at short distances (< 200 bp), most SNP pairs gave an r²< 0.3. Mean r²ranged from 0.073 to 0.766. In most genes and species LD decayed very rapidly with increasing inter-marker distance.</p> <p>Conclusions</p> <p>These results are of great interest for the development of large scale polymorphism studies, as LD generally falls below any useful limit. It indicates that very fine scale SNP detection will be required to give an overall view of genome-wide polymorphism. Perhaps a more feasible approach to genome wide association studies is to use targeted approaches using candidate gene selection to detect association to phenotypes of interest.</p

Understanding Plant-Microbe Interactions for Phytoremediation of Petroleum-Polluted Soil

Plant-microbe interactions are considered to be important processes determining the efficiency of phytoremediation of petroleum pollution, however relatively little is known about how these interactions are influenced by petroleum pollution. In this experimental study using a microcosm approach, we examined how plant ecophysiological traits, soil nutrients and microbial activities were influenced by petroleum pollution in Phragmites australis, a phytoremediating species. Generally, petroleum pollution reduced plant performance, especially at early stages of plant growth. Petroleum had negative effects on the net accumulation of inorganic nitrogen from its organic forms (net nitrogen mineralization (NNM)) most likely by decreasing the inorganic nitrogen available to the plants in petroleum-polluted soils. However, abundant dissolved organic nitrogen (DON) was found in petroleum-polluted soil. In order to overcome initial deficiency of inorganic nitrogen, plants by dint of high colonization of arbuscular mycorrhizal fungi might absorb some DON for their growth in petroleum-polluted soils. In addition, through using a real-time polymerase chain reaction method, we quantified hydrocarbon-degrading bacterial traits based on their catabolic genes (i.e. alkB (alkane monooxygenase), nah (naphthalene dioxygenase) and tol (xylene monooxygenase) genes). This enumeration of target genes suggests that different hydrocarbon-degrading bacteria experienced different dynamic changes during phytoremediation and a greater abundance of alkB was detected during vegetative growth stages. Because phytoremediation of different components of petroleum is performed by different hydrocarbon-degrading bacteria, plants’ ability of phytoremediating different components might therefore vary during the plant life cycle. Phytoremediation might be most effective during the vegetative growth stages as greater abundances of hydrocarbon-degrading bacteria containing alkB and tol genes were observed at these stages. The information provided by this study enhances our understanding of the effects of petroleum pollution on plant-microbe interactions and the roles of these interactions in the phytoremediation of petroleum-polluted soil