Last year, 46% of UK businesses reported cyber-attacks or breaches. Cyber-attacks cost small/nano businesses £175m last year in Greater Manchester alone; 56,000 small businesses were attacked, of which 12,000 were attacked weekly. The MOJO project is motivated by the commitment of THG PLC to have the best possible security protection for its e-commerce and hosting business. This extends to wanting to understand how future Arm platforms, as represented by the Morello System-on-Chip (SoC), could improve the security of its business while contributing directly to the Morello software ecosystem.
The project is led by THG, a world leader in the e-commerce sector, which works to ensure that its e-commerce services and data centre hosting provide advanced security technologies. THG's e-commerce platform runs in data centres across the world, and it is under constant attack due to its prominent market position. THG has accumulated wide-ranging cybersecurity experience and a growing volume of data collected from such attacks. THG is assisted by the University of Manchester (UoM). The team at UoM has unique research expertise on Java Virtual Machines and Arm systems.
MOJO will enrich the Arm-developed technology platform (Morello platform and software stack) by developing an open-source, robust, mature and security-enhanced Java Virtual Machine (JVM). JVMs are of key importance for THG, as well as for most software developers. The Morello ecosystem lacks important software technology for data centres; for example, Scala- and Java-based big data frameworks (such as Apache Spark, Flink, Kafka, Elasticsearch, Storm, Cassandra, Giraph, ...), which require a mature and robust JVM.
The social and economic benefits of a security-improved JVM are directly associated with reducing the potential impact of security breaches and attacks, and the costs required to secure digital businesses and services. The societal impacts are improved public perception of the benefits of technology, and less disruption to the daily activities of individuals in society due to security incidents and service outages across public, government, and paid-for digital services. Demonstrating the enhanced security capabilities in JVMs strengthens the global and, especially, UK impact on online business, the public and government services and objectives. Finally, the proposed robust and mature JVM will enrich the Morello software ecosystem capable of protecting against future cyber-attacks.
This project is adapting a full-scale open-source desktop software environment for the Arm Morello board, making novel use of CHERI's fine-grained memory safety and scalable software compartmentalisation features to mitigate an expected three quarters of past software vulnerabilities in that software stack. This project will consist of three key elements combining practical engineering with empirical computer science:
(1) Building on foundations laid in our prior DSbD 'de minimis' project, we will develop a memory-safe and compartmentalized desktop environment illustrating key CHERI protection properties on the Arm Morello board. Software components will include GPU device drivers, windowing system, KDE desktop environment, and Chromium web browser;
(2) As well as developing this work as open source, we will produce software releases at regular intervals throughout the project to ensure that they are available for use by the broader DSbD community; and
(3) We will thoroughly evaluate this work considering aspects such as adaptation and longer-term maintenance difficulty, performance overheads (especially user-facing latency), and security impact.
The result will be an open-source desktop environment suitable for use on the Arm Morello board, demonstrating its hardware protection features with a CHERI software corpus exceeding 60MLoC, more than doubling the size of the 30MLoC corpus demonstrated to date. We will report on all aspects of the work and evaluation, seeking to publish via technical reports and, as appropriate, research publications.
This project is assessing the applicability and viability of DSbD technologies to a complete open-source desktop environment software stack. Through a blend of static and dynamic analysis, as well as prototyping, we will identify opportunities to deploy CHERI memory protection and software compartmentalization within software components such as window systems, desktop toolkits and environments, as well as key applications such as web browsers. We will assess the potential cost, complexity, and overheads associated with CHERI deployment in those software environments, and make recommendations for future work to deploy CHERI protection within these open-source stacks.