Author

David Chisnall

Other affiliations: Swansea University, Microsoft
Bio: David Chisnall is an academic researcher from the University of Cambridge. The author has contributed to research in topics: Compiler & Instruction set. The author has an h-index of 18 and has co-authored 53 publications receiving 1420 citations. Previous affiliations of David Chisnall include Swansea University & Microsoft.


Papers
Book
09 Nov 2007
TL;DR: The Definitive Guide to the Xen Hypervisor is a comprehensive handbook on the inner workings of XenSource's open source paravirtualization solution, providing the information needed to harness the Xen hypervisor to develop cost-effective, high-performance Linux and Windows virtual environments.
Abstract: "The Xen hypervisor has become an incredibly strategic resource for the industry, as the focal point of innovation in cross-platform virtualization technology. David's book will play a key role in helping the Xen community and ecosystem to grow." (Simon Crosby, CTO, XenSource) An Under-the-Hood Guide to the Power of Xen Hypervisor Internals. The Definitive Guide to the Xen Hypervisor is a comprehensive handbook on the inner workings of XenSource's open source paravirtualization solution. From architecture to kernel internals, author David Chisnall exposes key code components and shows you how the technology works, providing the information you need to harness the Xen hypervisor to develop cost-effective, high-performance Linux and Windows virtual environments. Granted exclusive access to the XenSource team, Chisnall lays down a solid framework with overviews of virtualization and the design philosophy behind the Xen hypervisor. Next, Chisnall takes you on an in-depth exploration of the hypervisor's architecture, interfaces, device support, management tools, and internals, including key information for developers who want to optimize applications for virtual environments. He reveals the power and pitfalls of Xen in real-world examples and includes hands-on exercises, so you gain valuable experience as you learn. This resource gives you a detailed picture of how all the pieces of the Xen hypervisor fit and work together, setting you on the path to building and implementing a streamlined, cost-efficient virtual enterprise.
Coverage includes:
- Understanding the Xen virtual architecture
- Using shared info pages, grant tables, and the memory management subsystem
- Interpreting Xen's abstract device interfaces
- Configuring and managing device support, including event channels, monitoring with XenStore, supporting core devices, and adding new device types
- Navigating the inner workings of the Xen API and userspace tools
- Coordinating virtual machines with the Scheduler Interface and API, and adding a new scheduler
- Securing near-native speed on guest machines using HVM
- Planning for future needs, including porting, power management, new devices, and unusual architectures

304 citations

Journal ArticleDOI
14 Jun 2014
TL;DR: CHERI, a hybrid capability model that extends the 64-bit MIPS ISA with byte-granularity memory protection, is presented, demonstrating that it enables language memory model enforcement and fault isolation in hardware rather than software, and that the CHERI mechanisms are easily adopted by existing programs for efficient in-program memory safety.
Abstract: Motivated by contemporary security challenges, we reevaluate and refine capability-based addressing for the RISC era. We present CHERI, a hybrid capability model that extends the 64-bit MIPS ISA with byte-granularity memory protection. We demonstrate that CHERI enables language memory model enforcement and fault isolation in hardware rather than software, and that the CHERI mechanisms are easily adopted by existing programs for efficient in-program memory safety. In contrast to past capability models, CHERI complements, rather than replaces, the ubiquitous page-based protection mechanism, providing a migration path towards deconflating data-structure protection and OS memory management. Furthermore, CHERI adheres to a strict RISC philosophy: it maintains a load-store architecture and requires only single-cycle instructions, and supplies protection primitives to the compiler, language runtime, and operating system. We demonstrate a mature FPGA implementation that runs the FreeBSD operating system with a full range of software and an open-source application suite compiled with an extended LLVM to use CHERI memory protection. A limit study compares published memory safety mechanisms in terms of instruction count and memory overheads. The study illustrates that CHERI is performance-competitive even while providing assurance and greater flexibility with simpler hardware.

262 citations

Proceedings ArticleDOI
17 May 2015
TL;DR: This work demonstrates multiple orders-of-magnitude improvement in scalability, simplified programmability, and resulting tangible security benefits as compared to compartmentalization based on pure Memory-Management Unit (MMU) designs.
Abstract: CHERI extends a conventional RISC Instruction-Set Architecture, compiler, and operating system to support fine-grained, capability-based memory protection to mitigate memory-related vulnerabilities in C-language TCBs. We describe how CHERI capabilities can also underpin a hardware-software object-capability model for application compartmentalization that can mitigate broader classes of attack. Prototyped as an extension to the open-source 64-bit BERI RISC FPGA soft-core processor, FreeBSD operating system, and LLVM compiler, we demonstrate multiple orders-of-magnitude improvement in scalability, simplified programmability, and resulting tangible security benefits as compared to compartmentalization based on pure Memory-Management Unit (MMU) designs. We evaluate incrementally deployable CHERI-based compartmentalization using several real-world UNIX libraries and applications.

216 citations

Proceedings ArticleDOI
02 Jun 2016
TL;DR: An in-depth analysis of the design space for the semantics of pointers and memory in C as it is used in practice is described, a step towards clear, consistent, and accepted semantics for the various use-cases of C.
Abstract: C remains central to our computing infrastructure. It is notionally defined by ISO standards, but in reality the properties of C assumed by systems code and those implemented by compilers have diverged, both from the ISO standards and from each other, and none of these are clearly understood. We make two contributions to help improve this error-prone situation. First, we describe an in-depth analysis of the design space for the semantics of pointers and memory in C as it is used in practice. We articulate many specific questions, build a suite of semantic test cases, gather experimental data from multiple implementations, and survey what C experts believe about the de facto standards. We identify questions where there is a consensus (either following ISO or differing) and where there are conflicts. We apply all this to an experimental C implemented above capability hardware. Second, we describe a formal model, Cerberus, for large parts of C. Cerberus is parameterised on its memory model; it is linkable either with a candidate de facto memory object model, under construction, or with an operational C11 concurrency model; it is defined by elaboration to a much simpler Core language for accessibility, and it is executable as a test oracle on small examples. This should provide a solid basis for discussion of what mainstream C is now: what programmers and analysis tools can assume and what compilers aim to implement. Ultimately we hope it will be a step towards clear, consistent, and accepted semantics for the various use-cases of C.

99 citations

Proceedings ArticleDOI
14 Mar 2015
TL;DR: A new memory-safe interpretation of the C abstract machine that provides stronger protection to benefit security and debugging, and refines the CHERI ISA and abstract model for C by combining elements of the CHERI capability model and fat pointers.
Abstract: We propose a new memory-safe interpretation of the C abstract machine that provides stronger protection to benefit security and debugging. Despite ambiguities in the specification intended to provide implementation flexibility, contemporary implementations of C have converged on a memory model similar to the PDP-11, the original target for C. This model lacks support for memory safety despite well-documented impacts on security and reliability. Attempts to change this model are often hampered by assumptions embedded in a large body of existing C code, dating back to the memory model exposed by the original C compiler for the PDP-11. Our experience with attempting to implement a memory-safe variant of C on the CHERI experimental microprocessor led us to identify a number of problematic idioms. We describe these as well as their interaction with existing memory safety schemes and the assumptions that they make beyond the requirements of the C specification. Finally, we refine the CHERI ISA and abstract model for C, by combining elements of the CHERI capability model and fat pointers, and present a softcore CPU that implements a C abstract machine that can run legacy C code with strong memory protection guarantees.

92 citations
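The memory-safe interpretation of C described in the abstract above rests on pointers that carry bounds and permissions which can only shrink as they are derived. The C program below is an added illustration written for this page, not code from the paper or from the CHERI project: it models a capability in software as a base, length, permission set and validity tag (a simplification of the real CHERI encoding, with checks done by function calls rather than by the ISA) and runs the same 12-byte copy into an 8-byte buffer twice, once through a flat PDP-11 style pointer and once through a capability narrowed to the buffer. The frame_t layout, its guard bytes, and every function name are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified software model of a CHERI-style capability. This is an
 * illustration of the idea, not the real CHERI encoding. */
enum { CAP_LOAD = 1u, CAP_STORE = 2u };

typedef struct {
    uint8_t *base;   /* first byte the capability may address */
    size_t   length; /* number of addressable bytes from base */
    unsigned perms;  /* subset of CAP_LOAD | CAP_STORE */
    bool     tag;    /* false once the capability has been invalidated */
} cap_t;

/* A capability covering an entire allocation. */
cap_t cap_from_buffer(void *buf, size_t len, unsigned perms) {
    cap_t c = { (uint8_t *)buf, len, perms, true };
    return c;
}

/* Derive a narrower capability: bounds may only shrink and permissions may
 * only be dropped. Asking for more than the parent holds clears the tag. */
cap_t cap_restrict(cap_t parent, size_t off, size_t len, unsigned perms) {
    cap_t c = parent;
    c.perms = parent.perms & perms;
    if (!parent.tag || off > parent.length || len > parent.length - off) {
        c.tag = false;
        return c;
    }
    c.base = parent.base + off;
    c.length = len;
    return c;
}

/* Byte accessors: 0 on success, -1 if the access is out of bounds, lacks
 * the permission, or goes through an untagged capability. */
int cap_load8(const cap_t *c, size_t off, uint8_t *out) {
    if (!c->tag || !(c->perms & CAP_LOAD) || off >= c->length) return -1;
    *out = c->base[off];
    return 0;
}
int cap_store8(const cap_t *c, size_t off, uint8_t v) {
    if (!c->tag || !(c->perms & CAP_STORE) || off >= c->length) return -1;
    c->base[off] = v;
    return 0;
}

/* Constructed layout: an 8-byte buffer followed by 8 guard bytes standing in
 * for whatever sits next in memory (an adjacent object, a saved register). */
typedef struct { uint8_t buf[8]; uint8_t guard[8]; } frame_t;

static int guard_bytes_clobbered(const frame_t *f) {
    int n = 0;
    for (size_t i = 0; i < sizeof f->guard; i++) n += (f->guard[i] != 0);
    return n;
}

/* Flat PDP-11 style pointer: 12 bytes through an unchecked pointer spill
 * 4 bytes into the guard. Returns the number of guard bytes overwritten. */
int raw_copy_clobbers_guard(void) {
    frame_t f; memset(&f, 0, sizeof f);
    uint8_t src[12]; memset(src, 'A', sizeof src);
    uint8_t *p = (uint8_t *)&f;              /* unbounded, like any C pointer */
    for (size_t i = 0; i < sizeof src; i++) p[i] = src[i];
    return guard_bytes_clobbered(&f);
}

/* Same copy through a capability narrowed to buf: the store at offset 8 is
 * refused and the guard stays intact. Returns bytes written, -1 on clobber. */
int cap_copy_stops_at_bounds(void) {
    frame_t f; memset(&f, 0, sizeof f);
    uint8_t src[12]; memset(src, 'A', sizeof src);
    cap_t frame = cap_from_buffer(&f, sizeof f, CAP_LOAD | CAP_STORE);
    cap_t dst = cap_restrict(frame, 0, sizeof f.buf, CAP_STORE);
    cap_t in = cap_from_buffer(src, sizeof src, CAP_LOAD);
    size_t written = 0;
    for (size_t i = 0; i < sizeof src; i++) {
        uint8_t b;
        if (cap_load8(&in, i, &b) != 0 || cap_store8(&dst, i, b) != 0) break;
        written++;
    }
    return guard_bytes_clobbered(&f) ? -1 : (int)written;
}

/* Monotonic bounds: a narrowed capability cannot be widened back. */
bool widened_cap_is_valid(void) {
    uint8_t arena[16];
    cap_t small = cap_restrict(cap_from_buffer(arena, 16, CAP_STORE), 0, 8, CAP_STORE);
    cap_t widened = cap_restrict(small, 0, 16, CAP_STORE);
    return widened.tag;
}

/* Monotonic permissions: a load-only derivation refuses stores. */
int store_through_load_only_cap(void) {
    uint8_t arena[16];
    cap_t ro = cap_restrict(cap_from_buffer(arena, 16, CAP_LOAD | CAP_STORE), 0, 16, CAP_LOAD);
    return cap_store8(&ro, 0, 0x41);
}

int main(void) {
    printf("raw copy clobbered %d guard bytes\n", raw_copy_clobbers_guard());
    printf("capability copy wrote %d bytes\n", cap_copy_stops_at_bounds());
    printf("widened capability valid: %d\n", widened_cap_is_valid());
    printf("store via load-only capability: %d\n", store_through_load_only_cap());
    return 0;
}
```

The raw copy deliberately stays inside the 16-byte frame_t so that the comparison is defined behaviour; that is why the overflow is measured against guard bytes rather than against a real return address. The last two functions correspond to the two properties the abstract's refinement of the capability model depends on: bounds are monotonic (a narrowed capability cannot be re-widened by arithmetic) and permissions can only be subtracted, which is what lets legacy C idioms keep working while out-of-bounds writes are stopped at the byte where they begin.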


Cited by
01 Jan 1978
TL;DR: This ebook is the first authorized digital version of Kernighan and Ritchie's 1988 classic, The C Programming Language (2nd Ed.), and is a "must-have" reference for every serious programmer's digital library.
Abstract: This ebook is the first authorized digital version of Kernighan and Ritchie's 1988 classic, The C Programming Language (2nd Ed.). One of the best-selling programming books published in the last fifty years, "K&R" has been called everything from the "bible" to "a landmark in computer science" and it has influenced generations of programmers. Available now for all leading ebook platforms, this concise and beautifully written text is a "must-have" reference for every serious programmer's digital library. As modestly described by the authors in the Preface to the First Edition, this "is not an introductory programming manual; it assumes some familiarity with basic programming concepts like variables, assignment statements, loops, and functions. Nonetheless, a novice programmer should be able to read along and pick up the language, although access to a more knowledgeable colleague will help."

2,120 citations

Proceedings ArticleDOI
16 Oct 2012
TL;DR: This paper details the construction of an access-driven side-channel attack by which a malicious virtual machine (VM) extracts fine-grained information from a victim VM running on the same physical computer, and demonstrates the attack in a lab setting by extracting an ElGamal decryption key from a victim using the most recent version of the libgcrypt cryptographic library.
Abstract: This paper details the construction of an access-driven side-channel attack by which a malicious virtual machine (VM) extracts fine-grained information from a victim VM running on the same physical computer. This attack is the first such attack demonstrated on a symmetric multiprocessing system virtualized using a modern VMM (Xen). Such systems are very common today, ranging from desktops that use virtualization to sandbox application or OS compromises, to clouds that co-locate the workloads of mutually distrustful customers. Constructing such a side-channel requires overcoming challenges including core migration, numerous sources of channel noise, and the difficulty of preempting the victim with sufficient frequency to extract fine-grained information from it. This paper addresses these challenges and demonstrates the attack in a lab setting by extracting an ElGamal decryption key from a victim using the most recent version of the libgcrypt cryptographic library.

839 citations

01 Feb 2012
TL;DR: In this paper, the authors show that the inclusion of the many-body collective response of the substrate electrons inside the inorganic bulk enables them to reliably predict the HIOS geometries and energies.
Abstract: The electronic properties and the function of hybrid inorganic-organic systems (HIOS) are intimately linked to their interface geometry. Here we show that the inclusion of the many-body collective response of the substrate electrons inside the inorganic bulk enables us to reliably predict the HIOS geometries and energies. This is achieved by the combination of dispersion-corrected density-functional theory (the DFT + van der Waals approach) [Phys. Rev. Lett. 102, 073005 (2009)], with the Lifshitz-Zaremba-Kohn theory for the nonlocal Coulomb screening within the bulk. Our method yields geometries in remarkable agreement (≈0.1 Å) with normal incidence x-ray standing wave measurements for the 3,4,9,10-perylene-tetracarboxylic acid dianhydride (C24O6H8, PTCDA) molecule on Cu(111), Ag(111), and Au(111) surfaces. Similarly accurate results are obtained for xenon and benzene adsorbed on metal surfaces.

412 citations

Proceedings ArticleDOI
22 May 2011
TL;DR: Home Alone is introduced, a system that lets a tenant verify its VMs' exclusive use of a physical machine by using a side-channel in the L2 memory cache as a novel, defensive detection tool.
Abstract: Security is a major barrier to enterprise adoption of cloud computing. Physical co-residency with other tenants poses a particular risk, due to pervasive virtualization in the cloud. Recent research has shown how side channels in shared hardware may enable attackers to exfiltrate sensitive data across virtual machines (VMs). In view of such risks, cloud providers may promise physically isolated resources to select tenants, but a challenge remains: tenants still need to be able to verify physical isolation of their VMs. We introduce Home Alone, a system that lets a tenant verify its VMs' exclusive use of a physical machine. The key idea in Home Alone is to invert the usual application of side channels. Rather than exploiting a side channel as a vector of attack, Home Alone uses a side channel (in the L2 memory cache) as a novel, defensive detection tool. By analyzing cache usage during periods in which "friendly" VMs coordinate to avoid portions of the cache, a tenant using Home Alone can detect the activity of a co-resident "foe" VM. Key technical contributions of Home Alone include classification techniques to analyze cache usage and guest operating system kernel modifications that minimize the performance impact of friendly VMs sidestepping monitored cache portions. Home Alone requires no modification of existing hypervisors and no special action or cooperation by the cloud provider.

362 citations

Book
31 Oct 2011
TL;DR: This book will teach you how to create high-performance, scalable, reliable systems, providing comprehensive coverage of distributed and cloud computing, including: Facilitating management, debugging, migration, and disaster recovery through virtualization
Abstract: From the leading minds in the field, Distributed and Cloud Computing is the first modern, up-to-date distributed systems textbook. Starting with an overview of modern distributed models, the book exposes the design principles, systems architecture, and innovative applications of parallel, distributed, and cloud computing systems. It will teach you how to create high-performance, scalable, reliable systems, providing comprehensive coverage of distributed and cloud computing, including:
- Facilitating management, debugging, migration, and disaster recovery through virtualization
- Clustered systems for research or ecommerce applications
- Designing systems as web services
- Social networking systems using peer-to-peer computing
- Principles of cloud computing using examples from open-source and commercial applications
Using examples from open-source and commercial vendors, the text describes cloud-based systems for research, e-commerce, social networking and more. It gives complete coverage of modern distributed computing technology, including clusters, the grid, service-oriented architecture, massively parallel processors, peer-to-peer networking, and cloud computing, and includes case studies from the leading distributed computing vendors: Amazon, Microsoft, Google, and more. Designed to meet the needs of students taking a distributed systems course, each chapter includes exercises and further reading, with lecture slides and solutions available online.

307 citations