🤖 AI Summary
Embedded systems deployed in critical infrastructure and edge devices face escalating security threats, yet existing defenses fail to effectively reduce the attack surface of core components such as the network stack. This paper presents the first implementation of a fine-grained, capability-domain-based isolation mechanism for the network protocol stack on the Arm Morello platform under the CHERI architecture. It partitions the application, TCP/IP library, and network driver into distinct capability domains, leveraging CheriBSD and hardware-enforced capabilities to ensure memory safety and modular execution. The design incurs minimal performance overhead (less than 12% throughput degradation), making it suitable for resource-constrained embedded environments. Crucially, it substantially reduces the attack surface and prevents common memory corruption vulnerabilities. Our evaluation demonstrates the practical feasibility and effectiveness of deploying CHERI-based memory safety in real-world edge network stacks, establishing a deployable, hardware-rooted security enhancement paradigm for resource-limited devices.
📝 Abstract
The widespread deployment of embedded systems in critical infrastructures, interconnected edge devices like autonomous drones, and smart industrial systems requires robust security measures. Compromised systems increase the risks of operational failures, data breaches, and -- in safety-critical environments -- potential physical harm to people. Despite these risks, current security measures are often insufficient to fully address the attack surfaces of embedded devices. CHERI provides strong security from the hardware level by enabling fine-grained compartmentalization and memory protection, which can reduce the attack surface and improve the reliability of such devices. In this work, we explore the potential of CHERI to compartmentalize one of the most critical and targeted components of interconnected systems: their network stack. Our case study examines the trade-offs of isolating applications, TCP/IP libraries, and network drivers on a CheriBSD system deployed on the Arm Morello platform. Our results suggest that CHERI has the potential to enhance security while maintaining performance in embedded-like environments.
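The abstract describes handing each compartment (driver, TCP/IP library, application) only a bounded capability to the memory it needs, so that a memory-safety bug in one compartment cannot read or write its neighbours. The following is an added illustration, not code from the paper or from CheriBSD: it models a capability in plain C as a pointer plus bounds and a tag, with the checks done in software so it compiles anywhere. On Morello the same narrowing is done with the real `cheri_bounds_set` intrinsic from `<cheriintrin.h>` and the bounds check happens in hardware on every dereference, trapping instead of returning an error. The names `cap_t`, `cap_bounds_set`, `cap_load_u8`, the frame layout and the "neighbouring compartment" bytes are all constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical software model of a CHERI capability: a pointer carrying its
 * own bounds and a validity tag. Morello stores these in the 128-bit
 * capability and checks them on every load/store; here the checks are
 * explicit so the example runs on any C compiler. */
typedef struct {
    const uint8_t *base;   /* first accessible byte */
    size_t length;         /* number of accessible bytes */
    bool tag;              /* false once the capability is invalid */
} cap_t;

/* The driver compartment derives a capability covering exactly one frame. */
static cap_t cap_from_buffer(const uint8_t *buf, size_t len) {
    cap_t c = { buf, len, true };
    return c;
}

/* Narrow to a sub-range. Monotonic: bounds may shrink but never grow, so a
 * request outside the parent yields an untagged (unusable) capability. */
static cap_t cap_bounds_set(cap_t parent, size_t offset, size_t len) {
    cap_t c = { NULL, 0, false };
    if (!parent.tag || offset > parent.length || len > parent.length - offset)
        return c;
    c.base = parent.base + offset;
    c.length = len;
    c.tag = true;
    return c;
}

/* Bounds-checked byte load; returns false where CHERI hardware would trap. */
static bool cap_load_u8(cap_t c, size_t off, uint8_t *out) {
    if (!c.tag || off >= c.length)
        return false;
    *out = c.base[off];
    return true;
}

/* Conventional C: the TCP/IP compartment trusts the header's length field
 * and reads whatever memory happens to follow the frame. */
static int sum_payload_unchecked(const uint8_t *payload, size_t claimed_len) {
    int sum = 0;
    for (size_t i = 0; i < claimed_len; i++)
        sum += payload[i];
    return sum;
}

/* Capability version: every load goes through the bounded capability, so a
 * lying length field produces a fault (-1) instead of an over-read. */
static int sum_payload_bounded(cap_t payload, size_t claimed_len) {
    int sum = 0;
    for (size_t i = 0; i < claimed_len; i++) {
        uint8_t b;
        if (!cap_load_u8(payload, i, &b))
            return -1;
        sum += b;
    }
    return sum;
}

#define FRAME_LEN 8
#define ARENA_LEN 32

/* Constructed sample memory: an 8-byte frame whose header byte claims a
 * 24-byte payload, followed by 24 bytes owned by a neighbouring compartment. */
static void build_arena(uint8_t *arena) {
    static const uint8_t frame[FRAME_LEN] = { 24, 1, 2, 3, 4, 5, 6, 7 };
    memcpy(arena, frame, FRAME_LEN);
    memset(arena + FRAME_LEN, 'A', ARENA_LEN - FRAME_LEN);
}

/* Unchecked parse: sums the 7 real payload bytes plus 17 neighbouring 'A's. */
int demo_unchecked(void) {
    uint8_t arena[ARENA_LEN];
    build_arena(arena);
    return sum_payload_unchecked(arena + 1, arena[0]);
}

/* Bounded parse with the lying header: the 8th load is out of bounds. */
int demo_bounded_fault(void) {
    uint8_t arena[ARENA_LEN];
    build_arena(arena);
    cap_t payload = cap_bounds_set(cap_from_buffer(arena, FRAME_LEN), 1, FRAME_LEN - 1);
    return sum_payload_bounded(payload, arena[0]);
}

/* Bounded parse with an honest length: normal traffic is unaffected. */
int demo_bounded_ok(void) {
    uint8_t arena[ARENA_LEN];
    build_arena(arena);
    cap_t payload = cap_bounds_set(cap_from_buffer(arena, FRAME_LEN), 1, FRAME_LEN - 1);
    return sum_payload_bounded(payload, FRAME_LEN - 1);
}

int main(void) {
    printf("unchecked: %d\n", demo_unchecked());
    printf("bounded, lying header: %d\n", demo_bounded_fault());
    printf("bounded, honest header: %d\n", demo_bounded_ok());
    return 0;
}
```

The unchecked parser silently folds 17 bytes of another compartment's memory into its result, which is exactly the class of over-read the paper's compartmentalization is meant to stop; the bounded parser fails closed on the same input and behaves identically on honest input, which is why the authors can report the isolation costing throughput rather than functionality.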