CHERIoT, a Microsoft project to improve security in C


CHERIoT, an MS option for security for embedded systems

The news recently broke that Microsoft has opened the developments related to the CHERIoT project (Capability Hardware Extension to RISC-V for Internet of Things), intended to block security issues in C and C++ code existing. CHERIoT offers a solution to protect existing C/C++ code bases without having to refactor them.

The protection is implemented by using a modified compiler which uses a special extended set of processor instructions (ISA) provided by the processor and monitors memory access at the hardware level, verifies job correctness with pointers, and provides code block isolation.


The project was created with the understanding that the low-level nature of the C language becomes a source of memory errors, which leads to problems like buffer overflows, access to memory already freed, pointer dereferencing or double freeing.

Practice shows that even large corporations such as Google and Microsoft, which have a strict change review policy and use modern development methods and static analysis tools, cannot guarantee error-free working with memory (for example, about 70% of vulnerabilities in Microsoft and Google are caused by insecure memory management).

The problem It can be solved by using programming languages ​​that guarantee safe work.or with memory or links with additional controls, for example, by using MiraclePtr (raw_ptr) instead of common pointers, which performs additional controls to access freed memory areas.

However such methods are more suitable for new code y it's quite troublesome to rework existing C/C++ projects, especially if they are intended to run in resource-constrained environments, such as embedded systems and IoT devices.

The CHERIoT hardware components are designed as a microcontroller based on the RISC-V architecture, implementing the secure processor architecture CHERI (Capacity Hardware Extension for RISC-V), providing a controlled memory access model.

Basado en the instruction set architecture (ISA) Provided in CHERIoT, a programming model is built that guarantees the security of working with memory at the level of individual objects, provides protection against access to already freed memory, and implements a lightweight isolation system for memory access.

This programmatic protection model mirrors directly the C/C++ language model, allowing it to be used to protect existing applications (recompiling and running on ISA CHERIoT-compliant hardware only required) .

The proposed solution allows to block errors that cause out of bounds of an object in memory, does not allow pointer substitution (all pointers must be generated from existing pointers), monitors memory access after freeing (any memory access by a bad pointer or a pointer referencing a freed object raises an exception).

For example, using CHERIoT allows, without making any code changes, to implement automatic bounds checking, track the lifetime of memory areas, and ensure the integrity of pointers in components that process unreliable data.

The project includes a specification for a CHERIoT instruction set architecture extension, a reference implementation of an ISA CHERIoT-compliant 32-bit RISC-V CPU, and a modified LLVM toolset.

Finally If you are interested in knowing more about it, you must know that the prototype diagrams CPU and hardware block descriptions in Verilog are distributed under the Apache 2.0 license. The Ibex core of the lowRISC project is used as the basis for the CPU and the CHERIoT ISA code model is defined in the Sail language and distributed under the BSD license.

Additionally, a prototype CHERIoT RTOS real-time operating system is proposed, which provides the ability to isolate compartments (compartment) even on embedded systems with 256 MB of RAM.

The code CHERIOT RTOS It is written in C++ and is distributed under the MIT license. In the form of compartments, the basic components of the operating system, such as the boot loader, the scheduler, and the memory allocation system, are designed.

The content of the article adheres to our principles of editorial ethics. To report an error click here.

Be the first to comment

Leave a Comment

Your email address will not be published. Required fields are marked with *



  1. Responsible for the data: AB Internet Networks 2008 SL
  2. Purpose of the data: Control SPAM, comment management.
  3. Legitimation: Your consent
  4. Communication of the data: The data will not be communicated to third parties except by legal obligation.
  5. Data storage: Database hosted by Occentus Networks (EU)
  6. Rights: At any time you can limit, recover and delete your information.