In this deep dive on CHERI (Capability Hardware Enhanced RISC Instructions) and CHERIoT technology we describe how - thanks to RISCV - memory safety can help eradicate 70% of the world’s cybersecurity vulnerabilities.
We first introduce the technology and discuss how it enables foundational memory safety and achieves hardware enforced software security. We describe the mechanism of hardware enforced capabilities (or “secure pointers”), i.e. pointers to memory with bounds and permissions that offer fine-grained control over who is allowed to do what with which address in memory. Capabilities enforce the principle of least privilege and intentional use. In addition, we introduce the concept of compartmentalization of software which allows to minimize the impact of a software incident and to contain it locally.
We then proceed to describe how CHERI and the 32-bit CHERIoT RISCV extension is being standardized by the corresponding RISCV TG, what the current status of the specification is and when we hope to see it ratified in 2025/26.
The deep dive will include the low level details of the new RV32Y/RV64Y RISC-V base architectures for CHERI. It will include details of the ISA definition and how it compares with RV32/RV64.