WATSON: Leveraging Data Watchpoints for Shadow Stack Protection on Embedded Systems

📅 2026-05-08
🤖 AI Summary
Existing embedded shadow stack solutions commonly suffer from inadequate protection against interrupts and exceptions, high performance overhead, or reliance on specialized hardware. This work proposes the first approach that leverages the generic data watchpoints in the standard ARM Cortex-M debug unit to enforce write protection on the shadow stack through address matching, thereby mitigating control-flow hijacking attacks without requiring additional security extensions. The method inherently supports interrupt and exception handling and seamlessly integrates with compiler-based forward-edge control-flow integrity mechanisms. Experimental evaluation on BEEBS and CoreMark-Pro demonstrates low overheads of only 7.33% and 1.81% in performance, respectively, with a code size increase of at most 2.11%, achieving an effective balance of minimal overhead, strong security, and high compatibility.
📝 Abstract
Embedded and Internet-of-Things (IoT) devices play a critical role in modern life. Their software and firmware, often developed in memory-unsafe languages like C, are susceptible to memory safety vulnerabilities that can lead to control-flow hijacking attacks. A shadow stack is a defense mechanism against control-flow hijacking that targets return addresses. However, existing shadow stack solutions for embedded systems have the following limitations. First, they lack system-wide protection, particularly for interrupts and exceptions. Second, they introduce high performance overhead. Third, they depend on security extensions like a trusted execution environment, which are not universally available on embedded devices. Finally, they rely on hardware features that have inherent configurable constraints, which pose compatibility challenges when integrating security mechanisms that require similar hardware support. To overcome these limitations, we present WATSON, an efficient and effective shadow stack solution. It leverages a standard hardware debug unit, namely data watchpoints, for shadow stack protection on embedded systems. To prevent unauthorized access to the shadow stack, WATSON leverages the address-matching features of the debug unit to enforce write protection of the shadow stack. Additionally, WATSON is compatible with compiler options that enforce forward-edge control-flow integrity. We implemented a prototype of WATSON on the ARM Cortex-M architecture, and the concept also applies to other platforms. The introduced overhead is 7.33% and 1.81% on the BEEBS and CoreMark-Pro benchmarks, respectively. We also evaluate WATSON on exception handling and two real-world applications, observing negligible performance overhead and a worst-case code size overhead of 2.11%. Furthermore, our security evaluation demonstrates that WATSON effectively prevents attacks.
Problem

Research questions and friction points this paper is trying to address.

Keywords: shadow stack, embedded systems, control-flow hijacking, memory safety, hardware constraints
Innovation

Methods, ideas, or system contributions that make the work stand out.

Keywords: shadow stack, data watchpoints, control-flow integrity, embedded systems, hardware-assisted security