The CHERI technology was originally developed by the University of Cambridge. The technology has matured and reached a tipping point where general use becomes possible. The mission of the CHERI Alliance is to provide a framework that will drive and promote CHERI as an efficient security standard so that it is successfully deployed commercially.
The CHERI security technology provides a preventive approach that improves system security at runtime by extending conventional hardware ISAs with new architectural features to enable fine-grained memory protection and highly scalable software compartmentalization.
The billions of lines of C code that we use daily rely on pointers to memory that are inherently risky, and very often used by hackers to access data that they are not supposed to view or modify. CHERI replaces pointers with capabilities that prevent these abuses and adds watertight boundaries between different software functions. By construction, these hardware features cannot be bypassed, and a simple recompilation is often all it takes to get protected. There is no need to rewrite billions of lines of code.
The CHERI technology provides the robustness needed to address unexpected software defects and memory vulnerabilities, which would otherwise enable cyberattacks that target memory misuse. These are the most common attacks, which each year represent around 70% of newly detected software vulnerabilities.
For example, many attacks use techniques like “buffer overflows”, where a memory access is performed outside of the normal bounds of a data structure. This is impossible with CHERI because the data buffer’s boundaries are strictly enforced by the hardware. Similarly, CHERI helps identify software defects early by throwing an error if an access lands outside of a buffer, preventing silent bugs that could become harmful in some other use cases.
Some memory access errors are caused by the software designers themselves, by not observing or understanding the pitfalls built into the C and C++ programming languages.
By checking the bounds of all memory accesses, both known and future attacks can be mitigated.
The C in CHERI stands for capability. In security, a capability refers to an unforgeable token that provides a set of access rights. In CHERI, capabilities are used to convey memory access rights that include bounds and permissions. A capability is a replacement for a pointer. Capabilities can be used to check that every memory access is valid and to flag exceptions as needed, preventing unexpected behavior in software. Systems without CHERI typically have weak, or even no, runtime checking, and so are prone to malfunction through programming errors and malware attacks that go unnoticed.
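The buffer-overflow case above and the bounds-plus-permissions description of a capability can be made concrete with a small software model. This is an added illustration, not code from the CHERI Alliance or a CHERI toolchain: it mimics in plain C what the hardware does for every access (tag, permission and bounds checks, and monotonic derivation of narrower capabilities), with error codes standing in for the hardware exception.

```c
#include <stdint.h>
#include <stddef.h>
/* Software model of a CHERI capability (an added illustration, not CHERI
 * hardware): bounds, permissions and a validity tag travel with the pointer and
 * are checked on every access. Error codes stand in for the hardware exception. */
enum { PERM_LOAD = 1, PERM_STORE = 2 };
enum { OK = 0, ERR_TAG = 1, ERR_BOUNDS = 2, ERR_PERM = 3 };
typedef struct {
    uint8_t *base;   /* lower bound of the accessible region */
    size_t length;   /* region is [base, base + length) */
    unsigned perms;  /* subset of PERM_LOAD | PERM_STORE */
    int tag;         /* 1 = valid capability, 0 = unusable */
} cap_t;

/* Derive a narrower capability. Monotonicity: a child can never exceed its
 * parent's bounds or permissions; trying to widen yields an untagged cap. */
cap_t cap_derive(cap_t parent, size_t offset, size_t length, unsigned perms) {
    cap_t c = { parent.base + offset, length, perms & parent.perms, parent.tag };
    if (offset > parent.length || length > parent.length - offset)
        c.tag = 0;
    return c;
}
/* Checked one-byte load and store: tag, permission and bounds are all verified. */
int cap_load(cap_t c, size_t i, uint8_t *out) {
    if (!c.tag) return ERR_TAG;
    if (!(c.perms & PERM_LOAD)) return ERR_PERM;
    if (i >= c.length) return ERR_BOUNDS;  /* the classic buffer overflow */
    *out = c.base[i];
    return OK;
}
int cap_store(cap_t c, size_t i, uint8_t v) {
    if (!c.tag) return ERR_TAG;
    if (!(c.perms & PERM_STORE)) return ERR_PERM;
    if (i >= c.length) return ERR_BOUNDS;
    c.base[i] = v;
    return OK;
}
/* Constructed layout: a 4-byte buffer followed by other data in one allocation. */
static uint8_t mem[24] = "ABCDOTHER-DATA-HERE";
static const cap_t whole = { mem, sizeof mem, PERM_LOAD | PERM_STORE, 1 };
/* Reading index 4 of the 4-byte buffer is refused rather than leaking mem[4]. */
int overflow_read(void) {
    uint8_t v;
    return cap_load(cap_derive(whole, 0, 4, PERM_LOAD | PERM_STORE), 4, &v);
}
/* A read-only view of the same buffer refuses writes. */
int readonly_write(void) { return cap_store(cap_derive(whole, 0, 4, PERM_LOAD), 0, 'X'); }
/* Re-deriving a larger region from the small buffer cannot produce a valid cap. */
int widen_tag(void) { return cap_derive(cap_derive(whole, 0, 4, PERM_LOAD), 0, sizeof mem, PERM_LOAD).tag; }
```

On a conventional machine the same out-of-bounds index would silently return the neighbouring byte; here, as on CHERI hardware, the access is refused and the defect surfaces immediately.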
CHERI memory protection is “fine-grained” because access permissions can be specified down to individual memory locations, and every memory access is checked against them. Without fine-grained access checking in hardware, security mechanisms often fall back to simpler methods that provide coarse-grained or “statistical” protection, meaning that they cannot guarantee 100% protection.
CHERI compartmentalization is “fine-grained” and allows the definition of software compartments at any scale, from a complete software system down to a single function. Other “coarse-grained” techniques such as Virtual Machines do not offer this flexibility.
CHERI allows a clean isolation of any function or any data structure in the system, effectively creating a watertight boundary that provides defense in depth. This is much more efficient than a simple separation between “secure” and “unsecure” worlds, which is much too coarse to support the complexity of modern use cases.
CHERI and Rust complement each other.
Rust is a programming language focused on safety, speed, and concurrency, designed to ensure memory safety. Where possible, it is recommended to write new code in safer languages like Rust, but it is obviously impossible to rewrite the trillions of lines of existing code.
Rust relies on its FFI (Foreign Function Interface) to call “unsafe” native libraries written in C/C++. CHERI can be used to enforce memory safety in these libraries without having to rewrite them. It is therefore necessary to combine Rust and CHERI to get full protection.
There are multiple platforms available currently:
There are many ways to get involved, and you don’t have to be an expert in everything to participate in making the World more secure. It depends on your case: