CHERI Security Hardware Program Essential to UK Security
![CHERI Security Hardware Program Essential to UK Security](https://assets.infosecurity-magazine.com/webpage/og/75497b23-a65b-4009-bd91-1a8867a73260.jpg)
The UK government-backed Digital Security by Design (DSbD) initiative must succeed to systematically address rising cyber risks to the nation, according to the National Cyber Security Centre’s (NCSC) CTO, Ollie Whitehouse.
Whitehouse made the remarks during an event showcasing the technological advances from the ambitious program, which aims to secure the underlying computer hardware used in the UK.
Based on the hardware concepts of the Capability Hardware Enhanced RISC Instructions (CHERI) project, the program has enabled academia and industry to develop hardware capabilities that prevent memory safety software vulnerabilities from occurring. Memory safety issues currently make up around 70% of all security vulnerabilities that are patched and assigned a CVE number.
Memory safety vulnerabilities are software bugs in how a program accesses memory, such as buffer overflows.
CHERI Offers New Approach to Memory Safety
CHERI was born out of a collaboration between semiconductor and software design company Arm and University of Cambridge researchers that dates back to 2014.
Whitehouse noted that edge security appliances, which are meant to protect us, frequently contain memory safety issues.
“They have vulnerabilities within them which are then laterally exploited by those who wish to do our country and the countries of our allies harm,” he explained.
Addressing the memory safety problem is therefore a national security priority. However, Whitehouse acknowledged that refactoring all C and C++ software code into memory-safe programming languages is not practical, given the scale at which it is used.
CHERI architecture offers a “fundamentally new approach to the problem,” Whitehouse noted.
The DSbD project, which has received £80m of government funding and £200m from industry since 2018, is coming to an end in March 2025. It has resulted in the development of effective, deployable secure hardware devices and tools by a number of companies that address the memory safety problem.
“Without [CHERI], there’s no way we ultimately enhance the posture of the UK at the pace and scale necessary,” Whitehouse added.
DSbD forms a key part of the government’s ambition to embed secure by design principles into digital technology. Another example is the UK’s Product Security and Telecommunications Infrastructure (PSTI) Act, which places obligations on smart device manufacturers to secure their products before going to market.
Overcoming Market Barriers to CHERI Adoption
While the DSbD program has demonstrated the efficacy of CHERI technology in preventing memory safety vulnerabilities, there remain major market barriers to real-world adoption.
Fundamentally, this revolves around the engineering costs of replacing current hardware components with CHERI-based solutions.
“The market is not asking for it and the vendors are not producing it. There isn’t enough market signal in either direction for one to respond to the other,” Whitehouse explained.
Incentivizing businesses to adopt secure hardware solutions ultimately comes down to creating market demand.
Whitehouse said he hopes the growing availability of CHERI solutions will help with this motivation and result in lower barriers to adoption.
He also urged those who are aware of the DSbD program to seek out “converts,” persuading organizations to demand CHERI technology from their technology supply chain.
“With that the market will respond, but they need the concert of the voice to do so,” he commented.
Professor John Goodacre, Challenge Director at DSbD and Professor of Computer Architectures at The University of Manchester, highlighted the enormous long-term business benefits of adopting these technologies. These include significantly reducing cybersecurity costs, such as those from incidents caused by vulnerability exploitation and from the constant patch management cycle that teams must undergo.
He also pointed out that the customer experience will be significantly enhanced by CHERI solutions.
“When was the last time you clicked on an update and had to patch your phone? We do this all the time,” Goodacre noted.
Development of CHERI Solutions
A number of technology firms demonstrated their CHERI-based solutions at the DSbD showcase event. These include CPU hardware capabilities developed by companies like Codasip and SCI Semiconductors. These solutions are fully compatible with standard RISC-V code.
There have also been a number of “secondary effects” from the development of the CHERI architecture, with the technology being used as a test target to improve the quality of existing software.
Digital Catapult is a non-profit organization which has worked with industry and academia to experiment with CHERI architecture to help facilitate developments that are viable in the real world.
The body has created a DSbD virtual laboratory space which allows organizations to test the security of software solutions against CHERI architecture, quickly uncovering known security vulnerabilities.
Another example of this is the Sunburst project, which will see two types of development boards featuring capability-enhanced processors based on the CHERIoT (Capability Hardware Extension to RISC-V for Internet of Things) technology, with the goal of getting this technology into the hands of engineers.
In addition, academia has been heavily involved in helping to understand and overcome the market barriers to CHERI adoption. This includes a social science-led research program, Discribe, coordinated by the University of Bath in the UK. The project has analyzed areas such as drivers of adoption for the DSbD initiative and its association with digital policy and legislation.
Researchers in the program have developed self-assessment tools to assess DSbD readiness and need, looking at providing metrics that can be taken to business leaders around investing in the technology.