WATSON: Leveraging Data Watchpoints for Shadow Stack Protection on Embedded Systems
Authors: Xi Tan, Sagar Mohan, Ziming Zhao
Summary
This paper presents WATSON, a shadow-stack defense for embedded systems (like IoT devices) that protects against control-flow hijacking by using the hardware debug unit's data watchpoints to enforce write protection on the shadow stack. Unlike prior shadow-stack solutions for embedded systems, WATSON provides system-wide protection (including interrupts and exceptions), introduces low overhead (7.33% on BEEBS, 1.81% on CoreMark-Pro), doesn't require a trusted execution environment, and is compatible with other security mechanisms that use similar hardware features. The authors implement it on ARM Cortex-M and show it integrates with compiler-based forward-edge control-flow integrity.
Main takeaways:
- Uses hardware data watchpoints (standard debug feature) to enforce write protection on the shadow stack, preventing control-flow hijacking on embedded systems.
- Provides system-wide protection including interrupts and exceptions, which prior solutions miss.
- Introduces 7.33% overhead on BEEBS and 1.81% on CoreMark-Pro benchmarks—lower than prior shadow-stack methods.
- Doesn't depend on trusted execution environments (TEEs), making it applicable to a wider range of embedded devices.
- Compatible with compiler-enforced forward-edge control-flow integrity and avoids conflicts with other hardware-based security mechanisms.
Relevance
No connection to my LLM persona or midtraining work—this is low-level embedded-systems security (stack protection for IoT devices). Included because it's a specialized defense technique with no overlap with behavioral installation or language model research.
Threat model
Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses limitation, limitations, evaluation, benchmark.
Abstract
arXiv:2605.08604v1 Announce Type: new Abstract: Embedded and Internet-of-Things (IoT) devices play a critical role in modern life. Their software and firmware, often developed in memory-unsafe languages like C, are susceptible to memory safety vulnerabilities that can lead to control-flow hijacking attacks. Shadow stack is a defense mechanism against control-flow hijacking that targets return addresses. However, existing shadow stack solutions for embedded systems have the following limitations. First, they lack system-wide protection, particularly for interrupts and exceptions. Second, they introduce high performance overhead. Third, they depend on security extensions like a trusted execution environment, which are not universally available on embedded devices. Finally, they rely on hardware features that have inherent configurable constraints, which pose compatibility challenges when integrating security mechanisms that require similar hardware support. To overcome these limitations, we present WATSON, an efficient and effective shadow stack solution. It leverages a standard hardware debug unit named data watchpoints for shadow stack protection on embedded systems. To prevent unauthorized access to the shadow stack, WATSON leverages the address-matching features of the debug unit to enforce the write protection of the shadow stack. Additionally, WATSON is compatible with compiler options to enforce forward-edge control-flow integrity. We implemented a prototype of WATSON on the ARM CortexM architecture, and the concept also applies to other platforms. The introduced overhead is 7.33% and 1.81% on BEEBS and CoreMark-Pro benchmarks, respectively. We also evaluate WATSON on exception handling and two real-world applications, observing negligible performance overhead and a worst-case code size overhead of 2.11%. Furthermore, our security evaluation demonstrates that WATSON effectively prevents attacks.