Embedded systems face multifaceted security threats originating from applications, kernels, and peripherals, yet existing defenses often fail to provide comprehensive protection. This work proposes a novel capability-based architecture that, without requiring modifications to peripheral hardware, integrates tokenized capabilities with hardware-enforced isolation to decompose the Zephyr RTOS into mutually isolated components. For the first time, this approach realizes a soft real-time operating system that is fully untrusted at runtime, thereby eliminating reliance on the trustworthiness of conventional kernel components—including the scheduler, memory allocator, and DMA drivers. The resulting prototype system features no software trusted computing base (TCB) at runtime, establishing a scalable and formally verifiable security foundation for high-assurance embedded devices.

Embedded devices face an ever-expanding threat landscape: vulnerabilities in application software, operating system kernels, and peripherals threaten the embedded device integrity. Existing computer-architectural defenses fully consider at most two of these threat vectors in their security model. This paper aims at addressing this gap using a novel capability architecture. To this end, we combine a token capability approach suitable for building an untrusted operating system with protection against malicious devices without requiring hardware changes to peripherals. First, we develop and evaluate a full FPGA implementation of our capability architecture around legacy hardware components. Further, we present a soft real-time operating system based on Zephyr that has no run-time software TCB. To this end, we disaggregate Zephyr's subsystems into small, mutually isolated components. All subsystems that exist at run time, including scheduler, allocator and DMA drivers, and all peripherals are fully untrusted. We believe that our work offers a foundation for more rigorous security-by-design in tomorrow's security-critical embedded devices.