The modern semiconductor supply chain uses overseas foundries, third-party IP and third-party test facilities. However, with so many different untrusted entities, this design and fabrication outsourcing has exposed silicon chips to a range of hardware-based security threats such as counterfeiting, IP piracy, reverse engineering and hardware Trojans (HT). A hardware Trojan is a malicious modification of a circuit in order to control, modify, disable, monitor or affect the operation of the circuit. Although there have been no public reports of HTs detected in practice, in 2020, the cybersecurity company F-Secure published a report on their investigation into a pair of counterfeit Cisco Catalyst 2960-X series switches . While these devices did not have back-door functionality, they did employ measures to bypass processes that authenticate system components and F-Secure stated that motivated attackers use the same approach to insert hardware trojans to stealthily backdoor companies. Such hardware threats are major security threats for safety-critical and embedded systems applications, for e.g in the medical, automotive or transport sectors. Due to the nature of this clandestine industry, it is very difficult to ascertain the true scale of the problem. However, in recent years both the sovereignty and cyber security of the semiconductor supply chain have become significant concerns for many countries. The recently published EU Cyber Resilience Act (September 2022) outlines essential cybersecurity requirements for products with digital elements and states that such produced ''shall be delivered without any known exploitable vulnerabilities'. In addition, the 2022 National Cyber Strategy 2022 outlines the need to 'ensure that wherever possible the next generation of connected technologies are designed, developed and deployed with security and resilience in mind and ... embrace a 'secure by design' approach'. The overall goal of the TruDetect project is to develop a trustworthy DL-based HT detection system that can be easily integrated into a security verification framework in EDA tools. This will include the design of novel countermeasures that ensure trustworthiness of the DL-based HT detection system against adversarial HTs and the use of Explainable AI to offer a comprehensive analysis of the DL system behaviour.

The Chrompartments project will explore hybrid compartmentalisation for web browsers using Chrome as a concrete example. Browsers are systemically important but present a large attack surface due to their scale and complexity: they are a magnet for attackers with frequent published attacks. Chrompartments will use CHERI to split browsers into mutually distrusting compartments, making them more resilient and performant. We will use Chrome (in the form of its open-source variant Chromium) as the vehicle for our experimentation because it is the most widely used browser and it is already partially compartmentalised in a way that we can build upon. Chrome tries when possible to split itself into process-based compartments (roughly speaking: 1 process per tab; and some core components such as graphics are split into separate processes). However, this model is heavyweight: OS processes consume considerable resources and many devices (particularly phones) quickly hit their process limits, forcing the browser to merge multiple tabs in a single process; and communication between processes is painfully slow. Some security-critical components (e.g. V8, Chrome's JavaScript engine) would ideally be split out too, but resource and performance constraints make this impractical. We will use CHERI's "hybrid mode" (i.e. where both traditional width pointers can be used alongside capabilities) to split Chrome into process-like compartments. Most code will use traditional width pointers and will be boxed into compartments; pure capabilities will allow us to emulate various forms of inter-compartment communication. We hypothesise that this will lead to greater practical security, and require fewer changes, than the ideal pure-capability-based compartmentalisation. Our overall aim is thus first to replace Chrome's process-based model with CHERI compartments, and then break those crude compartments into finer-grained compartments, enhancing security without significantly affecting performance. As well as significant engineering, there is also important research: processes give some guarantees (e.g. against some side-channel attacks) that CHERI compartments do not currently give. We will explore these guarantees and replicate them for CHERI compartments where their existence is necessary for browser security. After converting process-based isolation to CHERI compartmentalisation, Chrompartments will operate in two strands: V8, the JavaScript engine; and the graphics stack. Both strands contain significant challenges: for example, the graphics stack is currently contained within a single process no matter how many sites are using it. Understanding the right compartmentalisation points will be critical to Chrompartments' success and lead to a much greater understanding of how to use CHERI on large-scale systems.

Modern big-data workloads are currently run on processors that are ill suited to extracting high performance from them. These workloads request data from DRAM main memory in unpredictable patterns, and so existing hardware and software solutions are ineffective at anticipating the high-latency work that is necessary. Today's computer processors are constantly stalled waiting for data to return from memory, with low throughput and inefficient execution. The untapped potential is significant. Many big-data workloads show potential forms of memory-level parallelism, where complex sequences of operations can be reordered and overlapped to hide much of the latency, and thus achieve high throughput. While compute-bound workloads have been greatly aided by special vector instructions, which calculate many operations simultaneously, the same cannot yet be said for memory-bound big-data workloads. This project seeks to marry compute parallelism with memory parallelism. We will redesign memory access methods with vectorisation in mind. This will allow us to prefetch, or anticipate the demands of, many complex sequences of compute and memory access all at once. We believe it is possible to make high-performance, efficient software mechanisms for prefetching that are as performant as dedicated hardware. Our new mechanisms will exploit a new concept called gather-level parallelism, by utilising and redesigning vector methods to achieve extreme memory-level parallelism without breaking the bank on programmable compute. To succeed, we will require new changes throughout both the compiler and the underlying hardware architecture. Gather-level parallelism stands to bring about a paradigm shift in how memory is accessed in today's systems. This is particularly pressing in an era where big-data workloads are already inefficient, and threatened further by the security mitigations necessary to eliminate the recently discovered Spectre vulnerabilities in today's computer processors. These cause even greater challenges in memory latency due to the restrictions used to hide vulnerabilities, thus making high-performance memory techniques even more pressing. The status quo, a choice between performance and security, on big data that is often sensitive, cannot be allowed to continue.

Our society is increasingly reliant on digital devices that are capable of performing several tasks at the same time: tablets, smartphones, our personal computers, they all contain processors capable of executing multiple instructions concurrently. Bugs in these processors, such as the recent Meltdown and Spectre, can seriously compromise the security and safety of their users. As the complexity of these systems increases, there is a pressing need to automate the assessment of their correctness, especially with respect to concurrency-related aspects. Formal verification is a highly effective technique to automatically check important properties of systems. It relies on a machine-readable abstraction of the actual system---a model. A key strength of formal verification is that, when the model is accurate enough, it is able to find bugs that would be hard to find and reproduce using traditional testing alone. However, these models are usually built by humans and as such can be error-prone and inaccurate. Moreover, sophisticated concurrent behaviours such as weak-memory concurrency make modelling even more challenging. The overall goal of this project is to develop a verification framework for hardware systems that uses artificial intelligence to automatically build and verify better models. Ultimately, this will lead to lower production costs and more reliable hardware. This is particularly important for companies that design hardware units destined to large-scale production, such as ARM: a bug in the design may lead to millions of faulty units being manufactured. The novel idea behind this project is to rely on the model learning paradigm, originally proposed in AI, to automatically build a model of a running system in a black-box fashion---from a series of observations of the behaviour of the system. This approach can be very effective in taming complexity and achieving scalability: by treating the whole system, or some of its components, as black-boxes, one can fine-tune the level of detail of the model and focus the analysis on specific features. In recent years model learning has started to be successfully applied in a variety of academic and industrial contexts. However, the models developed using this approach are all inherently sequential. The verification of concurrent behaviour in hardware systems is an unexplored, challenging, and potentially rewarding application that this project proposes to explore.

The 'Capabilities for Coders' project involves the creation and curation of a set of freely available Morello coding resources for system developers. Standard developer behaviour involves interactive searching through online forums like StackOverflow and web tutorials like W3Schools. Currently there are no relevant targeted resources available for the Arm Morello system, and very few sites covering CHERI concepts in a developer-friendly style. This project will set up a one-stop shop for Morello programming, in the form of an open-access, online, interactive textbook called 'Capabilities for Coders'. This will be in the best tradition of programming language books - written by coders for coders. The unique appeal of this learning resource will be the inclusion of a large set of open-source code templates and fragments, effectively a library of reusable software samples for Morello applications written in C and C++ with assembler code where necessary. The textbook and accompanying code samples will serve to enrich understanding of the current and evolving Morello stacks, providing support for existing developers and new arrivals in this domain. Because the learning resources are hosted online, it will be straightforward to keep them up-to-date (unlike hardcopy textbooks). Because the learning resources will be developed using the github platform, any user will be able to submit corrections and change requests. This will ensure the ongoing relevance of the project as the Morello technology evolves over time. The project outputs will be open-access and freely available online. There will be no registration requirement or paywall. The site will be indexed by all major search engines. The resources will be clear, globally visible and highly accessible. These resources will provide direct, immediate benefit to the Morello ecosystem of developers. At this stage, it is not possible to give a full table of contents for the online textbook. However, topics broadly covered will include: motivating the need for memory safety in systems code, hardware capabilities for memory safety, motivating compartmentalization in modern systems software, hardware capabilities for compartments, porting legacy applications to Morello, debugging capability-based code, performance engineering for capability-based code, and future directions. Each topic will be accompanied by an extensive range of open-source code examples to illustrate the various concepts. These software samples will be easily reusable by developers in their own code projects. Additionally, the 'Capabilities for Coders' project will serve the community by posting relevant answers on StackOverflow and producing a podcast series.