Existing high-end embedded systems face frequent security attacks. Software
compartmentalization is one technique to limit the attacks' effects to the
compromised compartment and not the entire system. Unfortunately, the existing
state-of-the-art embedded hardware-software solutions do not work well to
enforce software compartmentalization for high-end embedded systems. MPUs are
not fine-grained and suffer from significant scalability limitations as they
can only protect a small and fixed number of memory regions. On the other hand,
MMUs suffer from non-determinism and coarse-grained protection. This paper
introduces CompartOS as a lightweight linkage-based compartmentalization model
for high-end, complex, mainstream embedded systems. CompartOS builds on CHERI,
a capability-based hardware architecture, to meet scalability, availability,
compatibility, and fine-grained security goals. Microbenchmarks show that
CompartOS' protection-domain crossing is 95% faster than MPU-based IPC. We
applied the CompartOS model, with low effort, to complex existing systems,
including TCP servers and a safety-critical automotive demo. CompartOS not only
catches 10 out of 13 published FreeRTOS-TCP vulnerabilities that MPU-based
protection (e.g., uVisor) cannot catch, but also recovers from them. Further,
our TCP throughput evaluations show that our CompartOS prototype is 52% faster
than relevant MPU-based compartmentalization models (e.g., ACES), with a 15%
overhead compared to an unprotected system. This comes at an FPGA LUT
overhead of 10.4% to support CHERI on an unprotected baseline RISC-V
processor, compared to 7.6% to support an MPU, while CHERI incurs only 1.3%
register-area overhead compared to 2% for the MPU.