Gaining kernel code execution on an MTE-enabled Pixel 8

This page summarizes the projects mentioned and recommended in the original post on news.ycombinator.com

  • Fuzzing101

    A step-by-step fuzzing tutorial. A GitHub Security Lab initiative

  • This work comes from GitHub's Security Lab https://securitylab.github.com/

  • sonata-system

    A full micro-controller system utilizing the CHERIoT Ibex core, part of the Sunburst project funded by UKRI

  • For anyone interested in CHERI for embedded/IoT and other similar use cases, lowRISC (whom I work for) are building a couple of FPGA-based evaluation platforms for CHERIoT (the Microsoft-created CHERI variant referred to above): https://www.sunburst-project.org/

    The first is the Sonata system: https://github.com/lowRISC/sonata-system. This comprises a dedicated PCB with an FPGA along with various peripherals and headers. The PCB design is done and will be available through Mouser (plus it's open source, including the board layout, so you can assemble your own if you like). We're currently working on the RTL for the FPGA. When complete, you'll have a complete CHERIoT-based, microcontroller-like system with documentation and tooling.

    Additionally we're building the Symphony system, which combines Sonata with the OpenTitan Earl Grey root of trust: https://github.com/lowRISC/symphony-system

  • symphony-system

    An integration of CHERIoT Ibex with OpenTitan Earl Grey, part of the Sunburst project funded by UKRI

  • securitylab

    Resources related to GitHub Security Lab

  • news.ycombinator.com/item?id=397522…

    First an important point: we only research open source code, which means that many parts of your phone (for example most of your apps) are out-of-scope for us. That said, all open source code is in-scope, including projects that aren’t hosted on GitHub. (Quote tweet reply to this tweet [2])

    In this particular case, @mmolgtm found a bug in Arm Mali, which is an open source GPU driver used on many Android phones. Android itself is open source. https://developer.arm.com/downloads/-/mali-drivers/valhall-k...

    Open source software is the foundation of much of the world’s software. So when open source wins, we win. And that’s why @GitHub takes its responsibility seriously, to help make open source software more secure.

    GitHub Security Lab sits within @GitHubSecurity, and we focus exclusively on open source security with four main priorities:

    First, we run the GitHub Advisory Database, which is a comprehensive database of open source vulnerabilities. https://t.co/U4HlXO2l1G

    Second, we share information around secure coding practices, through blogs and video content. https://t.co/EdO5SZtR0B

    Third, we use GitHub’s CodeQL to scan thousands of open source repositories for common security mistakes, like SQL injections or path traversals. https://t.co/m72rt2a5RL

    And fourth, we do deep research on critical open source projects. @mmolgtm’s recent work on Arm Mali is an example of this. https://t.co/jxVYeoJjtO

    The work that we do feeds into GitHub’s security products. For example, the advisory database is used to generate Dependabot alerts. https://docs.github.com/en/code-security/dependabot/dependab...

    Similarly, our work with CodeQL provides feedback to the code scanning team to help improve and further develop the feature so that more vulnerabilities are caught quickly and automatically. https://docs.github.com/en/code-security/code-scanning/intro...

    And these activities also benefit open source, because GitHub security products, including Dependabot and CodeQL, are free for open source projects!

    Our deep research work is primarily intended to inspire the community, so that we can improve open source security together. That’s why we publish detailed blog posts and proof-of-concept exploits.

    https://github.com/github/securitylab/tree/main/SecurityExpl...

    We’re big believers in Linus's law: “given enough eyeballs, all bugs are shallow”. Together, we’re making open source software secure. https://en.wikipedia.org/wiki/Linus%27s_law

    [1]: https://x.com/ghsecuritylab/status/1770940743944720557

    [2]: https://x.com/zemarmot/status/1681008991663423489
