Overview
CHERI stands for Capability Hardware Enhanced RISC Instructions. It is described in the provided literature as hardware designed to address memory-safety issues by replacing traditional pointers with hardware capabilities. [CHERI memory-safety design]
CHERI also appears in systems work as a hardware capability platform evaluated under CheriBSD on Arm’s experimental Morello platform. [CHERI allocators on CheriBSD and Morello]
Architectural concepts in the provided evidence
The provided UCAM-CL-TR-984 material defines the Program Counter Capability (PCC) as an extension of the processor’s program counter that includes capability metadata for the current execution context. [PCC definition]
The same material defines a Secure Entry (Sentry) as a capability that can only be unsealed by jumping to it, and notes that a jump which links produces such a capability by default. [Sentry definition]
For CHERI RISC-V, the evidence defines Special Capability Registers (SCRs) as control registers that contain a full capability. [SCR definition]
The UCAM-CL-TR-984 table of contents also identifies CHERI implementation topics including bounds checks, additional instructions, cache modifications, memory-subsystem changes, PCC implementation, Special Capability Register implementation, safe speculation, and fast bounds checks. [CHERI implementation topics]
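The bounds check, tag and sentry behaviour described above, modelled as a small C program. This is an added example, not code from UCAM-CL-TR-984 or from any CHERI implementation; the cap_t layout, the PERM_* bits and the function names are assumptions made for illustration, and the model omits the compressed encoding and representability limits of real capabilities.

```c
/* Added illustration (not code from UCAM-CL-TR-984 or a CHERI implementation):
 * a software model of capability semantics. The cap_t layout, PERM_* bits
 * and function names are assumptions made for this example; real CHERI
 * capabilities are compressed and have representability limits this model omits. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { PERM_LOAD = 1, PERM_STORE = 2, PERM_EXECUTE = 4 };

typedef struct {
    bool tag;        /* validity bit: cleared by any non-monotonic derivation */
    bool sealed;     /* a sentry: usable only as a jump target, which unseals it */
    uint64_t base;   /* lowest address the capability may reference */
    uint64_t length; /* number of bytes accessible from base */
    uint64_t cursor; /* current address (the integer part of the pointer) */
    unsigned perms;  /* PERM_* bitmask */
} cap_t;

/* The bounds check performed on every access: tag set, not sealed, permission
 * present, and [cursor, cursor + size) inside [base, base + length). */
bool cap_check(const cap_t *c, uint64_t size, unsigned perm) {
    if (!c->tag || c->sealed) return false;
    if ((c->perms & perm) != perm) return false;
    if (c->cursor < c->base || size > c->length) return false;
    return c->cursor - c->base <= c->length - size;  /* overflow-safe upper bound */
}

/* Derive a capability with narrower bounds. Bounds can only shrink; an attempt
 * to widen yields an untagged result that fails every later check. */
cap_t cap_set_bounds(cap_t c, uint64_t new_base, uint64_t new_length) {
    bool within = new_base >= c.base && new_length <= c.length
               && new_base - c.base <= c.length - new_length;
    cap_t r = c;
    r.tag = c.tag && within;
    r.base = new_base;
    r.length = new_length;
    r.cursor = new_base;
    return r;
}

/* Pointer arithmetic moves the cursor and keeps the tag; an out-of-bounds cursor
 * is representable here but fails cap_check when dereferenced. Sealed
 * capabilities cannot be modified at all, so the result is untagged. */
cap_t cap_add(cap_t c, int64_t delta) {
    if (c.sealed) { c.tag = false; return c; }
    c.cursor += (uint64_t)delta;
    return c;
}

/* A capability forged from a bare integer has no tag and is never dereferenceable. */
cap_t cap_from_integer(uint64_t addr) {
    cap_t r;
    memset(&r, 0, sizeof r);
    r.cursor = addr;
    return r;
}

/* Seal an executable capability as a sentry. */
cap_t cap_make_sentry(cap_t code) {
    code.sealed = code.tag;
    return code;
}

/* Jump through a capability: the only operation that unseals a sentry. On
 * success the unsealed target becomes the new PCC; otherwise pcc is unchanged. */
bool cap_jump(cap_t *pcc, cap_t target) {
    if (!target.tag || !(target.perms & PERM_EXECUTE)) return false;
    target.sealed = false;
    *pcc = target;
    return true;
}

/* Runs the scenarios and returns a bitmask with one bit per expected outcome
 * (all nine hold, so the result is 511). */
unsigned cap_demo(void) {
    cap_t heap = { true, false, 0x1000, 64, 0x1000, PERM_LOAD | PERM_STORE };
    cap_t code = { true, false, 0x4000, 256, 0x4000, PERM_EXECUTE };
    unsigned ok = 0;
    cap_t p = cap_add(heap, 60);
    cap_t narrow = cap_set_bounds(heap, 0x1010, 16);
    cap_t wide = cap_set_bounds(narrow, 0x1000, 64);
    cap_t forged = cap_from_integer(0x1000);
    cap_t sentry = cap_make_sentry(code);
    cap_t moved = cap_add(sentry, 4);
    cap_t pcc = code;
    if (cap_check(&heap, 8, PERM_LOAD)) ok |= 1;      /* in-bounds load allowed */
    if (!cap_check(&p, 8, PERM_LOAD)) ok |= 2;        /* 8 bytes at offset 60 spill past 64 */
    if (!cap_check(&heap, 8, PERM_EXECUTE)) ok |= 4;  /* missing permission */
    if (cap_check(&narrow, 16, PERM_LOAD)) ok |= 8;   /* narrowing keeps the tag */
    if (!wide.tag) ok |= 16;                          /* widening clears it */
    if (!cap_check(&forged, 1, PERM_LOAD)) ok |= 32;  /* integer origin: no tag */
    if (!cap_check(&sentry, 4, PERM_LOAD)) ok |= 64;  /* sealed: no data access */
    if (!moved.tag) ok |= 128;                        /* sealed: no arithmetic either */
    if (cap_jump(&pcc, sentry) && !pcc.sealed && pcc.base == 0x4000) ok |= 256; /* jump unseals into PCC */
    return ok;
}

int main(void) {
    printf("scenario mask: 0x%x (expected 0x1ff)\n", cap_demo());
    return 0;
}
```

The model keeps the three properties the report's terminology rests on: every access is checked against bounds and permissions, derivation is monotonic (bounds only shrink and any forgery from an integer is untagged), and a sentry is opaque until a jump unseals it into the PCC.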
Software and systems experience
Memory allocators
Several open-source memory allocators have been ported to CHERI and evaluated under CheriBSD on Arm’s experimental Morello platform. One allocator study tested the allocators against a set of security attacks and reported that all but one allocator were vulnerable to at least some of the attacks, including the default CheriBSD allocator. The same study cautioned that comparing allocator performance between hybrid and pure-capability modes did not appear meaningful in that evaluation, and suggested that immature compiler toolchains were likely one contributing factor alongside capability-related hardware effects. [CHERI allocator security and performance]
Virtual machines
A CHERI virtual-machine porting study characterizes CHERI’s stricter memory-safety model as a source of incompatibilities with assumptions made by C-language VM implementations. In a CRuby case study and survey of prior VM ports, the authors report that many pitfalls arise from undefined behavior in C and from VM implementation idioms that assume conventional-architecture behavior that is invalid on CHERI. The study also discusses workarounds and validates them through the CRuby port and surveyed prior case studies. [CHERI VM implementation pitfalls]
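One of the VM idioms the study describes, a tagged value word that holds either an object pointer or a small integer, written in the conventional way and in a CHERI-compatible way. This is an added example, not code from the CRuby port or from the study; Object, VALUE, VALUE_LEGACY and the helper names are assumptions made for illustration.

```c
/* Added illustration (not code from the CRuby port or the VM study): a C VM's
 * tagged "value word" idiom written two ways. Object, VALUE, VALUE_LEGACY and
 * the helper names are assumptions for this example. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef struct { int payload; } Object;

/* Conventional 64-bit idiom: the word is an unsigned long and holds either an
 * object pointer (low bit 0) or a small integer shifted left (low bit 1).
 * Under CHERI pure-capability compilation a pointer is a capability wider than
 * unsigned long, so storing it here keeps only the address: tag and bounds are
 * gone and the word can never be dereferenced again. */
typedef unsigned long VALUE_LEGACY;

/* CHERI-compatible idiom: uintptr_t is the capability-sized integer type, so a
 * pointer stored in it keeps its tag, bounds and permissions. Operations on the
 * low bits adjust only the address, which stays within bounds. */
typedef uintptr_t VALUE;

bool value_is_fixnum(VALUE v) { return (v & 1u) != 0; }

/* Small integers are built from an integer, so on CHERI they are untagged;
 * that is fine because they are never dereferenced. */
VALUE fixnum_to_value(long n) { return ((VALUE)(unsigned long)n << 1) | 1u; }
long value_to_fixnum(VALUE v) { return (long)v >> 1; }  /* arithmetic shift keeps the sign */

VALUE object_to_value(Object *o) { return (VALUE)o; }
Object *value_to_object(VALUE v) { return (Object *)v; }

/* Legacy path, kept to show the assumption it makes: the integer type must be
 * at least as wide as a pointer. The reverse cast rebuilds the pointer from an
 * integer, which on CHERI yields an untagged capability. */
VALUE_LEGACY legacy_object_to_value(Object *o) { return (VALUE_LEGACY)(uintptr_t)o; }
Object *legacy_value_to_object(VALUE_LEGACY v) { return (Object *)(uintptr_t)v; }

/* True where the legacy representation can hold a pointer without truncation
 * (conventional 64-bit targets); false under CHERI pure-capability mode. */
bool legacy_value_can_hold_pointer(void) { return sizeof(VALUE_LEGACY) >= sizeof(void *); }

/* Always true: uintptr_t is defined to hold any object pointer. */
bool value_can_hold_pointer(void) { return sizeof(VALUE) >= sizeof(void *); }

/* Round-trips an object and a fixnum through VALUE and returns payload + fixnum. */
int demo_roundtrip(void) {
    Object obj = { 40 };
    VALUE a = object_to_value(&obj);
    VALUE b = fixnum_to_value(2);
    int sum = 0;
    if (!value_is_fixnum(a)) sum += value_to_object(a)->payload;
    if (value_is_fixnum(b)) sum += (int)value_to_fixnum(b);
    return sum;
}

int main(void) {
    printf("legacy word can hold a pointer here: %s\n",
           legacy_value_can_hold_pointer() ? "yes" : "no");
    printf("round trip: %d (expected 42)\n", demo_roundtrip());
    return 0;
}
```

On a conventional 64-bit host both representations behave identically, which is why the legacy idiom survives in VM code bases; the difference only appears when the pointer type is wider than unsigned long, which is the situation the study's workarounds address.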
Processor implementation and evaluation context
UCAM-CL-TR-984’s contents distinguish CHERI work for microcontrollers from CHERI work for application-class processors: it includes a chapter on “CHERI microcontroller evaluation,” a chapter on “CHERI for application-class processors,” and a chapter on “CHERI application-class processor evaluation.” [CHERI processor evaluation scope]
The same contents include a section on Flute in the CHERI microcontroller implementation area, with subsections on branch prediction and timing. [Flute context in UCAM-CL-TR-984]
Formal and verification context
The UCAM-CL-TR-984 glossary describes Sail as a University of Cambridge formal-group language used to produce executable and verifiable instruction-set-architecture specifications. [Sail definition]
The same glossary defines RVFI as a tracing protocol for RISC-V processors to specify the results of running instructions, and RVFI-DII as the combined use of Direct Instruction Injection and RVFI. [RVFI and RVFI-DII definitions]
Related entities
- UCAM-CL-TR-984: the provided technical-report evidence containing CHERI terminology and sections on CHERI microcontroller and application-class processor implementation and evaluation. [CHERI processor evaluation scope]
- Flute: appears in UCAM-CL-TR-984 as a section near CHERI microcontroller implementation topics, with branch-prediction and timing subsections. [Flute context in UCAM-CL-TR-984]
- bounds checking: appears as a CHERI implementation topic, including “Bounds check” and “Fast bounds check” sections. [CHERI implementation topics]
- Program Counter Capability: defined as the PC extended with capability metadata for current execution. [PCC definition]
- Sentry mechanism: represented in the evidence by Secure Entry/Sentry capabilities, which can only be unsealed by jumping to them. [Sentry definition]
- Sail CHERI-RISC-V: while the specific tool name is not described in the evidence, the provided material defines Sail as a language for executable and verifiable ISA specifications and discusses CHERI RISC-V concepts such as Special Capability Registers. [Sail definition] [SCR definition]