CHERIoT-Ibex: Closing the door on memory safety vulnerabilities with hardware-enforced protection

Memory safety vulnerabilities, particularly common in popular programming languages like C and C++, continue to pose a significant risk across a wide range of systems, from tiny embedded devices to large cloud environments. Simply put, memory safety means that software only reads and writes the memory it is supposed to. When that guarantee fails, malicious actors can exploit the weakness to take control of devices or disrupt essential services.

According to industry reports, around 70% of the vulnerabilities that Microsoft labels as Common Vulnerabilities and Exposures (CVE) every year are related to memory safety issues. This highlights how often these flaws translate into real-world security threats (CISA – The Urgent Need for Memory Safety in Software Products). Hardware solutions like CHERIoT-Ibex are designed to eliminate these vulnerabilities at the hardware level, making it far less likely that a low-level software flaw can be exploited to compromise a device or interrupt a service. This approach builds a more reliable infrastructure from the ground up.

A Reliable Foundation for Memory-Safe Embedded Systems

CHERIoT-Ibex is the first open-source, production-quality implementation of the CHERIoT instruction set architecture and is also among the first cores to receive certification from the CHERI Alliance (CHERI Alliance – CHERIoT). CHERIoT extends the CHERI (Capability Hardware Enhanced RISC Instructions) instruction set and is aimed specifically at embedded and IoT applications. Ibex is a 32-bit RISC-V core created by lowRISC. By adding the CHERIoT capability extensions to Ibex, CHERIoT-Ibex provides hardware-enforced memory safety and fine-grained compartmentalization. This initiative is the result of a close collaboration between Microsoft Research and Azure Hardware Systems & Infrastructure, merging cutting-edge research with leading-edge silicon expertise.

In 2023, Microsoft open-sourced the CHERIoT Platform to advance hardware-enforced memory safety in embedded systems. The platform includes the instruction set architecture, a toolchain, a real-time operating system, and the RTL implementation of the CHERIoT-Ibex core. The CHERI Alliance certification confirms its ability to provide spatial and temporal memory safety, precise compartmentalization, and compatibility with the wider CHERI ecosystem. Importantly, CHERIoT-Ibex delivers these security features while remaining power- and area-efficient, demonstrating that affordability does not have to be sacrificed for security.

Why Memory Safety Remains a Key Security Concern

Traditional embedded systems and microcontroller designs often depend on software hardening and coarse-grained hardware protections such as memory protection units. These measures frequently fall short in stopping attacks like buffer overflows and use-after-free exploitation: they add complexity to the design while still leaving gaps in protection.

Imagine a controller running privileged firmware that handles device initialization, telemetry, and system health monitoring while also running a networking stack exposed to external input. A memory safety flaw in the networking stack could let an attacker execute unauthorized code within the firmware, potentially threatening every other critical function on the device. In tightly coupled systems, such a failure can escalate and amplify the overall risk.

Controlling Risks with Hardware-Enforced Isolation

CHERIoT-Ibex enables hardware-enforced isolation between different components, meaning that if the networking stack is compromised, it can’t easily affect system initialization or telemetry functions. By restricting the impact of software failures, CHERIoT-Ibex promotes a comprehensive security mindset instead of relying solely on individual components to safeguard themselves.
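To make the hardware's role concrete, here is a small software model of a CHERI-style capability, written for this article and not taken from the CHERIoT-Ibex project: a pointer carries its bounds, permissions and a validity tag, and every load or store is checked against them before any byte is touched. The `cap_t` layout, the fault codes and the 8-byte telemetry slot are simplifications assumed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <string.h>

/* Simplified model of a CHERI capability (assumption: real CHERIoT
   capabilities are compressed 64-bit values with more permission bits). */
enum { PERM_LOAD = 1, PERM_STORE = 2 };

typedef struct {
    uint8_t *base;     /* lowest address the capability may touch */
    size_t   length;   /* bytes covered: [base, base + length) */
    unsigned perms;    /* PERM_LOAD | PERM_STORE */
    bool     tag;      /* cleared when the capability is invalidated */
} cap_t;

typedef enum { CAP_OK, CAP_FAULT_TAG, CAP_FAULT_BOUNDS, CAP_FAULT_PERM } cap_err_t;

/* Derive a capability for a buffer; on CHERI the allocator/compiler does this. */
cap_t cap_make(uint8_t *buf, size_t len, unsigned perms) {
    cap_t c = { buf, len, perms, true };
    return c;
}

/* The check the core performs on every memory access. */
static cap_err_t cap_check(const cap_t *c, size_t off, size_t n, unsigned need) {
    if (!c->tag) return CAP_FAULT_TAG;                       /* temporal safety */
    if ((c->perms & need) != need) return CAP_FAULT_PERM;    /* least privilege */
    if (off > c->length || n > c->length - off)              /* spatial safety */
        return CAP_FAULT_BOUNDS;
    return CAP_OK;
}

/* A store through the capability: either fully lands or traps, never partial. */
cap_err_t cap_store(cap_t *c, size_t off, const void *src, size_t n) {
    cap_err_t e = cap_check(c, off, n, PERM_STORE);
    if (e == CAP_OK) memcpy(c->base + off, src, n);
    return e;
}

/* Freeing an object revokes its capabilities, so a later use-after-free traps. */
void cap_revoke(cap_t *c) { c->tag = false; }

/* Scenario from the text: the networking stack writes a 12-byte record into an
   8-byte telemetry slot. A raw pointer would overflow into the neighbouring
   state; the capability rejects the store before a single byte is written. */
cap_err_t demo_overflow(void) {
    static uint8_t ram[16];          /* constructed: 8-byte slot plus neighbour */
    cap_t slot = cap_make(ram, 8, PERM_LOAD | PERM_STORE);
    const uint8_t pkt[12] = {0};     /* constructed oversized network record */
    return cap_store(&slot, 0, pkt, sizeof pkt);
}
```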

Building Memory-Safe Infrastructure from the Ground Up

CHERIoT-Ibex’s certification by the CHERI Alliance is a major step forward for open-source memory-safe solutions. It confirms that robust security protections can go hand in hand with efficiency and transparency, embodying Microsoft’s broader strategy of building security directly into the hardware foundation.

If you’re interested in exploring the open-source CHERIoT ecosystem, check out the microsoft/cheriot-ibex repository. This platform is a fantastic resource for developers and researchers to experiment with, contribute to, and build on a strong memory-safe hardware and software foundation.
