Introduction

The Digital Security by Design (DSbD) Technology Access Programme (TAP) is designed to give UK-based companies access to lowRISC’s Sonata board, Arm’s Morello board, the CHERI stack, and technical support to trial these technologies within their systems, products, and applications.

Through the DSbD Technology Access Programme, companies will be able to experiment with and validate the prototype cyber security technology and feedback their findings to influence its future development before it enters commercialisation.

Watch this introduction video to learn more

Programme brief

Through the DSbD Technology Access Programme (TAP), qualifying UK-based companies will have access to lowRISC’s Sonata and Arm Morello evaluation board, with its cutting-edge CPU architecture. 

A Sonata board is a secure-by-design, embedded micro-controller,  developed by lowRISC to implement CHERIoT-Ibex, which is itself based on Capability Hardware Enhanced RISC Instructions (CHERI). CHERI is a protection model, like virtual memory that can be integrated into different ISAs, including Arm Morello, CHERI RISC-V, and CHERIoT. This model is a project from the University of Cambridge and SRI International. Both technologies serve to prevent and mitigate common memory-safety issues in C/C++ via their use of capabilities. Participants are encouraged to experiment with these technologies to uncover security vulnerabilities in their own products, using a combination of (1) spatial and temporal safety mechanisms, and (2) novel compartmentalisation models for shared libraries or coprocesses.

In addition to receiving a lowRISC Sonata board or Morello evaluation board, participating companies will get access to the CHERI software stack, technical guides, and expert support to get started and trial these new technologies within their systems. The duration of the Technology Access Programme is 5 months. After successful completion of the programme, participating companies will be permitted to keep the Sonata or Morello evaluation board.

The TAP is a tiered programme; qualifying companies will receive a £15,000 grant during the experimentation period. The programme is administered by Digital Catapult on behalf of UK Research and Innovation (UKRI).

Programme benefits

Companies will have exclusive access to cutting-edge cyber security technology, capable – if implemented correctly – of preventing around two thirds of hacks, cyber attacks and data breaches. This technology, when fully mature and market-ready, has the potential to open up whole new markets for cyber secure by design products, providing competitive advantage to companies who are already familiar with it.

These technologies can mitigate spatial and temporal memory-safety vulnerabilities in C/C++, and participants will be able to identify such issues in their own product code. CHERI has C/C++ language variants (CHERI C/C++) that require minimal change to an existing code base, approximately <0.5% LOC. CHERI also enables a second feature, a set of compartmentalisation models, to enrich the security guarantees provided by the architecture’s memory capabilities.

Further, individuals involved with the programme will become part of a vibrant community of like-minded professionals where they’ll be able to share ideas, forge new relationships and collaborations, as well as growing their knowledge and influence product development.

Companies sharing their programme related work will benefit from media exposure through DSbD as well as Digital Catapult communication channels.

Key benefits:

  • Experiment with prototype, cutting-edge technology and be ahead of the game
  • Build unique knowledge within your company and stay competitive
  • Improve your product by identifying cyber security vulnerabilities in your systems/software
  • Become part of a vibrant community of cyber security pioneers
  • Receive a £15,000 grant (Tier 1 companies only) 
  • Get access to experts at lowRISC, Arm, University of Cambridge, and Digital Catapult
  • Become part of the TAP Alumni upon successful completion of the experimentation period

Watch this video to understand the benefits, timelines and commitment required

Who is it for?

The programme is open to UK-based companies that have a company culture of exploring, experimenting and inventing with new technologies. Companies with an R&D department and a strong focus on cyber security are encouraged to apply. Applicants must be registered on Companies House and also have a business bank account.

Companies within the following industries should apply:

  • Information Technology and services
  • Computer software
  • Industrial automation
  • Computer hardware
  • CPU semiconductors
  • Energy
  • Automotive
  • Telecoms
  • Manufacturers of connected consumer / industrial electronics (IoT & IIoT)

Your company would ideally operate within or supply to the following sectors: utilities, healthcare, transportation, telecommunications, automotive, energy & mining, and all other sectors serving the Critical National Infrastructure.

Programme tiers and requirements

TAP is a tiered programme. Tier 1 is for UK-based companies with under 250 employees while Tier 2 is for UK-based companies with more than 250 employees.

Tier 1

  • Receive £15,000 in funding during the course of the 5 month programme.
  • Gain access to a Sonata board (and Morello board if required), with possibility to keep the hardware following successful completion of the programme
  • Participate in one-to-one check-in sessions, group learning sessions, practical demonstrations and focused activities for the experimentation programme.
  • Receive technical guidance and support from the Digital Security by Design programme team and experts at lowRISC, Arm and University of Cambridge.

 

Tier 2

  • Gain access to a Sonata board (and Morello board if required), with possibility to keep the hardware following successful completion of the programme
  • Receive technical guidance and support from the Digital Security by Design programme team and experts at lowRISC, Arm and University of Cambridge.
  • Participate in one-to-one check-in sessions, group learning sessions, practical demonstrations and focused activities for the experimentation programme (optional).

 

Programme requirements

Over the five month period, successful applicants will be expected to:

  • Participate in one onboarding day at the start of the programme [Tier 1 & 2] 
  • Write two technical reports –a short interim report based on progress and findings, and a final report based on your experience within the programme [Tier 1 & 2]
  • Participate in monthly online peer-to-peer knowledge sharing sessions [Tier 1]
  • Attend monthly online one-to-one progress-update and technical support sessions with the Digital Security by Design team [Tier 1]
  • Participate in the end-of-programme Showcase event and provide a demonstration or presentation on their experimental outcomes or learnings [Tier 1 & 2]

Technical Details

Please be aware of the following:

  • CHERIoT could involve C/C++, MicroPython, Verilog and RUST.
  • CHERIoT RTOS is recommended, but businesses are free to repurpose the FPGA is required.
  • CHERIoT LLVM toolchains are currently available. Additional operating system enablement is currently being addressed by a joint development between Arm, University of Cambridge, Microsoft and Google.
  • Several Morello emulators are available: Arm’s Fixed Virtual Platform, the Morello Integrated Environment, and the CHERI-QEMU fork maintained by the University of Cambridge and SRI International. There is also a Verilator-based simulator for CHERIoT: cheriot-safe.
  • This technology it’s not secure ‘out of the box’, there’s work to do in order to turn on security features. It’s not enough to just put your code on the board, because security is implemented by following a series of steps. Familiarity with FPGAs is invaluable.

Watch this video to learn more about CHERIoT and Sonata

FAQs

Find answers to frequently asked questions relating to the Technology Access Programme

  • What are the programme obligations?

    Tier 1 Participants 

    • Participate in the onboarding day (October 2024 )
    • Participate in 5 peer-to-peer sessions throughout the Technology Access  programme
    • Alignment and 1:1 tech sessions each month (a technical member of your team must join these)
    • Provide an updated project plan in Month 1, based on the use case/experimentation in the application (any subsequent changes in plan must be documented and agreed upon with the DSbD team)
    • Provide an interim technical report in Month 3 based on the experience gained from the project
    • Present a demo of your work
    • Provide a final technical report based on the experience gained from the project
    • Provide a final case study for marketing purposes
    • Participate in the final demo day in early March 2025 (exact date TBC)

    Tier 2 Participants

    • Participate in the onboarding day (October 2024)
    • Provide an interim technical report in Month 3 based on the experience gained from the project
    • Provide a final technical report based on the experience gained from the project
    • Participate in the final demo day in early March 2025 (exact date TBC)

    Please check the T&Cs page for more details about the programme obligations

  • What’s the duration of the programme?

    The Technology Access Programme is set to last 19 weeks, after which, depending on successful completion, you may keep your Sonata and (where applicable) Morello board.

  • What are the key dates for the programme?

    Intended notification of all applicants: 4 October 2024

    Intended public announcement of successful participants: October 2024

    Project start date: 30th October 2024 (programme onboarding day)

    End date: March 2025

     

  • What are the eligibility criteria for the programme?

    All applications will be assessed on the following criteria:

    Relevance – The proposed use case or experimentation is relevant to DSbD technologies, CHERI, and the capabilities of the Sonata board.

    Innovation – The proposed use case is novel and will provide valuable insights for the DSbD programme.

    Impact and scalability – The proposed use case or experimentation has the potential to scale and create impact beyond the immediate demonstrator.

    Expertise and commitment of team – The applicant has the relevant expertise to undertake their proposed work and adequate resources committed to the programme.

    Technical feasibility – The experimentation and project plan presented is technically feasible within the timeframe, budget, and resource available.

  • If selected, what required knowledge should I have?

    A familiarity with C/C++ code and OS compiling would greatly help, but not strictly a necessity. In addition, this programme is focused on two highly novel technologies, and therefore requires time to be spent on background reading. We suggest you take a look at the following links before the programme starts, to provide you with a better baseline understanding of the technologies and to familiarise yourself with the steps that will be required for you to get your Sonata Board up and running (it will not arrive pre-configured):

    Sonata – Technical Details 

    Sonata System 

    Sonata – Quick Start 

    CHERIoT 

    CHERI

  • If I am selected to join this programme, can I use the Morello board outside the UK?

    No, all participating companies must comply with export control requirements, in particular by not exporting the Morello evaluation boards outside of the UK. However, this export control does not apply to the Sonata board.

  • Does my organisation need to be registered in the UK to enter?

    Yes, your company has to be registered with Companies House and must be based in the UK. We will consider applicants with any legal structure (e.g. limited company, sole trader, consortium).

  • As a startup or scaleup, do I need to be working in cyber security already?

    No, but you will need to provide detail on the security threat that you would like to experiment against and how CHERI can be used to mitigate such risk.

  • What if I am involved in another accelerator programme, or have been involved in a previous Digital Catapult programme?

    Participation in another accelerator or in a start-up support programme does not preclude you from taking part in the Digital Security by Design TAP.

    If you have been part of any previous Digital Catapult programme you are welcome to join; for other programmes your participation will be dependent on the terms of the programme itself and what you have agreed to in the terms and conditions. De minimis funding will also need to be considered when applying to join the programme if you apply for Tier 1.

  • Who runs the Technology Access Programme?

    Digital Catapult, the UK’s leading authority in digital technologies, administers the Technology Access Programme.

  • How are applications selected?

    The judging criteria will be presented as statements within the application itself (as set out in the section above titled ‘What are the eligibility criteria for the programme’) . Each of the criteria has the same weighting. The judges will respond by indicating how strongly they accept these statements.

    During the application process we reserve the right to conduct enhanced financial or legal due diligence to ensure applicants will be able to meet all commitments.

     

  • Who are the judges, and when will I hear back about my application?

    Applications will be judged by a team of DSbD experts from Digital Catapult, UK Research and Innovation, and other organisations specialising in this technology. Successful applicants will be informed on the result of their applications after the end of the judging period.

  • What if my application is not successful to join the cohort of Tier 1 companies?

    If you are not successful you may still be able to take part in the programme through the Tier 2 route, but will not receive funding or have mandatory 1:1 check-in sessions with DSbD experts. You may also find another Digital Catapult programme of relevance, check the Digital Catapult website for all our programmes.

  • Is there an application fee for the programme?

    No, the programme is free to take part for applicants. Tier 1 companies who are selected and successfully complete the programme will receive £15,000 for their experimentation work. Tier 2 companies are not eligible to receive such grant funding.

  • How is the programme funded?

    The programme is funded by UKRI through the Industrial Strategy Challenge Fund, as part of the Digital Security by Design initiative.

  • What if I run over budget?

    The Technology Access Programme funding is £15,000 for Tier 1 successful applicants (broken down into 3 milestone payments). Further expenditure incurred by companies during the experimentation period will have to come from their own budget.

  • As an applicant, what’s the contracting process and terms and conditions to be on the programme?

    Applications are governed by the competition rules. If you are successful, a participation agreement will be issued which governs your activities on the programme with respect to the experimentation of the Sonata board (and the Morello board, where relevant), programme requirements and deliverables, and payment milestones.

  • Who will my application data be shared with?

    The application information will only be used for the purposes of the programme and its evaluation, and will only be retained for the duration of the programme (two years), and for participants on the programme for the evaluation period (maximum five years) and otherwise to comply with legal requirements.

    Please see the Technology Access Programme Competition Terms for more details.

  • Why is Digital Catapult asking the innovator community to experiment with this prototype?

    Digital Catapult will provide access to Sonata boards (and Morello boards where relevant) and lead in gathering evidence that will eventually explain what it means for real software to use these boards. During the programme, we will be looking for compelling examples from the selected companies in each cohort to share where security and performance are aligned and to check if there is no tradeoff.

Sign up to the newsletter

Sign up to the Digital Security by Design newsletter to stay up to date with our events, news, insights and opportunities. Be the first to know about our work and ways to get involved.

UKRI DSbD Councils
Website delivered by Digital Catapult as part of the Technology Access Programme, funded by UKRI through the Digital Security by Design Programme