Control-Flow Integrity for Real-Time Embedded Systems

Authors Robert J. Walls, Nicholas F. Brown, Thomas Le Baron, Craig A. Shue, Hamed Okhravi, Bryan C. Ward

Thumbnail PDF


  • Filesize: 0.54 MB
  • 24 pages

Document Identifiers

Author Details

Robert J. Walls
  • Worcester Polytechnic Institute, Worcester, Massachusetts, USA
Nicholas F. Brown
  • Worcester Polytechnic Institute, Worcester, Massachusetts, USA
Thomas Le Baron
  • Worcester Polytechnic Institute, Worcester, Massachusetts, USA
Craig A. Shue
  • Worcester Polytechnic Institute, Worcester, Massachusetts, USA
Hamed Okhravi
  • MIT Lincoln Laboratory, Lexington, Massachusetts, USA
Bryan C. Ward
  • MIT Lincoln Laboratory, Lexington, Massachusetts, USA

Cite AsGet BibTex

Robert J. Walls, Nicholas F. Brown, Thomas Le Baron, Craig A. Shue, Hamed Okhravi, and Bryan C. Ward. Control-Flow Integrity for Real-Time Embedded Systems. In 31st Euromicro Conference on Real-Time Systems (ECRTS 2019). Leibniz International Proceedings in Informatics (LIPIcs), Volume 133, pp. 2:1-2:24, Schloss Dagstuhl – Leibniz-Zentrum für Informatik (2019)


Attacks on real-time embedded systems can endanger lives and critical infrastructure. Despite this, techniques for securing embedded systems software have not been widely studied. Many existing security techniques for general-purpose computers rely on assumptions that do not hold in the embedded case. This paper focuses on one such technique, control-flow integrity (CFI), that has been vetted as an effective countermeasure against control-flow hijacking attacks on general-purpose computing systems. Without the process isolation and fine-grained memory protections provided by a general-purpose computer with a rich operating system, CFI cannot provide any security guarantees. This work proposes RECFISH, a system for providing CFI guarantees on ARM Cortex-R devices running minimal real-time operating systems. We provide techniques for protecting runtime structures, isolating processes, and instrumenting compiled ARM binaries with CFI protection. We empirically evaluate RECFISH and its performance implications for real-time systems. Our results suggest RECFISH can be directly applied to binaries without compromising real-time performance; in a test of over six million realistic task systems running FreeRTOS, 85% were still schedulable after adding RECFISH.

Subject Classification

ACM Subject Classification
  • Security and privacy → Embedded systems security
  • Control-flow integrity


  • Access Statistics
  • Total Accesses (updated on a weekly basis)
    PDF Downloads


  1. The Capstone Disassembly Engine. URL:
  2. The Keystone Assembler. URL:
  3. pyelftools. URL:
  4. FreeRTOS FAQ relating to memory management and usage., 2017. Accessed: 2017-03-28.
  5. Martín Abadi, Mihai Budiu, Ulfar Erlingsson, and Jay Ligatti. Control-flow integrity principles, implementations, and applications. ACM Transactions on Information and System Security (TISSEC), 13(1):4, 2009. Google Scholar
  6. ARM Limited. Cortex-R4 and Cortex-R4F Technical Reference Manual, 2011. Google Scholar
  7. Michael Backes and Stefan Nürnberger. Oxymoron: Making Fine-Grained Memory Randomization Practical by Allowing Code Sharing. In 23rd USENIX Security Symposium, 2014. Google Scholar
  8. B. Brandenburg. Scheduling and Locking Multiprocessor Real-Time Operating Systems. PhD thesis, The University of North Carolina at Chapel Hill, 2011. Google Scholar
  9. Nathan Burow, Scott A Carr, Stefan Brunthaler, Mathias Payer, Joseph Nash, Per Larsen, and Michael Franz. Control-flow integrity: Precision, security, and performance. ACM Computing Surveys, 50(1), 2017. Google Scholar
  10. Nicholas Carlini, Antonio Barresi, Mathias Payer, David Wagner, and Thomas R Gross. Control-flow bending: On the effectiveness of control-flow integrity. In 24th USENIX Security Symposium, 2015. Google Scholar
  11. Tzi-cker Chiueh and Fu-Hau Hsu. RAD: A Compile-Time Solution to Buffer Overflow Attacks. In 21st International Conference on Distributed Computing Systems(ICDCS). IEEE, 2001. Google Scholar
  12. Abraham A Clements, Naif Saleh Almakhdhub, Khaled S Saab, Prashast Srivastava, Jinkyu Koo, Saurabh Bagchi, and Mathias Payer. Protecting Bare-metal Embedded Systems With Privilege Overlays. In IEEE Symposium on Security and Privacy, 2017. Google Scholar
  13. Marc L. Corliss, E. Christopher Lewis, and Amir Roth. Using DISE to Protect Return Addresses from Attack. SIGARCH Computer Architecture News, 2005. Google Scholar
  14. Crispan Cowan, Calton Pu, Dave Maier, Jonathan Walpole, Peat Bakke, Steve Battie, Aaron Grier, Perry Wagle, and Qian Zhang. StackGuard: Automatic Adaptative Detection and Prevention of Buffer-Overflow Attacks. In 7th USENIX Security Symposium, 1998. Google Scholar
  15. Lucas Davi, Ahmad-Reza Sadeghi, Daniel Lehmann, and Fabian Monrose. Stitching the gadgets: On the ineffectiveness of coarse-grained control-flow integrity protection. In 23rd USENIX Security Symposium, 2014. Google Scholar
  16. Richard Earnshaw. Procedure call standard for the ARM architecture. ARM Limited, October, 2003. Google Scholar
  17. Isaac Evans, Fan Long, Ulziibayar Otgonbaatar, Howard Shrobe, Martin Rinard, Hamed Okhravi, and Stelios Sidiroglou-Douskos. Control jujutsu: On the weaknesses of fine-grained control flow integrity. In 22nd ACM SIGSAC Conference on Computer and Communications Security. ACM, 2015. Google Scholar
  18. Shay Gal-On and Markus Levy. Exploring CoreMark - A benchmark maximizing simplicity and efficacy. The Embedded Microprocessor Benchmark Consortium, 2012. Google Scholar
  19. Jacob Grycel and Robert J. Walls. A Random Number Generator Built from Repurposed Hardware in Embedded Systems. CoRR, abs/1903.09365, 2019. URL:
  20. Jan Gustafsson, Adam Betts, Andreas Ermedahl, and Björn Lisper. The Mälardalen WCET benchmarks: Past, present and future. In OASIcs-OpenAccess Series in Informatics, volume 15. Schloss Dagstuhl-Leibniz-Zentrum fuer Informatik, 2010. Google Scholar
  21. Matthew R Guthaus, Jeffrey S Ringenberg, Dan Ernst, Todd M Austin, Trevor Mudge, and Richard B Brown. MiBench: A free, commercially representative embedded benchmark suite. In IEEE International Workshop on Workload Characterization. IEEE, 2001. Google Scholar
  22. Monowar Hasan, Sibin Mohan, Rakesh Bobba, and Rodolfo Pellizzoni. Exploring opportunistic execution for integrating security in legacy hard real-time systems. In 37th IEEE Real-Time Systems Symposium, RTSS, 2016. Google Scholar
  23. J. Hiser, A. Nguyen, M. Co, M. Hall, and J.W. Davidson. ILR: Where'd my gadgets go. In IEEE Symposium on Security and Privacy, 2012. Google Scholar
  24. T. Jackson, B. Salamat, A. Homescu, K. Manivannan, G. Wagner, A. Gal, S. Brunthaler, C. Wimmer, and M. Franz. Compiler-Generated Software Diversity. In Moving Target Defense, Advances in Information Security. Springer, 2011. Google Scholar
  25. Volodymyr Kuznetsov, Laszlo Szekeres, Mathias Payer, George Candea, R. Sekar, and Dawn Song. Code-Pointer Integrity. In 11th USENIX Symposium on Operating Systems Design and Implementation, OSDI, 2014. Google Scholar
  26. Per Larsen, Andrei Homescu, Stefan Brunthaler, and Michael Franz. SoK: Automated software diversity. In 35th IEEE Symposium on Security and Privacy, S&P, 2014. Google Scholar
  27. J. Lehoczky, L. Sha, and Y. Ding. The rate monotonic scheduling algorithm, Exact characterization and average case behavior. In 1989 IEEE Real-Time Systems Symposium (RTSS'89), December 1989. Google Scholar
  28. C. L. Liu and James W. Layland. Scheduling Algorithms for Multiprogramming in a Hard-Real-Time Environment. Journal of the ACM, 20(1):46-61, January 1973. Google Scholar
  29. Sibin Mohan, Man-ki Yoon, Rodolfo Pellizzoni, and Rakesh Bobba. Real-time systems security through scheduler constraints. In 26th Euromicro Conference on Real-Time Systems, ECRTS, 2014. Google Scholar
  30. Santosh Nagarakatte, Jianzhou Zhao, Milo M.K. Martin, and Steve Zdancewic. SoftBound: Highly compatible and complete spatial memory safety for C. In ACM Sigplan Notices, PLDI, 2009. Google Scholar
  31. Santosh Nagarakatte, Jianzhou Zhao, Milo MK Martin, and Steve Zdancewic. CETS: compiler enforced temporal safety for C. In ACM Sigplan Notices, 2010. Google Scholar
  32. Nicholas Nethercote and Julian Seward. Valgrind: a framework for heavyweight dynamic binary instrumentation. In ACM Sigplan Notices, volume 42 (6), 2007. Google Scholar
  33. Aleph One. Smashing the stack for fun and profit. Phrack magazine, 7(49):14-16, 1996. Google Scholar
  34. James Pallister, Simon Hollis, and Jeremy Bennett. BEEBS: Open benchmarks for energy measurements on embedded platforms. arXiv preprint, 2013. URL:
  35. Rodolfo Pellizzoni, Neda Paryab, Man-Ki Yoon, Stanley Bak, Sibin Mohan, and Rakesh Bobba. A generalized model for preventing information leakage in hard real-time systems. In 21st Real-Time and Embedded Technology and Applications Symposium, RTAS, 2015. Google Scholar
  36. Danbing Seto, John P Lehoczky, Lui Sha, and Kang G Shin. On task schedulability in real-time control systems. In 17th IEEE Real-Time Systems Symposium, 1996. Google Scholar
  37. Hovav Shacham. The geometry of innocent flesh on the bone: Return-into-libc without function calls (on the x86). In 14th ACM conference on Computer and communications security. ACM, 2007. Google Scholar
  38. Bryan Ward, Abhilash Thekkilakattil, and James Anderson. Optimizing Preemption-Overhead Accounting in Multiprocessor Real-Time Systems. In 22nd International Conference on Real-Time and Network Systems, RTNS, 2014. Google Scholar
  39. Man-Ki Yoon, Sibin Mohan, Chien-Ying Chen, and Liu Sha. TaskShuffler: A schedule randomization protocol for obfuscation against timing inference attacks in real-time systems. In 22nd Real-Time embedded Technology and Applications Symposium, RTAS, 2016. Google Scholar
  40. Tom Zanussi. microYocto and the internet of tiny. Embedded Linux Conference, 2015. Google Scholar
  41. Mingwei Zhang and R Sekar. Control Flow Integrity for COTS Binaries. In USENIX Security Symposium, volume 13, 2013. Google Scholar
  42. Vojin Zivojnovic, Harald Schraut, M Willems, and R Schoenen. DSPs, GPPs, and multimedia applications-an evaluation using dspstone. In International Conference on Signal Processing Applications and Technology, 1995. Google Scholar