CHERI
WebAssembly Micro Runtime (C-WAMR)
What is CHERI?
CHERI (Capability Hardware Enhanced RISC Instructions) is an innovative computer architecture that enhances memory safety and enables fine-grained compartmentalization for improved system security. Developed by the University of Cambridge, CHERI extends traditional instruction sets by introducing capabilities—secure and unforgeable pointers to memory and system resources.
As part of this effort, Arm, in collaboration with the University of Cambridge, has developed the Morello board—an experimental platform funded by the UKRI’s Digital Security by Design (DSbD) initiative. The Morello board features a prototype system-on-chip (SoC) and serves as an evaluation platform that integrates CHERI’s hardware concepts. This enables industry and academic partners to test and validate CHERI's potential in real-world use cases, laying the groundwork for future advancements in secure computing infrastructure.
Core Features of CHERI
Capability-Based Access Control
Secure pointers with metadata for bounds, permissions, and provenance.
Memory Safety
Prevents vulnerabilities like buffer overflows, use-after-free errors, and out-of-bounds accesses.
Compartmentalization
Isolates programs into secure compartments to limit the impact of vulnerabilities.
The Flowchart Below Illustrates This Process
CHERI Architecture
Enhances Memory Protection
Supports Software Compartmentalization
Reduces Vulnerabilities at Hardware Level
Why CHERI Matters?
CHERI delivers groundbreaking advancements in hardware-enforced security, setting a new standard for secure computing.
Hardware-Enforced Security
Ensures memory access stays within defined bounds.
Improved Isolation
Strong isolation between software components, even within the same application.
Secure Ecosystems
Supports initiatives like Digital Security by Design (DSbD) to enable secure commercial hardware.
What is WebAssembly (WASM) and WAMR?
WebAssembly (WASM) is a high-performance, platform-independent binary format designed for secure execution across web, cloud, IoT, and edge environments. It ensures sandboxed, near-native execution with strong portability.
WAMR (WebAssembly Micro Runtime) is a lightweight, optimized runtime for standalone WASM execution, supporting interpreted, Ahead-of-Time (AoT), and Just-in-Time (JIT) compilation. It is ideal for resource-constrained systems, ensuring fast, secure, and efficient execution.
Why WASM & WAMR?
Portability
Runs across diverse OS and architectures.
Security
Sandboxed execution with strict memory isolation.

Efficiency
Optimized for low-latency, minimal resource overhead.

Flexibility
Runs across diverse OS and architectures.
WASM and WAMR power trusted execution environments, forming the foundation for double sandboxing.
Double Sandboxing
Enhancing WebAssembly Security
Double sandboxing reinforces WASM security by running it within a secondary, hardware-isolated environment to block host-level threats and enforce execution boundaries.
How It Works
TEE/Enclave Execution – Frameworks like TWINE and AccTEE embed WASM runtimes inside Trusted Execution Environments (TEEs) (e.g., Intel SGX) to prevent host-based attacks.
WASM Runtime Isolation – Inside TEEs, the WASM runtime isolates modules, ensuring controlled access to resources.
Key Benefits
Multi-Layered Security
Combines TEE-backed isolation with WASM sandboxing.
Safe Execution
Enables secure third-party WASM execution.
Advanced Threat Protection
Prevents ROP exploits, memory leaks, and privilege escalations.
About Our Project
C-WAMR
In 2022, Verifoxx received funding through the Digital Security by Design (DSbD) programme to help expand the tools and technologies available for developers. Our goal is to make the advanced security features that CHERI offers more easily accessible through our project.
CWAMR
A Capability-Aware WebAssembly Runtime & Framework
CWAMR is a research-driven WebAssembly runtime and framework, designed to bring CHERI-based compartmentalization and capability-enforced execution into the WebAssembly ecosystem. It enhances WASM security by embedding double-sandboxed execution—combining WASM’s built-in sandboxing with hardware-isolated CHERI compartments. This ensures a resilient, high-performance, and memory-safe runtime for executing WebAssembly in cloud, edge, embedded, and high-security environments.
CWAMR Extends Beyond Just a Runtime
Secure WebAssembly execution
With CHERI-enforced privilege separation.
Fine-grained Compartmentalization
Sandboxed execution with strict memory isolation.

A Complete Toolchain
For building CHERI-aware WASM applications.
Benchmarking & Research Validation
Against traditional TEEs and enclaves.
Why cWAMR is Important
Double-Sandboxed Security
Embeds WebAssembly within CHERI compartments, providing a multi-layered security model.​
Capability-Enforced Memory Safety
Eliminates buffer overflows, ROP attacks, and shared memory exploits through CHERI’s fine-grained isolation.
Compartmentalized Execution
WASM modules run inside isolated CHERI compartments, with strict control over system interactions.

Alternative to Enclaves
Avoids the performance bottlenecks of traditional TEEs (e.g., SGX), while providing better scalability and security guarantees.
Optimized Performance
Supports Ahead-of-Time (AoT) compilation and lightweight interpretation, ensuring low-latency execution including edge devices.
By leveraging hardware-backed compartmentalization, cWAMR achieves increased protection for WASM workloads while maintaining the portability and flexibility that WebAssembly is known for.
What We Are Delivering
cWAMR Runtime & Framework
A secure, CHERI-enabled WebAssembly execution layer with compartmentalized runtime support.

cWASI-libc (Capability-Secured WASI Interface)
Enables secure system calls within WASM modules, enforcing least privilege principles.
Compartmentalization & Module Isolation
WASM modules can securely interact within controlled CHERI compartments, ensuring safe inter-module communication.
Porting Tools & CHERI-Optimized Toolchains
scripts and LLVM-based toolchains to support WASM development on CHERI hardware.
What This Means for Developers
Next-Gen Secure WebAssembly Execution
Leverage CHERI’s hardware-level protection for building WASM applications with built-in memory safety.


No More Common Memory Vulnerabilities
Eliminate buffer overflows, use-after-free errors, and function pointer hijacking at the hardware level.
Seamless CHERI Integration
Ready-to-use toolchains, porting scripts, and sample applications simplify CHERI adoption.

Performance-Optimized, Scalable Security
No TEE-related bottlenecks—compartmentalization is fast, scalable, and lightweight.

How cWAMR Enhances Verifoxx’s Security and Performance
cWAMR significantly strengthens Verifoxx’s privacy-preserving architecture by replacing traditional enclave-based isolation with CHERI-enhanced compartmentalization. This transition improves security, scalability, and cost-efficiency for Verifoxx’s enrichment and proof engines, setting a foundation for next-generation privacy-preserving data processing.
While CHERI continues to evolve toward commercialization, Verifoxx’s successful integration of cWAMR as an MVP underscores its transformative potential in privacy-centric computations. This approach not only future-proofs Verifoxx’s infrastructure but also serves as a case study for CHERI’s long-term adoption in secure data processing.
Commercial and Development Potential of cWAMR in Verifoxx
cWAMR strengthens Verifoxx’s mission to enable secure, privacy-preserving data verification and collaboration across industries by providing a CHERI-powered WebAssembly execution framework. This enables organizations to share, process, and verify sensitive data without exposing raw information, facilitating confidential computation across public and private sectors.
Key Commercial Applications
Privacy-Preserving Data Sharing & Collaboration
Enables cross-sector data collaboration between governments, enterprises, and research institutions without compromising confidentiality.
Decentralized Identity & Secure Credential Verification
Powers Verifoxx’s Zero-Knowledge Proof (ZKP)-based identity framework, allowing individuals and enterprises to prove credentials (e.g., age verification, financial status, certifications) without disclosing sensitive details.
Enables cross-border digital identity validation, fostering secure digital interactions between private and public sector entities.
Enterprise Data Monetization Without Risk
Allows organizations to share valuable datasets with partners or third parties for AI/ML training and analytics while ensuring data security through CHERI-based compartmentalization.
Enables privacy-preserving marketplaces, where enterprises can sell data insights without directly sharing raw data.
Secure AI & Confidential Machine Learning
Supports privacy-preserving federated learning, allowing AI models to train on decentralized datasets without revealing underlying data.
Is C-WAMR Relevant to Me?
If your role involves data protection or cyber security, understanding the relevance of C-WAMR is crucial.
For Data Protection Officers (DPOs)
C-WAMR enhances data privacy by ensuring that WebAssembly applications run in a secure, isolated environment. This isolation minimizes the risk of data breaches and unauthorized data access, aligning with stringent data protection regulations such as the technical measures requested in the GDPR.
For Chief Information Security Officers (CISOs) and Cyber Security Managers
Implementing C-WAMR within your organization's infrastructure can strengthen your security posture. Its lightweight and efficient design allows for secure application deployment across various platforms, reducing potential attack surfaces and ensuring consistent security measures.
Key Benefits
Data Privacy
Ensures sensitive information is processed securely without exposure.
Regulatory Compliance
Assists in meeting compliance standards by providing a secure execution environment.
Advanced Threat Protection
Its high performance and small footprint contribute to efficient system operations.
GitHub Repository
All source code, tools, and documentation for cWAMR are openly available for developers to evaluate and build upon at:
