Peter Sewell

Here are my contact details, a photo, short bio, and CV

Teaching

• Part II and Part III/ACS Project suggestions for 2025-26
• The 2025-2026 Part 1B Semantics of Programming Languages course.
• The 2024-2025 Multicore Semantics and Programming (L304) Part III/ACS module and Part II Unit (with Tim Harris and Christopher Pulte) [slides] [notes]
• ...previous teaching

Research

This is in collaboration with many academic colleagues in Cambridge, Edinburgh, Aarhus, and elsewhere, and industry colleagues in Arm, Google, IBM, RISC-V International, and elsewhere. REMS (Rigorous Engineering for Mainstream Systems) was originally funded by the eponymous EPSRC REMS Programme Grant, with Imperial and Edinburgh; it continues with other funding, including the EU ERC AdG ELVER (2018-2024), the ERC/UKRI Frontier Guarantee AdG SAFER (2024-2029), and donations from Arm, Google, Intel, and Amazon.

The CHERI project, led by Robert Watson, Simon Moore, and myself at Cambridge, and Peter Neumann at SRI International, extends conventional hardware Instruction-Set Architectures (ISAs) with new architectural features to enable fine-grained memory protection and highly scalable software compartmentalization. It is a hardware/software/semantics co-design project, involving architecture design, hardware implementation, system software adaption, and formal semantics and mechanised proof of security properties. The UKRI Digital Security by Design Challenge, with £70m government and £117m industry funding from 2019-2025, developed the industrial prototype Arm Morello CHERI-ARM 64-bit CPU, SoC, board, and software stack, to evaluate and demonstrate the mass-market industrial feasibility of CHERI. Here are our DSbD pages.

Recent REMS Group Papers

• ArchSem: Reusable rigorous semantics of relaxed architectures. Thibaut Pérami, Thomas Bauereiss, Brian Campbell, Zongyuan Liu, Nils Lauermann, Alasdair Armstrong, and Peter Sewell. In POPL 2026. [ bib | doi | pdf | github | abstract ]
• Ghost in the Android Shell: Pragmatic Test-oracle Specification of a Production Hypervisor. Kayvan Memarian, Ben Simner, David Kaloper-Meršinjak, Thibaut Pérami, and Peter Sewell. In SOSP 2025. [ bib | doi | pdf | abstract ]
• Morello-Cerise: A Proof of Strong Encapsulation for the Arm Morello Capability Hardware Architecture. Angus Hammond, Ricardo Almeida, Thomas Bauereiss, Brian Campbell, Ian Stark, and Peter Sewell. In PLDI 2025. [ bib | doi | pdf | abstract ]
• Precise exceptions in relaxed architectures. Ben Simner, Alasdair Armstrong, Thomas Bauereiss, Brian Campbell, Ohad Kammar, Jean Pichon-Pharabod, and Peter Sewell. In ISCA 2025, Best paper award. [ bib | doi | errata | pdf | abstract ]
• ISO/IEC TS 6010:2025 Programming languages --- C --- A provenance-aware memory object model for C, ISO/IEC JTC 1/SC 22. ISO, May 2025. Based on N3005: A Provenance-aware Memory Object Model for C. Working Draft Technical Specification ISO/IEC TS 6010:2023 (E). Jens Gustedt, Peter Sewell, Kayvan Memarian, Victor B. F. Gomes, Martin Uecker. http://www.open-std.org/jtc1/sc22/wg14/www/docs/n3005.pdf. June 2022. [ bib | .html | abstract ]
• Arm systems semantics. Ben Simner. PhD thesis, University of Cambridge, April 2025. [ bib | doi | errata | pdf | http | abstract ]
• Comprehensive Formal Verification of Observational Correctness for the CHERIoT-Ibex Processor, Louis-Emile Ploix, Alasdair Armstrong, Tom Melham, Ray Lin, Haolong Wang, and Anastasia Courtney, February 2025. [ bib | arXiv | http | abstract ]
• Towards general white-box automation: a typeclass-guided context cleaner. Thibaut Pérami. In CoqPL 2025. [ bib | http ]
• A CHERI C Memory Model for Verified Temporal Safety. Vadim Zaliva, Kayvan Memarian, Brian Campbell, Ricardo Almeida, Nathaniel Wesley Filardo, Ian Stark, and Peter Sewell. In CPP 2025. [ bib | doi | http ]
• It Is Time to Standardize Principles and Practices for Software Memory Safety. Robert N.M. Watson, John Baldwin, David Chisnall, Tony Chen, Jessica Clarke, Brooks Davis, Nathaniel Filardo, Brett Gutstein, Graeme Jenkinson, Ben Laurie, Alfredo Mazzinghi, Simon Moore, Peter G. Neumann, Hamed Okhravi, Alex Richardson, Alex Rebert, Peter Sewell, Laurence Tratt, Murali Vijayaraghavan, Hugo Vincent, and Konrad Witaszczyk. Communications of the ACM, 68(2):40–45, January 2025. [ bib | doi | http | abstract ]
• Fulminate: Testing CN Separation-Logic Specifications in C. Rini Banerjee, Kayvan Memarian, Dhruv Makwana, Christopher Pulte, Neel Krishnaswami, and Peter Sewell. In POPL 2025. [ bib | doi | pdf | abstract ]

Blog articles

• Formal CHERI: rigorous engineering and design-time proof of full-scale architecture security properties, Peter Sewell, Thomas Bauereiss, Brian Campbell, and Robert N. M. Watson. Blog post, https://www.lightbluetouchpaper.org/2022/07/22/formal-cheri/, July 2022. [ bib | project page | http ]
• Bad Reasons to Reject Good Papers, and vice versa, Peter Sewell. SIGPLAN PL Perspectives Blog, December 2021. Also published 2022-12-07 on the Communications of the ACM Blog https://cacm.acm.org/blogs/blog-cacm/267440-bad-reasons-to-reject-good-papers-and-vice-versa/fulltext. [ bib | http ]

Talks

• On long-term research vision, Peter Sewell, January 2026. Talk at RTFM 2026 faculty mentoring workshop (Read the Faculty Manual) with POPL 2026, Rennes, 2026-01-13. [ bib | pdf ]
• Production language specification: requirements for multiple usages, Peter Sewell, June 2025. Talk at RPLS 2025 (Real-World Programming Language Specification), with PLDI 2025, Seoul/remote, 2025-06. [ bib | pdf ]
• Open problems from system software verification , Peter Sewell, June 2024. Talk at Iris workshop, Zurich, 2024-06-03. [ bib | pdf ]

Research Topics

• CHERI: Capability enhanced systems (project page)
• ISA semantics and Sail (project page)
• Relaxed-memory concurrency
  • Relaxed-memory concurrency: Arm, RISC-V, and Power (rmem operational and isla axiomatic tools for hardware concurrency)
  • Relaxed-memory concurrency: C/C++11 (cppmem tool)
  • Relaxed-memory concurrency: x86
  • Relaxed-memory concurrency: the CompCert-TSO verified compiler (project page)
  • Relaxed-memory concurrency: general
• CN C verification and testing (repo) (tutorial)
• Cerberus C semantics (project page) (Cerberus tool)
• Cerberus: ISO WG14 C standards committee papers (project page)
• WebAssembly and JavaScript
• LinkSem: ELF linking semantics (project page)
• SibylFS: POSIX filesystem semantics (project page)
• nqsb-TLS (project page)
• Tool support for semantics
  • Lem: tool support for semantics (project page)
  • Ott: tool support for semantics (project page)
  • The POPLmark challenge (project page)
• Netsem: semantics for TCP, UDP, and Sockets (project page)
• Type-safe distributed languages (Acute and HashCaml)
• Dynamic update
• Java modules (project page)
• Language and communication infrastructure for mobile computation: Nomadic Pict (project page)
• Security policy
• Anonymity
• Secure encapsulation
• Iota: XML scripting
• Observational concurrent language semantics
• Process calculi
  • Models for name-passing processes
  • From rewrite rules to bisimulation congruences
  • Locality typing
  • Pi calculus tutorials
  • Finite Axiomatisability
• Hardware model abstraction
• Misc
• Plasma Physics

Another photo