AutoPatch: Automated Generation of Hotpatches for Real-Time Embedded Devices

TL;DR

AutoPatch automates hotpatch generation for real-time embedded devices, enabling quick, reliable, and hardware-independent security updates with minimal delay and resource overhead.

Contribution

AutoPatch introduces an automated, static analysis-based hotpatching method that works across diverse embedded systems without hardware support or virtualization.

Findings

Fixes over 90% of CVEs successfully

Average patch delay less than 12.7 microseconds

Compatible with all tested devices without modifications

Abstract

Real-time embedded devices like medical or industrial devices are increasingly targeted by cyber-attacks. Prompt patching is crucial to mitigate the serious consequences of such attacks on these devices. Hotpatching is an approach to apply a patch to mission-critical embedded devices without rebooting them. However, existing hotpatching approaches require developers to manually write the hotpatch for target systems, which is time-consuming and error-prone. To address these issues, we propose AutoPatch, a new hotpatching technique that automatically generates functionally equivalent hotpatches via static analysis of the official patches. AutoPatch introduces a new software triggering approach that supports diverse embedded devices, and preserves the functionality of the official patch. In contrast to prior work, AutoPatch does not rely on hardware support for triggering patches, or on executing patches in specialized virtual machines. We implemented AutoPatch using the LLVM compiler, and evaluated its efficiency, effectiveness and generality using 62 real CVEs on four embedded devices with different specifications and architectures running popular RTOSes. We found that AutoPatch can fix more than 90% of CVEs, and resolve the vulnerability successfully. The results revealed an average total delay of less than 12.7 $\mu s$ for fixing the vulnerabilities, representing a performance improvement of 50% over RapidPatch, a state-of-the-art approach. Further, our memory overhead, on average, was slightly lower than theirs (23%). Finally, AutoPatch was able to generate hotpatches for all four devices without any modifications.