Hardware-Driven Security: Can CHERI Fix the "Blind Spots" of Software Testing?

For decades, the software industry has played a game of cat-and-mouse with memory vulnerabilities. There is a steady rise of "Secure by Design" principles, such as the adoption of memory-safe languages such as Ada, SPARK, or Rust; however, memory-related errors in systems implemented with traditional programming languages suffer from buffer overflows and use-after-free errors, and these problems remain the "Trojan horse" of modern cybersecurity, consistently ranking among the most dangerous software weaknesses.

There is still a lot of software written in memory-unsafe languages, and rewriting it all in a memory-safe language is not realistic. It is important to explore practical testing methodologies to improve the robustness and security of such codebases.

The Problem: When Sanitizers Blink

Currently, the "gold standard" for detecting memory-related vulnerabilities in languages such as C and C++ is Grey-box fuzzing (e.g., AFL++) combined with sanitizers, such as AddressSanitizer (ASan). ASan works by surrounding memory allocations with "red zones," poisoned regions of memory that trigger a crash if a program accidentally writes into them.

However, ASan is a heuristic with inherent limitations. For example, ASan’s red zones have a finite size (typically 16–32 bytes); thus, a large or strategic overflow can "leap" over the poisoned zone and land in a valid neighboring allocation, something the authors called a "Red Zone Jump". Since the overflow never touches the red zone, ASan considers the access "legal," and the bug remains silent and exploitable.

The Solution: Hardware-Enforced Capabilities

In a recent study presented at the 2026 European Congress of Embedded Real Time Systems (ERTS), researchers from AdaCore explored a powerful new combination: fuzz testing of C/C++ and Ada code paired with CHERI (Capability Hardware Enhanced RISC Instructions). Unlike software-based sanitizers that use heuristics, CHERI replaces traditional integer-based pointers with capabilities. These are hardware-extended pointers that include:

• Bounds: A strictly defined address range that the pointer is allowed to access.
• Permissions: Metadata that prevents, for example, executing code from a data buffer.
• Tags: A 1-bit hardware tag that ensures pointers cannot be forged and invalidates them if their bits are tampered with.

By embedding security directly into the CPU, CHERI ensures deterministic memory protection. If a fuzzer generates an input that causes a pointer to stray even a single byte outside its bounds, the hardware raises an immediate exception.

Real-World Results

Using a custom, lightweight fuzzer called the Adaptive Engine, the team tested both C and Ada code on Arm's Morello prototype platform running CheriBSD and AdaCore's GNAT Pro CHERI security-enhanced runtime in "pure capability" mode, forcing all load and store instructions to use CHERI capabilities. The results were telling:

• ASan Evading: In every case where an overflow "jumped" the software red zones, CHERI’s hardware-enforced bounds caught the violation.
• Legacy Code Security: CHERI successfully detected vulnerabilities in legacy C/C++ codebases without requiring a full rewrite into a memory-safe language.
• Strengthening Safe Languages: Even in memory-safe languages like Ada, CHERI provided an extra layer of defense, catching errors that might arise from using "unsafe" language features.

The Path Forward: Secure by Verification

While CHERI hardware is still in the early stages of adoption, its ability to convert "silent" memory corruption into "deterministic" hardware faults represents a massive leap forward.

By moving from a reactive legacy approach of identify, patch, re-deploy, and repeat to a proactive Secure by Verification approach, developers can finally eliminate entire classes of vulnerabilities before the code ever reaches deployment.

AdaCore GNAT DAS is well-positioned to lead this shift. Using GNATfuzz, teams can readily deploy advanced bug-finding capabilities, integrating everything from address sanitizers to next-generation CHERI capabilities into a single, streamlined workflow.

The SCHEME project has funded this work. The £37.5m investment program is co-funded by the ATI Programme, which funds civil aerospace research in the UK and which is delivered in partnership by the Aerospace Technology Institute, the Department for Business & Trade, and Innovate UK. Rolls-Royce is joined by AdaCore, TT Electronics, Volant Autonomy, Rapita Systems, The Manufacturing Technology Centre, Queen's University Belfast, University of Bristol, University of Sheffield, and University of York.