CHERI within Defence and Security: Competition Document
Updated 14 November 2022
1. Introduction
This Defence and Security Accelerator (DASA) competition seeks proposals to experiment and trial the effects of the CHERI (Capability Hardware Enhanced RISC Instructions) based architecture extensions within Arm’s Morello prototype System on Chip (SoC). This competition is funded by the Defence Science and Technology Laboratory (Dstl) Cyber Programme, which hopes to assess a wide selection of software applications and platforms. The aim is to grow our understanding of the potential benefits or challenges of deploying such processor technologies within Defence and Security systems. We also seek to increase the base of potential defence suppliers with experience of Morello, to provide a pool of future innovation the UK can draw on.
2. Competition key information
2.1 Submission deadline
Midday on Monday 14 November 2022
Collaboration Survey will close on Friday 28 October.
2.2 Where do I submit my proposal?
Via the DASA Online Submission Service for which you will require an account. Only proposals submitted through the DASA Online Submission Service will be accepted.
2.3 Total funding available
The total possible funding available for this competition is £1.5M (ex VAT), and we expect to fund a number of proposals of up to £100k (Exc. VAT) each in value. However, DASA reserves the right to fund one outstanding bid up to £1.5M (Exc. VAT) that demonstrates value for money, provides high quality supporting evidence of platform performance to date and a detailed project plan to deliver on the competition challenges. Contracts will be awarded for a duration of up to 10 months and must complete by January 2024 (although proposals of shorter duration will also be accepted).
2.4 Eligibility
The CHERI within Defence and Security themed competition is a UK initiative and is only open to submitters based within the UK. We welcome proposals from across the full range of UK based suppliers including academia, individuals (i.e. sole traders), small and medium-sized enterprises (SMEs) and large companies. If you are an international company, to be eligible to apply, you will need to have a registered UK office at Company House. This is to enable submitters to fully participate and receive the Morello boards due to existing terms.
3. Supporting events
3.1 Industry Collaboration Survey during Proposal Preparation - Now closed.
We encourage collaboration between organisations for this competition. To support this, we have a short survey to collect details of those who wish to explore collaboration possibilities. If you are interested in a collaboration, please complete the survey and your details will be circulated among other potential suppliers who have completed the survey and are interested in collaborating.
If you choose to complete the supplier collaboration survey, please be aware all the information you submit in the survey will be provided to other suppliers who also complete the survey. All industry collaboration for proposal submissions is on an industry-industry basis. Inclusion or absence of any individual supplier organisation will not affect assessment, which will be solely on technical evidence in the proposal.
4. Competition Scope and Challenge
4.1 Background: Arm Morello and CHERI
Building systems that are “Secure by Design” (software, hardware and systems that have been designed from the ground up to be secure) is a strategic priority for the UK.
The Cyber Resilience Strategy for Defence outlines the Ministry of Defence’s (MOD) vision to build a stronger, cyber-resilient Defence. Realising this vision has become more important than ever, in an increasingly uncertain world with fast evolving technological and military challenges. In fact, analysis has shown that 70% of ongoing software vulnerabilities are due to memory safety issues. Utilising technologies that are inherently more secure are fundamental to the delivery of cyber-resilient systems.
Digital Security by Design (DSbD) is a UK Research and Innovation initiative supported by the UK Government to transform digital technology and create a more resilient, secured foundation for a safer future. The DSbD funded, Arm Morello Program, is a collaboration between academia, industry and government, that researches and develops the underpinning capabilities will pave the way business and people will use and trust technology.
A key element of the Morello research programme is the prototype SoC and associated Morello development Board, platform software and tools that together implement the principles of the innovative CHERI security architecture. This SoC is the first mainstream chip to include hardware features to address memory safety issues, while also providing developers with innovative new tools and methods to enable fine grain protection of their applications. Further details can be found here: https://www.dsbd.tech/how-it-works/
4.2 Scope
This competition is aimed at seeding the Morello SoC into the Defence and Security sector for research, evaluation and experimentation. Highly resilient embedded systems such as those that support aviation will be favoured as part of this competition, although any Defence and Security related system will be considered.
4.3 Morello Boards
Successful projects will be provided with an Arm Morello Board, with its cutting-edge CHERI enabled Arm CPU architecture SoC, platform software, technical guides and community support, to trial and evaluate the effect of the new technologies within their software systems.
5. Competition Challenges
The competition has three challenge areas. Your proposal may seek to address more than one challenge.
Code Porting
This challenge area seeks to port an existing codebase or tool (e.g. compiler) into the Morello environment and strengthen its security by using the Morello enhanced security features.
Software Compartmentalisation
This challenge area seeks to refactor an existing application to employ fine grain software compartmentalisation.
Innovation
This challenge area seeks to conduct research in an area in line with competition scope, such as a security enhancing innovation, now enabled by the availability of the Morello features
We welcome proposals from across the full range of UK based suppliers including academia, individuals (i.e. sole traders), small and medium-sized enterprises (SMEs) and large companies.
5.1 Challenge Considerations
At the conclusion of the project, a report will need to be produced detailing experimental outcomes and learnings. Aspects considered could include:
-
what are the performance and storage effects of implementing memory safety?
-
are you able to replace all pointers by capabilities or just some of them?
-
what are the performance implications of implementing compartmentalisation?
-
how did CHERI enable new fine grain isolations within a single application process?
-
how do these benefits compare to contemporary established code and data isolation and protection practices?
-
how do existing assurance/verification methodologies evolve as a result of having CHERI features available?
-
what was the impact on known vulnerabilities and attack techniques?
- Comparative assessment against the Common Weakness Enumeration Top 25 Most Dangerous Software Weaknesses list.
- Relevant components of the MITRE ATT&CK knowledge base.
-
how might a Morello aware attacker change their behaviour?
The minimum output shall be a report that will be shared with Arm to inform their Morello Evaluation programme. An additional classified report may be produced if the output requires it to be so and the proposer has the means to handle sensitive material, for example, List X.
6. Clarification of what we want
6.1 Your proposal should include:
-
clear demonstration of how the proposed work applies to a Defence and Security context.
-
evidence that the proposal will have suitably qualified and experienced personnel delivering it.
-
detail of the experimentation, testing and performance evaluation strategy that will provide the evidence for the final report
6.2 Proposers should consider:
-
the availability of programming language translators and tools. At the time of writing, only CHERI-enabled C/C++ (Clang/LLVM) toolchains are currently available. However this may change. For up-to-date information on the development status of Morello support, please see https://developer.arm.com/architectures/cpu-architecture/a-profile/morello/development-tools/gnu-tools
-
application-level projects must be able to utilise the evolving maturity of the Morello supported operating systems. (Morello is currently only supported by CHERI-adapted versions of evolving maturity of the open-source Linux/Android/FreeBSD Operating Systems distributed and maintained by Arm and the University of Cambridge)
-
operating System level projects must support boot from an UEFI/Arm SystemReady ES certified platform
7. Accelerating and commercially exploiting your innovation
It is important that over the lifetime of DASA competitions, ideas are matured and accelerated towards appropriate end-users to enhance capability. How long this takes will depend on the nature and starting point of the innovation.
7.1 A clear route for commercial exploitation
For DASA to consider routes for commercial exploitation, ensure your deliverables are designed with the aim to make it as easy as possible for collaborators/stakeholders to identify the innovative elements of your proposal.
Whilst early identification and engagement with potential end users during the competition and subsequent phases are essential to implementing an exploitation plan, during the competition phase there should be no correspondence between innovators and DASA other than via the Accelerator email or Commercial team.
All proposals to DASA should articulate the expected development in technology maturity of the potential solution over the lifetime of the contract and how this relates to improved operational capability against the current known (or presumed) baseline.
7.2 How to outline your exploitation plan
A higher technology maturity is expected in subsequent phases. Include the following information to help the assessors understand your exploitation plans to date:
-
the intended defence or security users of your final product and whether you have previously engaged with them, their procurement arm or their research and development arm
-
awareness of, and alignment to, any existing end user procurement programmes
-
the anticipated benefits (for example, in cost, time, improved capability) that your solution will provide to the user
-
whether it is likely to be a standalone product or integrated with other technologies or platforms
-
expected additional work required beyond the end of the contract to develop an operationally deployable commercial product (for example, “scaling up” for manufacture, cyber security, integration with existing technologies, environmental operating conditions)
-
additional future applications and wider markets for exploitation
-
wider collaborations and networks you have already developed or any additional relationships you see as a requirement to support exploitation
-
how your product could be tested in a representative environment in later phases
-
any specific legal, ethical, commercial or regulatory considerations for exploitation
7.3 Is your exploitation plan long-term?
Long-term studies may not be able to articulate exploitation in great detail, but it should be clear that there is credible advantage to be gained from the technology development.
Include project specific information which will help exploitation. This competition is being carried out as part of a wider MOD programme and with cognisance of cross-Government initiatives. We may collaborate with organisations outside of the UK Government and this may provide the opportunity to carry out international trials and demonstrations in the future.
8. How to apply
8.1 Submission deadline
Midday on Monday 14 November 2022
Collaboration Survey now closed.
8.2 Eligibility
The CHERI within Defence and Security themed competition is a UK initiative and is only open to submitters based within the UK. We welcome proposals from across the full range of UK based suppliers including academia, individuals (i.e. sole traders), small and medium-sized enterprises (SMEs) and large companies. If you are an international company, to be eligible to apply, you will need to have a registered UK office at Company House. This is to enable submitters to fully participate and receive the Morello boards due to existing terms.
8.3 Where do I submit my proposal?
Via the DASA Online Submission Service for which you will be required to register.
Only proposals submitted through the DASA Online Submission Service will be accepted.
8.4 Total funding available
The total funding available for Phase 1 of this competition CHERI within Defence and Security is £1.5m (ex VAT).
Additional funding for further phases may become available. If there is a future phase, it will be run as a separate future DASA competition and be open to applications from all innovators and not just those who submitted successful Phase 1 bids.
8.5 For further guidance
Click here for more information on our competition process and how your proposal is assessed.
Queries should be sent to the DASA Help Centre – accelerator@dstl.gov.uk.
9. What your proposal must include
-
the proposal should focus on the Phase 1 requirements but must also include a brief (uncosted) outline of the next stages of work required for commercial exploitation
-
when submitting a proposal, you must complete all sections of the online form, including an appropriate level of technical information to allow assessment of the bid and a completed finances section
-
completed proposals must comply with the financial rules set for this competition. The upper-limit for this competition is £1.5m (ex VAT). Proposals will be rejected if the financial cost exceeds this capped level
-
you must include a list of other current or recent government funding you may have received in this area if appropriate, making it clear how this proposal differs from this work
-
a project plan with clear milestones and deliverables must be provided. Deliverables must be well defined and designed to provide evidence of progress against the project plan and the end-point for this phase; they must include a final report
-
you should also plan for attendance at a kick-off meeting at the start of Phase 1, a mid-project event and an end of project event at the end of Phase 1, as well as regular reviews with the appointed Technical Partner and Project Manager; all meetings will be in the UK. Meetings may also take place virtually.
-
your proposal must demonstrate how you will complete all activities/services and provide all deliverables within the competition timescales (complete project by 31 January 2024). Proposals with any deliverables (including final report) outside the competition timeline will be rejected as non-compliant
10. What your resourcing plan should include
Your resourcing plan must identify, where possible, the nationalities of proposed employees that you intend to work on this phase.
10.1 If your proposal is recommended for funding
In the event of a proposal being recommended for funding, the DASA reserves the right to undertake due diligence checks, including the clearance of proposed employees. Please note that this process will take as long as necessary and could take up to 6 weeks, in some cases for non-UK nationals.
You must identify any ethical/legal/regulatory factors within your proposal and how the associated risks will be managed, including break points in the project if approvals are not received.
MODREC approvals can take up to 5 months therefore you should plan your work programme accordingly. If you are unsure if your proposal will need to apply for MODREC approval, then please refer to the MODREC Guidance for Suppliers or contact your Innovation Partner for further guidance.
Requirements for access to Government Furnished Assets (GFA), for example, information, equipment, materials and facilities, may be included in your proposal. The Morello board(s) will be considered GFA, please state within your proposal if you will be requesting additional GFA over and above the supply of the Morello board(s). DASA cannot guarantee that GFA will be available. If you apply for GFA, you should include an alternative plan in case it is not available.
Failure to provide any of the above listed will automatically render your proposal non-compliant.
11. Cyber risk assessment
11.1 Supplier Assurance Questionnaire (SAQ)
On receipt of a ‘Fund’ decision, successful suppliers must submit a Supplier Assurance Questionnaire (SAQ). The SAQ allows suppliers to demonstrate compliance with the specified risk level and the corresponding profile in Def Stan 05-138 , the levels of controls required will depend on this risk level.
-
DASA has completed a Cyber Risk Assessment (CRA) for this competition. Successful Suppliers will be emailed when to complete a SAQ here, using the DASA Risk Assessment Reference (RAR) for this competition: RAR-220901401 and answer questions for risk level “N/A”.
-
If selected for funding, the innovator must prove cyber resilience before a contract will be awarded. Further guidance can be found at: DCPP: Cyber Security Model industry buyer and supplier guide.
-
If you have any questions please contact accelerator@dstl.gov.uk
12. Public facing information
When submitting your proposal, you will be required to include a title and a short abstract. The title and abstract you provide will be used by DASA, and other government departments, to describe your project and its intended outcomes and benefits. They may be included at DASA events in relation to this competition and in documentation such as brochures. The proposal title will be published in the DASA transparency data on GOV.UK, along with your company name, the amount of funding, and the start and end dates of your contract. As this information can be shared, it should not contain information that may compromise Intellectual property.
13. How your proposal will be assessed
At Stage 1, all proposals will be checked for compliance with the competition document and may be rejected before full assessment if they do not comply. Only those proposals that demonstrate compliance against the competition scope and DASA mandatory criteria will be taken forward to full assessment.
14. Mandatory Criteria
The proposal outlines how it meets the scope of the competition | Within scope (Pass) / Out of scope (Fail) |
The proposal fully explains in all three sections of the DASA submission service how it meets the DASA criteria | Pass / Fail |
The proposal clearly details a financial plan, a project plan and a resourcing plan to complete the work proposed in Phase 1 | Pass / Fail |
The proposal identifies the need (or not) for MODREC approval | Pass / Fail |
The proposal identifies any GFA required for Phase 1 - The Morello board(s) will be considered GFA. Please state within your proposal if you will be requesting additional GFA over and above the supply of the Morello board(s). | Pass / Fail |
Maximum value of proposal is £100k | Pass / Fail |
The proposal demonstrates how all research and development activities / services (including delivery of the final report) will be completed within 12 months from award of contract (or less) | Pass / Fail |
The bidder has obtained the authority to provide unqualified acceptance of the terms and conditions of the Contract. | Pass / Fail |
Proposals that pass Stage 1 will then be assessed against the standard DASA assessment criteria (Desirability, Feasibility and Viability) by subject matter experts from the MOD (including Dstl), other government departments and the front-line military commands. You will not have the opportunity to view or comment on assessors’ recommendations.
DASA reserves the right to disclose on a confidential basis any information it receives from innovators during the procurement process (including information identified by the innovator as Commercially Sensitive Information in accordance with the provisions of this competition) to any third party engaged by DASA for the specific purpose of evaluating or assisting DASA in the evaluation of the innovator’s proposal. In providing such information the innovator consents to such disclosure. Appropriate confidentiality agreements will be put in place.
Further guidance on how your proposal is assessed is available on the DASA website
After assessment, proposals will be discussed internally at a Decision Conference where, based on the assessments, budget and wider strategic considerations, a decision will be made on the proposals that are recommended for funding.
Innovators are not permitted to attend the Decision Conference.
Proposals that are unsuccessful will receive brief feedback after the Decision Conference.
15. Things you should know about DASA contracts: DASA terms and conditions
Please read the DASA terms and conditions which contain important information for innovators. For this competition we will use the Innovation Standard Contract (ISC) Terms and Schedules. We will require unqualified acceptance of the terms and conditions; if applicable, please ensure your commercial department has provided their acceptance.
Funded projects will be allocated a Project Manager (to run the project) and a Technical Partner (as a technical point of contact). In addition, the DASA team will work with you to support delivery and exploitation, including, when appropriate, introductions to end-users and business support to help develop their business. We will use deliverables from DASA contracts in accordance with our rights detailed in the contract terms and conditions.
For this competition, £1.5m is currently available to fund proposals. There may be occasions when additional funding may become available to allow us to revisit proposals deemed suitable for funding. Therefore, DASA reserves the right to keep such proposals in reserve. In the event that additional funding becomes available, DASA may ask whether you would still be prepared to undertake the work outlined in your proposal under the same terms.
16. Phase 1 key dates
Competition closes | Midday on 14 November 2022 |
Decision release | 15 December 2022 |
Feedback release | 6 January 2023 |
Contracting | Aim to start 20 February 2023. Projects need to end by 31 January 2024 |
17. Help: Contact the DASA Help Centre
Competition queries including on process, application, commercial, technical and intellectual property aspects should be sent to the DASA Help Centre at accelerator@dstl.gov.uk, quoting the competition title. If you wish to receive future updates on this competition, please email the DASA Help Centre.
While all reasonable efforts will be made to answer queries, DASA reserves the right to impose management controls if volumes of queries restrict fair access of information to all potential innovators.