Remix.run Logo
rando1234 4 hours ago

Yeah, I feel like Rust has killed Cheri.

Timshel 4 hours ago | parent | next [-]

Do you have more details on why ? I just found stuff like: https://cheri-alliance.org/discover-cheri/rust-and-cheri/ Or https://rust.cheriot.org/2026/02/15/status-update.html

pjmlp 4 hours ago | parent | prev [-]

CHERI is valuable even for unsafe Rust code.

timhh an hour ago | parent | next [-]

Is it valuable enough though. Looking at Google's stats Rust has several orders of magnitude fewer memory vulnerabilities even with `unsafe` (kind of the point). If C was at that level there's no way CHERI would have ever been proposed.

There are two counter-arguments:

1. There's a lot of C/C++ code still out there. You can't rewrite it all. I'm not totally convinced by that though because, a) do you need to? Google has shown that just writing new code in Rust is very effective, and b) AI is actually pretty decent at porting from C/C++ to Rust so maybe you can?

2. CHERI also allows really strong and fine grained compartmentalisation. This is absolutely fantastic for robustness, supply chain security and so on. If you want the absolute 100% most secure code possible, then Rust + CHERI with compartmentalisation is basically the best thing you can do. (Though Rust compartmentalisation is still not actually ready yet; it's in progress though.) That's really great but I'm not sure that level of security is needed by most projects, and also I think you can get pretty good compartmentalisation (though definitely not CHERI level) by doing something like what Xous does (basically isolation with processes/virtual memory, combined with the ability to call functions in other processes; IIRC Hubris OS does something similar).

CHERI is clever tech though and it would definitely be a boon for RISC-V if it succeeds.

rwmj 4 hours ago | parent | prev [-]

The problems with CHERI are not whether it's technically good or not, it's organizational. It's an academic project that requires everyone to boil the ocean. They tried to get ARM interested and that didn't go anywhere and now they're trying to get RISC-V interested. But they haven't addressed any of the problems of why manufacturers would ever make a complex and completely incompatible chip for a problem that they (the manufacturers) don't have and don't care about, that can probably be solved 90% as well in software.

panick21_ 3 hours ago | parent [-]

The manufactures will do what costumers demand and if they demand safty then cheri will make a lot of sense to many costumers.

And you cant rewritte 50 years of C in Rust. And even in Rust you can still run into various issues.

crote 2 hours ago | parent | next [-]

> And you cant rewritte 50 years of C in Rust

You don't have to. Google already showed that the vast majority of memory safety bugs are in newly-written C code. Stop writing new C code (which the industry already seems to be moving towards) and the problem will eventually solve itself - even with plenty of C code still around.

Besides, very few (if any) pieces of code have been around for anywhere close to 50 years. Over time components naturally get refactored or rewritten for all sorts of reasons. And if you're rewriting anyways, why not switch to a more secure language? Don't allow C for rewrites and over the years every C component will eventually be replaced by a non-C one without forcing a big C-to-Rust rewrite.

panick21_ an hour ago | parent [-]

Can you show me that research?

Also, nothing new in C is just not happening, there is massive amounts of things that will not switch for decades.

Why not just switch to a slightly different compiler and core, and then you make all your old code safe without verifying it. And your new code in whatever language is also safe.

Also it helps with debugging. Also it helps you enforce security constraints on higher level.

CHERI also gives you features you can build more on-top off.

The silicon area and the performance hit are pretty minor, if it 'just' works for most code and most open source code just works, many people will want to use it.

Yes most bugs are new code, but plenty of bugs aren't and with CHERI I can be much more confident in running all that stuff. Specially older code that isn't as well used and tested as say Linux kernel.

rwmj 3 hours ago | parent | prev | next [-]

However you can do what Airbus do and formally prove your C code and use a formally proven toolchain like compcert to compile it. Or you can take a performance hit and add bounds checking to the C code[1]. Aircraft systems are probably the best chance that CHERI has, and that's pretty niche, small runs and very expensive, and still better solved in software.

[1] I literally wrote the paper on this back in 1996: https://www.doc.ic.ac.uk/~phjk/BoundsChecking.html

pjmlp an hour ago | parent [-]

Most people on HN would run screaming away if they had to follow high integrity computing processes on their daily C programming.

If they think programming with Modula-2 and Object Pascal is programming with a straightjacket, good luck with MISRA, Frama-C, DOD and ISO certifications for reliable C code.

ykonstant 31 minutes ago | parent [-]

For the record, I found programming in MISRA C guidelines really fun; but then again, I did it out of personal interest. If I had to do it professionally, I guess the pressure would be less pleasant.

mort96 3 hours ago | parent | prev | next [-]

I haven't exactly seen an outpouring of consumer demand for CHERI.

sph 3 hours ago | parent | next [-]

Is there an outpouring of hardware offer for CHERI? I'm a random nobody, but I'm sitting on this design for a message-passing platform that can only truly perform in a world where processes live in a single address space, which requires CHERI hardware to be feasible (or secure) at all.

CHERI would open many doors in operating system design and security, and it's stagnant because it's not a real thing yet, there's no CPU one can buy that supports it in any way outside of research. Without CHERI, we're stuck with security models from the 1970s. Most people are fine with 1970s design, but the OS research world has been itching for something like this for decades.

leoc 22 minutes ago | parent | next [-]

Right: it's not clear whether the availability of some $300 US CHERI SBCs would be enough to carry CHERI to glory, but it would obviously generate a significant pop of awareness, support and grassroots activity. For their part the antis could then transition seamlessly from "nobody wants it lol" to "all these enthusiasts are so annoying and out of touch with reality lol" as is traditional. Instead, AFAICT, the CHERI leadership seems to be convinced that the next step is to present the business case for CHERI to people at or just below CxO level https://www.youtube.com/watch?v=FJhS2i7KVtI . Imagine how far Rust (or, earlier and further afield, Linux) adoption would have got if it had relied solely on having an academic-led consortium present a business case to CxOs, instead of being pushed along by internal pressure from mid-level technical staff who had used it themselves and were crazy about it.

pjmlp an hour ago | parent | prev [-]

Tell ARM about it, https://cheri-alliance.org/discover-cheri/cheri-products/mor...

leoc a minute ago | parent [-]

It's a lot better than things apparently used to be, but what CHERI really needs to develop a grassroots is a board that runs CheriBSD ( https://www.cheribsd.org/ ) and is actually available for a few hundred US dollars cash down, not a board of which you can apply to, maybe, have a single unit allocated to you if you are deemed worthy. Even taking for granted that they only have a small supply which has to be allocated on a non-commercial basis for now, they should be beating down the doors of guys like Jeff Geerling and Wendell Wilson from Level1Techs and thrusting eval boards in their hands, not sitting on their throne waiting to consider entreaties.

panick21_ an hour ago | parent | prev [-]

I'm not saying end consumer, I mean companies who have to insure safety and reliability. That is also behind adoption of things like Rust and many other trends.

CHERI gives you that and more. But its still very new and radical, and a lot of work needs to happen all over the place to make it practical.

Once you have micro-controllers and software it makes sense in lots of niches, and then it can expand.

For example, Google OpenTitan project. There is no reason not to use Cheri if the open source core supports it.

fragmede 3 hours ago | parent | prev [-]

> And you cant rewritte 50 years of C in Rust.

How many tokens do you think that would cost?