Memory Safety Is Key to Preventing Hardware Hacks

The Spectre and Meltdown vulnerabilities in 2018 exposed computer memory as an easy target for hackers to inject malicious code and steal data. The aftermath spurred the adoption of memory-safe chips and programming tools to secure a computer's cache and RAM, where data is temporarily stored as programs are being executed.

Microsoft is accelerating efforts to protect memory in its Windows systems from errors such as buffer overflows, which allow hackers to inject malicious code or steal data from memory. The company is transitioning many system applications to the Rust programming language, which the company hopes will solve memory-safety issues caused by code written in C++. C++ is not memory-safe and can create buffer overflows.

Separately, a group of chip makers in June established a consortium named the CHERI Alliance, which is creating a secure hardware architecture to protect data stored in memory.

Memory-safe architectures and programming languages eliminate potential avenues for human programmer error, says James Sanders, an analyst at TechInsights.

"It's exceedingly easy in languages like C and C++ to inadvertently introduce a memory-safety-related vulnerability, even for highly skilled, formally educated programmers, in development scenarios that enforce 'best practices'," Sanders says.

About three-quarters of the bugs that Microsoft fixes are from the memory safety category, says Dave Weston, vice president of enterprise and OS security at Microsoft.

Microsoft is initially transitioning system firmware and software that manages PC hardware from C++ to Rust. The shift to Rust is part of a program called Secure Future Initiative, which intends to make hardware reliable and safe, Weston says.

The company has made a security chip called Pluton — which authenticates users and protects biometric data — mandatory in its new artificial intelligence (AI) PCs.

"We have ported our real-time operating system that runs on top of Pluton to be Rust based," Weston says.

CHERI's Goal to Mitigate Risks

The CHERI (Capability, Hardware, Enhanced RISC Instructions) Alliance creates a hardware and software protection model for memory. The alliance's goal is to mitigate risks of memory errors and hacks, which are commonly patched by software and hardware makers.

CHERI creates a memory audit layer by encoding data that is verified every time memory is accessed, said Franz Fuchs, a researcher at the University of Cambridge, during a presentation at the RISC-V Summit Europe in June.

The tagged data describes the memory region, the type of memory, the capabilities, and other information based on what it verifies and authorizes access to data in memory.

The University of Cambridge has developed memory-safe chip architectures based on these designs. It has also developed memory-safe operating systems and programming tools.

"CHERI gives you a lot of primitives for building a memory safe operating system, regardless of the language you're building," Microsoft's Weston says.

But the challenges include developers not having a security-first mindset, experts say. Windows was built on C++, and developers are not motivated to shift to Rust.

Also, side-channel attacks on CPUs and GPUs won't go away, which will leave memory vulnerable, says Daniel Gruss, professor in information security at the Graz University of Technology.

"As much safety as Rust in the kernel will bring us, we'll just move on to the next type of bug," Gruss says. "We still have memory safety bugs today."

Hackers are also finding ways to break into newer memory types used in modern processors, such as GPUs, says Jim McGregor, principal analyst at Tirias Research.

"The instruction set is different for GPUs, which might pose some challenges," he says. "However, memory is memory, so reading memory contents would be the same."The Spectre and Meltdown vulnerabilities in 2018 exposed computer memory as an easy target for hackers to inject malicious code and steal data. The aftermath spurred the adoption of memory-safe chips and programming tools to secure a computer's cache and RAM, where data is temporarily stored as programs are being executed.

Microsoft is accelerating efforts to protect memory in its Windows systems from errors such as buffer overflows, which allow hackers to inject malicious code or steal data from memory. The company is transitioning many system applications to the Rust programming language, which the company hopes will solve memory-safety issues caused by code written in C++. C++ is not memory-safe and can create buffer overflows.

Separately, a group of chip makers in June established a consortium named CHERI Alliance, which is creating a secure hardware architecture to protect data stored in memory.

Memory-safe architectures and programming languages eliminate potential avenues for human programmer error, says James Sanders, an analyst at TechInsights.

"It's exceedingly easy in languages like C and C++ to inadvertently introduce a memory-safety-related vulnerability, even for highly skilled, formally educated programmers, in development scenarios that enforce 'best practices'," Sanders says.

About three-quarters of the bugs that Microsoft fixes are from the memory safety category, says Dave Weston, vice president of enterprise and OS security at Microsoft.

Microsoft is initially transitioning system firmware and software that manages PC hardware from C++ to Rust. The shift to Rust is part of a program called Secure Future Initiative, which intends to make hardware reliable and safe, Weston says.

The company has made a security chip called Pluton — which authenticates users and protects biometric data — mandatory in its new artificial intelligence (AI) PCs.

"We have ported our real-time operating system that runs on top of Pluton to be Rust based," Weston says.

CHERI's Goal to Mitigate Risks

The CHERI (Capability, Hardware, Enhanced RISC Instructions) Alliance creates a hardware and software protection model for memory. The alliance's goal is to mitigate risks of memory errors and hacks, which are commonly patched by software and hardware makers.

CHERI creates a memory audit layer by encoding data that is verified every time memory is accessed, said Franz Fuchs, a researcher at the University of Cambridge, during a presentation at the RISC-V Summit Europe in June.

The tagged data describes the memory region, the type of memory, the capabilities, and other information based on what it verifies and authorizes access to data in memory.

The University of Cambridge has developed memory-safe chip architectures based on these designs. It has also developed memory-safe operating systems and programming tools.

"CHERI gives you a lot of primitives for building a memory safe operating system, regardless of the language you're building," Microsoft's Weston says.

But the challenges include developers not having a security-first mindset, experts say. Windows was built on C++, and developers are not motivated to shift to Rust.

Also, side-channel attacks on CPUs and GPUs won't go away, which will leave memory vulnerable, says Daniel Gruss, professor in information security at the Graz University of Technology.

"As much safety as Rust in the kernel will bring us, we'll just move on to the next type of bug," Gruss says. "We still have memory safety bugs today."

Hackers are also finding ways to break into newer memory types used in modern processors, such as GPUs, says Jim McGregor, principal analyst at Tirias Research.

"The instruction set is different for GPUs, which might pose some challenges," he says. "However, memory is memory, so reading memory contents would be the same."