Building Secure Infrastructure with CHERI

Executive Summary:

CHERI technology offers a practical, hardware-based path to eliminate entire classes of software vulnerabilities. By embedding memory protection directly in silicon, it transforms cybersecurity from reactive patching to proactive resilience, bridging technical innovation and national security policy.

Building Secure Infrastructure with CHERI using the smart meter critical network infrastructure as an example

Recent events have shown what’s at stake. When Jaguar Land Rover (JLR) suffered a major cyber-attack in August, global manufacturing and retail systems went down for weeks. Suppliers faced financial strain, production halted, and recovery took more than a month. It was a stark reminder that one digital event can ripple through entire supply chains disrupting industries, jobs, and even national output.

The government-backed £1.5bn loan guarantee for JLR was headline-grabbing, but the deeper issue lies in the invisible weaknesses that make such attacks possible. Every breach is a chain of events and cybersecurity is about breaking those links before the damage spreads.

One of the weakest links is buried inside the software itself: memory safety. Exploiting memory bugs remains one of the most common and effective ways attackers gain control, extract credentials, and trigger remote code execution.

And JLR’s experience is not an isolated case; it reflects a wider truth about our hyperconnected world, where a single vulnerability can reverberate across sectors and borders.

In an Era of Interconnected Vulnerability

Today, our energy grids, smart meters, and connected transport systems form a single digital organism, every embedded device acts as a nerve in the nation’s digital nervous system. A single flaw in firmware, network stack, or hardware can cascade across thousands of endpoints.

Traditional cybersecurity has always played catch-up, patching vulnerabilities after attackers exploit them. But what if security could be enforced by design – in the silicon itself?

The Real-World Cost of Memory-Unsafe Systems

This isn’t a theoretical problem. In the past year alone, a series of major memory-safety vulnerabilities from browser engines and operating systems to edge infrastructure and embedded controllers have exposed how fragile our digital foundations remain.

DrayTek routers, widely used by UK businesses and public organisations, were compromised through a classic memory flaw vulnerability. Attackers exploited unpatched firmware to gain remote control, alter network configurations, and exfiltrate data.

Similar issues affected everything from Citrix NetScaler gateways and BitLocker encryption components to SQLite databases embedded in industrial controllers – all demonstrating how unsafe memory handling can cascade into real-world operational risk. (See appendix).

The National Cyber Security Centre (NCSC) has even advised critical operators to prepare ‘pen-and-paper’ contingencies, a sobering reminder of how fragile our digital foundations remain.

But there’s a better path, one where vulnerabilities are prevented at the hardware level, not patched after the fact.

Enter CHERI: Security rooted in Silicon

This is where CHERI (Capability Hardware Enhanced RISC Instructions) comes in. Developed by the University of Cambridge and SRI International and supported by the UK Government’s Digital Security by Design (DSbD) programme, CHERI redefines how processors handle memory and authority.

It brings hardware-enforced memory safety and fine-grained compartmentalisation to conventional CPU architectures, where each compartment is isolated yet able to share data or code securely when required. In CHERI, every pointer becomes a capability, a protected reference that encodes both the memory bounds and the permissions associated with it.

As a result, common vulnerabilities such as buffer overflows, dangling pointers, and unauthorised memory writes are contained within their defined limits, dramatically reducing the potential for exploitation.

The diagram below illustrates how CHERI integrates with existing C/C++ development, enabling hardware-enforced memory safety through recompilation for a CHERI-enabled platform — with minimal code changes rather than a full rewrite.

Diagram illustrating how CHERI integrates into existing software workflows: through a recompile of standard C/C++ code with a CHERI aware (open-source and standard tool chain) — *Fig. 1 CHERI integrates into existing software workflows through recompilation of standard C/C++ code using a CHERI-aware, open-source toolchain.*

In practice, CHERI CPUs like Arm’s Morello prototype, Codasip’s X730 IP, and SCI Semiconductor’s ICENI microcontrollers can eliminate the majority of memory-safety flaws — the same weaknesses that account for nearly 70 percent of today’s cyber vulnerabilities.

Building on this foundation, the CHERI Alliance is now driving a global industrial ecosystem to tackle one of cybersecurity’s most persistent challenges, memory vulnerabilities, and to accelerate adoption of capability-based security across hardware, software, and infrastructure domains.

CHERI and Rust — Different Layers, Shared Goals

Some ask whether CHERI’s goals could simply be achieved with Rust (a memory-safe programming language). Both tackle memory safety, but at different levels:

Rust is preventive: it stops many bugs at compile time through ownership and lifetime checks.
CHERI is protective: it enforces safety at runtime, even if the bug remains in code.

Rust depends on developers writing new, safe code, while CHERI hardens the hardware itself, ensuring that even legacy or unsafe C/C++ software can’t step out of bounds. And with millions of lines of critical code already in use, rewriting everything in Rust simply isn’t feasible.
CHERI therefore offers a practical, scalable path to securing the systems we already depend on.

Can Rust and CHERI Work Together?

Yes, and together they’re even stronger. CHERI can harden Rust’s unsafe regions (Foreign Function Interface (FFI), raw pointers), while Rust can be compiled for CHERI hardware combining compile-time and runtime guarantees.

This hybrid model could eliminate entire classes of memory vulnerabilities across critical infrastructure.

But what does this mean in practice for the systems that keep our nation running? To see its real impact, we can look to one of the most ambitious digital rollouts in the UK, the national smart meter network.

Smart Meters: A Case Study in Risk and Reward

This vast digital network (Fig. 2 ) links millions of homes and businesses, connecting them through a secure backbone managed by the Data Communications Company (DCC).

*Fig. 2 Smart Meter Ecosystem and Data Flow Across the UK Energy Network*

The system relies on a tightly interwoven ecosystem: generation and renewables companies such as RWE and SSE Renewables; network operators managing transmission and distribution such as National Grid Electricity Transmission, UK Power Networks, and SSEN; and household retail suppliers including British Gas, E.ON Next, and OVO Energy.

At the heart of it all, the National Energy System Operator (NESO) acts as the grid’s “air traffic controller,” balancing supply and demand and integrating renewables nationwide.

Every participant, from core infrastructure operators to end consumers, relies on the integrity of data flowing through this network. Yet with each additional connection, the attack surface widens. A single compromised node, whether in a smart meter or a communications hub, could be exploited to falsify energy readings, disrupt power distribution, or launch lateral attacks against critical control networks.

CHERI technology offers a concrete, forward-looking solution to these risks. By embedding memory safety at the hardware level, CHERI reduces emergency patching, lowers overall lifecycle costs, and builds long-term resilience from the ground up.

Deployment starts at the network’s edge, inside smart meters and communication hubs, where millions of embedded microcontrollers serve as the first line of defense. From there, CHERI’s architecture can expand to fortify critical network nodes and control centers, reinforcing trust across the entire energy ecosystem.

Embedding CHERI at this foundational level doesn’t just connect the smart grid — it makes it inherently secure.

The call to action is clear:

Bring CHERI into MCU roadmaps, smart-meter supply chains, and infrastructure standards.
Secure by design must begin at the edge and become the new normal.

Investment and National Support: Building the Future of Safe Infrastructure

Adopting CHERI across Critical Network Infrastructure (CNI) won’t happen overnight, but the transition has already begun.

CHERI-enabled hardware, tools, and software stacks are available today for edge and endpoint devices, supporting immediate pilot deployments and real security gains. The next step is extending these proven benefits into the core network; routers, Data Processing Units (DPU), and control servers that carry national data traffic.

Diagram illustrating the CHERI compilation process. It shows a flow from 'Existing C Code' to a 'CHERI-enabled compiler (LLVM/Clang)' represented with gear icons, and then to a 'CPU' that includes 'CHERI Hardware support.' The arrows indicate the compilation and execution flow from code to hardware. — *Fig. 3 Layers of Critical Network Infrastructure connecting core systems to edge devices and national services.*

Sustained investment is essential to scale CHERI from edge environments to the heart of national infrastructure, as silicon partners refine designs for data-intensive systems alongside evolving software, standards, and ecosystems.

This is a multi-year engineering journey, with progress needed in three connected areas:

Software and toolchain enablement: advancing the CHERI LLVM toolchain, CHERI-aware kernels, and operating systems such as FreeBSD, Ubuntu, and Debian, which underpin research platforms and guide future CNI-grade solutions.
Prototype hardware and evaluation: expanding on successful projects like Arm Morello to validate CHERI’s performance, programmability, and integration across diverse network and control workloads.
Pilot collaborations: funding public–private initiatives to recompile and test CNI components in CHERI-enabled environments, ensuring software readiness and shaping standards ahead of mass-market silicon.

While CHERI represents the long-term vision for hardware-enforced memory safety, critical infrastructure security can and should advance today using technologies deployable on existing hardware.

At the edge and endpoint layer, where CHERI-enabled prototype systems already exist, organisations can begin pilot deployments that deliver immediate security benefits in devices close to operational environments.

Across the network core and control servers, where performance, scale, and legacy integration demands are higher, the transition will take longer. In the meantime, defences such as compiler and runtime hardening (Control-Flow Integrity, Address Space Layout Randomization (ASLR), and shadow stacks), modern CPU security extensions (like Arm Memory Tagging or Intel CET(Control-flow Enforcement Technology)), and the use of memory-safe languages such as Rust can strengthen protection on today’s platforms.

Combined with Zero Trust architectures, secure boot, and microkernel or container isolation, these steps deliver measurable resilience now, laying the foundation for a future in which CHERI hardware and capability-based security extend seamlessly from the edge to the core, forming a unified, defence-in-depth model for national infrastructure.

By investing now in skills, compilers, and collaborative pilots, we accelerate a future where CHERI’s capability-based security protects every layer of our connected infrastructure from the network edge to national cores.

From Policy to Practice: A Future Built on Silicon Trust

True resilience depends on more than technology alone. While CHERI provides the hardware foundation of trust, enduring security requires governance, operational discipline, and continuous staff awareness.

Integrating CHERI into a broader defence-in-depth strategy ; combining Zero Trust architectures, secure boot, signed firmware, IOMMU policies, and proactive monitoring, ensures that the protection extends from silicon to systems and people.

The NCSC’s warning to prepare for “pen-and-paper” contingencies exposes a simple truth: our digital foundations remain fragile. But we don’t need to halt progress to stay safe.

The transition to capability-based security has already begun. Each CHERI-enabled pilot, from smart meters to industrial controllers, proves that stronger assurance can start where the physical and digital worlds meet – gradually extending toward the national core network.

CHERI offers a better path, where security is built into silicon, not bolted on after compromise. If CPU vendors have lit the spark, it’s time for software, interconnect, and accelerator partners to carry the flame, aligning operating systems, compilers, data fabrics, and offload engines around the same principles of memory safety and least privilege.

Final Thoughts

Together, we can ensure that the systems powering our energy, transport, and national infrastructure are secure, resilient, and trustworthy by design, moving the nation from cyber shock to silicon trust.

This vision is already taking shape, but recent case studies remind us why the journey from policy to practice cannot pause. They reveal, in tangible terms, how memory-safety flaws continue to threaten critical systems and why the shift toward capability-based security is not just desirable, but essential.

Appendix: Recent UK Case Studies of Memory-Safety Vulnerabilities

In the UK context, several significant recent memory-safety vulnerabilities (all involving buffer overflows or unsafe memory handling) illustrate how deeply these flaws remain a driver of serious cybersecurity risk, especially given widespread deployment of the affected software and infrastructure.

Microsoft BitLocker Use-After-Free Elevation (CVE-2025-54911 / CVE-2025-54912) – September 2025

In September 2025 Microsoft disclosed two closely related use-after-free (UAF) vulnerabilities in BitLocker (CVE-2025-54911 and CVE-2025-54912) affecting multiple versions of Windows. The primary one, CVE-2025-54911, is described as “Use after free in Windows BitLocker allows an authorised attacker to elevate privileges locally.” These flaws (CWE-416) allow an attacker who already has some access (local, low-privileged) to escalate privileges, which is a classic memory-safety exploitation path. Given the ubiquity of Windows and BitLocker in UK enterprises and public sector, the vulnerability carried meaningful risk to UK organisations.

SQLite Memory Corruption (CVE-2025-6965) – May 2025

SQLite, embedded in many IoT and industrial control systems, was found to contain a memory-corruption bug (CVE-2025-6965) where a large number of aggregate terms could overflow column count limits, triggering out-of-bounds writes. This vulnerability is noteworthy because SQLite is used in embedded databases inside controllers and edge compute devices found throughout UK critical infrastructure. Such issues illustrate how legacy memory-unsafe components remain deeply embedded in modern industrial stacks and how CHERI hardware support for spatial and temporal memory protection could prevent such failures in future IoT and edge designs.

Citrix NetScaler memory disclosure vulnerability (“CitrixBleed 2”) – CVE-2025-5777 – March 2025

In March 2025, Citrix released patches for CVE-2025-5777 (“CitrixBleed 2”), a memory-leak vulnerability affecting NetScaler Gateways used widely across UK enterprises and critical infrastructure networks. The flaw (CWE-125) allowed remote attackers to read uninitialised memory and extract sensitive data such as session tokens and credentials. Because NetScaler devices often sit at the aggregation layer of national and enterprise networks, the vulnerability underscored how memory-unsafe code in edge appliances can undermine entire secure architectures – precisely the type of system-level risk that CHERI’s capability-based hardware model aims to eliminate.

Google Chrome Heap Buffer Overflow (CVE-2025-0999) – February 2025

In February 2025 Google released a security update for Chrome (version 133.0.6943.126) to fix a heap-based buffer overflow in the V8 JavaScript engine (CVE-2025-0999). This memory-safety defect (CWE-122) could allow remote code execution via a crafted HTML page, thereby enabling an attacker to compromise the browser process and potentially pivot to the host system. Because Chrome is widely used in both UK consumer and business environments, the vulnerability posed a realistic threat to UK systems.

DrayTek Router Buffer Overflow Vulnerabilities (CVE-2024-51138, CVE-2024-51139) – firmware updates in late 2024 / exploit observations in 2025

In October 2024 DrayTek issued security advisories for buffer-overflow vulnerabilities (CVE-2024-51138, CVE-2024-51139) in its business router/firmware line (e.g., TR-069/STUN server and CGI POST integer overflow). In early 2025, security researchers reported active exploitation of older DrayTek vulnerabilities, noting “buffer overflow vulnerabilities … tracked as CVE-2024-51138 and CVE-2024-51139” and urging firms to update firmware. These memory-safety issues are of particular concern for UK businesses and public-sector networks because DrayTek devices are widely deployed in UK SMEs, edge infrastructure and remote sites making them a potential stepping stone for attackers.

Summary:
These cases illustrate that memory-safety vulnerabilities, whether in mainstream consumer software (Chrome), core OS components (BitLocker), embedded infrastructure (DrayTek), network edge appliances (Citrix NetScaler), or lightweight databases (SQLite) continue to represent serious attack vectors.

For the UK context, the risks are elevated by the ubiquity of these technologies across public, private, and critical-infrastructure networks. They also underline why hardware-enforced memory safety, as pioneered by the CHERI architecture, is a transformative step toward a resilient and secure-by-design national digital infrastructure.

References and Further Reading

Acronyms & Explanations

Click each to expand for full definitions

ASLR – Address Space Layout Randomisation

Randomises memory address locations of key data areas (e.g., stack, heap) to make it harder for attackers to predict and exploit

Arm Memory Tagging

A security feature that helps detect memory safety issues like buffer overflows by tagging memory allocations and checking tags during access, reducing vulnerabilities.

Buffer Overflow

This occurs when a program writes more data to a buffer (a temporary storage area) than it can hold, potentially overwriting adjacent memory and causing crashes or vulnerabilities.

CHERI – Capability Hardware Enhanced RISC Instructions

A hardware architecture enabling fine-grained memory safety and compartmentalisation.

CHERI-aware Kernels

Operating system kernels adapted to leverage CHERI’s capabilities, enhancing security by enforcing memory safety and privilege separation at the hardware level.

CHERI LLVM Toolchain

A modified version of the LLVM compiler infrastructure designed to support CHERI (Capability Hardware Enhanced RISC Instructions), enabling fine-grained memory safety and compartmentalisation in software.

CFI – Control-Flow Integrity

Ensures that the program’s control flow (e.g., function calls, jumps) follows legitimate paths, preventing exploits like code injection or hijacking.

CVE – Common Vulnerabilities and Exposures

A standardised system for identifying and cataloguing known security vulnerabilities and exposures in software or hardware.

Dangling Pointers

Pointers in programming that reference a memory location that has been deallocated or freed.

DCC – Data Communications Company

Operates the UK’s national smart meter communications network, securely linking meters with suppliers and authorised parties.

DNOs – Distribution Network Operators

Deliver electricity from transmission substations to homes and businesses (e.g. UKPN, SSEN)es.

DPU – Data Processing Units

Specialised programmable processors designed to handle data-centric tasks in modern data centres. They are considered one of the three pillars of computing, alongside the CPU (Central Processing Unit) for general-purpose computing and the GPU (Graphics Processing Unit) for accelerated computing. DPUs are particularly focused on efficiently moving and processing data within data centres.

FFI – Foreign Function Interface

Allows a programming language to call or interact with functions or libraries written in another language, enabling cross-language integration (e.g., calling C functions from Python or Rust).

Intel CET – Control-flow Enforcement Technology

A hardware-based security feature designed to prevent control-flow attacks (e.g., Return-Oriented Programming) by enforcing valid execution paths using techniques like Shadow Stacks and Indirect Branch Tracking.

MCU – Microcontroller Unit

A microcontroller-class device, or MCU, is a compact, integrated circuit designed to perform specific control tasks in embedded systems. It typically includes a processor (CPU), memory (RAM/ROM/Flash), and input/output peripherals on a single chip.

Microkernel/Container Isolation

Techniques to separate system components or applications, minimising risks by isolating processes and limiting their access to critical resources.

NESO – National Energy System Operator

Balances national electricity supply and demand, manages transmission networks, integrates renewables, and operates balancing markets.

Pointer

A Pointer is a variable that stores the memory address of another variable. Instead of holding a value directly, it “points” to where the value is stored in memory, allowing indirect access or manipulation of that data.

Raw Pointers

Low-level memory addresses used in languages like C or Rust. They provide direct access to memory but lack safety guarantees like automatic memory management or bounds checking.

Secure Boot

A process ensuring only trusted, verified software runs during a device’s startup, protecting against malicious code.

Shadow Stacks

Maintains a separate, protected stack to verify return addresses, preventing return-oriented programming (ROP) attacks.

SMETS2 – Smart Metering Equipment Technical Specifications, Version 2

Defines the technical and security standards for smart metering systems in the UK.

TNOs – Transmission Network Operators

Own and maintain high-voltage transmission infrastructure (e.g. National Grid, Scottish Power Transmission, Scottish Hydro Electric Transmission).

Use-After-Free

This happens when a program continues to use memory after it has been freed, leading to unpredictable behaviour, crashes, or security risks.

Zero Trust Architecture

A security model where no entity (inside or outside a network) is trusted by default, requiring strict verification for access.

Copyright shall at all times remain vested in the Author. No part of the work shall be used, reproduced, stored in a retrieval system, or transmitted in any form or by any means electronic, mechanical, photocopying, recording or otherwise, without the Author’s express written consent.

Jim Wallace

From Cyber Shock to Silicon Trust