Policy paper

CHERI technology for cyber security

Published 7 May 2025

© Crown copyright 2025

This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3 or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: psi@nationalarchives.gov.uk.

Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.

This publication is available at https://www.gov.uk/government/publications/cheri-technology-for-cyber-security/cheri-technology-for-cyber-security

1. Background

Memory safety bugs in software are repeatedly exploited by hackers to cause major security issues. Research from Google and Microsoft shows that 70% of ongoing cyber vulnerabilities are memory safety bugs. Incidents like the WannaCry attack in 2017 which caused $4 billion in damages, and the CrowdStrike outage in 2024 which caused a total of $5.4 billion in direct losses, highlight the severe risks these bugs pose to society, businesses and economies.

Recognising the impact of these costly cyber incidents have been due to memory safety bugs, over £80 million of UK government funding, alongside £200 million of industrial co-investment, has been invested to develop CHERI (Capability Hardware Enhanced RISC Instructions).

This new technology embeds security by design, significantly strengthening the security of digital systems. CHERI can significantly reduce cyber risks by mitigating memory safety bugs and improve the resilience of digital systems through improved compartmentalisation. This increased security and resilience can lead to higher productivity and efficiency across the economy, as businesses confidently adopt digital technologies.

The UK’s involvement in developing CHERI positions it as a leader in cyber security innovation. This leadership can drive further advancements and set new standards in secure system design. We recognise the potential of CHERI to deliver a secure and trusted digital economy for the UK. We are proud to harness expertise from partners across industry, academia and government to support work for the development and adoption of CHERI, and memory safe technologies, ensuring a move towards a more secure and resilient digital future.

Our next step is to transition this technology to commercial products, ready for adoption across the UK, delivering a significant advancement in innovative cyber security. Leveraging industry co-investment, we will partner with the CHERI Alliance, InnovateUK, the University of Cambridge and other stakeholders to drive this effort.

2. Details

On 7 May 2025 the Department for Science, Innovation and Technology (DSIT) announced new work to drive the adoption of CHERI.

  1. For the technology to be ready for use, here and now, translating the research and development into commercially viable products and services is a critical step. We will focus support towards companies developing CHERI enabled chips, and able to demonstrate immediate commercial relevance. Businesses meeting these criteria will access support to accelerate and scale-up their efforts. Up to £3 million funding will be made available, with a competition to launch later in 2025.

  2. We also want to unblock the pathway for CHERI by incentivising the demand for adopting secure by design systems. We will shortly be launching a programme to identify partners to become the first customers for adopting CHERI. We will collaborate to define their acceptance criteria for adoption, and remove barriers across the adoption pathway. Early adopters will benefit from reduced vulnerabilities and demonstrate the value of adopting this technology. The tender for a delivery partner is live, with a contract value of up to £1.5 million.

  3. We propose to upskill engineers across the UK in memory safety. Collaborating with experts, we will establish an education platform to train professionals already in the tech workforce to implement memory safety standards and adopt CHERI. Our ambition is for this training to lead to a recognised professional title under the Secure Development specialism created by the UK Cyber Security Council. 

  4. We will also continue to work with the CHERI Alliance, to encourage the take up and use of CHERI and ensure the potential of this technology is realised. Finally, we will work with international partners to persuade governments and industry to prioritise secure by design and memory safety.  

By fostering greater trust in technology, reducing risk, and minimising the need for software updates, as well as enabling the use of open-source code with memory-safe technology, we can enhance systems and protect businesses.

For more information, visit the Digital Security by Design webpage

See also

CHERI adoption and diffusion research

Back to top