CHERI builds global chip security alliance
The CHERI Alliance has officially launched with support from Google and global companies to drive a memory-safe chip architecture.
The Capability Hardware Enhanced RISC Instructions (CHERI) Alliance, based in Cambridge, UK, is expanding with global founding members after showing variants using both ARM and RISC-V instructions.
The charitable CIC (Community Interest Company) now includes Chevin Technology (UK), Critical Technologies (USA), the Defence Science and Technology Laboratory (DSTL, UK), Google (US), Light Momentum Technology (Taiwan), National Cyber Security Centre (NCSC, a part of GCHQ, UK), Parvat Infotech (India), SRI International (US), TechWorks (UK), Trusted Computer Centre of Excellence (US), the University of Birmingham (UK), and the University of Glasgow (UK) as founding members.
Previously announced founding members of the CHERI Alliance include Capabilities, Codasip, CyNam, the FreeBSD Foundation, lowRISC, OpenHW Group, SCI Semiconductor, Swansea University, and the University of Cambridge.
The CHERI architecture addresses memory-related vulnerabilities, a critical security challenge that accounts for approximately 70% of the vulnerabilities exploited in cyberattacks, but it does require code to be recompiled.
“Expanding our membership signals growing recognition of CHERI’s transformative potential,” said Prof Robert Watson, Director of the CHERI Alliance and Director of Capabilities.
“After more than a decade of development, it’s rewarding to see the CHERI community grow as new members bring their innovation and commitment to the Alliance. We are now well-positioned to advance our mission of delivering scalable, hardware-based security solutions that address critical vulnerabilities.”
“Google’s interest in CHERI stems from our unwavering commitment to security and privacy,” said Ben Laurie, Lead Security Researcher at Google. “We recognize the potential of CHERI in significantly enhancing system security by mitigating common software vulnerabilities. CHERI offers fine-grained compartmentalisation, which isolates sensitive data into secure compartments, and deterministic memory safety. In security-critical systems that handle sensitive information and personal data, such as those found in generative AI applications, CHERI helps protect against breaches and ensures robust protection against malicious attacks.”
The technology started development in 2010 through a collaboration between the University of Cambridge and SRI International to provide robust protection against memory safety issues such as buffer overflows and heap use-after-free vulnerabilities. The technology’s ability to enable high-performance, scalable compartmentalization significantly reduces the risk of both known and future unknown vulnerabilities.
A demonstration ARM chip called Morello was produced in 2022, while an FPGA implementation using the Ibex RISC-V instruction set has been developed by Microsoft and others. This has been turned into hardwired silicon by SRI with availability in the new year.
There are also several UK projects that finish this year to develop the technology for industrial, avionics and automotive applications, as well as a variant for x86 instructions developed by Critical Technologies in the US.
“With Syracuse University, CTI previously developed the first (and still to our knowledge only) capability based, formally verified, open source, multiboot loader for x86 processors with ‘late launch’ DR instructions and TPMs; we will do likewise with CHERI as needed to enable seL4 based virtualization for safe AI/ML,” said Stuart Card, VP and chief scientist at CTI.
There are also members in Taiwan and India.
“CHERI is a transformational technology, but until now has been largely limited to the UK,” said Dr. Divya Atkins, co-founder, Director, and CEO of Parvat Infotech. “We want to see its advantages extended to the rest of the world, and especially to India, where, at one end of the spectrum, there is a vast digital public infrastructure using server class hardware, and at the other end, smart cities full of IoT devices. All of these need better security, and our goal is to make that happen. Parvat, being an Indian company, is a newcomer to CHERI, but our principals have been working with CHERI in the UK, so we have the knowledge and experience to support our goal, as well as the mission of the CHERI Alliance.”
“The challenge of memory safety is a significant and growing problem for computing and cybersecurity – it simply cannot be ignored,” said John Moor, COO, TechWorks. “Industry must provide solutions for this challenge as the world becomes increasingly digital and connected. As the UK’s deep tech trade association, we understand the power of collaboration and TechWorks is fully supportive of the CHERI Alliance and its ambitious goals. We look forward to working with the CHERI Alliance to help raise more awareness and enable more commercially-available memory-safe solutions.”
Applications are through the CHERI Alliance website.