#cheri — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #cheri, aggregated by home.social.
-
When we originally created #CHERIoT, we added an instruction to make accessing globals uniform with respect to the rest of RISC-V. We fairly quickly realised it wasn’t a great design, but the toolchain changes required to eliminate it took a while.
We’ve finally done it and I spent a bit of time this week writing up our journey. Removing this instruction is something we always planned to do before rebasing on the upcoming RV32YE base.
-
We’ll be talking more about the progress on the CHERIoT port of Rust at CHERI Blossoms next week, but here’s a teaser:
The embedded graphics crate rendering an image on Sonata. This currently using a (memory-safe) C function to draw pixels (that can go away with a little bit more work) but the current compiler is able to build this crate and run it in a CHERIoT compartment.
-
Me? Trolling the other microcontroller vendors? Surely not! Maybe if they had bothered to do something about the most common source of vulnerabilities at some point in the last few decades, the could have been on the other side of the sign...
-
Yay, we won a Best in Show Award at #EmbeddedWorld ! In the Microcontrollers, Microprocessors, and IP category for our ICENI #CHERIoT chips!
-
First Post! Uh, I mean, First CHERIoT Silicon!
We have our first chips back! It is very exciting! Spatial and temporal memory safety, fine-grained compartmentalisation, and also a load of other big chips on a board, so you can play 'Where's ICENI?' on the board picture!
-
@cheri_alliance has posted about the Secure Horizons event in Duxford next week, which will be a great event for people who want to understand how CHERI (and, especially, CHERIoT) can make regulator compliance easier for secure IoT devices (as well as actually making them more secure).
Registration is still open and some SCI folks will be there!
-
For anyone who missed CHERITech, there’s an online after party on the 4th! The talks will be online shortly and then CHERITech Reloaded will give you an opportunity to ask questions.
So you have two weeks to think of awkward questions for me about CHERIoT Audit! Good luck!
-
Yay, the embargo was finally lifted yesterday so we can talk about the UK Government funding for #CHERIoT!
They funded us (SCI) to do two projects, for a total of £7.7M:
- Bring #Rust on CHERIoT to production qualities.
- Build our second-generation chip with a dual-issue core, post-quantum crypto hardware, and an edge inference accelerator.
-
“Fil-C: A Memory-Safe C Implementation”, LWN (https://lwn.net/SubscriberLink/1042938/658ade3768dd4758/).
On HN: https://news.ycombinator.com/item?id=45735877
On Lobsters: https://lobste.rs/s/mg0aur/fil_c_memory_safe_c_implementation
-
Great to see so many OS folks at SOSP last week when we presented the CHERIoT RTOS paper (and not to be the only one presenting work on CHERI)!
The paper is now live in the ACM Digital Library and already has almost 2,000 downloads. Hopefully a few of those will even translate to people reading it!
-
I'm joining @cheri_alliance@[email protected] as an ambassador, working to transform cybersecurity at its foundation.
Memory safety bugs cause 70% of cyber vulnerabilities, leading to disasters like OpenSSL Heartbleed and the 2024 CrowdStrike outage ($5.4 billion in losses). CHERI technology, developed over 15 years by Cambridge University and SRI International, prevents these attacks through hardware-enforced memory protection rather than endless software patches.
The momentum is extraordinary. The UK government invested £80 million alongside £200 million from industry, with backing from DSIT, NCSC/GCHQ, DSTL, and DARPA. Industry giants Google, Microsoft, and Arm have joined alongside BT Group and Siemens, recognizing that hardware-level security is no longer optional.
I'm particularly excited about our working groups porting critical operating systems to CHERI. FreeBSD, FreeRTOS, Zephyr, and seL4 have all been ported to run on CHERI hardware, with teams actively developing and maintaining these implementations. This ecosystem work ensures CHERI can protect everything from embedded IoT devices to enterprise servers, making memory safety accessible across the entire computing stack.
Microsoft found CHERI would have prevented two-thirds of their 2019 vulnerabilities. The technology is practical too – existing software often needs less than 0.03% code changes to become memory-safe. As we deploy AI and connect critical infrastructure, we can't afford to keep patching symptoms. CHERI addresses the root cause.
Join us in building secure-by-design systems. The Alliance welcomes all who share this vision. Let's stop playing defense and fundamentally solve memory safety.
-
🚀🤖 "CHERI with a #Linux hat" is the latest #geekfest where nerds dream of rearchitecting the universe with "capabilities" that sound like #access #control for your #toaster. 🍞🔐 Meanwhile, #Carl #Shaw showcases yet another attempt to make #Linux run on something other than your grandfather's calculator. 😂
https://lwn.net/Articles/1037974/ #CHERI #capabilities #innovation #HackerNews #ngated -
RE: https://infosec.exchange/@cheri_alliance/115304565481924558
Morello is a modified quad-core Neoverse N1 with CHERI support. The UK Government funded a lot of the development and there are a few tens of them left over that don't yet have homes.
They look like real computers (ATX case, HDMI out). The under my desk runs CheriBSD (FreeBSD fork), KDE with its Wayland compositor and a bunch of userspace apps, with everything including the GPU drivers memory safe. It can also run AArch64 binaries, but that's less fun.
If you're doing interesting research that would benefit from CHERI or if you are looking to evaluate building products on CHERI systems, reach out to the CHERI Alliance.
CHERI RISC-V (the 'Y' base) is near to standardisation, so there should be RISC-V CHERI application cores available fairly soon, but the Neoverse N1 is a fairly advanced microarchitecture (designed for server chips) and it will probably take a while for RISC-V chips to equal it in performance. It was a fairly rushed conversion to CHERI, so has a few significant performance artefacts that won't be there in a production chip, but this is still probably the best opportunity to get a desktop CHERI system for at least the next year or two.
-
RE: https://mastodon.social/@FreeBSDFoundation/115300447765010145
Oh, yay, I wrote one of these articles!
-
Anyone going to be at SOSP in a couple of weeks? I will be giving a keynote at the KISV workshop on Monday morning about how CHERI changes how you think about OS design, and then we'll be presenting our paper on the CHERIoT RTOS first thing on Tuesday morning (and at the poster session).
-
We’re looking at building a CTF competition to show off CHERIoT at Embedded World next year. We want to make it a supply-chain competition, so you get complete control over a source file that is compiled into the final image (including inline assembly) and have to exploit bugs in other compartments to control the device or leak a secret.
Unfortunately, the last time we did a CHERI CTF (BlueHat a few years ago), we found it very hard to come up with bugs that were both exploitable and not so obviously stupid that there is no chance that they would pass code review. I think we can probably have some things at compartment boundaries that miss some checks for the permissions of capabilities passed at boundaries, but I’d welcome any other suggestions.
(The last one was not a success because it wasn’t the only CTF running and everyone thought it was too hard, so we ended up with no one attempting it)
-
Some cool news about #Apple taking memory vulnerabilities seriously: https://security.apple.com/blog/memory-integrity-enforcement/
My understanding is that it improves upon the probabilistic protection of the original #MTE to make the probability of a successful attack even lower. I'm a little sad they didn't go for a more deterministic approach like #CHERI but still a cool development in real hardware.There's a bit more discussion here: https://lobste.rs/s/wlyzqn/memory_integrity_enforcement_complete
-
One of our founding directors, Mike Eftimakis, sat down with Akshaya Asokan from Information Security Media Group (ISMG) to explore how CHERI is helping tackle one of cybersecurity’s biggest challenges: memory safety.
CHERI (Capability Hardware Enhanced RISC Instructions) is a hardware-based approach to security, designed to prevent around 70% of today’s common vulnerabilities. Backed by industry leaders and the UK government, we're working to ensure global adoption across the electronics supply chain.
Watch the interview to learn more about:
💠 How CHERI addresses memory safety issues
💠 Common hardware supply chain vulnerabilities
💠 Progress on adoption by chipmakers
💠 Scalability challenges associated with CHERI🎥 Watch the full interview: https://www.bankinfosecurity.com/uks-cheri-alliance-expands-to-global-hardware-supply-chain-a-28942
#CHERI #CyberSecurity #HardwareSecurity #MemorySafety #SecurityByDesign #InfoSec
-
It was a great evening.
Both talks were great. Christian Farrow (@zedstarr) did an entertaining talk about about time synchronisation and atomic clocks, which was really good. Sadly it was so interesting I forgot to take any pictures.That is the second talk about time I heard at #NetMCR, but both were great and there was no overlap in information, surprisingly!
Apparently around #Nicosia is where the most spoofed GPS signals in the world happen.
Sam Cater (https://uk.linkedin.com/in/samalexcater) also gave a very interesting talk about #CHERI (https://www.cl.cam.ac.uk/research/security/ctsrd/cheri/) and what it does.
This was also great as I'd heard of the term, but that was about it. -
CHERI Security Hardware Program: A Vital Initiative for UK's Cyber Safety - https://www.redpacketsecurity.com/cheri-security-hardware-program-essential-to-uk-security-says-government/
-
CHERI Security Hardware Program: A Vital Initiative for UK's Cyber Safety - https://www.redpacketsecurity.com/cheri-security-hardware-program-essential-to-uk-security-says-government/
-
CHERI Security Hardware Program: A Vital Initiative for UK's Cyber Safety - https://www.redpacketsecurity.com/cheri-security-hardware-program-essential-to-uk-security-says-government/
-
CHERI Security Hardware Program: A Vital Initiative for UK's Cyber Safety - https://www.redpacketsecurity.com/cheri-security-hardware-program-essential-to-uk-security-says-government/
-
CHERI Security Hardware Program: A Vital Initiative for UK's Cyber Safety - https://www.redpacketsecurity.com/cheri-security-hardware-program-essential-to-uk-security-says-government/
-
Colin Percival's AWS re:Invent asks
https://www.daemonology.net/blog/2024-12-04-My-reinvent-asks.html
-
Great to see so many people building things on the #CHERIoT platform at the Digital Security by Design (#DSbD) all hands yesterday! If you didn't attend, here are some photos, videos, and links to the code, including Hugh the Lightbulb, an IoT light that can gracefully recover from bugs in the TCP/IP stack that would allow an attacker to gain arbitrary-code execution on non-#CHERI platforms.
-
Do you want to see #CHERIoT talking to #Morello, showing big server and tiny IoT-class #CHERI systems from the #DSbD ecosystem? Come to the UKRI stand at CyberUK this week!
-
@bugaevc I'll mention, but not advocate, CheriBSD <https://www.cheribsd.org/> …
-
Last week we open source an early prototype of a #CHERIoT network stack. If you want to see what #cheri and #dsbd can do to improve system resilience and security, read on. Memory safety is only a small part of be benefits of a complete CHERI platform.
https://cheriot.org/rtos/networking/auditing/2024/03/08/cheriot-network-stack.html
-
I just wrote a blog post about auditing the security properties of compartmentalisation with #CHERIoT.
Remember #cheri / #dsbd is not just (or even primarily) about memory safety, it's about the interesting things that you can build if you can assume memory safety at all levels in your stack, including assembly code.
-
Ed Maste, Senior Director of Technology at The FreeBSD Foundation, discusses the rapidly-evolving interplay between hardware, cybersecurity, open source, and instruction set architectures.
<https://hackernoon.com/the-cybersecurity-battle-has-come-to-hardware>
#RISCV #Arm #Morello #CHERI #CheriBSD #hardware #ISA #security #cybersecurity #University #Cambridge #SRI #FreeBSD
-
Some more relevant links:
https://freebsdfoundation.org/wp-content/uploads/2023/06/20230207-freebsd-use-cases.pdf
-
#FreeBSD30 timeline - a few things that happened during these 30 #FreeBSD years:
#UNIX #BSD #MULTICS #1BSD #2BSD #42BSD #43BSD #386BSD #ipfw #FreeBSDCon #BSDCON #ports #jails #FreeBSDFoundation #kqueue #EuroBSDCon #CoreTeam #AsiaBSDCon #BSDCAN #pf #OpenBSD #ZFS #DTrace #VNET #Capsicum #Cheri #Poudriere #clang #llvm #subversion #OpenZFS #git
