Adopting Memory-Safety and Fine-Grained Compartmentalisation With CHERI

Abstract

This talk will describe how CHERI achieves memory safety for existing code with just a recompile and how that non-bypassable memory safety can be used as a building block for higher-level security abstractions.

CPUs with CHERI support are starting to appear in commercial products now. CHERI began as a DARPA-funded research project at the University of Cambridge and SRI International  in 2010 to add support for fine-grained compartmentalisation (providing strong security boundaries around software components within a program) to modern CPU instruction sets. This included support for object-granularity memory safety, which allows usable abstractions for compartmentalisation, where programmers share objects, not pages. CHERI has subsequently been the subject of over £200M of total research, including Arm producing a high-performance test chip (Morello).

Most CHERI work has focused on incremental adoption. Morello, for example, can run versions of Linux and FreeBSD that can run unmodified binaries, and allows individual processes to adopt CHERI features either for isolated sandboxes or for a fully memory-safe process environment. The latter, on CheriBSD (the FreeBSD CHERI variant) includes a complete Wayland and KDE userspace stack.

Any memory-safety bug in any of this software track becomes a recoverable error (trapping before any memory corruption). A small team was able to run well over a hundred million lines of C and C++ in a fully memory safe environment. Rewriting in a safe language such as Rust would have cost orders of magnitude more.

CHERIoT aimed to showcase what will be possible once you can assume CHERI everywhere and design the software model to support this. The CHERIoT Platform is a fully open hardware-software stack for embedded systems that assumes CHERI from the ground up, with a mere 350 instructions that are trusted for the core isolation guarantees (contrast with around 50 KLoC in an embedded microkernel such as Zephyr or millions of lines of code in Linux). Every part of the system is built using CHERI-enabled compartmentalisation and .

The talk will discuss how fine-grained compartmentalisation can be not just possible, but easy on a CHERI system.

Date

Tuesday Mar 17

Share

Share Share

From the same track

Session

Why Governance Matters: The Key to Reducing Risk Without Slowing Down

When you hear “governance,” you might think of red tape, bureaucracy, or someone telling you what you can’t do. But real governance is about alignment and reducing technical risk. And that matters more than ever.

Speaker image - Sarah Wells

Sarah Wells

Independent Consultant and Author

Session

Building on Bedrock: A Security Philosophy from Bootloader to Runtime

In Minecraft, every world is built from blocks. At the very bottom lies bedrock: an unbreakable foundation that everything else rests on. Above it sit layers of stone, dirt, sand, and other materials.

Speaker image - Alex Zenla

Alex Zenla

Founder & CTO @Edera

Session

From Chaos to Clarity: Modern SBOM Practices That Actually Work

In this talk, Viktor will walk you through everything you need to know to build a practical and future ready SBOM strategy.

Speaker image - Viktor Petersson

Viktor Petersson

Founder of sbomify, Co-founder & CEO of Screenly, Host of Nerding Out with Viktor

Session

Catching Attacks in the Act: eBPF for Runtime Security

Since the SolarWinds attack and the Biden-era cybersecurity executive order, much of the security industry’s energy has gone into preventing attacks in the software supply chain, before software is ever deployed. That work matters — but it is not enough.

Speaker image - Liz Rice

Liz Rice

Chief Open Source Officer @Isovalent at Cisco, Ex-Governing Board at CNCF and OpenUK, Emeritus Chair, CNCF Technical Oversight Committee, eBPF, Security, Cilium, Cloud Native