This paper presents WATSON, a shadow-stack defense for embedded systems (like IoT devices) that protects against control-flow hijacking by using the hardware debug unit's data watchpoints to enforce write protection on the shadow stack. Unlike prior shadow-stack solutions for embedded systems, WATSON provides system-wide protection (including interrupts and exceptions), introduces low overhead (7.33% on BEEBS, 1.81% on CoreMark-Pro), doesn't require a trusted execution environment, and is compatible with other security mechanisms that use similar hardware features. The authors implement it on ARM Cortex-M and show it integrates with compiler-based forward-edge control-flow integrity.
Main takeaways:
- Uses hardware data watchpoints (standard debug feature) to enforce write protection on the shadow stack, preventing control-flow hijacking on embedded systems.
- Provides system-wide protection including interrupts and exceptions, which prior solutions miss.
- Introduces 7.33% overhead on BEEBS and 1.81% on CoreMark-Pro benchmarks—lower than prior shadow-stack methods.
- Doesn't depend on trusted execution environments (TEEs), making it applicable to a wider range of embedded devices.
- Compatible with compiler-enforced forward-edge control-flow integrity and avoids conflicts with other hardware-based security mechanisms.