
Capability Hardware Enhanced RISC Instructions

Capability Hardware Enhanced RISC Instructions (CHERI) is a technology designed to improve security for reduced instruction set computer (RISC) processors. CHERI aims to address the root cause of the problems caused by lack of memory safety in common implementations of programming languages such as C and C++, which are responsible for around 70% of security vulnerabilities in modern systems.

Background
CHERI is a capability architecture. Early capability architectures of the 1970s and 1980s, such as the CAP computer developed at the University of Cambridge and the Intel iAPX 432, demonstrated strong security properties. These systems relied on indirection tables to manage capabilities, which introduced performance bottlenecks because each memory access required multiple lookups. This approach was workable while processors were slow and memory was fast, but it became impractical by the mid-1980s as processor speeds outpaced memory access times. Meanwhile, as systems became faster and more complex, vulnerabilities such as buffer overflows and use-after-free errors became widespread. A later research programme that tasked participants with redesigning computer systems to improve security led a team from SRI International and the University of Cambridge to revisit capability architectures and to address the memory safety problems inherent in conventional designs. CHERI is the result: a design intended for modern computing environments that enforces memory safety and provides secure sharing and isolation, in order to handle increasing software complexity and to combat cyberattacks.
Mechanism
A CHERI system operates at the hardware level by providing a hardware-enforced type, the CHERI capability, that authorises access to memory. A capability holds an address together with metadata such as bounds and permissions. Instructions that access memory, such as loads, stores and jumps, must present one of these capabilities to authorise the access, whereas on a conventional architecture they would simply use an address. The metadata is stored inline alongside the address, in registers and in the computer's memory, and is protected by a tag bit held out of band: any attempt to modify a capability through ordinary data writes clears the tag, and an untagged capability cannot be used for any access. The hardware therefore knows which region of memory a given operation may touch and whether it may read, write or execute it, and can fault when a program operates on memory outside the bounds it was supposed to read or write. Because the metadata is associated with the value used to access memory rather than with the memory being accessed (in contrast to a memory management unit, which protects pages regardless of which pointer reaches them), the hardware can also catch cases where a program, while intending to access one object, reaches a different piece of memory that it is in principle allowed to access.

Implementations of CHERI also modify the default memory allocator, the component that decides that a range of addresses should be treated by a program as a single object. On a CHERI system the allocator must communicate that decision to the hardware by setting the bounds on the pointer it returns, which is represented as a CHERI capability; it may also convey the object's lifetime, to prevent use-after-free and use-after-reuse bugs. Depending on the context, CHERI can be used to strengthen compiler-level checks, to build secure enclaves, or to augment existing instruction set architectures. A 2020 report by Microsoft's Security Response Center found that CHERI's protections could be used to mitigate over 70% of the memory safety vulnerabilities the company addressed in 2019.
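The software model below illustrates the mechanism just described: a capability carrying address, bounds, permissions and a tag; loads and stores that are refused unless the capability authorises them; a tag that is cleared when a stored pointer is overwritten by an ordinary data write; and an allocator that sets the bounds on the pointer it hands out. It is an added example written for this page, not code from the CHERI project or any CHERI implementation. The struct layout, the `fault_t` codes, the 32-byte granule, the `cap_*` names and the bump allocator are all simplifications chosen here; real CHERI uses a compressed 128-bit encoding with representability constraints and dedicated instructions.

```c
/* Constructed software model of CHERI capabilities, for illustration only: the real
 * hardware encoding, representability rules and instruction names differ. */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

enum { PERM_LOAD = 1u, PERM_STORE = 2u, PERM_EXEC = 4u, PERM_ALL = 7u };
typedef enum { OK = 0, ERR_TAG, ERR_PERM, ERR_BOUNDS } fault_t;

typedef struct {
    uint64_t base, top;   /* authorised range is [base, top) */
    uint64_t cursor;      /* the address this "pointer" currently holds */
    uint32_t perms;       /* bitmask of PERM_* */
    bool     tag;         /* validity bit; false means unusable for any access */
} cap_t;

/* Simulated memory: data bytes plus one tag bit per capability-sized granule.
 * Tags live outside the addressable bytes, so data stores cannot forge them. */
#define MEM_SIZE 4096u
#define GRANULE  32u
_Static_assert(sizeof(cap_t) <= GRANULE, "capability must fit in one granule");
static uint8_t mem[MEM_SIZE];
static bool    tags[MEM_SIZE / GRANULE];

/* Root capability: authority over all of memory, as handed to firmware at reset. */
cap_t cap_root(void) {
    return (cap_t){ .base = 0, .top = MEM_SIZE, .cursor = 0, .perms = PERM_ALL, .tag = true };
}
/* The checks every memory instruction performs before touching memory. */
fault_t cap_check(cap_t c, uint32_t need, size_t width) {
    if (!c.tag)                                        return ERR_TAG;
    if ((c.perms & need) != need)                      return ERR_PERM;
    if (c.cursor < c.base || c.cursor + width > c.top) return ERR_BOUNDS;
    return OK;
}
/* Pointer arithmetic moves only the cursor; an out-of-bounds pointer may be held,
 * the fault happens when it is dereferenced. */
cap_t cap_inc_offset(cap_t c, int64_t delta) { c.cursor += (uint64_t)delta; return c; }

/* Narrow bounds to [cursor, cursor + len). Monotonicity: any attempt to widen
 * beyond the parent yields an untagged, therefore useless, capability. */
cap_t cap_set_bounds(cap_t c, uint64_t len) {
    uint64_t new_top = c.cursor + len;
    if (c.cursor < c.base || new_top > c.top || new_top < c.cursor) c.tag = false;
    c.base = c.cursor; c.top = new_top;
    return c;
}
/* Drop permissions; they can never be added back. */
cap_t cap_and_perms(cap_t c, uint32_t mask) { c.perms &= mask; return c; }

fault_t cap_load8(cap_t c, uint8_t *out) {
    fault_t f = cap_check(c, PERM_LOAD, 1);
    if (f == OK) *out = mem[c.cursor];
    return f;
}
/* A data store into a granule invalidates any capability stored there. */
fault_t cap_store8(cap_t c, uint8_t v) {
    fault_t f = cap_check(c, PERM_STORE, 1);
    if (f == OK) { mem[c.cursor] = v; tags[c.cursor / GRANULE] = false; }
    return f;
}
/* Capability-width stores and loads carry the tag via the out-of-band tag memory. */
fault_t cap_store_cap(cap_t dst, cap_t v) {
    fault_t f = cap_check(dst, PERM_STORE, GRANULE);
    if (f != OK) return f;
    if (dst.cursor % GRANULE) return ERR_BOUNDS;      /* must be granule-aligned */
    memcpy(&mem[dst.cursor], &v, sizeof v);
    tags[dst.cursor / GRANULE] = v.tag;
    return OK;
}
fault_t cap_load_cap(cap_t src, cap_t *out) {
    fault_t f = cap_check(src, PERM_LOAD, GRANULE);
    if (f != OK) return f;
    if (src.cursor % GRANULE) return ERR_BOUNDS;
    memcpy(out, &mem[src.cursor], sizeof *out);
    out->tag = tags[src.cursor / GRANULE];            /* tag comes from tag memory */
    return OK;
}

/* Toy bump allocator: the returned pointer's bounds are exactly the object. */
static uint64_t heap_next = 1024;
cap_t cap_malloc(cap_t heap, size_t size) {
    uint64_t start = heap_next;
    heap_next = (heap_next + size + GRANULE - 1) & ~(uint64_t)(GRANULE - 1);
    cap_t p = cap_set_bounds(cap_inc_offset(heap, (int64_t)(start - heap.cursor)), size);
    return cap_and_perms(p, PERM_LOAD | PERM_STORE);
}

/* Scenario 1: an off-by-one write past a 16-byte buffer faults at the first bad byte. */
fault_t demo_overflow(void) {
    cap_t buf = cap_malloc(cap_root(), 16);
    for (int i = 0; i < 16; i++) (void)cap_store8(cap_inc_offset(buf, i), 'A');
    return cap_store8(cap_inc_offset(buf, 16), 'A');  /* ERR_BOUNDS */
}
/* Scenario 2: overwriting one byte of a stored pointer kills it rather than forging it. */
fault_t demo_tag_clear(void) {
    cap_t root = cap_root(), reloaded;
    cap_t slot = cap_set_bounds(cap_inc_offset(root, 2048), GRANULE);
    (void)cap_store_cap(slot, cap_malloc(root, 64));
    (void)cap_store8(slot, 0x00);                     /* a corrupting write hits the pointer */
    (void)cap_load_cap(slot, &reloaded);
    uint8_t tmp;
    return cap_load8(reloaded, &tmp);                 /* ERR_TAG */
}
```

Two design points carry over to real hardware. First, the tag is not one of the bytes a program can address, so no sequence of data stores can manufacture a valid capability; only deriving one from an existing valid capability, with equal or narrower bounds and permissions, produces a usable pointer. Second, bounds travel with the pointer rather than with the page, which is why `demo_overflow` faults on the seventeenth byte even though the adjacent heap memory is perfectly readable and writable through some other pointer.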
CHERI architectures are also designed to be backward compatible with existing programming languages such as C and C++. A study by University of Cambridge researchers found that porting six million lines of C and C++ source code to CHERI required changes to 0.026% of the source lines of code (LoC).
Limits
The architecture introduces hardware complexity due to the tag-bit mechanisms and capability checks needed to enforce memory safety, and because capabilities are twice the size of conventional 64-bit pointers, pointer-heavy code sees a larger memory and cache footprint. Although optimisations have been implemented to minimise these impacts, and RISC-V standardisation
Implementations
The CHERI architecture has been implemented across multiple platforms and projects:
• Morello – Developed by Arm as part of the UKRI-funded Digital Security by Design (DSbD) programme, the Morello chip is a superset architecture designed to evaluate experimental CHERI features for potential production use on the AArch64 architecture. The Morello board supports CheriBSD, custom versions of Android, and Linux. It remains a research prototype.
• CHERIoT – Introduced by Microsoft in 2023 and now developed by multiple vendors, CHERIoT is a RISC-V CHERI adaptation optimised for small embedded devices. Sonata, a board primarily designed as a prototyping system for CHERIoT, has an open-source design, allowing researchers and developers to modify and adapt its hardware and software.
• X730 – Released by Codasip in 2024, this processor IP is an implementation of the draft RISC-V CHERI standard for an application-class processor.
• ICENI – Announced by SCI Semiconductor in 2024, a CHERIoT-compatible chip designed specifically for secure embedded systems.
History
Early CHERI prototypes were presented by 2012. These prototypes ran a microkernel with hand-written assembly for manipulating capabilities. CHERI was designed to be easy to implement on modern superscalar pipelined architectures: unlike earlier capability systems, it eliminated the need for indirection tables, avoiding the associated performance issues and showing that a modern capability architecture could be implemented efficiently. CHERI was originally prototyped as an extension to 64-bit MIPS. In 2014 CHERI hardware demonstrated its ability to run a full UNIX-like operating system, FreeBSD, showing that CHERI's capability model can integrate with existing software ecosystems. Later work introduced a compressed encoding that reduced the capability size to 128 bits by eliminating redundancy between the base, address and top. In 2019 CheriABI demonstrated a fully memory-safe implementation of POSIX, allowing existing desktop software to become memory safe with a single recompile.

By 2020 it had become evident that software vendors were reluctant to port their software without hardware vendor support, while hardware vendors were unwilling to produce chips without sufficient customer demand. UK Research and Innovation (UKRI) launched the Digital Security by Design (DSbD) programme to address these adoption barriers. The programme allocated £70M, matched by £100M of industrial investment, to build the CHERI software ecosystem. The Cornucopia project demonstrated that CHERI could enforce both spatial and temporal memory safety, offering deterministic protection against heap object temporal aliasing (roughly, "use-after-free"); its follow-up project was named Cornucopia Reloaded. Codasip announced that it had RISC-V IP cores with CHERI extensions available to license, and is actively developing a CHERI-enabled Linux kernel for the RISC-V architecture. In 2024 SCI Semiconductor announced ICENI, a CHERIoT-compatible chip designed specifically for secure embedded systems.

The CHERI Alliance, a non-profit organisation based in Cambridge, UK, was launched in 2024 by a number of high-tech companies, including Google as a founding member, to accelerate CHERI adoption and its integration into secure digital products and systems. It provides a platform for collaboration and helps the technology become more visible and easier to use. Its goal is to aggregate the ecosystem, and it welcomes members interested in CHERI, from commercial companies to universities, research centres and open-source communities. It is organised in working groups that focus on specific themes (operating system porting, tools, design recommendations and so on). It also organises conferences focused on CHERI and participates in a number of events to promote the technology.

A vendor has also announced WARP, described as the first commercially available CheriBSD-native RISC-V chipset built from the ground up with CHERI in mind, together with an OEM adoption programme of the same name for existing manufacturers to integrate the technology into their boards using the WARP chipset. The same vendor pledged to adopt CHERI end-to-end across all of its existing products and services going forward, and joined the CHERI Alliance CIC.