Welcome to the SAFE project.

homemade FPGA enclosure booting SAFE

SAFE is a secure computing platform built on a tagged hardware architecture that supports maintenance, propagation, and per-instruction checking of arbitrary per-word metadata. The metadata rule engine can enforce a wide range of security policies, including memory safety, control flow integrity, information flow secrecy, capabilities, software fault isolation, language-specific dynamic typing, and more. The least-privilege runtime separates computation into threads that do not share memory, and values are communicated across hardware-supported, tagged streams.

SAFE Video on YouTube

Check out our January 2014 video explaining the SAFE project, and why it is so important

PUMP: A Programmable Unit for Metadata Processing

Proceedings of the 3rd International Workshop on Hardware and Architectural Support for Security and Privacy, June 15, 2014, Minneapolis, MN USA.

We introduce the Programmable Unit for Metadata Processing (PUMP), a novel software-hardware element that allows flexible computation with uninterpreted metadata alongside the main computation with modest impact on runtime performance (typically 10–40% for single policies, compared to metadata-free computation on 28 SPEC CPU2006 C, C++, and Fortran programs). While a host of prior work has illustrated the value of ad hoc metadata processing for specific policies, we introduce an architectural model for extensible, programmable metadata processing that can handle arbitrary metadata and arbitrary sets of software-defined rules in the spirit of the time-honored 0-1-infinity rule. Our results show that we can match or exceed the performance of dedicated hardware solutions that use metadata to enforce a single policy, while adding the ability to enforce multiple policies simultaneously and achieving flexibility comparable to software solutions for metadata processing. We demonstrate the PUMP by using it to support four diverse safety and security policies—spatial and temporal memory safety, code and data taint tracking, control-flow integrity including return-oriented-programming protection, and instruction / data separation–and quantify the performance they achieve, both singly and in combination.


A Verified Information-Flow Architecture

In 41st ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL), San Diego, CA USA. January 22, 2014.

SAFE is a clean-slate design for a highly secure computer system, with pervasive mechanisms for tracking and limiting information flows. At the lowest level, the SAFE hardware supports fine-grained programmable tags, with efficient and flexible propagation and combination of tags as instructions are executed. The operating system virtualizes these generic facilities to present an information-flow abstract machine that allows user programs to label sensitive data with rich confidentiality policies. We present a formal, machine-checked model of the key hardware and software mechanisms used to control information flow in SAFE and an end-to-end proof of noninterference for this model.