Welcome to the SAFE project.

homemade FPGA enclosure booting SAFE

SAFE is a secure computing platform built on a tagged hardware architecture that supports maintenance, propagation, and per-instruction checking of arbitrary per-word metadata. The metadata rule engine can enforce a wide range of security policies, including memory safety, control flow integrity, information flow secrecy, capabilities, software fault isolation, language-specific dynamic typing, and more. The least-privilege runtime separates computation into threads that do not share memory, and values are communicated across hardware-supported, tagged streams.

SAFE Video on YouTube

Check out our January 2014 video explaining the SAFE project, and why it is so important

Architectural Support for Software-Defined Metadata Processing

Accepted into 20th International Conference on Architectural Support for Programming Languages and Operating Systems, March 14-18, 2015, Istanbul, Turkey.

Hardware for propagating and checking software-programmable metadata tags can achieve low runtime overhead when carefully implemented. We generalize prior work on hardware tagging by considering a generic architecture that supports software-defined policies over metadata of arbitrary size and complexity. We introduce several novel microarchitectural optimizations that keep the overhead of this rich processing low. Our model thus achieves the efficiency of previous hardware-based approaches with the flexibility of the software-based ones. We demonstrate this by using it to enforce four diverse safety and security policies—spatial and temporal memory safety, taint tracking, control-flow integrity, and code and data separation —plus a composite policy that enforces all of them simultaneously. Experiments on SPEC CPU2006 benchmarks show modest impact on runtime (typically under 10%) and power ceiling (less than 10%), in return for some increase in energy usage (typically under 60%) and area for on-chip memory structures (110%).


A Verified Information-Flow Architecture

In 41st ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL), San Diego, CA USA. January 22, 2014.

SAFE is a clean-slate design for a highly secure computer system, with pervasive mechanisms for tracking and limiting information flows. At the lowest level, the SAFE hardware supports fine-grained programmable tags, with efficient and flexible propagation and combination of tags as instructions are executed. The operating system virtualizes these generic facilities to present an information-flow abstract machine that allows user programs to label sensitive data with rich confidentiality policies. We present a formal, machine-checked model of the key hardware and software mechanisms used to control information flow in SAFE and an end-to-end proof of noninterference for this model.