Question 1

What is CHESS?

Accepted Answer

CHESS stands for Configurable Hardware Enforced Safety & Security. The CHESS platform developed by SecurWeave leverages virtualization extensions in the hardware and provides protection to systems from advanced threats of today. CHESS has two variants, CHESS-P and CHESS-E.

CHESS-P is specifically designed for protection of systems from malware that has kernel mode attack vectors. CHESS-P is designed for protection of systems that host a single OS and does not have virtualized applications executing on the OS.

CHESS-E targets emerging embedded systems where safe and secure coexistence of multiple Operating Systems are mandatory. Apart from the kernel mode protection features, CHESS-E also provides safety, mixed criticality and determinism.

Question 2

Are you using any 3rd party commercial or open source hypervisor as part of your product?

Accepted Answer

The hypervisor module in CHESS-P leverages hardware virtualization extensions in a unique way to provide security and safety to the system. The hypervisor is completely built from scratch by the SecurWeave team

Question 3

What are the performance impacts?

Accepted Answer

Performance micro benchmarking tests show drops of less than 0.01 percentage. Performance tests on applications show no deviations when compared to tests performed without CHESS. Performance test results are available on request.

Question 4

Why is CHESS-P supporting only Linux today?

Accepted Answer

We started with Linux as the government agencies we interacted with earlier were keen on Linux. As the hypervisor layer which is the key component of CHESS is OS independent, supporting Windows or any other Operating Systems can be done with not so significant effort. Windows support is definitely in our roadmap.

Question 5

Will CHESS force the userto stick to a particulartype of hardware /chip forever?

Accepted Answer

The new feature additions in the chip does not make existing features obsolete as all chip makers (specifically Intel) ensures backward compatibility when a new chip is introduced. Infact, currently our hypervisor without any changes works in the below list of processors.

Intel Core i7-9700 
Intel Core i7-7700 
Intel Core i7-2600 
   Intel Core i5-7200U 
   Intel Core i5-4200U 
Intel Core i5-3570 
Intel Core i3-8145 
Intel Core i3-4010

Question 6

Which are the industry segments targeted by CHESS ?

Accepted Answer

For CHESS-P we are looking at the embedded industry (SBCs), open switches, routers, gateways and desktop/servers that does not launch virtualized applications.

• Government Organisations 
 • Industrial Automation 
 • Aerospace & Defence 
 • Healthcare & Medical Devices 
 • Automotive 
 • Telecom 
 • BFSI

CHESS-P is targeted for embedded systems that are part of below industry segments.

• Industrial IoT 
 • Automotive 
 • Avionics

Question 7

What are the processors families that are supported?

Accepted Answer

Today we have support for Intel x86 and RISC-V. ARM processor support is in progress.

Question 8

Have you undertaken any threat modelling?

Accepted Answer

We have used the standard microsoft threat modelling tools. Apart from that we have followed secured design and coding practices.

Question 9

Are you following any particular standard (eg NIST)?

Accepted Answer

We are not following a particular standard but enforcing secure practices in our design and implementation. We target to get EAL certified in the future and have had preliminary talks with common criteria labs (STQC) in Delhi.

Question 10

Why can't this requirement be met with a secure boot application?

Accepted Answer

Each component in the boot chain (from firmware till OS) has a role to play in secure boot and ensures that the boot time components are safe. Our significant play is beyond the boot ie run time to protect the system from kernel mode attacks that can happen during the run time of the system.

Question 11

What about user space protection ?

Accepted Answer

Architecture of CHESS makes it possible for integrating with any 3rd party user space protection software seamlessly. For restrictive environments, we can provide certain levels of user space protection features such as hypervisor enforced application whitelisting etc without any 3rd party dependencies.

Question 12

Have you installed the product anywhere?

Accepted Answer

CHESS-P for x86 is currently deployed in IITM Rise Labs on Intel servers and these installations are used for malware testing as well as in 5G test beds. We have been working with IITM to enable CHESS-P support for the Shakti family of microprocessors, which is the nation's first indigenous RISC-V based SoC.

Question 13

How do you test the product against APTs?

Accepted Answer

We use openly available advanced malware samples as well as custom developed ones.

Kernel & Application Protector