Spoken like someone who has no idea about the market at the time. The PowerPC was introduced in 1992, announced in 1991. At the time, Intel's flagship x86 part was the 486 but they were trying to kill the x86 line. They'd released the i860 (RISC, not x86-compatible) in 1989 and tech magazines were saying it would kill x86. Windows NT was originally written for the i860 and only later ported to x86, so even Windows looked like it might not be tied to x86 in the long term.

1992 saw the launch of the Alpha and MIPS R4K, and 1993 saw the SPARCv9 ISA. It didn't look like a 32-bit architecture that was hacked onto a legacy 16-bit ISA had much of a long-term future. IBM and Motorola were two of the biggest players in CPU manufacturing and they teamed up to produce something that would provide a migration path for m68k and i386 software. The PowerPC architecture was based on IBM's POWER architecture but extended to make it easy to emulate m68k and i386 at reasonable speeds. Microsoft was signed up to port Windows NT and it looked like you'd be able to run Windows and MacOS (the two most popular desktop operating systems) and possibly some of the other less-popular ones (most of which were m68k-based) on the same hardware. IBM and Motorola were both going to produce chips, so there was guaranteed to be competition, which would bring down prices, and they were soliciting other companies to produce implementations of the architecture. Within a few years, PowerPC would be faster and cheaper than x86 and would run more software. At least, that was the theory. It sounded quite plausible, but history didn't quite work out like that.

Those numbers don't tell the whole story. iBooks doesn't exist to make a profit selling books, it exists to make the iPad seem like a plausible platform for reading books. Similarly, Amazon gets a significant benefit from locking people into the Kindle ecosystem. The $180M in cash that Apple gets is nice, but it's nothing compared to having a load of people who have bought books that will only work on an Apple device.

PowerPC was pushed by the AIM alliance: Apple, IBM, Motorola. The latter two developed and produced chips. Apple had some input. The goal was an ISA that made it easy to emulate both m68k and i386.

Yup, it's on GitHub in two repositories, one for LLVM and one for clang. We've been pushing the fixes for MIPS IV upstream, but there are some changes to the mid-level optimisers to make them aware that not all pointers are integers and some extensions to the platform-independent code generators for the same.

We've upstreamed all of the FreeBSD changes required for the base processor (BERI) and the development boards, so FreeBSD 10 will run out of the box on CHERI (it just won't expose any of the capability features). The CHERI-enabled version of FreeBSD is also on GitHub.

The code for the processor is just in a tarball at the moment. We're going to move it to some sensible public revision control system once we've worked out how much of our internal svn history wants to be included in the public release.

Yes, we're looking forward to the seL4 release. Somewhat cautiously, as there's no mention of a license (if it's GPL'd, we probably won't put any effort into it). In CHERI, we have store-capability and load-capability permissions on both capabilities and pages. To implement the seL4 model (where capabilities are stored in special pages), we'd only need to use the TLB-grandularity protections, but it would be more interesting to provide fine-grained capability storage, which would reduce a bit of the difficulty in programming for seL4.

We're also interested in the impact on the proofs in seL4. For example, seL4 currently assumes that the TLB is correct as an axiom (read the errata sheet for any production CPU to see how valid that is). With CHERI, we have some proofs extending down into the ISA and into the implementation and it would be interesting to see how these could be coupled to have a proven-secure systems. The folks at UT Austin and Centaur are (independently of us, but we talk to them periodically) working hard on proving that properties of higher-level HDLs are mapped correctly to gate layouts, so in a few years it may be possible to have a microkernel with security properties proven correct right down to the gate level.

Ilya Bakulin is currently working on porting FreeBSD to run atop L4 and is interested in extending this port to run on seL4. That would also be an interesting approach when combined with CHERI, allowing a full FreeBSD to run with some critical services moved out and into a tiny TCB.

We haven't specifically looked at key storage, but we are looking at potential ways of extending the approach to heterogeneous multicore systems, so that access to main memory could be delegated to accelerators (at varying levels of coupling) via capabilities and capabilities could be used to mediate access to accelerators. In this scheme, it would be possible to provide an encryption coprocessor that would store keys internally and perform encryption and decryption operations on blocks of memory delegated to it from userspace.

This is part of a more general problem, which is that most accelerator designs currently follow the model of a device, which requires kernel mediation to use and don't really support virtualisation well. The design you want is a resource that's cheap to access from userspace and easy to multiplex. Once you have that, it's easy to have useful crypto coprocessors (i.e. ones that cause a speedup for everything, rather than a slowdown for anything smaller than a few tens of KBs).

I hope no one misses the irony of using a DARPA-funded network protocol to post about how evil DARPA is...

A lot of routers actually run FreeBSD/MIPS. The FreeBSD MIPS port was jointly done by Juniper and Cisco. The CHERI project is jointly funded by two DARPA programs, CRASH and MRC. The MRC-focussed part is looking as software-defined networking and switch fabrics. Part of this includes putting CHERI on the NetFPGA 10G boards (which have 4 10GigE ports, so can do a reasonable amount of packet pushing). For a switch, you typically want some hardware acceleration of lookup tables for routing and so on, but CHERI might make sense for isolating flows from each other. We'll see over the next year...

Yes, that's one of the motivations for our work. Now seems to be the time when it's possible to persuade CPU vendors that dedicating a little bit more hardware to security is valuable. It isn't quite the dichotomy that you describe though, because you can either implement security features in software or hardware and doing so in hardware can mean that you see a performance improvement for the sorts of use cases that people increasingly care about.

Currently, Ohloh.net is aware of around 11 billion lines of C/C++ code. I'm including C++ because, while it's possible to write memory-safe C++, all of the evil pointer tricks that are permitted in C are also allowed in C++. Rewriting 11 billion lines of code, even in a language that is 100 times more expressive than C, would be a daunting task. Note that Ohloh only tracks open source code in public repositories: there's a lot more that's in private codebases.

For a fully memory-safe language, you need things like bounds checks on array accesses. Some research from IBM about 10 years ago showed that, with JVMs of the time, the cost of bounds checks accounted for the vast majority of the difference in performance between C++ and Java implementations of the same algorithms. They did some nice work on abstractions that allowed most bounds checks to be statically elided, but their approach never made it into the language. The overhead is somewhat hidden by superscalar architectures (the bounds check is done in parallel and the branch is predicted not-taken), but not on low-power in-order chips like the Cortex A7 that you'll find in a lot of modern mobile phones.

Note that, in our implementation, capabilities are orthogonal to paged memory management. CHERI's capabilities are within a virtual address space. The MMU is a really useful abstraction for an OS wanting to isolate processes from each other and implement things like swapping, lazy allocation, and so on. It's a pretty poor abstraction for implementing memory safety and sandboxing within an application. We regard the two as complementary: CHERI provides both a traditional MIPS TLB and capabilities, and the FreeBSD port uses them both.

We hope so too. One of the things on my short-term todo list is define a set of requirements for our extensions to C so that we can have source compatibility across different CPUs implementing similar ISA extensions. Of course, this is (optimistically) assuming that other CPUs are going to provide similar extensions...

There's a little bit of comparison to the Burroughs architecture that was one of the forerunners of the Unisys architecture in the paper. I'm not overfly familiar with the later Unisys MCP, so this may be wrong:

Our approach was explicitly intended to work with language that are not memory safe (i.e. C and friends). If you have a memory-safe language, then there is some cost associated with enforcing the memory safety in software, which CHERI can assist with, but you don't see much of a win.

As soon as you start mixing languages, you get the worst of all worlds. A typical Android application is written in C and Java (and some other things) and so gets all of the memory safety of C, plus all of the performance of Java. A single pointer error in the C code can corrupt the Java heap. One of my students last year implemented a modified JNI on CHERI that allows this sort of mixing but without the disadvantages. Java references are passed to C code as sealed capabilities, so the C code can pass them back to the JVM, but can't dereference them. The C code itself runs in a sandbox (C0 - the capability register that identifies the region of memory that normal MIPS loads and stores can use - is restricted to a smallish subset of the total [virtual] address space) so any pointer errors inside the C are constrained to only touch the C heap (of that particular sandbox - there can be a lot). He demonstrated running buggy and known-exploitable code in the JNI, without it compromising the Java code, with a very small overhead for calling in and out of the sandbox. Most interestingly, he was also able to enforce the Java security model for native code: the sandboxed code couldn't make system calls directly and had to call back into the currently active Java security monitor to determine whether it was allowed to.

Another of my students implemented an accurate (copying, generational) garbage collector for capabilities. This can be used with C code, as long as the allocator is outside of the normal C0-defined address space (otherwise pointers can leak as integers into other variables and be reconstructed). In particular, you can use this to track references to high-level language objects as they flow around C code and either invalidate them or treat them as GC roots, so you don't get dangling pointer errors. Or you can just use his allocator in C and have fully GC'd C code...

My understanding of MCP is that it uses high-level languages in the kernel, but does nothing to protect (for example) typesafe ALGOL code from buggy C code within the same userspace process.

That's not what he's arguing, he's arguing that having more efficient versions of things can save you money. Replacing lightbulbs with CFLs in my house paid for itself purely in terms of energy cost after a few months, and those bulbs lasted several years. Replacing an ancient fridge with a newer, more efficient one, took a couple of years to save enough to offset the cost, but after that it was another saving. Improving the insulation on a house will save you money and increase your comfort.

There's a reason that a lot of the companies that want to sell you power and the companies that want to sell you energy-efficient gadgets find themselves on opposite sides of this debate.

The processor is implemented as a softcore in BlueSpec SystemVerilog, which is a high-level hardware description language (HDL). The source code can be compiled to C for simulation, so you can run it on a general-purpose CPU. We get around 30K instructions per second doing this. It can also be compiled to verilog and then synthesized into gate layouts for an FPGA. We can run at 100MHz (probably 125MHz, but we don't push it) in an Altera Stratix IV FPGA, with around 1 instruction per clock (a bit less), so around 3000 times faster than simulation.

In theory, you could also take the verilog and generate a custom chip. In practice, you wouldn't want to without some tweaking. For example, our TLB design is based on the assumption that TCAMs are very expensive but RAM is very cheap. This is true in an FPGA, but is completely untrue if you were fabbing a custom chip.

Although we use the term 'source code', it's perhaps better to think of it as the code for a program that produces a design of a processor, rather than the source code for a processor.

In terms of software patents, there's some annoying precedent that a software implementation of a architectural patent can be infringing. The MIPS architecture that we implement has LWR and LWL instructions that accelerate unaligned loads and stores. These were patented (the patents have now expired) and the owners of the patent won against someone who created a MIPS implementation where these two instructions caused illegal instruction traps and were emulated in software. The software implementations were found to infringe the hardware patent.