USENIX Security 2018

ACES: Automatic Compartments for Embedded Systems

Abraham A. Clements, Naif Saleh Almakhdhub, Saurabh Bagchi, Mathias Payer

Abstract

Securing the rapidly expanding Internet of Things (IoT) is critical. Many of these "things" are vulnerable bare-metal embedded systems, where the application executes directly on hardware without an operating system. Unfortunately, the integrity of current systems may be compromised by a single vulnerability, as recently shown by Google's P0 team against Broadcom's WiFi SoC. We present ACES (Automatic Compartments for Embedded Systems), an LLVM-based compiler that automatically infers and enforces inter-component isolation on bare-metal systems, thus applying the principle of least privilege. ACES takes a developer-specified compartmentalization policy and then automatically creates an instrumented binary that isolates compartments at run-time, while handling the hardware limitations of bare-metal embedded devices. We demonstrate ACES' ability to implement arbitrary compartmentalization policies by implementing three policies and comparing the compartment isolation, run-time overhead, and memory overhead. Our results show that ACES compartments can have low run-time overheads (13% on our largest test application), while using 59% less Flash and 84% less RAM than the Mbed µVisor, the current state-of-the-art compartmentalization technique for bare-metal systems. ACES compartments protect the integrity of privileged data, provide control-flow integrity between compartments, and reduce exposure to ROP attacks by 94.3% compared to µVisor.