
CHERIoT and CHERI
Resolving the Memory Safety Challenge
Memory safety is the property that a program only reads or writes memory it is permitted to: within the bounds of a valid object (spatial safety) and only during that object's lifetime (temporal safety). Violating it allows unintended or malicious behaviour, and it matters for four reasons:
- Security: A majority of critical software vulnerabilities stem from memory safety violations; Microsoft and the Chromium project have each reported that roughly 70% of their serious security bugs fall into this class.
- Reliability: Memory errors cause crashes, silent data corruption and unpredictable behaviour that is hard to reproduce.
- Maintainability: When memory safety is enforced, a fault is caught at the offending access rather than surfacing later as an unrelated symptom, which makes debugging easier and reduces technical debt.
- Compliance: Regulators and government guidance (for example the CISA and NSA memory-safety roadmaps) increasingly expect vendors to use memory-safe languages or hardware mitigations, and a growing number of industries now require it.
Core Concepts of CHERI
CHERI (Capability Hardware Enhanced RISC Instructions) is an instruction-set architecture extension that enforces memory safety and software compartmentalization in hardware. Developed over more than a decade by the University of Cambridge in collaboration with SRI International, with funding from DARPA, it has been implemented for MIPS, RISC-V and Arm (the Morello prototype) and is the most mature hardware approach to the memory safety problem.
At its heart, CHERI replaces raw integer pointers with capabilities: hardware-enforced pointers that carry bounds, permissions and provenance, so that common memory-safety vulnerabilities such as buffer overflows and use-after-free fail at the offending instruction instead of silently corrupting memory. This fundamentally changes how memory management and access control are handled at the processor level.
What are Capabilities?
- Base and Bounds: Every capability carries the base address and length of the region it may address; any access outside that region faults, so buffer overflows and over-reads are stopped at the offending instruction.
- Permissions: A capability also carries the operations it allows (load, store, execute, and whether it may load or store other capabilities), so data buffers can be made non-executable and read-only data non-writable, preventing unauthorized memory modifications.
- Sealing: A sealed capability can be neither dereferenced nor modified until it is unsealed by code holding the matching authority; this is the building block for controlled transitions between protection domains, such as calls into another compartment.
- Tagging: A tag bit, held out of band in registers and memory, marks which words contain valid capabilities. Writing ordinary data over a capability clears its tag, so a corrupted pointer can no longer be dereferenced.
- Unforgeable: Capabilities can only be derived from existing capabilities, and a derivation can only shrink bounds or remove permissions, never add them (monotonicity). Bytes injected by an attacker are therefore never a usable pointer, which makes attacks such as stack smashing or ROP significantly harder.
Because every load, store and jump is performed through a capability, each memory access is checked in hardware at the granularity of individual objects rather than pages.
The CHERIoT Platform
The CHERIoT platform is a hardware/software co-design project and the smallest supported implementation of CHERI: a 32-bit RISC-V core with 64-bit capabilities (a 32-bit address plus 32 bits of compressed bounds, permissions and sealing metadata), optimized for small, low-power devices.

Key innovations in CHERIoT include:
- Secure, compartmentalized, real-time performance with low power consumption, suitable for a wide array of embedded and IoT applications.
- Efficient capability-based memory protection: bounds and permissions stop buffer overflows and privilege escalation, and a hardware-assisted revocation mechanism invalidates capabilities to freed memory, closing use-after-free bugs rather than merely making them harder to exploit.
- Hardware-enforced software compartmentalization that isolates system components from one another, so a compromised module (a network stack or a third-party driver, say) cannot read or corrupt the memory of the others.
- A privilege-separated RTOS whose trusted computing base, the compartment switcher, is only around 300 instructions.
- A compartmentalization model designed for ease of use from higher-level languages: compartment boundaries are expressed as annotated C/C++ function declarations rather than hand-written IPC.
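To make the capability properties listed under "What are Capabilities?" concrete, and to show how CHERIoT extends the same mechanism to use-after-free, here is a small software model of a capability in plain C. It is an added illustration written for this page, not CHERI's real encoding and not code from the CHERIoT project: the struct fields, the 256-byte memory array, the 8-byte revocation granule and every function name are assumptions of the model. Real hardware packs the fields into a 64-bit (CHERIoT) or 128-bit word with a single out-of-band tag bit, traps on an attempt to widen bounds instead of clearing the tag, and also implements sealing and capability-load/store permissions, which this model leaves out.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed, simplified software model of a CHERI capability. Real hardware packs
 * these fields into one 64-bit (CHERIoT) or 128-bit word plus an out-of-band tag. */
enum { PERM_LOAD = 1, PERM_STORE = 2, PERM_EXECUTE = 4 };
typedef enum { CAP_OK = 0, CAP_ERR_TAG, CAP_ERR_PERM, CAP_ERR_BOUNDS } cap_err;
typedef struct {
    uintptr_t base;   /* lowest address the capability authorises */
    size_t    length; /* size of the authorised region in bytes */
    uint32_t  perms;  /* PERM_* bits */
    bool      tag;    /* validity bit, cleared by forgery or revocation */
} cap_t;

#define MEM_SIZE 256  /* modelled memory (assumption) */
#define GRANULE  8    /* revocation granule (assumption) */
static uint8_t memory[MEM_SIZE];
static uint8_t revoked[MEM_SIZE / GRANULE]; /* 1 = granule freed, not yet reusable */
static size_t  heap_top = 64;               /* bump allocator above a 64-byte "stack" */

/* The architectural root capability: all of memory, all permissions, tagged. */
static cap_t cap_root(void) {
    cap_t c = { 0, MEM_SIZE, PERM_LOAD | PERM_STORE | PERM_EXECUTE, true };
    return c;
}
/* CSetBounds: derive a capability for [base, base+len). Bounds can only shrink;
 * widening yields an invalid capability here (real hardware traps instead). */
static cap_t cap_setbounds(cap_t c, uintptr_t base, size_t len) {
    uintptr_t end = c.base + c.length;
    cap_t r = c;
    r.base = base; r.length = len;
    if (!c.tag || base < c.base || base > end || len > end - base) r.tag = false;
    return r;
}
/* CAndPerm: permissions can only be removed, never added (monotonicity). */
static cap_t cap_andperm(cap_t c, uint32_t mask) { c.perms &= mask; return c; }

/* The check hardware applies to every access: tag, then permission, then bounds. */
static cap_err cap_check(cap_t c, uintptr_t addr, size_t n, uint32_t need) {
    if (!c.tag) return CAP_ERR_TAG;
    if ((c.perms & need) != need) return CAP_ERR_PERM;
    if (addr < c.base || n > c.length || addr - c.base > c.length - n) return CAP_ERR_BOUNDS;
    return CAP_OK;
}
static cap_err cap_store_byte(cap_t c, uintptr_t addr, uint8_t v) {
    cap_err e = cap_check(c, addr, 1, PERM_STORE);
    if (e == CAP_OK) memory[addr] = v;
    return e;
}
/* Write n bytes from the start of the region and return how many were permitted:
 * a classic overflow writes all n, a capability stops at its bound. */
static size_t write_bytes(cap_t c, size_t n) {
    size_t written = 0;
    while (written < n && cap_store_byte(c, c.base + written, 0x41) == CAP_OK) written++;
    return written;
}
/* Overwriting pointer bytes with data (stack smash, heap overflow) yields a word
 * whose fields look plausible but whose tag is clear, so it cannot be used. */
static cap_t cap_forge(uintptr_t base, size_t len) {
    cap_t c = { base, len, PERM_LOAD | PERM_STORE | PERM_EXECUTE, false };
    return c;
}

/* Temporal safety, modelled on CHERIoT: malloc() derives a narrower, non-executable
 * capability; free() marks its granules in a revocation bitmap; a load filter clears
 * the tag of any capability loaded from memory whose base is in a revoked granule. */
static cap_t heap_alloc(cap_t root, size_t n) {
    size_t rounded = (n + GRANULE - 1) / GRANULE * GRANULE;
    cap_t c = cap_setbounds(root, heap_top, rounded);
    heap_top += rounded;
    return cap_andperm(c, PERM_LOAD | PERM_STORE);
}
static void heap_free(cap_t c) {
    for (uintptr_t a = c.base; a < c.base + c.length; a += GRANULE) revoked[a / GRANULE] = 1;
}
static cap_t cap_load_cap(const cap_t *slot) {
    cap_t c = *slot;
    if (c.tag && revoked[c.base / GRANULE]) c.tag = false;
    return c;
}
/* True when a saved pointer is valid before free() and invalid afterwards. */
static bool use_after_free_is_caught(void) {
    cap_t p = heap_alloc(cap_root(), 12), slot = p;  /* slot: the copy kept in memory */
    bool before = cap_load_cap(&slot).tag;
    heap_free(p);
    return before && !cap_load_cap(&slot).tag;
}

int main(void) {
    cap_t buf = cap_setbounds(cap_root(), 16, 8);
    printf("overflow: %zu of 16 bytes written\n", write_bytes(buf, 16));
    printf("widen: tag=%d  forge: tag=%d\n", cap_setbounds(buf, 16, 64).tag, cap_forge(16, 64).tag);
    printf("store via read-only cap: err=%d\n", cap_store_byte(cap_andperm(buf, PERM_LOAD), 16, 1));
    printf("use-after-free caught: %d\n", use_after_free_is_caught());
    return 0;
}
```

Each scenario in main corresponds to one of the properties above: the 16-byte write through an 8-byte capability stops after 8 bytes (bounds), the read-only derivation refuses a store (permissions), an attempt to re-widen the buffer or to build a pointer from raw bytes produces an untagged word (monotonicity and tagging), and the pointer saved before free() comes back untagged after it (CHERIoT-style revocation). Note the order of checks in cap_check: a clear tag is rejected before permissions or bounds are even consulted, which is why a forged capability with generous-looking fields is still useless.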
Find out more about CHERI-enabled ICENI - contact us now.
