CHERI for Hypervisors and Operating Systems (CHaOS)

Lead Research Organisation: University of Cambridge


Software compartmentalisation is the decomposition of larger software packages - such as web browser or OS kernels - into isolated components. Each is granted limited rights to utilize system services or communicate with other isolated components. Intuitively, vulnerability mitigation from compartmentalisation is grounded in the principle of least privilege, which argues that security is improved by minimising the set of privileges available to those required. Compromised software will yield fewer rights and limit further attack surfaces to a successful attacker.

In prior work, we have developed CHERI, a set of architectural extensions to RISC instruction-set architectures to support efficient, fine-grained memory protection and scalable software compartmentalisation. Supported by the UK Industrial Strategy Challenge Fund (ISCF), Arm is creating the Morello CPU, SoC, and board, a high-end, industrial-quality demonstrator of the CHERI principles embodied within a commercial hardware design. This platform has the potential to support far more granular and more easily integrated compartmentalization support than convention hardware designs. However, the current research software stacks for CHERI have been almost entirely focused on memory protection rather than compartmentalisation -- in part because the software operational models associated with CHERI-based compartmentalisation have not yet been established.

We propose to design, prototype, and evaluate new CHERI-based compartmentalisation techniques usable to support fine-grained, scalable software compartmentalisation of real-world software on the Morello board, building a deep understanding (as well as practical prototypes) spanning a rich range of use cases and operational models. CHaOS will enable extensive adoption of software compartmentalisation in systems software stacks, offering strong mitigation for many known (and also still-to-be-discovered) vulnerability classes and exploit techniques affecting server, desktop, mobile, and embedded systems.

CHaOS will investigate the hypotheses that: (1) CHERI can support multiple effective operational models for compartmentalisation; (2) approaches to CHERI compartmentalisation must cater to substantial differences up and down the systems stack; (3) detailed elaboration of compartmentalisation will turn up critical practical considerations (e.g., as relates to debugging); and (4) further refinement of the CHERI (and Morello) architectures may be required as a result of lessons learned in this work.

We will explore these hypotheses across the systems software stack: the hypervisor, general-purpose OS kernel, and user applications. Our existing open-source corpus adapted for CHERI memory safety will be our starting point: the FreeBSD kernel and userspace, the PostgreSQL database, and Apple's WebKit. With our industrial partners on this proposal (Arm, Google, HPI, and Microsoft), we will extend our investigation to include Arm's Morello Android, Google's Hafnium hypervisor, HPI's printer software stack, and Microsoft's Verona language runtime.

Planned Impact

Economic and societal impact lie at the heart of the Industrial Strategy Challenge Fund (ISCF) Digital Security by Design (DSbD) programme, in which our prior work on CHERI constitutes an essential core technology, now being prototyped at scale via the Arm Morello CPU, SoC, and board. The DSbD challenge argues that enhanced processor security can close many of the most critical security vulnerabilities that have made widespread malware and ransomware attacks, hacking, and other malicious activities essentially trivial to perform given current system designs. If successful, Morello has the potential to inform all of Arm's future processor product lines, used in trillions of devices ranging from Internet of Things (IoT) and embedded, to mobile devices, to servers. The potential economic and societal impact of more trustworthy systems will arise not just from decreased actual damage (e.g., NHS outages due to WannaCry), but also from increased confidence to deploy computer systems in security- and safety-critical contexts such as autonomous vehicles and medical systems.

CHERI directly target these ubiquitous software vulnerabilities via efficient, fine-grained memory protection for C/C++ software, and scalable software compartmentalisation. Of these two pitches, only the former, memory protection, is currently grounded in strong practical understanding. However, software compartmentalisation carries with it the potentially more significant security effect, being one of the few known techniques to address not just known vulnerability classes and exploit techniques, but also future undiscovered ones. Unlike CHERI memory protection, there is a strong argument for improved performance and reduced energy use with CHERI compartmentalisation, as compared to baseline MMU-based designs.

Success of the DSbD programme, and widespread adoption of CHERI, depends integrally on the success of software compartmentalisation, which is the key challenge addressed by CHaOS.
There is a strong industrial desire to deploy increased compartmentalisation - but little appetite for current performance and power expense. In collaboration with our industrial partners, we will apply CHERI-based compartmentalisation to elements of several critical software ecosystems including FreeBSD, Android/Linux, iOS/macOS, Windows, and the HP printer stack. If successful, this project will enable widespread deployment of fine-grained software compartmentalization, mitigating many known vulnerability classes and exploit techniques, but also future as-yet undiscovered vulnerability classes and exploit techniques. Our approach will protect billions of devices from Android/iOS mobile phones and tablets to the Sony Playstation, Juniper routers, HP laser printers, and are also used by cloud services such as Netflix and Azure, from trivial attacks that are highly damaging today -- future classes of computing devices, including many billions more IoT devices.


10 25 50
Description Our compartmentalisation models are the de facto standard compartmentalisation implementations used on Arm's prototype Morello hardware (jointly funded with UKRI as part of ISCF), and will be used by dozens of companies and universities in the UK and internationally as part of the UKRI Digital Security by Design programme. Current industrial consumers include Google, Microsoft, and Arm in their research environments.
First Year Of Impact 2023
Sector Digital/Communication/Information Technologies (including Software)
Description Collaboration with Google 
Organisation Google
Department Google UK
Country United Kingdom 
Sector Private 
PI Contribution We have regular meetings with teams from Google, sharing research results from our work, and engaging with their product teams on potential use cases.
Collaborator Contribution During our meetings, we have reviewed a large number of potential use cases for CHERI-based compartmentalisation in Google products including Android, the Chromium web browser, and others. This has been extremely helpful in formulating our ideas and preparing for experimental deployment and evaluation. Members of multiple Google teams attend our regular project meetings, including from GChips and Google Research, and collaborate with us on papers, reports, and specifications.
Impact Our improving research prototypes addressing Google requirements, with the intention of experimental Google use as they mature.
Start Year 2020
Description Collaboration with, and funding from, Microsoft Research Cambridge 
Organisation Microsoft Research
Department Microsoft Research Cambridge
Country United Kingdom 
Sector Private 
PI Contribution Our collaboration is around co-process compartmentalisation, a form of CHERI-based compartmentalisation implementing a higher-performance version of the UNIX process model. A PhD student working closely with the CHaOS team, supported by a Microsoft ICASE award, is developing a user level microkernel over the co-process model.
Collaborator Contribution Microsoft Research Cambridge has supported an EPSRC ICASE award for the PhD student, who is building a user level microkernel running over the co-process model designed and implemented by a research engineer supported by CHaOS. We meet with Microsoft Research monthly to discuss this work, and are preparing for the student to attend an internship at Microsoft this summer to collaborate more closely with the group. Further, multiple members of the MSR CHERI / Morello team are engaged closely with us in the design of the co-process model, even beyond the PhD student's work.
Impact An in-progress open-source software prototype of the 'comsg' IPC model and userspace microkernel.
Start Year 2021
Description SRI International 
Organisation SRI International (inc)
Country United States 
Sector Charity/Non Profit 
PI Contribution We have developed co-process and other compartmentalisation models as part of our EPSRC CHaOS work. SRI International and Cambridge will now receive joint DARPA to funding to extend this work to explore application prototypes and further techniques.
Collaborator Contribution Our collaboration will begin in April 2022.
Impact This is a long-term research partnership, but the collaboration around the CHaOS compartmentalisation work is quite recent and doesn't yet have outputs.
Start Year 2021
Title CheriBSD 22.12 
Description The CheriBSD research operating system runs on the CHERI-RISC-V and Arm Morello architectures, demonstrating tight integration of CHERI support into a richly featured, open-source operating system. The December 2022 release, 22.12, incorporates support for a memory-safe graphics stack, a large collection of memory-safe software packages, and experimental support for library compartmentalisation. 
Type Of Technology Software 
Year Produced 2022 
Open Source License? Yes  
Impact In extensive use across the UKRI Digital Security by Design (DSbD) research ecosystem of dozens of companies and universities across the UK, as well as a number of industrial research labs around the world running on Arm Morello boards.