🤖 AI Summary
This work addresses security vulnerabilities in embedded real-time operating systems (RTOS) that arise from performance-oriented optimizations, using ThreadX as a case study. It identifies a kernel object manipulation vulnerability caused by the removal of parameter validation during kernel configuration. The authors propose Kernel Object Masquerading (KOM), a novel attack paradigm that exploits system call semantic ambiguity to impersonate legitimate kernel objects, thereby bypassing access controls and escalating privileges via unauthorized field access. To systematically uncover such under-validation flaws, they introduce the first under-constrained symbolic execution technique tailored to embedded kernels, integrating system call modeling with kernel reverse engineering. KOM is fully reproduced on real ThreadX hardware, leading to official acknowledgment and thanks from Amazon FreeRTOS and Microsoft ThreadX. This work is the first to expose the fundamental security-performance trade-off inherent in RTOS design, offering critical insights and methodological foundations for secure embedded kernel development.
📝 Abstract
Microcontroller-based IoT devices often use embedded real-time operating systems (RTOSs). Vulnerabilities in these embedded RTOSs can lead to compromises of those IoT devices. Despite the significance of security protections, the absence of standardized security guidelines results in varying levels of security risk across RTOS implementations. Our initial analysis reveals that popular RTOSs such as FreeRTOS lack essential security protections. While Zephyr OS and ThreadX are designed and implemented with essential security protections, our closer examination uncovers significant differences in their implementations of system call parameter sanitization. We identify a performance optimization practice in ThreadX that introduces security vulnerabilities, allowing the parameter sanitization process to be circumvented. Leveraging this insight, we introduce a novel attack named the Kernel Object Masquerading (KOM) Attack (so named because the attacker must manipulate one or more kernel objects through carefully selected system calls to launch it), demonstrating how attackers can exploit these vulnerabilities to access sensitive fields within kernel objects, potentially leading to unauthorized data manipulation, privilege escalation, or system compromise. We introduce an automated approach based on under-constrained symbolic execution to identify KOM attacks and to understand their implications. Experimental results demonstrate the feasibility of KOM attacks on ThreadX-powered platforms. We reported our findings to the vendors, who recognized the vulnerabilities, with Amazon and Microsoft acknowledging our contribution on their websites.
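To make the sanitization gap described in the abstract concrete, the following added example (written for this page; it is not code from the paper, from ThreadX, or from any other RTOS) contrasts two ways a system call can accept a caller-supplied kernel object pointer. The "fast" handler only checks a type tag inside the object, which is cheap but lets a caller-controlled struct with the right tag masquerade as a kernel object; the checked handler first verifies that the pointer refers to a live object in the kernel's own pool. The object layout, pool size, type tag value and all function names are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical kernel object layout, constructed for this example. */
#define OBJ_TYPE_MUTEX 0x4D555458u   /* "MUTX" type tag stored in every mutex object */
#define MAX_OBJECTS 4

typedef struct {
    uint32_t type_tag;    /* identifies the object kind                          */
    uint32_t owner_id;    /* sensitive field: task that currently owns the mutex */
    uint32_t lock_count;
} kobj_mutex_t;

/* The kernel's own registry of objects it created itself. */
static kobj_mutex_t g_mutex_pool[MAX_OBJECTS];
static int          g_mutex_in_use[MAX_OBJECTS];

/* Allocate a mutex in kernel memory and return its handle (here a raw pointer). */
kobj_mutex_t *kernel_mutex_create(uint32_t owner_id) {
    for (int i = 0; i < MAX_OBJECTS; i++) {
        if (!g_mutex_in_use[i]) {
            g_mutex_in_use[i] = 1;
            g_mutex_pool[i].type_tag = OBJ_TYPE_MUTEX;
            g_mutex_pool[i].owner_id = owner_id;
            g_mutex_pool[i].lock_count = 0;
            return &g_mutex_pool[i];
        }
    }
    return NULL;
}

/* Fast path: trusts the caller's pointer and only inspects a field of the
 * pointed-to memory. Any caller-controlled buffer carrying the right tag is
 * treated as a kernel object, so the object fields it exposes are whatever
 * the caller put there.                                                      */
int syscall_mutex_owner_fast(const kobj_mutex_t *m, uint32_t *owner_out) {
    if (m == NULL || m->type_tag != OBJ_TYPE_MUTEX)
        return -1;
    *owner_out = m->owner_id;
    return 0;
}

/* Hardened path: confirm the pointer names a live object in the kernel pool
 * before dereferencing anything. This is the sanitization step whose removal
 * the abstract describes as the source of the vulnerability.                 */
static int is_registered_mutex(const kobj_mutex_t *m) {
    for (int i = 0; i < MAX_OBJECTS; i++) {
        if (m == &g_mutex_pool[i] && g_mutex_in_use[i])
            return 1;
    }
    return 0;
}

int syscall_mutex_owner_checked(const kobj_mutex_t *m, uint32_t *owner_out) {
    if (!is_registered_mutex(m))
        return -1;
    *owner_out = m->owner_id;
    return 0;
}

/* Returns 1 when a caller-constructed struct is accepted by the fast path but
 * rejected by the checked path, i.e. when the registry check makes the
 * difference. Constructed scenario for demonstration only.                   */
int demo_masquerade(void) {
    kobj_mutex_t fake = { OBJ_TYPE_MUTEX, 7u, 0u };   /* lives in caller memory */
    uint32_t out = 0;
    int fast_ok    = syscall_mutex_owner_fast(&fake, &out) == 0 && out == 7u;
    int checked_ok = syscall_mutex_owner_checked(&fake, &out) == 0;
    return fast_ok && !checked_ok;
}

int main(void) {
    kobj_mutex_t *real = kernel_mutex_create(42u);
    uint32_t out = 0;
    printf("real object via checked path: rc=%d owner=%u\n",
           syscall_mutex_owner_checked(real, &out), out);
    printf("fake object accepted by fast path and rejected by checked path: %d\n",
           demo_masquerade());
    return 0;
}
```

The registry walk costs a few comparisons per call, which is exactly the kind of overhead a performance-minded kernel is tempted to drop; a lookup table indexed by handle would give the same guarantee at constant cost. Either way, the defensive invariant is that a system call dereferences only objects the kernel itself created.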