The government’s investment is a drop in the ocean for an issue that should be front and center for the semiconductor industry.

Amongst all the Brexit activity, the UK Government announced late last week that it would invest £36 million in helping develop a new secure chip architecture. The money, being given to semiconductor intellectual property (IP) provider Arm, aims to “help make the UK a world leader in tackling many forms of cyber threats to online products and services” as part of its Digital Security by Design initiative.

While the severity of some hardware-based vulnerabilities in recent years highlights that chip security is an issue that needs addressing, some in the industry argue this isn’t the best way the government could be supporting better cybersecurity in the UK, especially given the money involved.

Government funding cyber-threat resistant chips

The announcement itself is vague, simply saying the government is working with Softbank-owned Arm to “develop new chip technologies that are more resistant to cyber threats.” It doesn’t say what the government’s money will be used for, and details of the project it is funding have to be found elsewhere.

The money is funding the Capability Hardware Enhanced RISC Instructions (CHERI) Project, a new chip architecture designed by Cambridge University. The money will help Arm develop a working board using the CHERI architecture.

“Security in chipsets is a national and strategic requirement, and so it’s positive to see the government investing,” says Marc Canel, vice president of strategy – security at UK chipmaker Imagination Technologies. “Improvements to chip security are an important complement to the software work that needs to embrace security for all connected devices through their lifecycles.
This is being quite well done by tier-1 OEMs today but is difficult for the lower tiers to invest sufficiently in hardware and software to deliver.”

While investing in better chip security is no doubt a good thing, the announcement also pitches this investment as if it were entirely for the benefit of UK businesses and not funding for a research project for a global chip company owned by an $80 billion-plus Japanese conglomerate that will likely see a commercial benefit from this news.

While many in the technology space welcomed the news, others were more measured in their response. Ilia Kolochenko, CEO of web security company ImmuniWeb, says he is “cautiously optimistic” over this news. “First of all, the number of attacks and exploitation vectors that are reliably addressable on a hardware level remains pretty narrow. In addition, the time UK business require to migrate to the new hardware platforms will be quite long.”

What is CHERI and why is the UK government funding it?

Around 70% of vulnerabilities addressed through security updates each year are memory safety issues. CHERI is a new architecture that, in part, is designed to help mitigate some of those issues by better walling off and securing memory.

“The CHERI project is an excellent and ambitious initiative that emphasizes a solution to the most common problems of memory management to inject malware in devices,” says Canel. “We anticipate CHERI or at least ideas aligned with CHERI to become part of compute in future generations of mobile devices. This will take some years to percolate through from IP to silicon to OEM to Consumer.”

Created by the University of Cambridge and mainly funded by the US Defense Advanced Research Projects Agency (DARPA) and Google, CHERI aims to provide greater memory protection and scalable software compartmentalization within chip architecture.
The project has been in development since around 2012, and the university has been working with Arm since 2014 developing a CHERI-ARM processor.

As part of the announcement, Arm Chief Architect and Fellow Richard Grisenthwaite said that research into more cyber-resilient chip platforms is critical. “Our first step is to create prototype hardware, the Morello Board, as a real-world test platform for prototype architecture developed by Arm that uses the University of Cambridge’s CHERI protection model. It will enable industry and academic partners to assess the security benefits of foundational new technologies we’re making significant investments in.”

Funding for the CHERI project has totaled more than £117 million, according to Arm, and part of this announcement is to further work on creating the Arm Morello board, a prototype 7nm ARMv8-A processor (based on Arm’s Neoverse N1), SoC, and board implementing CHERI, which the company says will be available from 2021.

“The CHERI initiative may improve chip security in theory, but its new model of memory protection and compartmentalization will take extensive software engineering efforts to make full use of it,” says Ville Baillie, embedded Linux programmer at embedded electronics consultancy ByteSnap Design. “It’s true they have been able to adapt some ABIs to transparently improve security through modifying the compiler and operating system, but many existing ABIs and libraries will not be improved without significant re-engineering.”

Semiconductor industry should be doing more

The UK government has been highly active in recent years around efforts to improve the nation’s cyber security posture. It released an official National Cyber Security Strategy, which acknowledges the common cybersecurity issues many businesses face and the threat actors targeting the country, and looks to remediate them where possible. No. 10 also claims that it intends to invest £1.9 billion in funding as a part of that strategy.
The NCSC was created as part of that strategy, and has been forthcoming with information around how to keep data and systems secure, as well as developing the Cyber Essentials certification scheme.

However, some experts question whether the UK government should be pumping money into such a mature and well-funded industry. According to IC Insights, total US semiconductor industry investment in R&D totaled $38.7 billion in 2018. Arm’s own financials show its R&D expenditure was $713 million in 2017 and $773 million in 2018. The £36 million looks little more than a drop in the ocean in comparison, and some say the industry as a whole should be doing more around the issue.

Chip security is a major issue. Recently discovered hardware vulnerabilities such as Meltdown and Spectre are difficult or even impossible to patch. With the internet of things (IoT) explosion on the horizon, having billions of poorly secured devices is a risk to businesses, national infrastructure and personal health.

“Regarding chip innovation and security, one of the first things we need to tackle as an industry is creating more robust processors,” says Yossi Naar, co-founder and chief visionary officer at Cybereason. “We haven’t been paying enough attention to potential vulnerabilities in chips and that resulted in attacks such as Spectre, Meltdown and newer variations. So first let’s ensure the chips themselves aren’t open to exploitation. I think the UK government’s effort to help secure our future is commendable.”

While chip designers and makers obviously have other technical issues such as performance and energy efficiency to contend with, security should be front and center of how chips are designed.
Perhaps even more so than beating Moore’s Law, given their pervasiveness in the modern world and the difficulty in fixing issues that do arise.

“The government absolutely should not be financing research projects of well-funded chip companies to the tune of millions of public money,” says ByteSnap Design’s Baillie. “That money should be used to put into more funding for the sciences at the university level, where research becomes available for all.”