Initial members join CHERI Alliance
The CHERI Alliance CIC (Community Interest Company) has been established to advance the industry-wide adoption of CHERI (Capability Hardware Enhanced RISC Instructions) security technology.
The CHERI Alliance aims to enhance security across the industry by ensuring compliance with commonly defined standards.
The initial founding members of the CHERI Alliance include Capabilities Limited, Codasip, the FreeBSD Foundation, lowRISC, SCI Semiconductor, and the University of Cambridge. The governing board of the Alliance will comprise representatives from both industry and academia. Their mission extends beyond technology, aiming to unite industry leaders, system developers, users, and security experts to promote CHERI as an efficient security standard.
Memory issues account for approximately 70% of cyberattack vectors. CHERI, a hardware-based technology developed by the University of Cambridge and SRI International since 2010, addresses these issues to protect consumers and prevent trillions of dollars in damages. The technology can be selectively applied to critical functions with minimal software modifications, enhancing the security of existing products while leveraging the extensive pool of existing C/C++ software.
In addition to fine-grained memory protection, CHERI enables high-performance scalable compartmentalisation. Compartmentalisation limits an attacker's ability to exploit unknown vulnerabilities, providing resilience against both known and future classes of vulnerabilities and exploit techniques. This is particularly important for mitigating the impact of supply chain attacks.
The success of CHERI relies on industry adoption and the support of a robust ecosystem. Collaboration within the industry is essential to share security expertise and drive education, adoption, and standardisation efforts. CHERI Alliance members will play a pivotal role in supporting standardisation, ensuring technical alignment and compliance, and driving broader commercial adoption.
Professor Robert N. M. Watson, Director of Capabilities Limited, said: “After 14 years developing the CHERI technology, we are so excited to see early industry adoption of CHERI, and CHERI Alliance’s foundation essential role in that effort.”
“The software community has been trying to solve memory-related issues for 75 years,” said Ron Black, CEO of Codasip. “Progress has been limited, and security breaches are surging. It’s time to complement the software efforts with robust hardware to prevent buffer overflows, over-reads, and other memory-related vulnerabilities. With CHERI, the hardware community can now give software the tools to fight this.”
“We are proud to be a founding member of the CHERI Alliance,” said Deb Goodkin, Executive Director, FreeBSD Foundation. “FreeBSD has been a significant part of the groundbreaking CHERI research for many years, recognising the critical importance of memory safety in programming. Security is a top priority for FreeBSD, and CHERI represents a significant advancement in addressing memory-safety vulnerabilities like buffer overflows. As the world's digital infrastructure evolves, protecting it against emerging threats is crucial. Our participation in the CHERI Alliance aligns perfectly with our mission to enhance system security and reliability and contribute to the growth of this vital technology.”
“lowRISC is honoured to be a founding member of the CHERI Alliance – alongside other hardware security leaders – to help promote CHERI as an efficient security standard,” said Dr. Gavin Ferris, CEO of lowRISC. “CHERI provides foundational hardware security and has been implemented by a growing number of vendors, across multiple ISAs, at a variety of design points from high-end application processors to 32-bit embedded systems. It has a proven ability to protect against exploits that leverage illegal memory accesses (such as buffer overflows) without requiring massive recoding of legacy software. The CHERI Alliance will play a vital role in helping drive this critical technology to widespread commercial adoption.”
“Market delivery of CHERI-based devices is critical in evolving robust proof points for this transformation technology,” stated Haydn Povey, CEO of SCI Semiconductor. “Working closely across the CHERI Alliance ensures ecosystems can be built and thrive in collaboration across the membership, and beyond. CHERI technology delivers a revolutionary impact on the industry, ensuring that existing critical vulnerabilities can be identified and resolved quickly, and that undetected future zero-day attack vectors are constrained. This new approach embraces the reality of industry-wide code reuse, reducing development burdens without importing critical systemic weaknesses.”
Professor Simon Moore, University of Cambridge, added: “As noted by the White House in a recent report on a path toward secure and measurable software, hardware support is critical to robust and efficient memory safety. Compiling software to run on CHERI enhanced processors guarantees very strong memory safety that an attacker cannot bypass.”
Membership requests
The CHERI Alliance will formally launch in September 2024 but is already accepting new member applications.
Interested companies can contact the Alliance at https://cheri-alliance.net/