Peter Sewell

Here are my contact details, a photo, short bio, and CV

Teaching

• Part II and Part III/ACS Project suggestions for 2024-25
• The 2024-2025 Part 1B Semantics of Programming Languages course.
• The 2024-2025 Multicore Semantics and Programming (L304) ACS MPhil module and Part II Unit (with Tim Harris and Christopher Pulte) [slides]
• ...previous teaching

Research

Our REMS group (Rigorous Engineering for Mainstream Systems) does this, in collaboration with many academic colleagues in Cambridge and elsewhere, and industry colleagues in Arm, Google, IBM, RISC-V International, and elsewhere. REMS was originally funded by the eponymous EPSRC REMS Programme Grant, with Imperial and Edinburgh; it continues with other funding, including the EU ERC AdG ELVER (2018-2024), the ERC/UKRI Frontier Guarantee AdG SAFER (2024-2029), and donations from Arm, Google, Intel, and Amazon.

The CHERI project, led by Robert Watson, Simon Moore, and myself at Cambridge, and Peter Neumann at SRI International, extends conventional hardware Instruction-Set Architectures (ISAs) with new architectural features to enable fine-grained memory protection and highly scalable software compartmentalization. It is a hardware/software/semantics co-design project, involving architecture design, hardware implementation, system software adaption, and formal semantics and mechanised proof of security properties. The UKRI Digital Security by Design Challenge, with £70m government and £117m industry funding from 2019-2025, developed the industrial prototype Arm Morello CHERI-ARM 64-bit CPU, SoC, board, and software stack, to evaluate and demonstrate the mass-market industrial feasibility of CHERI. Here are our DSbD pages.

Recent REMS Group Papers

• Morello-Cerise: A Proof of Strong Encapsulation for the Arm Morello Capability Hardware Architecture. Angus Hammond, Ricardo Almeida, Thomas Bauereiss, Brian Campbell, Ian Stark, and Peter Sewell. In PLDI 2025. [ bib | doi | pdf | abstract ]
• Precise exceptions in relaxed architectures. Ben Simner, Alasdair Armstrong, Thomas Bauereiss, Brian Campbell, Ohad Kammar, Jean Pichon-Pharabod, and Peter Sewell. In ISCA 2025, Best paper award. [ bib | doi | pdf | abstract ]
• ISO/IEC TS 6010:2025 Programming languages --- C --- A provenance-aware memory object model for C, ISO/IEC JTC 1/SC 22. ISO, May 2025. Based on N3005: A Provenance-aware Memory Object Model for C. Working Draft Technical Specification ISO/IEC TS 6010:2023 (E). Jens Gustedt, Peter Sewell, Kayvan Memarian, Victor B. F. Gomes, Martin Uecker. http://www.open-std.org/jtc1/sc22/wg14/www/docs/n3005.pdf. June 2022. [ bib | .html | abstract ]
• Comprehensive Formal Verification of Observational Correctness for the CHERIoT-Ibex Processor, Louis-Emile Ploix, Alasdair Armstrong, Tom Melham, Ray Lin, Haolong Wang, and Anastasia Courtney, February 2025. [ bib | arXiv | http | abstract ]
• Towards general white-box automation: a typeclass-guided context cleaner. Thibaut Pérami. In CoqPL 2025. [ bib | http ]
• A CHERI C Memory Model for Verified Temporal Safety. Vadim Zaliva, Kayvan Memarian, Brian Campbell, Ricardo Almeida, Nathaniel Wesley Filardo, Ian Stark, and Peter Sewell. In CPP 2025. [ bib | doi | http ]
• It Is Time to Standardize Principles and Practices for Software Memory Safety. Robert N.M. Watson, John Baldwin, David Chisnall, Tony Chen, Jessica Clarke, Brooks Davis, Nathaniel Filardo, Brett Gutstein, Graeme Jenkinson, Ben Laurie, Alfredo Mazzinghi, Simon Moore, Peter G. Neumann, Hamed Okhravi, Alex Richardson, Alex Rebert, Peter Sewell, Laurence Tratt, Murali Vijayaraghavan, Hugo Vincent, and Konrad Witaszczyk. Communications of the ACM, 68(2):40–45, January 2025. [ bib | doi | http | abstract ]
• Fulminate: Testing CN Separation-Logic Specifications in C. Rini Banerjee, Kayvan Memarian, Dhruv Makwana, Christopher Pulte, Neel Krishnaswami, and Peter Sewell. In POPL 2025. [ bib | doi | pdf | abstract ]
• Formal Mechanised Semantics of CHERI C: Capabilities, Provenance, and Undefined Behaviour. Vadim Zaliva, Kayvan Memarian, Ricardo Almeida, Jessica Clarke, Brooks Davis, Alex Richardson, David Chisnall, Brian Campbell, Ian Stark, Robert N. M. Watson, and Peter Sewell. In ASPLOS 2024. [ bib | pdf | abstract ]
• CHERI: Hardware-Enabled C/C++ Memory Protection at Scale. Robert N. M. Watson, David Chisnall, Jessica Clarke, Brooks Davis, Nathaniel Wesley Filardo, Ben Laurie, Simon W. Moore, Peter G. Neumann, Alexander Richardson, Peter Sewell, Konrad Witaszczyk, and Jonathan Woodruff. IEEE Secur. Priv., 22(4):50--61, 2024. [ bib | doi | pdf | http | abstract ]
• An axiomatic basis for computer programming on the relaxed Arm-A architecture: the AxSL logic. Angus Hammond¹, Zongyuan Liu¹, Thibaut Pérami, Peter Sewell, Lars Birkedal, and Jean Pichon-Pharabod. In POPL 2024, ¹These authors contributed equally. Proc. ACM Program. Lang. 8, POPL, Article 21. [ bib | doi | pdf | abstract ]
• The Arm Morello Evaluation Platform---Validating CHERI-Based Security in a High-Performance System. Richard Grisenthwaite, Graeme Barnes, Robert N. M. Watson, Simon W. Moore, Peter Sewell, and Jonathan Woodruff. IEEE Micro, 43(3):50--57, 2023. [ bib | doi | pdf | http | abstract ]
• CN: Verifying systems C code with separation-logic refinement types. Christopher Pulte, Dhruv C. Makwana, Thomas Sewell, Kayvan Memarian, Peter Sewell, and Neel Krishnaswami. In POPL 2023, Proc. ACM Programming Languages 7, POPL, Article 1. [ bib | doi | project page | pdf | abstract ]

Blog articles

• Formal CHERI: rigorous engineering and design-time proof of full-scale architecture security properties, Peter Sewell, Thomas Bauereiss, Brian Campbell, and Robert N. M. Watson. Blog post, https://www.lightbluetouchpaper.org/2022/07/22/formal-cheri/, July 2022. [ bib | project page | http ]
• Bad Reasons to Reject Good Papers, and vice versa, Peter Sewell. SIGPLAN PL Perspectives Blog, December 2021. Also published 2022-12-07 on the Communications of the ACM Blog https://cacm.acm.org/blogs/blog-cacm/267440-bad-reasons-to-reject-good-papers-and-vice-versa/fulltext. [ bib | http ]

Research Topics

• CHERI: Capability enhanced systems (project page)
• ISA semantics and Sail (project page)
• Relaxed-memory concurrency
  • Relaxed-memory concurrency: Arm, RISC-V, and Power (rmem operational and isla axiomatic tools for hardware concurrency)
  • Relaxed-memory concurrency: C/C++11 (cppmem tool)
  • Relaxed-memory concurrency: x86
  • Relaxed-memory concurrency: the CompCert-TSO verified compiler (project page)
  • Relaxed-memory concurrency: general
• CN C verification and testing (repo) (tutorial)
• Cerberus C semantics (project page) (Cerberus tool)
• Cerberus: ISO WG14 C standards committee papers (project page)
• WebAssembly and JavaScript
• LinkSem: ELF linking semantics (project page)
• SibylFS: POSIX filesystem semantics (project page)
• nqsb-TLS (project page)
• Tool support for semantics
  • Lem: tool support for semantics (project page)
  • Ott: tool support for semantics (project page)
  • The POPLmark challenge (project page)
• Netsem: semantics for TCP, UDP, and Sockets (project page)
• Type-safe distributed languages (Acute and HashCaml)
• Dynamic update
• Java modules (project page)
• Language and communication infrastructure for mobile computation: Nomadic Pict (project page)
• Security policy
• Anonymity
• Secure encapsulation
• Iota: XML scripting
• Observational concurrent language semantics
• Process calculi
  • Models for name-passing processes
  • From rewrite rules to bisimulation congruences
  • Locality typing
  • Pi calculus tutorials
  • Finite Axiomatisability
• Hardware model abstraction
• Misc
• Plasma Physics

Another photo