
AdaCore
Security by Default with CHERI ISA Extensions
Pages
19
Time to read
53 mins
Publication
Language
English

This technical paper discusses combining the CHERI ISA extensions with a security-hardened Ada runtime to improve the security of embedded real-time systems. It sets out the guiding principle of 'Secure by Default' and evaluates the security assurance claims made for CHERI-compliant microprocessors. The paper describes the development of a security-hardened Ada runtime running on Arm's Morello CHERI architecture, emphasising a layered approach in which language-level checks and hardware enforcement together mitigate common classes of vulnerability. Case studies show how pairing memory-safe hardware with memory-safe software raises the level of security assurance. The paper highlights CHERI's fine-grained memory protection and its precise control over which memory a piece of code may access, which reduces the risk posed by memory-safety vulnerabilities. It also discusses the advantages of Ada as a high-integrity programming language for safety-critical applications, arguing that adopting CHERI and Ada together gives embedded systems a robust defence-in-depth strategy.