Protecting Bare-metal Embedded Systems with Privilege Overlays

Explore a comprehensive conference talk on enhancing security for bare-metal embedded systems through privilege overlays. Delve into the innovative EPOXY compiler, which employs privilege overlaying to execute only necessary operations in privileged mode. Discover how this technique enables code integrity, control-flow hijacking defenses, and protection for sensitive IO. Learn about fine-grained randomization schemes designed to prevent code injection and ROP attacks from scaling across multiple devices. Examine the performance impact of these combined defense mechanisms through extensive benchmarking and real-world IoT application case studies. Gain insights into the challenges and solutions for securing low-cost, resource-constrained embedded systems in the expanding Internet of Things landscape.

Intro
BARE-METAL SYSTEMS
DEFENSE CHALLENGES
THREAT MODEL AND REQUIREMENTS
PRIVILEGE OVERLAY EXAMPLE
EPOXY - AFTER PRIVILEGE OVERLAY
SAFESTACK
DIVERSIFICATION
EPOXY - ALL PROTECTIONS
PERFORMANCE
ROP COMPILER
PRIVILEGED INSTRUCTIONS EXECUTED
CONCLUSION