STIMSMITH

CHERI Security Extension

Concept WIKI v1 · 5/27/2026

Capability Hardware Enhanced RISC Instructions (CHERI) is described as a security extension for conventional instruction-set architectures. It introduces capabilities: unforgeable, bounded tokens that act as fat pointers carrying an address plus metadata such as permissions and bounds, with validity protected by a hidden tag.

Overview

Capability Hardware Enhanced RISC Instructions (CHERI) is a security extension for conventional instruction-set architectures. The extension adds capabilities, described as unforgeable and bounded tokens. A capability is a fat pointer containing an address and metadata, including permissions and bounds information. Capability validity is ensured by a hidden tag, and a capability authorizes access to a region of memory. [C1]

Architectural role

The evidence frames CHERI as an ISA-level security mechanism rather than as a software-only protection scheme. Its central abstraction is the capability: a pointer-like object enriched with architectural metadata that constrains how memory may be accessed. [C1]

Key properties described in the evidence include:

  • Unforgeability and bounds: capabilities are unforgeable, bounded tokens. [C1]
  • Fat-pointer representation: capabilities include an address plus metadata. [C1]
  • Permission and bounds metadata: the metadata includes permissions and bounds information. [C1]
  • Hidden validity tag: validity is ensured by a hidden tag. [C1]
  • Memory-region authorization: a capability authorizes access to a memory region. [C1]
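As an added illustration (not code from the cited paper or from the CHERI project), the following C software model shows how the properties listed above interact: bounds can only be narrowed, permissions can only be dropped, a pointer built from a raw integer carries no tag, and every access is checked against tag, permissions and bounds. The struct fields, permission bits and cap_* functions are assumptions of this model, not CHERI's real capability encoding or instruction names.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Illustrative permission bits; not CHERI's real permission encoding. */
#define PERM_LOAD  0x1u
#define PERM_STORE 0x2u

/* Software model of a capability: address (cursor) plus bounds and
 * permission metadata, with a tag recording whether it is still valid. */
typedef struct {
    uint64_t base;    /* lowest authorized address */
    uint64_t limit;   /* one past the highest authorized address */
    uint64_t cursor;  /* the pointer value itself */
    uint32_t perms;
    bool     tag;     /* cleared by any operation that would forge or widen */
} cap_t;

/* Root capability handed out by the (modelled) hardware: full bounds, all perms. */
cap_t cap_root(uint64_t base, uint64_t len) {
    cap_t c = { base, base + len, base, PERM_LOAD | PERM_STORE, true };
    return c;
}

/* A capability built from a raw integer has no provenance: it is untagged. */
cap_t cap_from_int(uint64_t a) { cap_t c = { a, a, a, 0, false }; return c; }

/* Derive a capability with narrower bounds; any attempt to widen clears the
 * tag, modelling the monotonicity that CHERI hardware enforces. */
cap_t cap_set_bounds(cap_t c, uint64_t new_base, uint64_t len) {
    cap_t r = c;
    r.base = new_base; r.limit = new_base + len; r.cursor = new_base;
    if (!c.tag || new_base < c.base || r.limit < new_base || r.limit > c.limit)
        r.tag = false;
    return r;
}

/* Permissions can only be removed, never added. */
cap_t cap_and_perms(cap_t c, uint32_t keep) { c.perms &= keep; return c; }

/* Pointer arithmetic moves the cursor and keeps the tag; an access through
 * an out-of-bounds cursor is refused by cap_check_access instead. */
cap_t cap_add(cap_t c, int64_t delta) { c.cursor += (uint64_t)delta; return c; }

/* Is an access of `size` bytes at the cursor authorized? */
bool cap_check_access(cap_t c, size_t size, uint32_t need) {
    if (!c.tag || (c.perms & need) != need) return false;
    if (c.cursor < c.base || c.cursor > c.limit) return false;
    return size <= c.limit - c.cursor;   /* overflow-safe bounds test */
}
```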

CHERI variants and formal-model-based testing

The evidence mentions CHERI in several architecture contexts. TestRIG was applied not only to RISC-V but also to CHERI-RISC-V, described in the source as the authors' security extension. [C2]

Earlier CHERI work used tests generated from a formal model of the CHERI-MIPS ISA. That model was written in the L3 specification language, compiled from L3 to HOL4, and then used with constraint solving to generate instruction sequences that reach a desired state without triggering undefined behavior. [C3]

A similar formal-model-based approach was also applied to the CHERI ARM Morello instruction set, starting from a Sail model. [C3]

Development and validation experience

The evidence reports that TestRIG's model-based testing supports counterexample-driven development. In the cited example, the CHERI extension to Ibex is described as a striking case: after Ibex was extended with RVFI-DII support, a summer intern independently added full CHERI functionality to Ibex in a month, attributed to the tight cycle of reduced counterexamples provided by QCVEngine. [C4]

Relationship to TestRIG

TestRIG is directly connected to CHERI validation in the evidence. The source states that TestRIG was applied to CHERI-RISC-V, and it also describes counterexample-driven development of a CHERI extension to Ibex using reduced counterexamples. [C2] [C4]


CITATIONS

[C1] CHERI is a security extension for conventional instruction-set architectures that adds capabilities: unforgeable and bounded tokens; a capability is a fat pointer containing an address and metadata including permissions and bounds; validity is ensured by a hidden tag; and a capability authorizes access to a memory region. Source: Randomized Testing of RISC-V CPUs using Direct
[C2] TestRIG was applied not only to RISC-V but also to CHERI-RISC-V. Source: Randomized Testing of RISC-V CPUs using Direct
[C3] Previous CHERI work used tests generated from a formal model of the CHERI-MIPS ISA written in L3, compiled to HOL4, and used constraint solving to generate instruction sequences; the approach was also applied to the CHERI ARM Morello instruction set starting from a Sail model. Source: Randomized Testing of RISC-V CPUs using Direct
[C4] The CHERI extension to Ibex is cited as an example of counterexample-driven development: after adding RVFI-DII support, a summer intern independently added full CHERI functionality to Ibex in a month due to reduced counterexamples provided by QCVEngine. Source: Randomized Testing of RISC-V CPUs using Direct