BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//Talks.cam//talks.cam.ac.uk//
X-WR-CALNAME:Talks.cam
BEGIN:VEVENT
SUMMARY:Hardware Support for Compartmentalisation - Robert Norton
DTSTART:20150915T130000Z
DTEND:20150915T140000Z
UID:TALK60812@talks.cam.ac.uk
CONTACT:Peter Sewell
DESCRIPTION:Compartmentalisation is a technique to reduce the impact of se
 curity bugs by enforcing the ‘principle of least privilege’ within app
 lications. Splitting programs into separate components that each operate 
 with minimal access to resources means that a vulnerability in one part is
  prevented from affecting the whole. However\, the performance costs and 
 development effort of doing this have so far prevented widespread deployme
 nt of compartmentalisation\, despite the increasingly apparent need for be
 tter computer security. A major obstacle to deployment is that existing co
 mpartmentalisation techniques rely either on virtual memory hardware or pu
 re software to enforce separation\, both of which have severe performance 
 implications and complicate the task of developing compartmentalised appl
 ications.\n\nCHERI (Capability Hardware Enhanced RISC Instructions) is a r
 esearch project which aims to improve computer security by allowing softwa
 re to precisely express its memory access requirements using hardware supp
 ort for bounded\, unforgeable pointers known as capabilities. One conseque
 nce of this approach is that a single virtual address space can be divided
  into many independent compartments\, with very efficient transitions and 
 data sharing between them.\n\nIn this talk I will describe the compartment
 alisation features of CHERI and present the results of benchmarks comparin
 g them to traditional techniques.
LOCATION:FW26
END:VEVENT
END:VCALENDAR
