Post · bonfire.cafe

Post

Log in

David Chisnall (*Now with 50% more sarcasm!*)

@david_chisnall@infosec.exchange · 2 weeks ago

Mitre has just published their top 25 most dangerous software vulnerabilities of 2025

How does #CHERIoT stack up against this list?

5, 7, 8, 11, 14, and 16 are deterministically mitigated with just a recompile.

13 will trap, but is recoverable on a per-compartment basis.

15 is trivial to mitigate with compartmentalisation. Phil Day wrote about this 18 months ago.

6 is mitigated by good capability-based filesystem APIs.

25 is mitigated by our software capability model in the RTOS.

1, 2, 3, 9, 10, 12, 22, and 23 and are not normally applicable on embedded platforms.

That leaves you with a lot more spare brainpower to think about avoiding the remaining seven (4, 17, 18, 19, 20, 21, and 24). The impact of many of these is limited in an environment where there is a programmer model that makes implementing the principles of least privilege and intentional use trivial.

CHERIoT Platform

Safe and Secure Configuration Management on CHERIoT

All systems rely on some form of configuration data. Fully immutable systems, where configuration is baked in at build time, may work for container based environments where re-deployment is relatively easy, but in other systems the configuration interface forms a significant part of the attack surface, and misconfiguration, whether accidental or malicious, is a major sources of security vulnerabilities. For example the recent CrowdStrike outage was caused by a bug in an in-kernel parser that crashed when given a new configuration value.

CWE -
2025 CWE Top 25 Most Dangerous Software Weaknesses

Common Weakness Enumeration (CWE) is a list of software and hardware weaknesses.

bonfire.cafe

A space for Bonfire maintainers and contributors to communicate

bonfire.cafe: About · Code of conduct · Privacy · Users · Instances

Bonfire social · 1.0.1-alpha.41 no JS en

Automatic federation enabled

Log in