diff --git a/_posts/2024-09-19-cheriot-dsbd-all-hands.markdown b/_posts/2024-09-19-cheriot-dsbd-all-hands.markdown
new file mode 100644
index 0000000..d6eb73a
--- /dev/null
+++ b/_posts/2024-09-19-cheriot-dsbd-all-hands.markdown
@@ -0,0 +1,46 @@
+---
+layout: post
+title: "CHERIoT at the Digital Security by Design All Hands meeting"
+date: 2024-09-19
+categories: conference
+author: "David Chisnall"
+---
+
+Several companies presented CHERIoT-related things at the [Digital Security by Design](https://www.dsbd.tech) all-hands meeting yesterday!
+
+[lowRISC](https://lowrisc.org), whose [Sonata](https://cheriot.org/fpga/ibex/2024/06/10/sonata-quick-start.html) board was used by all of the demos, presented a demonstration of an automotive system where a bug in the volume control would overwrite the speed controller value (on a non-CHERI system).
+The source for this [is in the Sonata software repo](https://github.com/lowRISC/sonata-software/tree/main/examples/automotive), as is the [snake example](https://github.com/lowRISC/sonata-software/tree/main/examples/snake) that lowRISC also showed.
+
+
+
+[ConfiguredThings](https://www.configuredthings.com) presented an extended version of the [configuration management demonstration](https://cheriot.org/security/philosophy/2024/07/30/configuration-management.html) that they've previously contributed to the project.
+The updated version integrated the CHERIoT network stack to talk to their back-end secure configuration management system.
+The code for [the original version of their demo](https://github.com/CHERIoT-Platform/cheriot-demos/tree/main/configuration_broker) is open and the network-connected version should appear in the same place soon.
+
+
+
+This showed how a CHERIoT system can provide additional defence in depth.
+Each configuration block from the server was parsed in a separate compartment, so bugs in the JSON parsing are not exploitable.
+The worst that can happen is that an invalid configuration update is ignored.
+CrowdStrike provided a good demonstration of how bad this can be without CHERI.
+
+Finally, we at [SCI Semiconductor](https://www.scisemi.com) presented a demonstration of the network-stack restart work that we released over the summer.
+This ran on Sonata, but (as with the other demonstrators) will be trivial to port to our [ICENI CHERIoT chips, which are expected early next year](https://www.scisemi.com/press-release-cheriot-ibex/).
+This showed a simple multi-colour light that was connected to the Internet via MQTT.
+The CHERIoT network stack runs the FreeRTOS TCP/IP stack ('[FreeRTOS+TCP](https://github.com/FreeRTOS/FreeRTOS-Plus-TCP)') in a compartment.
+We introduced a memory-safety bug into this code, which forms a key part of the attack surface (it's the thing that has to process packets that come from the Internet, where all of the bad people live).
+When this is triggered, we see a CHERI exception on Sonata's CHERI fault LEDs and the network connection is dropped.
+The TCP/IP compartment is then restarted automatically and the application code resumes:
+
+
+
+The [code for this demo](https://github.com/CHERIoT-Platform/cheriot-demos/tree/main/HughTheLightbulb) is available.
+Note that there's *nothing* in the application-specific part of the code related to the TCP/IP stack crashing.
+From the perspective of a consumer of the TCP/IP APIs, sockets just return a disconnection error.
+The normal reconnection paths then succeed once the TCP/IP stack has been restarted.
+
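Review bot: in the ConfiguredThings section, "so bugs in the JSON parsing are not exploitable" is stronger than the sentence after it, which describes a bounded failure ("an invalid configuration update is ignored") rather than the absence of one. Consider wording it as the bug being confined to the parser's compartment, which is what the per-block compartment design described here gives you. The CrowdStrike sentence that follows has no link or explanation, unlike every other project and company named in the post; add a reference or a clause saying which incident is meant, so the comparison still reads clearly later.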
diff --git a/images/2024-09-19-configuredthings-demo.jpeg b/images/2024-09-19-configuredthings-demo.jpeg
new file mode 100644
index 0000000..ef8a58c
Binary files /dev/null and b/images/2024-09-19-configuredthings-demo.jpeg differ
diff --git a/images/2024-09-19-lowRISC-demo.jpeg b/images/2024-09-19-lowRISC-demo.jpeg
new file mode 100644
index 0000000..3c41e88
Binary files /dev/null and b/images/2024-09-19-lowRISC-demo.jpeg differ
diff --git a/images/Hugh the Lightbulb.mp4 b/images/Hugh the Lightbulb.mp4
new file mode 100644
index 0000000..fe3d611
Binary files /dev/null and b/images/Hugh the Lightbulb.mp4 differ
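Review bot: the video is added as `images/Hugh the Lightbulb.mp4`, with spaces and capitals and no date prefix, while the two JPEGs in this patch follow a `2024-09-19-<name>` pattern. Rename it to match (for example a date-prefixed, hyphenated, lower-case name) so that any URL pointing at it needs no percent-encoding and the images directory stays consistent.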