Department of Computer Science and Technology


CTSRD – Project news

April 2024

We will be hosting CHERITech'24 (CHERI Technical Workshop) on 23 April 2024 in Cambridge. We are looking forward to a fruitful exchange of ideas.

September 2023

We have now released CHERI ISAv9, which replaces CHERI-MIPS with CHERI-RISC-V as our primary reference architecture, CHERI-MIPS is removed, merged register files are always used, tags are cleared in preference to exception throwing for non-monotonic capability modification, and DDC/PCC no longer relocate memory accesses by default. CHERI-RISC-V is substantially refined in preparation for standardisation. The CHERI-x86 sketch is now substantially more detailed.

December 2022

Welcome to the Fall 2022 release of the CheriBSD operating system. As well as a general update of the baseline FreeBSD OS from which CheriBSD is derived, we have introduced several new research components which will be of interest to the CHERI and CheriBSD community:

  • Memory-safe adaptation of Direct Rendering Manager (DRM) and Panfrost device driver, which enable a Morello-based desktop system using on-board GPU and HDMI. These drivers may be used with hybrid or pure-capability kernels.
  • An initial set of graphics and desktop CheriABI software packages such as Wayland and portions of KDE to get you up and running with a memory-safe desktop environment. These components remain under active development, and we anticipate continuing package updates after the CheriBSD release.
  • An early research prototype of Library Compartmentalization (GitHub page), which implements an alternative run-time linker running shared objects in libraries. This implementation is very much a work-in-progress, and is provided to enable research at other collaborator institutions needing easy access to the prototype. It is neither complete nor intended to be secure.
  • Improved pluggability of experimental heap temporal memory-safety support, which is not yet merged into the main development branch, but will now be easier to use by downloading an alternative kernel and heap allocator libraries provided by Microsoft.
  • Support for Arm’s Morello GDB in CheriBSD, which provides generally improved debugging support including Morello code disassembly. We have also added support for memory tag access from the debugger on live targets as well as core dumps.
  • Alpha support for ZFS file systems including support for boot environments.

While CheriBSD is by definition an experimental research operating system, the above features – other than GDB improvements – are not yet considered to be mature. They are being made available as an early release to facilitate collaboration, but will not be suitable for a general Morello audience until the following release.

As with previous releases, the default CheriBSD kernel on Morello ships with debugging features enabled, which should be disabled by booting a non-debug kernel before any performance benchmarking is performed.

May 2022

The CHERI Project is pleased to announce our Getting Started release of CheriBSD (22.05). The Getting Started release has been timed to coincide with the May 2022 availability of Arm's CHERI-enabled Morello Board prototype.

CheriBSD is an adaptation of FreeBSD for CHERI, providing an experimental operating system with a rich use of the Morello prototype architecture’s features. It is intended to be a platform for general research, development, evaluation, and demonstration for secure, memory-safe CHERI-enabled systems. CheriBSD provides spatial and referential memory safety to all software running in userspace and, optionally, the entire operating system kernel. Future releases will also implement CHERI-based temporal memory safety and software compartmentalization features.

The Getting Started release is delivered as an installable image which needs to be downloaded, written to a USB storage device, and installed on the Morello Board. Read the Getting Started with CheriBSD guide to learn more how to obtain a copy of the latest release and install it. The guide also includes information on what third-party software is available for CheriBSD and Morello.

The best way to contact CheriBSD developers, CHERI researchers, and other CheriBSD users is via the CHERI-CPU Slack, which includes a #cheribsd channel.

We gratefully acknowledge our sponsors and supporters including UKRI, DARPA, Arm, Google, Microsoft, and others. We offer many thanks to the complete CHERI hardware, software, and formal teams at SRI International and the University of Cambridge, without whom this work would never have taken place.

CheriBSD/Morello is a Digital Security by Design (DSbD) technology. This work was supported in part by the UK Industrial Strategy Challenge Fund (ISCF) and Innovate UK project Digital Security by Design (DSbD) Technology Platform Prototype, 105694.

January 2022

Arm has shipped its CHERI-enabled Morello prototype processor, SoC, and board! Read blog posts about this at Arm and Microsoft, and our own thoughts at Cambridge.

August 2021

August 2021: We have released an updated version of our CHERI software stack for Morello, which can be downloaded and run on the Arm Morello FVP ISA-level simulator or on QEMU-Morello. Key features include pure-capability kernel support, and integrated support for Morello in our main CheriBSD development branch.

February 2021

We have open sourced a CHERI adaptation of the WebKit browser framework and JavaScript interpreter, which has been developed in close collaboration with Arm. This is the first open-source JIT available for CHERI, and runs on Arm's Morello architecture.

October 2020

October 2020: We have released a prototype of our CHERI software stack for Morello, which can be downloaded and run on Arm's Morello FVP ISA-level simulator.

We have posted CHERI ISAv8. This ISA version is synchronized to Arm's Morello architecture, as well as presenting a mature version of our CHERI-RISC-V ISA.

September 2020

Arm has published its Morello architecture specification, a fully elaborated integration of the CHERI protection model into their ARMv8-A architecture.

June 2020

We have posted a new technical report, CHERI C/C++ Programming Guide, which documents the memory-safe CHERI pure-capability C and C++ programming languages, and their implications for software implementation and portability.

April 2020

We are pleased to announce two new papers on our website, both published at the IEEE Symposium on Security and Privacy (Oakland), on Cornucopia: Temporal Safety for CHERI Heaps and Rigorous engineering for hardware security: Formal modelling and proof in the CHERI design and implementation process.

October 2019

We are advertising two new jobs in compiler/OS research and engineering. These positions will contribute to our research and development on the Arm Morello board and CHERI software stack.

September 2019

UKRI has announced the Digital Security by Design Challenge, which includes £8M EPSRC and £3M ESRC calls to support new UK research around CHERI using an Arm-built CHERI-ARM 64-bit demonstrator CPU, SoC, and board (supported by InnovateUK), to be available from 2021.

We have now posted a new technical report, An Introduction to CHERI, which is a high-level summary of our work on CHERI architecture, microarchitecture, formal modeling, and software.

We have now posted our IEEE MICRO 2019 paper, CHERIvoke: Characterising Pointer Revocation using CHERI Capabilities for Temporal Memory Safety, which explores the potential for implementing strong temporal memory safety using the CHERI architecture.

June 2019

We have now posted the CHERI ISAv7 technical report. This new version of the CHERI architecture better differentiates architecture-neutral and architecture-specific aspects of CHERI, elaborates CHERI-RISC-V, adopts the CHERI Concentrate compression model, adds support for side-channel resistance, and makes a variety of other changes to improve performance and functionality. This is the first version of our specification that directly incorporates formal description of the ISA.

May 2019

We have now posted our IEEE Transactions on Computers article, CHERI Concentrate: Practical Compressed Capabilities, on techiques for the efficient storage of CHERI capabilities in memory.

April 2019

We are pleased to announce that our paper, CheriABI: Enforcing Valid Pointer Provenance and Minimizing Pointer Privilege in the POSIX C Run-time Environment, has won an ASPLOS 2019 Best Paper award.

We have posted an extended technical-report version of our ASPLOS 2019 CheriABI paper.

January 2019

We have now posted our ASPLOS 2019 paper, CheriABI: Enforcing Valid Pointer Provenance and Minimizing Pointer Privilege in the POSIX C Run-time Environment, on the general-purpose OS design implications of CHERI when used for ubiquitous memory safety.

August 2018

The New Scientist has published an article, Uncrackable computer chips stop malicious bugs attacking your computer, covering CHERI and other projects relating to security-focused computer architectures.

February 2018

We have posted new technical report describing how CHERI interacts with the Meltdown and Spectre side-channel attacks.

October 2017

We have now posted our ICCD 2017 paper, Efficient Tagged Memory, which explores the design and implementation of efficient hardware for tagged memory.

July 2017

We have now posted the CHERI ISAv6 specification, which introduces support for kernel-mode compartmentalization, jump-based rather than exception-based domain transition, architecture-abstracted and efficient tag restoration, and more efficient generated code. A new chapter addresses potential applications of the CHERI model to the RISC-V and x86-64 ISAs, previously described relative only to the 64-bit MIPS ISA. CHERI ISAv6 better explains our design rationale and research methodology.

April 2017

We have now posted our ASPLOS 2017 paper, CHERI-JNI: Sinking the Java security model into the C, which explores how CHERI capabilities can be used to support sandboxing with safe and efficient memory sharing between Java Native Interface (JNI) code and the Java Virtual Machine.

June, 2016

We have now posted the CHERI ISAv5 specification, which improves the maturity of 128-bit capabilities, code generation efficiency, and more detailed descriptions of the protection model.

We have now posted our PLDI 2016 paper, Into to the depths of C: elaborating the de facto standards, which develops a formal model for the C language -- and explores its implications for CHERI. This paper won a PLDI 2016 distinguished paper award.

May, 2016

We have now posted slides from the first CHERI microkernel workshop, which took place in Cambridge, UK in April 2016.

April, 2016

The first CHERI microkernel workshop took place in Cambridge, UK on 23 April 2016, drawing attendees from SRI International, the University of Cambridge, T U Dresden, ETH Zurich, George Washington University, ARM, Broadcom, Google, and Hewlett Packard Labs, and Oracle.

February, 2016

We have posted QEMU-CHERI, an ISA-level simulation of CHERI MIPS, to complement our HDL prototypes. QEMU-CHERI runs CheriBSD, providing an accessible CHERI experimentation environment.

November, 2015

Two new technical reports on CHERI are now available: CHERI ISAv4, and the CHERI Programmer's Guide.

October, 2015

Khilan Gudka has presented our paper on SOAAP, a tool to explore and evaluate compartmentalised software at ACM CCS 2015.

August, 2015

Our paper on SOAAP, an analysis tool to explore and evaluate compartmentalised software, has been accepted to ACM CCS 2015.

May, 2015

Our third full paper on CHERI, CHERI: A Hybrid Capability-System Architecture for Scalable Software Compartmentalization, was presented at the IEEE Symposium on Security and Privacy (Oakland) in May 2015. This paper discusses the hardware-software object-capability model used for software compartmentalisation on CHERI.

We have made a new release of the BERI/CHERI source code, which has been updated for our most recent architectural changes described in our ASPLOS and Oakland papers, and includes everything necessary to synthesise BERI on an Altera FPGA.

April, 2015

Our second full paper on CHERI, Beyond the PDP-11: Architctural support for a memory-safe C abstract machine was presented at ASPLOS in March and received the Audience choice: Best presentation award. This paper discusses convergence of ideas about fat pointers and capabilities needed to support widely used C-language code idioms when compiling for CHERI.

December, 2014

The New York Times has published a Special section on security with a quote from Peter G. Neumann in the lead article and an article on the CRASH program mentioning our work on CHERI.

June, 2014

We have now open sourced the BERI processor and its software stack, making available a high-quality RISC processor implementation and associated operating-system, compiler, and application stacks suitable for hardware-software teaching and research. This release includes full support for the CHERI ISA, which supports fine-grained memory protection and scalable software compartmentalization. This release coincides with presentation of our paper on the CHERI memory model at ISCA 2014.

April, 2014

Our first full paper on CHERI, The CHERI capability model: Revisiting RISC in an age of risk, will be presented at the International Symposium on Computer Architecture (ISCA) in June 2014.

We have now posted our paper on TESLA, presented at EuroSys 2014 in Amsterdam, The Netherlands. TESLA is a Clang/LLVM-based dynamic temporal assertion system that we have used to validate complex security properties, such as check-before-use, in operating systems, applications, and also security test suites.

February, 2014
The University of Cambridge Computer Laboratory has posted a job ad for multiple research assistants and post-doctoral researchers to work in the areas of operating-system, compiler, and CPU security. These roles will contribute to our CHERI, TESLA, and SOAAP projects, as well as support an open-source hardware-software research community we hope to develop around the CHERI processor.
December, 2013

Robert Watson has written a Light Blue Touchpaper blog post, 2013 Capsicum year in review, describing research and deployment progress for Capsicum in 2013.

October, 2013

We have now created a BERI open-source downloads web page that includes links to the hardware specs and build instructions for our Terasic DE4-based tablet, FreeBSD OS support, test suite, and shortly, open-source Bluespec designs.

Google has announced Capsicum for Linux, an adaptation of the Linux kernel to support Capsicum capability mode, capabilities, and process descriptors. This follows on the heels of ports of Capsicum to DragonFlyBSD, and news that FreeBSD 10.0 will ship with Capsicum enabled by default – along with several key applications sandboxed with Capsicum "out of the box".

August, 2013
We have open sourced Smten, a programming and SMT orchestration tool intended to support computer-aided verification of hardware designs, such as the CHERI processor, presented at CAV 2013.
June, 2013
We have open sourced the hardware specs and build instructions for our Terasic DE4-based tablet design. We use this tablet platform to host our BERI and CHERI processors.
April, 2013
The University of Cambridge Computer Laboratory has posted two job ads for the CTSRD project: research assistant and post-doctoral research associate positions in processor, operating system, and compiler security. Please see the job ads or recent blog post for further details.
December 2012
IEEE Spectrum has posted a Techwise Conversations podcast with Robert Watson discussing the clean-slate argument for computer security in operating systems and computer architecture.
October 2012

The New York Times has posted an article on Peter G. Neumann and our work on clean-slate host and network security as part of their Science section.

ACM Queue has posted a video interview with Robert Watson, CTSRD project lead at Cambridge on the topic of research into the hardware-software interface, as well as the CHERI processor.

An early prototype of our SOAAP toolchain is now available for download.

September 2012
We have now posted a workshop paper describing the Security-Oriented Analysis of Application Programs (SOAAP) at the Workshop on Adaptive Host and Network Security (AHANS 2012) in Lyon, France.
August 2012
BERI support for the FreeBSD operating system has been committed to the FreeBSD Subversion repository, and will be included in FreeBSD 10.0.
March 2012
We have now posted a workshop paper describing our goals in the CHERI project. This paper was presented at RESoLVE 2012 in London.
February 2012
Communications of the ACM Research Highlights carries two articles on Capsicum, a hybrid capability system model developed in collaboration between the University of Cambridge and Google Research. Capsicum introduces new operating system primitives in support of application compartmentalisation, the fine-grained decomposition of software applications into independently sandboxed components in order to mitigate security vulnerabilities.
January 2012
FreeBSD 9.0 ships with experimental support for Capsicum! Learn more about Capsicum below.