|
|
|
www.design-reuse-embedded.com |
|
CHERI Protects Memory at the Hardware Level
Jamie Broome, chief product officer for automotive business and product management at Codasip, explained the role and importance of the CHERI Alliance and described Codasip's new L730 processor focused on security and customization.
www.eetimes.eu, Feb. 04, 2025 –
Software-based security solutions have improved system protection but remain fundamentally vulnerable, often imposing performance tradeoffs due to their reliance on continuous monitoring and computational overhead. As cyberthreats become more sophisticated, attackers find new ways to exploit software-layer weaknesses. This has driven a shift toward hardware-based security, which offers more resilient protection by integrating security mechanisms directly into the foundational computing infrastructure.
Unlike software, hardware security tackles vulnerabilities at their root, creating a barrier that is both difficult to penetrate and effective in terms of performance. The Capability Hardware Enhanced RISC Instructions (CHERI) technology, developed by the University of Cambridge and adopted by a group of organizations and governments through the CHERI Alliance, follows this approach.
In an interview with EE Times Europe, Jamie Broome, chief product officer for automotive business and product management at Codasip, explained the role and importance of the CHERI Alliance and described Codasip's new L730 processor focused on security and customization.
"CHERI focuses on memory protection by ensuring that data cannot be accessed outside the bounds of what is permitted, preventing memory overflow and unauthorized reading of sensitive information, which is achieved through a containerized framework at the hardware level," Broome said. "Software-based solutions like Rust require extensive code rewrites and can negatively impact performance, making them less practical for many use cases."
How does CHERI work?
CHERI's realization–and now commercialization–began with researchers at the University of Cambridge who recognized the propensity of commonly introduced software bugs in the code to jeopardize a device's memory. Given that most architectures protect memory quite poorly, these bugs open the floodgates to cyberattacks. Moreover, languages such as C/C++/Assembly do not automatically constrain access to certain parts of a device's memory. CHERI attempts to organize this aspect.
Based on capability-based addressing, CHERI works by assigning a "capability" to a particular part of the memory. A capability can be thought of as a label in the device's memory, containing not only the address but also the access rights and bindings on that part of the memory. It helps tag the degree of access available to any code, or even whether a code can be written in a particular part.
As an extension, CHERI can compartmentalize sensitive aspects of memory and "lock them in a box." This compartmentalization inherently occurs at the hardware level (with the help of software). As its design shows (Figure 1), using CHERI in a device introduces drastic reforms at the processor level.
Back
Contact Us
Partnership Offers