Biting the CHERI bullet: Blockers, Enablers and Security Implications of CHERI in Defence

TL;DR

The paper presents a 12-month, multi-team evaluation of CHERI on the Morello platform to assess adoption readiness for Defence software. It identifies a taxonomy of blockers (dependencies, knowledge premium, missing utilities, technical debt, performance, platform instability) and enablers (tooling, code quality, easy porting), alongside five potential security vulnerabilities that CHERI could expand if misconfigured. Using Grounded Theory to analyze 12 final reports, the study also discusses competing approaches (memory-safe languages, software memory protection, hypervisors) and the risks CHERI poses to software certification. The work emphasizes the need for better documentation, tooling, and a formal CHERI knowledge base to reduce knowledge asymmetries and improve adoption in safety-critical contexts.

Abstract

There is growing interest in securing the hardware foundations software stacks build upon. However, before making any investment decision, software and hardware supply chain stakeholders require evidence from realistic, multiple long-term studies of adoption. We present results from a 12 month evaluation of one such secure hardware solution, CHERI, where 15 teams from industry and academia ported software relevant to Defence to Arm's experimental Morello board. We identified six types of blocker inhibiting adoption: dependencies, a knowledge premium, missing utilities, performance, platform instability, and technical debt. We also identified three types of enabler: tool assistance, improved quality, and trivial code porting. Finally, we identified five types of potential vulnerability that CHERI could, if not appropriately configured, expand a system's attack surface: state leaks, memory leaks, use after free vulnerabilities, unsafe defaults, and tool chain instability. Future work should remove potentially insecure defaults from CHERI tooling, and develop a CHERI body of knowledge to further adoption.