CHERI Deep Dive

What Is CHERI?

#

CHERI (Capability Hardware Enhanced RISC Instructions) is a set of ISA extensions, developed since 2010 by the University of Cambridge and SRI International, that replace raw machine pointers with capabilities — hardware-enforced tokens of authority that carry their own bounds, permissions, and validity.

Unlike other hardware memory safety approaches, CHERI provides:

• Deterministic protection (not probabilistic)
• Spatial and temporal safety in a single mechanism
• Fine-grained compartmentalization within a single process
• Secret-free defense (nothing to leak)

Why this matters for AGIACC: CHERI is important not as an academic label, but as a credible path to turning safety from optional software discipline into platform architecture.

Anatomy of a Capability

#

A CHERI capability is a 128-bit value (on 64-bit architectures) that replaces a traditional pointer:

┌─────────────────────────────────────────────────────────────────┐
│  Tag │ Permissions │ Object Type │  Base  │ Length │  Offset   │
│ 1 bit │   ~16 bits  │   ~16 bits  │ 64 bits (compressed via CHERI Concentrate) │
└─────────────────────────────────────────────────────────────────┘

Key Properties

#

• Unforgeable — The tag bit can only be set by hardware. Software cannot fabricate a capability by writing 128 bits to memory; the tag will be cleared.
• Monotonically non-increasing — Capabilities can only be restricted, never amplified. You can narrow the bounds or remove permissions, but never add them.
• Provenance-enforced — Every capability must be derived from an existing valid capability, tracing back to the initial root capabilities provided by the kernel.

Spatial Safety

#

When a CHERI program dereferences a pointer-capability, the hardware checks:

1. Bounds — Is the access within [base, base + length)?
2. Permissions — Does the capability allow this type of access (read / write / execute)?

If either check fails, a hardware exception is raised immediately — before the access reaches memory. There is no probabilistic bypass; the check is deterministic.

// Traditional C: no bounds check
char *buf = malloc(64);
buf[100] = 'A';  // Silent overflow → exploitable

// CHERI C: hardware bounds check
char *__capability buf = malloc(64);
buf[100] = 'A';  // CHERI exception → program trapped

Temporal Safety

#

CHERI addresses temporal safety (use-after-free, dangling pointers) through two mechanisms:

Capability Revocation

#

When memory is freed, the runtime revokes all capabilities pointing to that allocation. Any subsequent use of a revoked capability triggers a hardware trap.

Implementations include:

• Cornucopia (sweeping revocation) — Periodically scans memory for stale capabilities, clearing their tags.
• Load-barrier revocation — Checks capability validity on every load, revoking lazily.

Heap Quarantine

#

Freed memory is quarantined until all capabilities referencing it have been revoked, preventing reallocation of memory to which dangling capabilities still exist.

Compartmentalization

#

CHERI’s most distinctive feature is in-process compartmentalization — the ability to isolate software components within a single address space using capability boundaries.

How It Works

#

• Each software component (library, plugin, module) is given a restricted set of capabilities that define exactly which memory regions and system resources it can access.
• Cross-compartment calls pass through a controlled gate (sealed capability invocation), transferring control with a minimal, well-defined interface.
• A compromised component cannot forge capabilities to access memory or resources outside its domain.

Comparison with Traditional Isolation

#

CHERI compartmentalization is 1000× cheaper than process isolation, enabling fine-grained isolation that would be impractical with traditional MMU-based approaches.

Hardware Implementations

#

Arm Morello (2022)

#

Arm’s Morello board — a modified Neoverse N1 core with CHERI extensions — is a research platform funded by the UK’s Digital Security by Design programme.

• Full CheriBSD operating system (FreeBSD-derived) running in pure capability mode.
• University researchers and industry partners (Thales, Huawei, Google DeepMind) have used Morello for automotive, healthcare, and AI security research.
• 6 million lines of C/C++ ported with only 0.026% source line modifications (Cambridge).

Microsoft CHERIoT (2023+)

#

CHERIoT (CHERI for IoT) is a RISC-V-based CHERI variant designed for resource-constrained embedded devices:

• Custom RTOS with a lightweight compartment model.
• Adds temporal safety for embedded allocators.
• LowRisc Sunburst boards funded by UK DSbD make CHERIoT hardware accessible to the wider community.

SCI Semiconductor ICENI

#

The ICENI chip from SCI Semiconductor is the first commercially available CHERI-enabled processor — a secure 32-bit RISC-V microcontroller targeting embedded security applications.

CHERI-RISC-V

#

A general-purpose CHERI extension for RISC-V, with formal specifications and FPGA reference implementations. The RISC-V CHERI Special Interest Group is working on standardisation within the ISA.

The Adoption Path

#

CHERI’s primary adoption barrier is recompilation — existing software must be compiled with a CHERI-aware toolchain. However, the actual code changes required are minimal:

Next: Memory Safety in AI Systems →