CHERIoT at SOSP 2025
This week, some of the CHERIoT team were at the 31st Symposium on Operating Systems Principles (SOSP 2025), presenting the first paper about the CHERIoT RTOS: [1]. This paper describes the CHERIoT RTOS and how it builds on the ISA features to deliver fine-grained compartmentalisation, easy programming, and a tiny trusted computing base (TCB). I also gave a keynote on how CHERI impacts operating system design for the KISV workshop associated with SOSP. There were a lot of good discussions, and I hope to see more folks looking at CHERIoT RTOS.
It was interesting to compare our approach with Tock OS, which remains the gold standard for security on non-CHERI embedded devices. One of the papers in the same session as ours discussed the problems Tock has with untrusted code in userspace violating the Rust invariants. A lot of these are intrinsic to the problem of interfacing a language that provides (and can therefore depend on) a very rich set of compile-time properties with one that does not guarantee any of these. It was particularly nice to see that the CHERIoT ISA allows CHERIoT RTOS to enforce some of these properties (such as non-aliasing arising from a no-capture guarantee) even across trust boundaries. That makes me optimistic that CHERIoT RTOS will be one of the best embedded targets for Rust code (more on this coming soon!).
Full citation
Saar Amar, Tony Chen, David Chisnall, Nathaniel Wesley Filardo, Ben Laurie, Hugo Lefeuvre, Kunyan Liu, Simon W. Moore, Robert Norton-Wright, Margo Seltzer, Yucong Tao, Robert N. M. Watson and Hongyan Xia. CHERIoT RTOS: An OS for Fine-Grained Memory-Safe Compartments on Low-Cost Embedded Devices. Proceedings of the ACM SIGOPS 31st Symposium on Operating Systems Principles, Association for Computing Machinery (2025), 67–84.
PDF: https://dl.acm.org/doi/pdf/10.1145/3731569.3764844
DOI: https://doi.org/10.1145/3731569.3764844
BibTeX
@inproceedings{10.1145/3731569.3764844,
  author = {Amar, Saar and Chen, Tony and Chisnall, David and Filardo, Nathaniel Wesley and Laurie, Ben and Lefeuvre, Hugo and Liu, Kunyan and Moore, Simon W. and Norton-Wright, Robert and Seltzer, Margo and Tao, Yucong and Watson, Robert N. M. and Xia, Hongyan},
  title = {CHERIoT RTOS: An OS for Fine-Grained Memory-Safe Compartments on Low-Cost Embedded Devices},
  year = {2025},
  isbn = {9798400718700},
  publisher = {Association for Computing Machinery},
  address = {New York, NY, USA},
  url = {https://doi.org/10.1145/3731569.3764844},
  doi = {10.1145/3731569.3764844},
  booktitle = {Proceedings of the ACM SIGOPS 31st Symposium on Operating Systems Principles},
  pages = {67–84},
  numpages = {18},
  location = {Lotte Hotel World, Seoul, Republic of Korea},
  series = {SOSP '25},
  pdf = {https://dl.acm.org/doi/pdf/10.1145/3731569.3764844}
}
Abstract
Embedded systems do not benefit from strong memory protection, because they are designed to minimize cost. At the same time, there is increasing pressure to connect embedded devices to the internet, where their vulnerable nature makes them routinely subject to compromise. This fundamental tension leads to the current status quo where exploitable devices put individuals and critical infrastructure at risk.

We present the design of a dependable embedded OS where compartmentalization and memory safety are first-class citizens. We co-design the OS with an embedded hardware platform that implements CHERI capabilities at a similar cost profile to existing chips with minimal security. We demonstrate key design benefits: fine-grained fault-tolerant compartments, OS-level support for compartment-interface hardening, and auditing facilities to thwart supply-chain attacks, among others, and show that they come at a memory usage and performance cost that allows their widespread deployment in cheap, resource-constrained devices.