CHERI Memory Safety

At Sensor IT, we have been at the forefront of CHERI-based secure embedded systems development since the early days of the UK government’s Digital Security by Design (DSbD) programme. Through multiple cohorts of the Innovate UK / Digital Catapult DSbD Technology Access Programme, working directly alongside the University of Cambridge and lowRISC, we have built deep, production-ready expertise in CHERI architecture on both the Morello and Sonata Boards. Our work has culminated in the delivery of the world’s first open-source, CHERI-based RS-485/Modbus security gateway, a hardware-enforced cybersecurity solution purpose-built for Critical National Infrastructure.

Sensor IT and CHERI

Sensor IT’s relationship with CHERI began through our participation in the Innovate UK and Digital Catapult Digital Security by Design Technology Access Programme (DSbD TAP), where we were selected across multiple cohorts, a testament to both our technical capability and our commitment to advancing hardware-enforced security. Working closely with the University of Cambridge, the creators of CHERI, and lowRISC, the open hardware organisation behind the Sonata Board, we developed hands-on expertise that very few organisations in the world can match. This experience led directly to our most significant CHERI project to date: an Innovate UK-funded RS-485/Modbus security gateway for Critical National Infrastructure, delivering hardware-enforced memory safety and compartmentalisation to the legacy industrial protocols that underpin power grids, water networks, and smart city deployments worldwide, without replacing a single field.

Sensor IT and the Digital Security by Design Programme

Sensor IT’s involvement in the Digital Security by Design programme started with Cohort One, right at the start. This cohort focused on the innovative Morello Board, designed by Arm, which introduced a radical approach to memory safety using CHERI (Capability Hardware Enhanced RISC Instructions).

As a company at the forefront of embedded and sensor-based systems, Sensor IT saw early potential in using capability-based security at the hardware level to strengthen the trustworthiness of IoT deployments. The Morello architecture provided an unprecedented opportunity to rethink how memory isolation, software compartmentalisation, and access control could be integrated directly into the fabric of real-time and safety-critical applications.

Digital Security by Design Morello Board

DSbD Cohort 1

During Cohort One, Sensor IT focused on:

  • Evaluating CHERI-based Memory Protection: We explored how CHERI memory safety could enforce fine-grained access control across firmware modules in smart sensors and embedded gateways.
  • Prototype Development: A secure sensor firmware stack was developed to demonstrate isolation of critical functions such as data acquisition, encryption, and network communication.
  • Proof-of-Concept Deployment: Sensor IT implemented a working proof-of-concept using the Morello board to run a secure sensor node in a lab setting, capable of self-checking and resisting common memory vulnerabilities such as buffer overflows.

The Morello phase laid a strong technical foundation and helped our team understand how hardware capabilities could drive the next generation of cyber-secure embedded systems.

DSbD Cohort 2

Building on the success and lessons from Morello, Sensor IT joined Cohort Six, focusing on the Sonata board — another CHERI-enabled architecture tailored for real-time and embedded systems.

The Sonata phase was especially valuable in the context of Sensor IT’s work in industrial sensing, smart infrastructure, and transportation, where real-time constraints, low-latency processing, and safety are paramount.

Our work in this cohort included:

  • Hardening Sensor Data Pipelines: We designed a real-time sensor data path where memory safety was enforced through CHERI capabilities, eliminating large classes of potential security flaws.
  • Memory Tagging for Runtime Checks: We implemented memory tagging and runtime monitoring mechanisms to validate memory access, greatly enhancing system robustness.
  • Integration with RTOS and Edge AI: We explored how secure processing could be extended to edge machine learning inference, using CHERI to protect model data and execution contexts from tampering.

Use Cases and Outcome

Sensor IT’s participation across both Digital Security by Design cohorts allowed us to translate DSbD principles into tangible, domain-specific benefits.

IoT Device security

Through CHERI, we implemented strong isolation between system modules, reducing the attack surface and limiting fault propagation.

Safety Guarantees

The combination of secure memory models and runtime enforcement mechanisms allows safety and security to co-exist in industrial control applications.

Scalable

The research contributed to a modular, CHERI-based architecture we’re now incorporating into Sensor IT’s next-generation sensing platforms for smart cities, water systems, and energy grids.