
Digital Security by Design: Programme case study 

Unprecedented levels of cybercrime continue to undermine the UK’s Industrial Strategy, threatening data security, stalling the growth of startups and SMEs, and burdening businesses with costly repairs and remediation. In response, the UK Government launched the Digital Security by Design Technology Access Programme in 2022 as part of a broader initiative to establish a more resilient digital future. 

Delivered by Digital Catapult in collaboration with the University of Cambridge, ARM and lowRISC, the Digital Security by Design initiative aimed to address critical memory-safety vulnerabilities in legacy programming languages like C and C++. These languages are particularly prone to bugs and security flaws, making it easier for hackers and cybercriminals to exploit weaknesses, gain unauthorised access to protected memory, and steal or manipulate sensitive data. 

To solve this challenge, the programme accelerated the practical application of deep tech within specific sectors, enabling businesses to test the viability of solutions underpinned by the CHERI (Capability Hardware Enhanced RISC Instructions) framework. CHERI is a technology architecture which embeds security by design and aims to significantly strengthen systems security through the use of memory safe pointer architecture and secure compartmentalisation of memory.  

Typically, 70% of total reported vulnerabilities stem from memory safety errors and can be mitigated by CHERI.

During the three years of the programme, Digital Catapult brought together expertise to test the prototype technology, providing technological and innovation consultancy to businesses across sectors including defence, transport and telecommunications. The initiative engaged with 51 SMEs (including Kaze Consulting, Systems Security Consulting and Cambridge Consultants), along with industry partners (lowRISC, ARM and TechUK) and academic institutions (University of Cambridge, The University of Edinburgh, and King’s College London) to drive innovation and strengthen cybersecurity, demonstrating the value of Digital Catapult’s convening capabilities across the country and bespoke data and software services offerings.

How the programme supported businesses  

During the programme, Digital Catapult provided participating startups and SMEs with ongoing consultancy, £15,000 funding to qualifying companies, and technological support. Most significant was the access to the ARM Morello Board and CHERI infrastructure, which provided a unique opportunity to work with cutting-edge, prototype technology that isn’t commercially available. This technology, when fully mature and market-ready, has the potential to open up whole new markets for cyber secure by design products, providing competitive advantage to companies that are already familiar with it.

With this access, startups were able to work to overcome specific market challenges ranging from protecting the security of vehicles to addressing vulnerabilities in defence and security environments. One startup which benefitted from its participation on the programme is Sensor IT, a company that sought to find a way to solve one of the more common memory-related security concerns – buffer overflow insecurities.

The Sensor IT team found the capabilities of the Morello board to be enormous, including functionality they had not tested, such as memory compartmentalisation. They found the system can increase the data security of standard critical applications by several orders of magnitude, just by porting existing code to the new platform without any significant changes. 

Sensor IT received essential support from key partners. Digital Catapult provided £15,000 in funding, along with technical support through 1-1 sessions, peer-to-peer collaborations, and networking opportunities. The University of Cambridge and ARM offered access to hardware and technical assistance, crucial for the cohort’s progress.

“Not only did the Morello board/CheriBSD provide functionality we did not expect, but we also got to keep the board, which allows us to keep experimenting with it.”
Richard Gonzalez
Director, Sensor IT

CAN-PHANTOM, another participant on the programme, aimed to determine if CHERI could detect and prevent memory vulnerabilities, such as stack overflows and underflows, which have the potential to cause denial of service or allow hackers to gain control of a system.

Digital Catapult provided CAN-PHANTOM with the opportunity to discover how CHERI might allow for the identification of bugs and errors much earlier in the design process. This reduced the need for future firmware/software security updates.  

“The help offered through the DSbD programme was very good. We were expecting to find more problems but almost everything we tried just worked as advertised. The one bug that we did encounter was fixed in under 24 hours, which is remarkably fast.”
Alan Smewing
CTO, CAN-PHANTOM 


51 alumni participants from across the UK

Impact and Results

The innovation programme directly benefited cohort companies by enhancing application security and reducing attack surfaces. 15 companies identified and resolved previously unknown issues in their own or third-party code. Other companies validated that CHERI would have identified known issues much more quickly and helped mitigate vulnerabilities before product deployment. Many companies plan to continue using CHERI, with 18 identifying clear business opportunities. 

Externally, three cohort companies secured institutional investment within 18 months of completing Digital Catapult’s Technology Access Programme, totalling £1,155,997 in announced funding. 

Several cohort companies have also directly supported the University of Cambridge’s work, particularly in developing the co-process compartmentalisation model and creating CheriTree tooling. The programme has contributed to wider academic efforts as well, supporting publications from Imperial College London and Heriot-Watt University. 

The programme also garnered significant media attention, resulting in 94 press articles with a total readership of over 46 million. This coverage raised awareness of CHERI technologies and highlighted solutions to memory-safety vulnerabilities in the industry. 

Interested in partnering on future DSbD opportunities?
We’d like to hear from you – get in touch at dsbdprogramme@digicatapult.org.uk to explore how we can collaborate.