TRUSTED RUNTIME ENVIRONMENTS FOR EMBEDDED SYSTEMS: FROM MEMORY PROTECTION TO SECURE VIRTUALIZATION
ZOIA, MATTEO
2025
Abstract
The proliferation of embedded systems and IoT devices has introduced critical security challenges, particularly in environments constrained by limited computational and memory resources. This thesis addresses these challenges by proposing lightweight, scalable mechanisms for runtime memory protection and secure execution, with an emphasis on minimizing device overhead through remote verification. To strengthen spatial memory safety, the thesis introduces a fat pointer–based monitoring system that detects errors across heap, stack, and global memory regions. By combining detailed crash reporting with root-cause vulnerability localization, the system enables precise identification of the code responsible for violations and provides developers with clearer diagnostic information to support efficient patching. For temporal memory safety, a novel remote attestation protocol is presented to model heap state and detect use-after-free vulnerabilities. The approach relies on a precomputation analysis to identify a minimal set of control-flow checkpoints that encapsulate sequences of pointer operations. Instrumentation at these semantically meaningful points reduces runtime and communication overhead. A remote verifier reconstructs execution traces and emulates memory state, enabling accurate detection of temporal violations with minimal impact on constrained devices. Since all proposed mechanisms depend on Trusted Execution Environments (TEEs), the thesis also introduces VS-TEE, a secure virtualization framework that extends ARM-based TEEs to multi-tenant cloud environments. VS-TEE enables multiple virtual machines to securely share TEE resources, overcoming the limitations of current hardware-backed confidential computing solutions. It integrates hypervisor-level communication and driver support, ensuring compatibility with legacy ARM TrustZone software and libraries, while addressing challenges of memory isolation, resource management, and interoperability. 
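The abstract describes two mechanisms at a conceptual level: a fat pointer that carries its object's bounds so every dereference can be checked (spatial safety), and a remote verifier that replays a trace of pointer operations reported by the device and emulates heap state to spot use-after-free (temporal safety). The following C program is an added illustration of both ideas and is not code from the thesis; the fat pointer layout, the event format (`EV_ALLOC`/`EV_FREE`/`EV_ACCESS`), the `verify_trace` function and the sample traces are all constructed here as assumptions. It also handles the address-reuse edge case a verifier must get right: an access after a freed address has been re-allocated is legitimate, not a violation.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* ---- Spatial safety: a fat pointer that carries the bounds of its object ---- */

/* A fat pointer records the object's base and size alongside the current offset,
 * so every dereference can be checked against the object's real extent. */
typedef struct {
    uint8_t *base;  /* start of the allocation (may be NULL in this model) */
    size_t   size;  /* size of the allocation in bytes */
    size_t   off;   /* current byte offset from base */
} fatptr_t;

/* Returns 1 if reading/writing `len` bytes at the current offset stays inside
 * the object, 0 if it would overflow (or the pointer already points past it). */
int fat_check(const fatptr_t *p, size_t len)
{
    if (p->off > p->size)
        return 0;
    return len <= p->size - p->off;
}

/* ---- Temporal safety: verifier-side replay of a pointer-operation trace ---- */

/* Hypothetical trace format (an assumption of this example): the device reports
 * allocations, frees and accesses collected at its instrumented checkpoints; the
 * verifier rebuilds heap state from them and never touches the device's memory. */
typedef enum { EV_ALLOC, EV_FREE, EV_ACCESS } ev_kind_t;

typedef struct {
    ev_kind_t kind;
    uint32_t  addr;  /* object address (ALLOC/FREE) or accessed address (ACCESS) */
    uint32_t  size;  /* object size (ALLOC) or access width (ACCESS); unused for FREE */
} event_t;

#define MAX_OBJS 16

typedef struct { uint32_t addr, size; int live; } obj_t;
typedef struct { obj_t objs[MAX_OBJS]; int n; } heap_model_t;

/* Newest-first lookup so that a re-used address resolves to the latest
 * allocation, not to the dead object that previously occupied it. */
static obj_t *find_obj(heap_model_t *h, uint32_t addr)
{
    for (int i = h->n - 1; i >= 0; i--)
        if (addr >= h->objs[i].addr && addr < h->objs[i].addr + h->objs[i].size)
            return &h->objs[i];
    return NULL;
}

/* Replays the trace against the emulated heap. Returns -1 if no violation was
 * found, otherwise the index of the first offending event. */
int verify_trace(const event_t *ev, int n)
{
    heap_model_t h = { .n = 0 };
    for (int i = 0; i < n; i++) {
        obj_t *o;
        switch (ev[i].kind) {
        case EV_ALLOC:
            if (h.n == MAX_OBJS)
                return i;                    /* model capacity exceeded: cannot verify */
            h.objs[h.n++] = (obj_t){ ev[i].addr, ev[i].size, 1 };
            break;
        case EV_FREE:
            o = find_obj(&h, ev[i].addr);
            if (!o || o->addr != ev[i].addr || !o->live)
                return i;                    /* invalid free or double free */
            o->live = 0;
            break;
        case EV_ACCESS:
            o = find_obj(&h, ev[i].addr);
            if (!o)
                return i;                    /* access to memory never allocated */
            if (!o->live)
                return i;                    /* use-after-free */
            if (ev[i].addr + ev[i].size > o->addr + o->size)
                return i;                    /* access runs past the object */
            break;
        }
    }
    return -1;
}

/* Constructed sample traces (not captured from a real device). */
static const event_t trace_uaf[] = {
    { EV_ALLOC,  0x1000, 32 }, { EV_ACCESS, 0x1008, 4 },
    { EV_FREE,   0x1000, 0  }, { EV_ACCESS, 0x1008, 4 },   /* index 3: use-after-free */
};
static const event_t trace_reuse[] = {
    { EV_ALLOC,  0x1000, 32 }, { EV_FREE,   0x1000, 0 },
    { EV_ALLOC,  0x1000, 16 }, { EV_ACCESS, 0x1008, 4 },   /* address re-used: legitimate */
};

int main(void)
{
    fatptr_t p = { NULL, 16, 12 };
    printf("fat_check 4 bytes at off 12 of 16: %d\n", fat_check(&p, 4));          /* 1 */
    printf("fat_check 5 bytes at off 12 of 16: %d\n", fat_check(&p, 5));          /* 0 */
    printf("trace_uaf   -> first violation at %d\n", verify_trace(trace_uaf, 4));   /* 3 */
    printf("trace_reuse -> first violation at %d\n", verify_trace(trace_reuse, 4)); /* -1 */
    return 0;
}
```

The verifier only needs the event stream, which is why the thesis can move the expensive part (state reconstruction and checking) off the constrained device; the device's cost is limited to emitting events at its checkpoints. Returning the index of the offending event is what makes root-cause localization possible: the verifier can map it back to the checkpoint, and hence the code, that produced it.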
Overall, this thesis demonstrates that carefully designed architectural approaches can deliver effective security in highly constrained embedded environments. The proposed solutions achieve precise vulnerability detection, efficient runtime protection, and scalable secure execution across both IoT devices and cloud infrastructures.

| File | Size | Format | |
|---|---|---|---|
| phd_unimi_R13895.pdf (open access; licence: all rights reserved) | 1.85 MB | Adobe PDF | View/Open |
Documents in UNITESI are protected by copyright and all rights are reserved, unless otherwise indicated.
https://hdl.handle.net/20.500.14242/352537
URN:NBN:IT:UNIMI-352537