Endpoint Security , Hardware / Chip-level Security
CHERI Alliance Adds to Memory Safety Hardware Coalition
UK Government Agencies, Google Join Group that Promotes Memory SafetyThe British cyber and defense research agencies joined a U.S and U.K.-government-supported computer hardware project designed to stop memory-based cyberattacks.
See Also: Simplifying OS Migration
Backers of the project in June formed an alliance to push for wider adoption of Capability Hardware Enhanced RISC Instructions - better known as CHERI - saying its uptake by computer manufacturers would prevent buffer overflows and heap use-after-free vulnerabilities. One commonly cited figure is that about 7 in 10 cyberattacks are traceable to memory-safety issues (see:
CHERI controls the creation of memory pointers by software, enforcing boundaries and authorized use. Despite its name, backers say it also works on x86 chip architecture. Industry has been reluctant to adopt it. British semiconductor manufacturer Arm in 2022 printed hundreds of demonstration motherboards using the CHERI architecture, but the corporation declined to join the alliance. A major hurdle is the cost of recompiling code to work on the new architecture - leading to a self-reinforcing situation of low demand thwarting production. Alliance members hope to break through that barrier. "Expanding our membership signals growing recognition of CHERI's transformative potential," said Robert Watson, a University of Cambridge computer science professor and CHERI Alliance director. "We are now well-positioned to advance our mission of delivering scalable, hardware-based security solutions that address critical vulnerabilities." Ben Laurie, lead security researcher at Google said switching to CHERI will help in improving system privacy and safety, especially in generative AI applications that handle sensitive personal data. "Google's interest in CHERI stems from our unwavering commitment to security and privacy," Laurie said, "In security-critical systems that handle sensitive information and personal data, such as those found in generative AI applications, CHERI helps protect against breaches and ensures robust protection against malicious attacks." A company spokesperson did not immediately respond to a request on how Google is planning to integrate the technology into its operations. The tech industry has responded better to prodding to buttress memory safety at the software level. Google in September said switching to a memory-safe language such as Rust, helped the organization reduce significantly vulnerabilities in Android systems (see: Memory-Safe Coding Cuts Android System Flaws by 75%).