Microsoft says new experimental architecture could cut number of necessary security patches

For quite some time now, Rust has been touted as a potential replacement for C++ when it comes to writing some Windows components.

Some consider C++ outdated, and Microsoft itself even acknowledges that switching to Rust could eliminate the need for constant security patches. This is mostly because the majority of vulnerabilities revolve around memory safety, an issue allegedly inherent to C++.

But it appears Microsoft won’t be moving to Rust in a hurry, as the company is working on a new, experimental architecture that could prove even more valuable.

Called CHERI (Capability Hardware Enhanced RISC), the infrastructure could have mitigated about two-thirds of the memory-safety vulnerabilities that had to be patched in 2019, according to ZDNet.

"[CHERI] provides memory-protection features against many exploited vulnerabilities, or in other words, an architectural solution that breaks exploits," explained Nicolas Joly, Saif ElSherei and Saar Amar of Microsoft Security Response Center.

A spokesperson from Cambridge University added that "CHERI extends conventional hardware Instruction-Set Architectures (ISAs) with new architectural features to enable fine-grained memory protection and highly scalable software compartmentalization".

According to ZDNet, CHERI has memory protection features that would adapt historically memory-unsafe programming languages and make them safer against widely exploited vulnerabilities.

Cutting down on patch frequency would result in significant savings for the company; Microsoft currently issues more than 100 patches every month. The report added that making existing code compatible with CHERI could even be cheaper than rewriting it in Rust or a similar memory-safe language.

Sead Fadilpašić is a freelance tech writer and journalist with more than 17 years' experience writing technology-focused news, blogs, whitepapers, reviews, and ebooks. His work has been featured in online media outlets from all over the world, including Al Jazeera Balkans (where he was a Multimedia Journalist), Crypto News, TechRadar Pro, and IT Pro Portal, where he has written news and features for over five years. Sead's experience also includes writing for inbound marketing, where he creates technology-based content for clients from London to Singapore. Sead is a HubSpot-certified content creator.