Publications

Type of Publication: Article in Collected Edition

MPUsh: Applying Security Hotpatches Instead Of MPU Barriers

Author(s):
Niesler, Christian; Scholz, Christian; Davi, Lucas
Title of Anthology:
Proc. of 2nd Constructive Approaches for SeCurity Analysis and Design of Embedded systems Conference (CASCADE'26)
Publisher:
Springer
Location(s):
Regensburg, Germany
Publication Date:
2026

Abstract

Due to hardware limitations and stringent timing demands, runtime hotpatching of security vulnerabilities on flash-constrained, hard real-time embedded systems remains a significant challenge. We present MPUsh, a novel Memory Protection Unit (MPU)-based hotpatching approach. MPUsh leverages the MPU to render vulnerable flash regions non-executable. Fault handlers then intercept these violations and redirect execution to RAM-resident patches. Our proof-of-concept prototype, implemented on an ARM Cortex-M4 (NUCLEO-F446RE) processor, activates patches in 15 cycles and redirects execution in 46 cycles. MPUsh outperforms interpreter-based alternatives while supporting arbitrary patch locations without pre-inserted hooks. Furthermore, MPUsh provides more patch slots than approaches that use hardware breakpoints. When evaluated on a safety-critical syringe pump, MPUsh successfully demonstrated real-time capability.