Patrick Dobranowski, Owen Rice, Ryan Burrow, Nathan Burow, Bryan C. Ward
Creative Commons Attribution 4.0 International license
Embedded and real-time systems are increasingly connected and deployed in safety and mission-critical environments, making them a persistent target for attacks capable of compromising industrial control systems and other embedded devices. At the same time, these devices often have strict real-time requirements that require predictable worst-case performance. However, many strong and widely deployed software-security defenses are designed and evaluated with respect to average-case performance, a more important metric in enterprise systems. The worst-case performance of such defenses is not well understood and indeed such defenses are less commonly deployed in embedded systems. In particular, one class of commonly deployed defenses in enterprise systems is code randomization, which protects a system by altering the layout of the virtual address space so that attackers cannot easily target specific parts of a vulnerable application, but randomization is often seen as fundamentally counter to real-time predictability. This paper presents DART, a real-time address randomization defense with page-level randomization. DART randomizes code in the virtual address space at page-level granularity under placement constraints that move cache behavior from a runtime OS-allocator property to a statically encoded binary property, allowing for timing analysis. An analysis of DART’s timing behavior on a real-time testbed demonstrates how the design makes layout-induced timing variance bounded and characterizable across the space of layouts produced, supporting predictable execution-time analysis. The resulting layout search space is then analyzed, and a closed-form expression for the randomization entropy induced by DART is derived. 
Evaluation results across TACLeBench binaries show increased combinatorial entropy with modest numbers of virtual memory pages per cache color, providing a suitable defense that outperforms traditional virtual-memory protections for attacks such as partial-pointer overwriting or more broadly control-flow hijacking.
@InProceedings{dobranowski_et_al:LIPIcs.ECRTS.2026.10,
author = {Dobranowski, Patrick and Rice, Owen and Burrow, Ryan and Burow, Nathan and Ward, Bryan C.},
title = {{DART: A Real-Time Address-Randomization Defense with Predictable Timing}},
booktitle = {38th European Conference on Real-Time Systems (ECRTS 2026)},
pages = {10:1--10:26},
series = {Leibniz International Proceedings in Informatics (LIPIcs)},
ISBN = {978-3-95977-429-1},
ISSN = {1868-8969},
year = {2026},
volume = {375},
editor = {Kritikakou, Angeliki},
publisher = {Schloss Dagstuhl -- Leibniz-Zentrum f{\"u}r Informatik},
address = {Dagstuhl, Germany},
URL = {https://drops.dagstuhl.de/entities/document/10.4230/LIPIcs.ECRTS.2026.10},
URN = {urn:nbn:de:0030-drops-266021},
doi = {10.4230/LIPIcs.ECRTS.2026.10},
annote = {Keywords: real-time systems, address-space layout randomization, code randomization, worst-case execution time, cache coloring, embedded systems security}
}