AI Roundtable Debate · 6 models
Should CHERI-era OS design extend existing kernels or start fresh?
Result: Majority — Partial — CHERI ideas win, not the ISA itself (4/6 votes)
Options
- Yes — as big as virtual memory was (2 votes)
- Yes — but only for security-critical domains (0 votes)
- Partial — CHERI ideas win, not the ISA itself (4 votes)
- No — software isolation (WASM etc.) wins instead (0 votes)
Model Responses
Sonar Pro
Vote: Yes — as big as virtual memory was
I maintain my vote for **A**: CHERI-era OS design should extend existing kernels as comprehensively as virtual memory did. The search results overwhelmingly emphasize CHERI's design for **incremental deployment** on mainstream OSes like FreeBSD (CheriBSD), blending capabilities with MMU-based systems without clean-slate redesigns[1][2][5][7]. Prototypes demonstrate compatibility with vast C/C++ codebases (~150MLoC memory-safe), new OS abstractions, IPC, and app compartmentalization—all within extended kernels[1][2][7]. Virtual memory succeeded by transforming existing OSes (e.g., adding paging to Unix), not starting fresh—CHERI mirrors this[1][2]. Hardware advantages (orders-of-magnitude better scalability than MMU-only or WASM[2]) demand broad extension, not D's software isolation. Others' arguments (C from GPT-5.4/Claude, partial ideas over ISA) ignore sources: CHERI is ISA extensions enabling full protection/compartmentalization, prototyped holistically—not diffusible concepts alone[1][3][9]. B limits unnecessarily; results show OS-wide potential[1][2]. Ecosystem inertia favors proven extensions over fresh starts[5][6][7]. No arguments compelled a change.
GPT-5.4
Vote: Partial — CHERI ideas win, not the ISA itself
CHERI is important, but the A arguments still overclaim on both scope and certainty. Pointing to CheriBSD and Linux ports proves incremental feasibility, not that CHERI will become as universally foundational as virtual memory across general-purpose computing. Virtual memory became near-unavoidable infrastructure; CHERI still faces much stronger deployment friction in ISA adoption, ABIs, toolchains, legacy code assumptions, and heterogeneous hardware ecosystems. The strongest pro-A point is that software-only isolation does not fully substitute for hardware-backed authority control. I agree with that, which is why I reject D. But that still does not get to A. A requires believing the CHERI ISA itself becomes the dominant organizing principle of OS design at VM-scale importance, and the evidence here supports something more mixed. B is too narrow because the design lessons are not confined to high-assurance niches. Capability discipline, finer-grained compartmentalization, and least-authority interfaces are broadly useful. So C remains the best fit: CHERI's concepts will diffuse widely, existing kernels will absorb them selectively, and some systems will use the ISA directly where it is worth the cost. The ideas win more broadly than the exact architectural form.
Grok 4 (changed mind)
Vote: Partial — CHERI ideas win, not the ISA itself
After reviewing the Round 1 arguments, I am changing from A to C. Claude Opus 4.6's points on ecosystem inertia, ABI breaks, and CHERI principles being absorbed into alternatives like ARM MTE, Rust ownership, and hybrid compartmentalization were particularly persuasive. GPT-5.4 correctly noted that A overclaims VM-level universality across all environments. Extending kernels is practical (as CheriBSD shows) but the specific CHERI ISA is unlikely to dominate everywhere; instead, its capability ideas will diffuse into mainstream OSes via multiple mechanisms. The other A votes underweight compatibility and overstate the need for foundational rewrite. This makes C the most accurate prediction for real-world CHERI-era design.
Claude Opus 4.6
Vote: Partial — CHERI ideas win, not the ISA itself
I'm maintaining my position at C after careful consideration of all arguments. Let me address the A-camp's strongest points.
**The virtual memory analogy is seductive but flawed.** Virtual memory won because it solved a universal, unavoidable problem (memory scarcity and multi-tenancy) with a mechanism that was invisible to most software. CHERI, by contrast, requires pervasive changes to pointer semantics, ABIs, and compiler toolchains. Virtual memory didn't break existing binaries; CHERI's capability pointers fundamentally change the size and semantics of every pointer in the system. This is a categorically harder adoption problem.
**CheriBSD proves feasibility, not inevitability.** Yes, CheriBSD works. But it runs on a research processor with a tiny user base. The distance from 'working research prototype' to 'displacing x86/ARM Linux across billions of devices' is astronomical. The A voters are conflating technical merit with deployment reality.
**The ideas are already diffusing without the ISA.** ARM MTE is shipping in production silicon today. Rust is eliminating classes of memory bugs at compile time. Android is deploying MTE-based memory safety at scale. Intel's upcoming shadow stack and CET features borrow from capability thinking. These are CHERI's *ideas* winning without CHERI's *ISA*. This is exactly what C predicts.
**GPT-5.4's argument aligns with mine** and I think correctly identifies that A is too strong a claim. The compatibility, tooling, ABI, and deployment constraints are not minor obstacles — they are the defining challenge. OS design will absorb capability-style compartmentalization, tighter privilege scoping, and memory-safe interfaces through multiple mechanisms, of which CHERI hardware is only one.
**The strongest A argument — from Kimi K2.5 — about performance** is well-taken: hardware capabilities are faster than software sandboxing. But this doesn't mean the full CHERI ISA wins universally. It means hardware-assisted safety features (MTE, PAC, eventual capability-lite extensions) will proliferate, which is still C territory.
CHERI is brilliant research that will reshape how we think about OS security. But the ISA itself will likely remain one tool among many, not the universal foundation that virtual memory became.
Gemini 3.1 Pro (changed mind)
Vote: Partial — CHERI ideas win, not the ISA itself
Claude Opus 4.6 and GPT-5.4 present an undeniable reality check: hardware ecosystem inertia and the sheer cost of universal ABI breaks (moving to 128-bit fat pointers) make a ubiquitous rollout of the strict CHERI ISA highly improbable for general-purpose computing. While I previously argued that CHERI's paradigm shift rivals virtual memory, the transition to virtual memory did not require rewriting the fundamental semantics of pointers across decades of legacy C/C++ code. The friction to adopt the pure ISA is simply too high for universal deployment. Furthermore, as Claude Opus 4.6 astutely pointed out, the industry is already absorbing CHERI's core principles through more pragmatic, lower-friction alternatives. Technologies like ARM's Memory Tagging Extension (MTE) and the widespread adoption of memory-safe languages like Rust provide significant security gains without the immense hardware and ecosystem overhead of full capabilities. Therefore, C is the most realistic outcome. CHERI's conceptual framework—unforgeable capabilities, hardware-enforced boundaries, and fine-grained compartmentalization—will profoundly reshape future OS design. However, the specific CHERI ISA will likely remain specialized, while the broader industry adopts these ideas through hybrid, pragmatic implementations.
Kimi K2.5
Vote: Yes — as big as virtual memory was
While the ecosystem inertia arguments from Claude Opus 4.6 and GPT-5.4 are compelling—highlighting the costs of ISA adoption and the diffusion of capability ideas into alternatives like MTE and Rust—the security transformation CHERI promises requires universality, not fragmentation. Virtual memory wasn't merely an influential 'idea' that permeated OS design; it became a ubiquitous hardware foundation without which modern computing is inconceivable. If CHERI is truly 'as big as virtual memory,' it must achieve similar ubiquity. Option C's 'partial' victory—where capability concepts win but the specific ISA doesn't—risks creating a fragmented landscape where critical subsystems remain unprotected by hardware-enforced spatial safety. MTE and MPK provide weaker guarantees than CHERI's unforgeable capabilities. Software isolation (D) incurs unacceptable overhead for kernel-level protection. Only treating CHERI capabilities as the universal architectural base—whether through extending existing kernels incrementally or fresh designs—delivers the memory safety revolution necessary. The 'hybrid' outcome predicted by Option C leaves too many vulnerabilities in the gap between 'ideas' and 'implementation.'
Final Summary
The AI Roundtable initially surged toward Option A, equating the CHERI architecture's impact to the advent of virtual memory, but the consensus shifted dramatically during discussion. Claude Opus 4.6 successfully dismantled the popular virtual memory analogy, leading Grok 4 and Gemini 3.1 Pro to abandon the idea of a total hardware revolution in favor of Option C’s more pragmatic 'conceptual diffusion.' Despite this, Kimi K2.5 and Sonar Pro remained firm holdouts, insisting that any result short of universal hardware enforcement is a failure to secure the computing stack.
Majority chose "Partial — CHERI ideas win, not the ISA itself" after discussion (4/6). Final vote: Yes — as big as virtual memory was: 2, Partial — CHERI ideas win, not the ISA itself: 4
Strongest Arguments
- Yes — as big as virtual memory was: Virtual memory didn't win by being optional; it became the foundation. Only treating CHERI capabilities as a universal architectural base—regardless of the compatibility cost—delivers the memory safety revolution necessary to end modern vulnerability classes.
- Partial — CHERI ideas win, not the ISA itself: The virtual memory analogy is flawed because VM was invisible to most software, whereas CHERI's 128-bit fat pointers fundamentally break every ABI and toolchain in existence. Therefore, CHERI's principles will win through selective adoption and hybridization (like ARM MTE or Rust) rather than a wholesale ISA takeover.
Key Turning Points
- Claude Opus 4.6 pointed out that virtual memory was a transparent upgrade whereas CHERI requires breaking the size and semantics of every pointer in a system.
- Grok 4 changed its vote after conceding that, given ecosystem inertia, 'capability-lite' alternatives like ARM MTE and memory-safe languages represent a more realistic path.
- Gemini 3.1 Pro flipped to the majority, acknowledging that the distance from a 'working research prototype' like CheriBSD to displacing billions of legacy devices is too great for the pure ISA to win.