Partner: Arm

Architecting the future

Arm and Cambridge University are working together to make our phones and computers more secure, more efficient and ready for the digital revolution.

Self-driving vehicles, companion robots and supercomputers that can help to advance medicine, predict and mitigate natural disasters, solve energy problems, tackle climate change and study the origins of the universe.

What do all these things have in common? They are all being made possible by know-how and technology developed by Cambridge success story and leading semiconductor IP company, Arm.

Arm-based technology is used by billions of people in their phones and computers every single day. As 5G, the internet of things and AI become part of the fabric of our lives that number will only get bigger. However, while these advances promise huge benefits, they also bring with them significant risk – not least, greater exposure to cyber attacks.

Securing the future

Computer security is not a new problem. Microsoft has been publishing its annual Microsoft Digital Defense Report since 2005. This year’s edition makes particularly gloomy reading, as it describes how opportunistic cybercriminals have taken advantage of people’s emotional and computing vulnerabilities at this time of global pandemic.

For chief architect at Arm, Richard Grisenthwaite, “Computer security is the greatest problem computing has to address in order to reach its full potential.”

And that problem is one that the University of Cambridge and Arm have been working on together since 2014, through a project called CHERI.

The idea was first hatched in 2010, when researchers Dr Robert Watson and Professor Simon Moore at the University’s Department of Computer Science and Technology asked themselves a fundamental question: “If you were starting from scratch, what would you need to do to both hardware and software to make computers more secure?”

They were asking themselves this question because the computers we use today – and the programmes written for them – are rooted in the technology of the 1970s, a time, according to Professor Peter Sewell, another key player in the CHERI story, “when most people didn’t know how to design more securely and, even if they did, they had no clue that they needed to.” Back in the days of glitter and flares, computing had not yet become an adversarial enterprise.

Fifty years later, the situation could not be more different. Security is a huge challenge for organisations and individuals alike, and it’s a problem which will only be amplified by advances in AI and big data.

"But the hardware we use today has significant limitations," explains Sewell. "It doesn't give us good enough memory protection and it doesn't let us compartmentalise software sufficiently.”

"CHERI," Watson continues, "addresses both of these issues. It allows you both to isolate more programmes, more effectively and to protect and compartmentalise within a programme so that if, say, a virus gets into your mail, it would not be able to wreak havoc across all your accounts, folders, messages and attachments."

"To put this in context," Moore added, "Microsoft’s research of its own vulnerabilities from the last 10 years indicates that 70 per cent of them were memory safety bugs, the majority of which could have been mitigated if CHERI had been deployed.”

What's different about CHERI?

"Normally, in computer science," Watson explains, "we experiment by changing one thing at a time, keeping everything else the same and seeing what happens. For software researchers, that generally means sticking to the same hardware and for hardware researchers, sticking to the same software with both trying to limit the changes they have to make to the architecture (or interface) between them.

"The problem with that approach," he continues, "is that you can only make relatively narrow, incremental improvements. CHERI is so revolutionary because we are changing the architecture, hardware and software all at the same time. There are only a handful of research labs in the world with the breadth and depth of expertise to attempt this."

With funding from DARPA, and in close collaboration with Peter Neumann at SRI International (a non-profit research lab based in California), Watson and Moore made good progress with their ambitious plan over the next four years, working together on the architecture while Watson focused principally on the software and Moore on the hardware.

They were later joined in their endeavour by applied semantics expert, Sewell, who was already working with Arm on other aspects of its architecture. His role in CHERI is to ensure that the architecture is mathematically well-defined and that its security properties are mathematically provable.

How it happened

Like many collaborations, the circumstances in which CHERI came about were to some extent accidental.

By 2014, Watson and Moore were making good progress. From the start, they had thought that Arm would be the perfect commercialisation partner. Watson explains why: "We were proposing a fundamental change to architecture that requires new hardware and transforms the software that runs on it. Bringing new architecture to market is what Arm does."

However, at that stage, the pair felt they weren’t quite ready to make the first approach. Fate intervened, in the form of one of Moore’s PhD students whose next-door neighbour worked at Arm and suggested that he come along and give them an informal talk about his work. Mildly concerned, Moore decided he ought to go along.

This turned out to be a good decision, as the normally reliable student managed to get lost on the way, and Moore had to ad lib until he turned up. Moore explained, “It just so happened that, most unusually, Richard Grisenthwaite was not busy that lunchtime and was sitting at the back of the room. He was really interested in what we had to say.”

That was the start of a powerful collaboration, built on a convergence of mutual interests. For the Cambridge team, the potential scale of implementation was a hugely exciting prospect. The ubiquity of Arm IP means that CHERI, if adopted, will be guaranteed a near universal take-up.

However, Arm can only deploy a technology that is both desirable and beneficial to its ecosystem partners. And, although according to Grisenthwaite, “CHERI has been described by some of Arm's major partners as potentially the most interesting step forward in computer security under consideration”, its deployment is not yet a given.

Graeme Barnes, lead architect and distinguished engineer at Arm said, “CHERI is potentially a very big deal but it’s also a big change. We need to prove to people that it brings significant benefits and is deployable.”

An academic prototype, however impressive and well-referenced in the literature, is not going to cut it with companies that are being asked to make a significant investment – potentially tens or hundreds of millions of dollars – in this new approach.

Hardware designers in industry need to be convinced that CHERI is buildable. Software developers need to be able to try it out, and get excited about it. CHERI was going to need a proper, industrial quality prototype – and that would take tens of millions of pounds to develop.

An early CHERI prototype developed at the University of Cambridge

Recognising the importance of security to its digital infrastructure, in 2019 the UK government backed a Digital Security by Design Challenge, which awarded £70 million in funding to the prototyping effort, which by now had acquired the name, Morello.

The £70 million was matched by a further £117 million from Arm and other industry partners including Microsoft and Google, enabling Barnes and his team – in close collaboration with Cambridge and the University of Edinburgh – to develop Morello, described by Grisenthwaite as “a ground-breaking and unprecedented industrial-scale prototype of the CHERI concepts in the context of the Arm architecture.”

"It's important to remember Morello has now become a national effort," says Watson. In 2020, £8 million of the Digital Security by Design programme’s funds went to support projects at eight UK universities (including Cambridge) carrying out Morello-related research over the next four years.

An energy efficient, high performance future

CHERI and Morello are central to the University-Arm relationship right now but the partnership also encompasses a number of other long-term collaborations.

Separate to his involvement in CHERI, Sewell has been working with Arm for more than a decade trying to better define the memory model at the heart of Arm’s architecture. One of the reasons we have seen such huge advances in computing performance in recent years is because processors are now able to execute the tasks set by programmes out of order, as opposed to sequentially. This ‘concurrency’ makes processing much more efficient but it can also cause errors.

Sewell's team, together with Arm and other colleagues, set about describing the memory model mathematically for the first time and, in doing so, revealed areas of ambiguity that could cause potential problems. This pioneering work enables these systems to achieve higher performance in a more reliable manner.

In 2011, Dr Timothy Jones joined the University on a Postdoctoral Fellowship from the Royal Academy of Engineering. “Fellowship holders are expected to find a mentor and most choose an eminent academic,” Jones explained. “I figured I could ask any professor in any university for advice any time I needed it so why don’t I find someone a bit different? I noticed that Warren East [CEO of Arm at the time] was on the list and thought why not?”

This was the start of a fruitful relationship. Initially, Jones spent two or three days a week at Arm, where he was given a desk, computer and “access to everything”.

Over time, as his departmental responsibilities increased, this was gradually scaled back but the deep engagement continued through Arm’s funding of PhD students: four fully-funded and two part-funded with EPSRC through its iCASE awards scheme.

Jones and his PhD students have been focusing on how to improve computing performance, particularly in this era of big data. One of the ways they have been doing this is through ‘prefetching’ – collecting data in advance and storing it close to where it will be needed. To optimise this process, they designed a new kind of architecture which spreads the workload across multiple small cores rather than concentrating it all through one large, high-performing core.

Having devised this novel approach, they then applied it to other problems such as reliability in safety critical systems. For example, the system that controls your anti-locking braking system runs the same programme twice, one very fractionally behind the other so that if an error occurs, it is logged and checked with the duplicate and remedial action taken.

“Our distributed architecture would produce the same results,” says Jones, but “with a fraction of the area and a fraction of the power overhead.”

Another productive area of investigation has been vectorisation – where a single stream of instructions runs on multiple streams of data at the same time – which also delivers important efficiency and performance benefits.

For Jones, the benefits of the collaboration have been huge: “Ultimately, you don’t want to just publish papers, you want to influence products. Our relationship with Arm means we can talk to people who can point you in the direction of interesting problems that you might not be aware of – or steer you away from problems which are either not very important or for which solutions already exist.”

Funded PhDs are also an important dimension of the relationship. Each of them has a mentor at Arm and regular contact. Thomas Grocutt, embedded research architect, explains that from Arm’s perspective this has a number of benefits: “As well as making the results of their work more applicable to the problems we are facing, we also see it as a great way of spotting really good talent."

Future-proofing the future

Arm processors will need to cope with the advances in machine learning and robotics that are just round the corner.

Fellow and senior director of Research Technology at Arm Research, Stuart Biles explains: “We are tasked with essentially building future value for the company, in the technological sense. So part of our job is to anticipate what future problems or roadblocks to the success of the company are going to be.”

One of those future challenges – and opportunities – is around machine learning. In spite of all the hype around it, Richard Turner, Professor of Machine Learning in the Department of Engineering, cautions there is still a long way to go before it can really work “in the wild”.

“There are two main reasons why self-driving cars haven’t happened yet,” says Turner. “The first is that machine learning methods have not yet learnt to deal with uncertainty. In fact, they are supremely overconfident. While it’s not a disaster if they tag a picture on your phone incorrectly, it is if they fail to spot a pedestrian about to step off a pavement.”

The second yet-to-be-solved problem is that “current methods are all trained in one go on handcrafted datasets which need an expert to set them up. If you come along a month later with a new model of car that you want it to recognise, it essentially has to be retrained from scratch.”

At the moment, according to Turner, that is a “cumbersome process which has to be done on a server somewhere. It can’t be done, for example, on a mobile phone.” But, he says, “as we enter an era of increasing personalisation, we need to move towards what’s known as ‘lifelong learning’.”

From a chip design perspective, that means an architecture that can handle the demands of modern AI algorithms. By working with experts like Turner, alongside its own dedicated machine learning business unit, Arm is able to get valuable insights into the latest techniques and their implications for its own products.

Advanced memories materials specialist, Judith Driscoll, Royal Academy of Engineering Professor of Emerging Technologies in the Department of Materials Science and Metallurgy, has also been exploring opportunities for collaboration with Arm. Her research group engineers oxide materials at the nanoscale with a wide range of industrial applications.

“Resistive switching effect could lead to a new kind of low power, high performance computing,” the need for which is also being driven by advances in machine learning and big data. Driscoll points out that “Computing isn’t just about algorithms and things. You do actually need to make stuff – and what you make it out of is critical.”

Why the partnership works today

For Sewell, working with Arm on the CHERI project provides “the opportunity to work on something which by academic standards is on a very large and serious scale. There’s a tremendous reality of engineering that most academic projects don’t attempt and can’t afford.”  

For Biles, there are a number of factors that make the collaboration successful. Firstly, the quality of the research: “You know they are well-respected researchers in their fields. When we start following a particular track, we will see the papers they have published.”

Secondly, geographical proximity undoubtedly helps, except during a pandemic. “In normal circumstances, it does change the dynamic significantly in that people can jump into a car or get on their bikes and go for fairly impromptu meetings, just to chat over interesting topics. It introduces an ease into the relationship which makes it more likely to be perpetuated.”

Finally, Biles points to Cambridge’s interest in combining blue-sky thinking with real-world application. “The folks that we work with have a nice combination of following their own path but they are also interested and engaged with some of the constraints that industry bring them. They view it as an interesting challenge.” 

The future?

The Digital Security by Design project is a five-year undertaking that began in 2019. The Morello prototype is on track for completion in 2022, at which point it will be made available to Arm’s ecosystem of software companies, tool developers and academic institutions. They will have a further two and a half years to test, write code and provide critical feedback.

All of those involved at the University and Arm are eagerly awaiting the outcome of this process which has the potential to make all our digital lives safer and more secure.

As that story plays out, both parties continue to explore other areas of mutual interest: looking for new ways to improve the performance and efficiency of computing and sharing knowledge as the machine learning revolution unfolds.
