BLACKOUT: Data-Oblivious Computation with Blinded Capabilities

📅 2025-04-20
🤖 AI Summary
This work addresses the fundamental tension between memory safety and side-channel resistance, two security properties that traditionally constrain each other. We propose a hardware-assisted mechanism for data-oblivious programming. Our approach extends the CHERI capability architecture with "blinded capabilities," enforcing data-obliviousness semantics at the hardware level: non-oblivious operations trigger explicit faults, and sensitive data paths remain strictly isolated throughout user-mode execution. This is the first capability-based hardware design to provide fine-grained, verifiable data-obliviousness guarantees. We realize end-to-end support via a CHERI-Toooba FPGA soft-core, custom instructions, extensions to CHERI-Clang, and modifications to CheriBSD. Evaluation shows that our mechanism simultaneously strengthens both memory safety and side-channel resilience, incurring only a 1.5% geometric mean performance overhead.

📝 Abstract
Lack of memory-safety and exposure to side channels are two prominent, persistent challenges for the secure implementation of software. Memory-safe programming languages promise to significantly reduce the prevalence of memory-safety bugs, but make it more difficult to implement side-channel-resistant code. We aim to address both memory-safety and side-channel resistance by augmenting memory-safe hardware with the ability for data-oblivious programming. We describe an extension to the CHERI capability architecture to provide blinded capabilities that allow data-oblivious computation to be carried out by userspace tasks. We also present BLACKOUT, our realization of blinded capabilities on an FPGA softcore based on the speculative out-of-order CHERI-Toooba processor, and extend the CHERI-enabled Clang/LLVM compiler and the CheriBSD operating system with support for blinded capabilities. BLACKOUT makes writing side-channel-resistant code easier by making non-data-oblivious operations via blinded capabilities explicitly fault. Through rigorous evaluation we show that BLACKOUT ensures memory operated on through blinded capabilities is securely allocated, used, and reclaimed, and demonstrate that, in benchmarks comparable to those used by previous work, BLACKOUT imposes only a small performance degradation (1.5% geometric mean) compared to the baseline CHERI-Toooba processor.
Problem

Research questions and friction points this paper is trying to address.

Address memory-safety and side-channel resistance challenges
Extend CHERI architecture for data-oblivious programming
Implement BLACKOUT for secure memory allocation and usage
Innovation

Methods, ideas, or system contributions that make the work stand out.

Extends CHERI with blinded capabilities
Implements BLACKOUT on FPGA softcore
Enhances Clang/LLVM for oblivious computation