The new Cyber Resilience Act (CRA) and the EU NIS2 Directive approach cybersecurity with a new design philosophy. Every product with a digital element must be secure by design and must minimize all digital risks, including unauthorized access to sensitive data, the size of the attack surface and the impact of an incident. The CRA requires confidentiality and integrity, authenticity of sender and receiver, a secure product lifecycle and secure software updates and upgrades; it also requires resilience to attack and graceful recovery from an incident without degradation of service or functionality.
In this talk we describe how Capability Hardware Enhanced RISC Instructions (CHERI) technology addresses these new requirements. CHERI provides memory safety and limits what rogue software can do. The design approach relies on the principle of least privilege: software runs in isolated compartments, and data is shared between compartments only when needed, and only safely.
CHERI-enabled devices support the TLS and TCP/IP protocols and let you create safeboxes to securely manage keys and certificates. They offer secure boot and secure initial configuration; they enforce bounds and permissions on every memory access; they are architected to limit the blast radius of any malicious piece of code to a single compartment and to recover gracefully from such an event. Because they contain the impact of any incident locally, they cannot serve as a foothold from which malware is distributed onward to a botnet. They are designed with CRA and NIS2 requirements in mind.
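The two properties the abstract leans on, bounds and permissions enforced on every memory access and compartments that cannot widen what they were given, are easiest to see in a small software model. The following C program is an added example for this page, not CHERI's own code or API: `cap_t`, `cap_restrict`, `cap_load` and `cap_store` are hypothetical names that model a capability as a pointer with bounds, permission bits and a validity tag, and a `-1` return stands in for the hardware exception a real CHERI core would raise. The memory layout (an 8-byte public record followed by a 16-byte key) is constructed for the demonstration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Permission bits carried by a capability (modelled on CHERI's load/store permissions). */
#define PERM_LOAD  (1u << 0)
#define PERM_STORE (1u << 1)

/* Software model of a capability: pointer plus bounds, permissions and a validity tag.
 * Hypothetical type for this example; real CHERI keeps these fields in the hardware pointer. */
typedef struct {
    uint8_t *base;    /* first byte the capability may touch */
    size_t   length;  /* number of bytes in bounds */
    unsigned perms;   /* PERM_* bits */
    bool     tag;     /* false once the capability has been forged or widened */
} cap_t;

/* Root capability over a whole buffer (what a trusted boot loader or OS would hand out). */
cap_t cap_from_buffer(uint8_t *buf, size_t len, unsigned perms) {
    cap_t c = { buf, len, perms, true };
    return c;
}

/* Derive a narrower capability. Monotonicity: bounds may only shrink and permissions may
 * only be dropped; any attempt to widen yields an untagged (unusable) capability. */
cap_t cap_restrict(cap_t c, size_t offset, size_t len, unsigned perms) {
    cap_t out = { NULL, 0, 0, false };
    if (!c.tag || offset > c.length || len > c.length - offset || (perms & ~c.perms))
        return out;
    out.base = c.base + offset;
    out.length = len;
    out.perms = perms;
    out.tag = true;
    return out;
}

/* Checked load: -1 models the exception raised on a tag, bounds or permission failure. */
int cap_load(cap_t c, size_t off) {
    if (!c.tag || !(c.perms & PERM_LOAD) || off >= c.length) return -1;
    return c.base[off];
}

/* Checked store: 0 on success, -1 on fault. */
int cap_store(cap_t c, size_t off, uint8_t v) {
    if (!c.tag || !(c.perms & PERM_STORE) || off >= c.length) return -1;
    c.base[off] = v;
    return 0;
}

/* Scenario: a compartment receives a read-only capability to an 8-byte public record that
 * sits directly in front of a 16-byte key (constructed layout). Returns how many of 24
 * sequential reads are refused; with bounds enforced the 16 key bytes are never readable. */
int demo_overrun_denied(void) {
    uint8_t memory[24];
    for (size_t i = 0; i < sizeof memory; i++) memory[i] = (uint8_t)i;
    cap_t root = cap_from_buffer(memory, sizeof memory, PERM_LOAD | PERM_STORE);
    cap_t pub = cap_restrict(root, 0, 8, PERM_LOAD);  /* the compartment's only view */
    int denied = 0;
    for (size_t off = 0; off < sizeof memory; off++)
        if (cap_load(pub, off) < 0) denied++;
    return denied;  /* 16: offsets 8..23 lie outside the compartment's bounds */
}

/* Scenario: writing through a load-only capability faults and leaves memory untouched. */
int demo_store_via_readonly_refused(void) {
    uint8_t buf[4] = { 10, 20, 30, 40 };
    cap_t ro = cap_restrict(cap_from_buffer(buf, sizeof buf, PERM_LOAD | PERM_STORE), 0, 4, PERM_LOAD);
    int rc = cap_store(ro, 1, 99);
    return (rc == -1 && buf[1] == 20) ? 1 : 0;
}

/* Scenario: a compartment cannot re-widen its capability or grant itself store permission,
 * while the narrow capability it legitimately holds keeps working. */
int demo_widen_refused(void) {
    uint8_t buf[8] = { 0 };
    cap_t narrow = cap_restrict(cap_from_buffer(buf, sizeof buf, PERM_LOAD | PERM_STORE), 2, 4, PERM_LOAD);
    cap_t wider = cap_restrict(narrow, 0, 8, PERM_LOAD);                  /* longer than parent */
    cap_t escalated = cap_restrict(narrow, 0, 4, PERM_LOAD | PERM_STORE); /* adds a permission */
    return (!wider.tag && !escalated.tag && cap_load(narrow, 0) == 0) ? 1 : 0;
}

int main(void) {
    printf("reads refused past compartment bounds: %d of 24\n", demo_overrun_denied());
    printf("store via read-only capability refused: %d\n", demo_store_via_readonly_refused());
    printf("widening/escalation refused: %d\n", demo_widen_refused());
    return 0;
}
```

The point of the model is the invariant in `cap_restrict`: a compartment can only ever derive capabilities that are narrower than what it was given, so a compromised compartment's reach is bounded by its initial grant, which is what lets the device contain an incident locally rather than expose keys or act as a launch point for further spread.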