The final version of the CHERIoT 1.0 (Capability Hardware Extension to RISC-V for Internet of Things) specification has been published. It defines an instruction set extension (ISA) for building secure devices: CHERIoT provides hardware capabilities that control memory access, verify pointer validity and enforce isolation between code blocks. At the same time, a stable release of the reference formal model of the CHERIoT ISA, written in the Sail language, has been published. The project's developments are distributed under the BSD license.
The CHERIoT project was created by Microsoft to solve security problems in existing C and C++ code and to protect such code without having to rewrite it. Protection is implemented through a modified compiler that uses the extended processor instruction set to guarantee pointer integrity, enforce bounds on memory accesses and prevent access to freed memory. In 2023, CHERIoT was open-sourced and turned into a joint project that other companies have since joined.
The CHERIoT hardware is designed as a microcontroller based on the RISC-V architecture, implementing the CHERI (Capability Hardware Enhanced RISC Instructions) secure processor architecture with a capability-based memory access model, in which every memory read and write must be authorized by a capability. On top of the ISA defined by CHERIoT, a software model is built that guarantees memory safety at the granularity of individual objects, protects against access to already freed memory, and provides a lightweight mechanism (compartments) for isolating memory access.
This protection model maps directly onto the C/C++ language model, which allows it to be applied to existing applications: protecting them requires only recompilation and execution on hardware that implements the CHERIoT ISA. For example, CHERIoT makes it possible to obtain automatic bounds checking, tracking of the lifetime of memory regions and pointer integrity in components that process untrusted data, without changes to the source code.
Among the problems blocked by CHERIoT:
- Going beyond the bounds of an object in memory (buffer overflows and other out-of-bounds accesses);
- Pointer forging (with CHERIoT every pointer must be derived from an existing pointer; a pointer cannot be fabricated from an integer value);
- Use after free (any access through an invalid pointer, or through a pointer referencing a freed object, raises an exception when CHERIoT is used).
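To make the three properties above concrete, here is an added illustrative example written for this page; it is not code from the CHERIoT project and does not reproduce its ISA. It models a capability in software as a structure carrying an address, bounds, permissions and a tag bit, and performs on every load and store the check that CHERIoT hardware performs implicitly. On real CHERIoT hardware a plain C pointer already is such a capability and the compiler emits the capability instructions; the explicit `cap_*` helpers, the `alloc_rec` record standing in for allocator revocation state, and the `demo_*` scenarios are hypothetical names introduced only to make the semantics visible.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Illustrative software model added here; not CHERIoT code or its ISA. The
 * alloc_rec and cap_* names are hypothetical, introduced for this example. */
enum cap_fault { CAP_OK = 0, CAP_FAULT_TAG, CAP_FAULT_BOUNDS, CAP_FAULT_PERM };
enum { PERM_LOAD = 1u, PERM_STORE = 2u };

/* Stands in for the allocator state CHERIoT uses to revoke pointers into freed
 * memory (the real mechanism is a revocation sweep; here it is a flag). */
struct alloc_rec { unsigned char *mem; size_t len; bool live; };

struct cap {
    uintptr_t addr, base, top;   /* current address and [base, top) bounds */
    unsigned perms;
    bool tag;                    /* cleared tag = cannot be dereferenced */
    struct alloc_rec *rec;       /* allocation this capability derives from */
};

/* Root capability for a fresh allocation: exact bounds, load+store, tagged. */
static struct cap cap_alloc(struct alloc_rec *rec, size_t len) {
    rec->mem = calloc(len, 1); rec->len = len; rec->live = true;
    uintptr_t b = (uintptr_t)rec->mem;
    struct cap c = { b, b, b + len, PERM_LOAD | PERM_STORE, true, rec };
    return c;
}

/* Freeing invalidates every capability derived from the allocation. */
static void cap_free(struct alloc_rec *rec) {
    rec->live = false; free(rec->mem); rec->mem = NULL;
}

/* An integer cast to a pointer carries no tag: forged pointers never work. */
static struct cap cap_from_int(uintptr_t v) {
    struct cap c = { v, v, v, 0, false, NULL };
    return c;
}

/* Derivation is monotonic: bounds may only shrink; widening clears the tag. */
static bool cap_setbounds(struct cap *c, uintptr_t addr, size_t len) {
    if (!c->tag || addr < c->base || addr + len > c->top) { c->tag = false; return false; }
    c->addr = addr; c->base = addr; c->top = addr + len;
    return true;
}

/* Pointer arithmetic moves the address, never the bounds. */
static struct cap cap_offset(struct cap c, ptrdiff_t off) { c.addr += off; return c; }

/* The check performed on every load or store through a capability. */
static enum cap_fault cap_check(const struct cap *c, unsigned need) {
    if (!c->tag || c->rec == NULL || !c->rec->live) return CAP_FAULT_TAG;
    if (c->addr < c->base || c->addr >= c->top)     return CAP_FAULT_BOUNDS;
    if ((c->perms & need) != need)                  return CAP_FAULT_PERM;
    return CAP_OK;
}

static enum cap_fault cap_store(const struct cap *c, unsigned char v) {
    enum cap_fault f = cap_check(c, PERM_STORE);
    if (f == CAP_OK) c->rec->mem[c->addr - (uintptr_t)c->rec->mem] = v;
    return f;
}

static enum cap_fault cap_load(const struct cap *c, unsigned char *out) {
    enum cap_fault f = cap_check(c, PERM_LOAD);
    if (f == CAP_OK) *out = c->rec->mem[c->addr - (uintptr_t)c->rec->mem];
    return f;
}

/* In-bounds access behaves like ordinary C: returns the byte just stored. */
static int demo_inbounds(void) {
    struct alloc_rec r; unsigned char v = 0;
    struct cap p = cap_offset(cap_alloc(&r, 16), 15);
    cap_store(&p, 0x41); cap_load(&p, &v); cap_free(&r);
    return v;
}

/* Off-by-one read past a 16-byte buffer faults on the access itself. */
static enum cap_fault demo_overflow(void) {
    struct alloc_rec r; unsigned char v;
    struct cap p = cap_offset(cap_alloc(&r, 16), 16);
    enum cap_fault f = cap_load(&p, &v); cap_free(&r);
    return f;
}

/* A pointer rebuilt from a leaked address is untagged and faults even though
 * the address itself is valid. */
static enum cap_fault demo_forge(void) {
    struct alloc_rec r; unsigned char v;
    (void)cap_alloc(&r, 16);
    struct cap forged = cap_from_int((uintptr_t)r.mem);
    enum cap_fault f = cap_load(&forged, &v); cap_free(&r);
    return f;
}

/* Use after free: the dangling capability faults instead of reading freed memory. */
static enum cap_fault demo_use_after_free(void) {
    struct alloc_rec r; unsigned char v;
    struct cap buf = cap_alloc(&r, 16);
    cap_free(&r);
    return cap_load(&buf, &v);
}

/* Narrow to bytes [4, 8): byte 8 is inside the allocation but outside the
 * narrowed capability, and the narrowed capability cannot be widened again. */
static enum cap_fault demo_subobject(void) {
    struct alloc_rec r; unsigned char v;
    struct cap buf = cap_alloc(&r, 16), sub = buf;
    cap_setbounds(&sub, buf.base + 4, 4);
    struct cap p = cap_offset(sub, 4);
    enum cap_fault f = cap_load(&p, &v);
    if (cap_setbounds(&sub, buf.base, 16)) f = CAP_OK;   /* widening must fail */
    cap_free(&r);
    return f;
}

int main(void) {
    printf("in-bounds byte 0x%02x; overflow %d, forge %d, uaf %d, subobject %d\n",
           demo_inbounds(), demo_overflow(), demo_forge(), demo_use_after_free(),
           demo_subobject());
    return 0;
}
```

The point of the model is which check fires where: the overflow and the sub-object case fail the bounds check, while both the forged pointer and the dangling pointer fail the tag check, so the code that reads freed memory or an attacker-supplied address never touches it. The sub-object scenario also shows the monotonicity rule from the list above: a capability narrowed to part of an object cannot be re-derived into something wider, which is what makes "all pointers must be derived from existing pointers" an enforceable property rather than a coding convention.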