Verified Security for the Morello Capability-enhanced Prototype Arm Architecture

Abstract Memory safety bugs continue to be a major source of security vulnerabilities in our critical infrastructure. The CHERI project has proposed extending conventional architectures with hardware-supported capabilities enable fine-grained memory protection and scalable compartmentalisation, allowing historically memory-unsafe C C++ adapted deterministically mitigate large classes vulnerabilities, while requiring only minor changes existing system software sources. Arm is currently designing building Morello, CHERI-enabled prototype architecture, processor, SoC, board, the high-performance Neoverse N1, industrial evaluation pave way for potential mass-market adoption. However, such new security-oriented architecture feature, it important establish high confidence that does provide intended protections, cannot done engineering techniques. In this paper we put Morello on solid mathematical footing from outset. We define fundamental property aims provide, reachable capability monotonicity, prove definition satisfies it. This proof mechanised Isabelle/HOL, applies translation official specification instruction-set (ISA) into Isabelle. main challenge handling complexity scale production architecture: 62,000 lines specification, translated 210,000 do so by factoring via narrow abstraction capturing essential properties arbitrary ISAs, expressed above monadic intra-instruction semantics. also develop model-based test generator, which generates instruction-sequence tests give good coverage, used early testing implementation QEMU development, use Arm’s internal suite validate model. gives us machine-checked proofs whole-ISA full-scale industry at design-time. To best knowledge, first demonstration feasible, significantly increases Morello.