Founding members include Capabilities Limited, Codasip, the FreeBSD Foundation, lowRISC, SCI Semiconductor, and the University of Cambridge
Cambridge, the United Kingdom, June 17, 2024 — The CHERI Alliance CIC (Community Interest Company) today announced it has been established to advance the industry-wide adoption of the security technology CHERI (Capability Hardware Enhanced RISC Instructions). The CHERI Alliance will drive the adoption of enhanced security across the industry and ensure compliance with commonly defined standards.
The initial founding members of the CHERI Alliance include Capabilities Limited, Codasip, the FreeBSD Foundation, lowRISC, SCI Semiconductor, and the University of Cambridge.
The Alliance governing board will include representatives from industry as well as academia, whose work will go beyond technology to unite industry leaders, system developers, users, and security experts to drive and promote CHERI as an efficient security standard.
Memory issues represent approximately 70% of the routes taken by cyber attackers. CHERI is a stable, well-established, hardware-based technology developed by the University of Cambridge and the research institute SRI International since 2010. It prevents memory issues to protect consumers and avoid trillions of dollars of damage. Because the technology can be applied selectively to critical functions and requires almost negligible software modifications, the security of existing products can be enhanced with a small effort. The huge pool of existing C/C++ software can therefore still be leveraged to get more secure systems.
In addition to fine-grained memory protection, CHERI enables high-performance scalable compartmentalization. Compartmentalization restricts the ability of an attacker to exploit an unknown vulnerability as a stepping stone to attack the system further. This is especially important because it provides resilience against not only exploits in known classes but also protects against future as-yet undiscovered classes of vulnerability and exploit techniques, reducing the impact of for example supply chain attacks.
To ensure the success of CHERI, industry adoption and support from a robust ecosystem are crucial. The industry must collaborate to share security expertise and drive education, adoption, and standardization efforts. The CHERI Alliance members will play a pivotal role in supporting standardization, ensuring technical alignment and compliance, and driving broader commercial adoption.
Professor Robert N. M. Watson, Director of Capabilities Limited, said: “After 14 years developing the CHERI technology, we are so excited to see early industry adoption of CHERI, and CHERI Alliance’s foundation essential role in that effort.”
“The software community has been trying to solve memory-related issues for 75 years,” said Ron Black, CEO of Codasip. “Progress has been limited, and security breaches are surging. It’s time to complement the software efforts with robust hardware to prevent buffer overflows, over-reads, and other memory-related vulnerabilities. With CHERI, the hardware community can now give software the tools to fight this.”
“We are proud to be a founding member of the CHERI Alliance,” said Deb Goodkin, Executive Director, FreeBSD Foundation. “FreeBSD has been a significant part of the groundbreaking CHERI research for many years, recognizing the critical importance of memory safety in programming. Security is a top priority for FreeBSD, and CHERI represents a significant advancement in addressing memory-safety vulnerabilities like buffer overflows. As the world’s digital infrastructure evolves, protecting it against emerging threats is crucial. Our participation in the CHERI Alliance aligns perfectly with our mission to enhance system security and reliability and contribute to the growth of this vital technology.”
“lowRISC is honored to be a founding member of the CHERI Alliance — alongside other hardware security leaders — to help promote CHERI as an efficient security standard,” said Dr. Gavin Ferris, CEO of lowRISC. “CHERI provides foundational hardware security and has been implemented by a growing number of vendors, across multiple ISAs, at a variety of design points from high-end application processors to 32-bit embedded systems. It has a proven ability to protect against exploits that leverage illegal memory accesses (such as buffer overflows) without requiring massive recoding of legacy software. The CHERI Alliance will play a vital role in helping drive this critical technology to widespread commercial adoption.”
“Market delivery of CHERI-based devices is critical in evolving robust proof points for this transformation technology”, stated Haydn Povey, CEO of SCI Semiconductor. “Working closely across the CHERI Alliance ensures ecosystems can be built and thrive in collaboration across the membership, and beyond. CHERI technology delivers a revolutionary impact on the industry, ensuring that existing critical vulnerabilities can be identified and resolved quickly, and that undetected future zero-day attack vectors are constrained. This new approach embraces the reality of industry-wide code reuse, reducing development burdens without importing critical systemic weaknesses.”
Professor Simon Moore, University of Cambridge, added: “As noted by the White House in a recent report on a path toward secure and measurable software, hardware support is critical to robust and efficient memory safety. Compiling software to run on CHERI enhanced processors guarantees very strong memory safety that an attacker cannot bypass.”
Membership requests
The CHERI Alliance will formally launch in September 2024 but is already accepting new member applications.
Interested companies can contact the Alliance at https://cheri-alliance.net/
Media contact
Tora Fridholm, tora.fridholm@cheri-alliance.net