IsolatOS: Detecting Double Fetch Bugs in COTS RTOS by Re-enabling Kernel Isolation
Yingjie Cao
Network and Distributed System Security (NDSS) Symposium 2026 · Day 2 · Systems Security
Real-time operating systems (RTOS) are the invisible backbone of cyber-physical systems -- from automotive ECUs and aerospace systems to power plants and medical devices. With over **2.2 billion embedded devices** relying on RTOS, the security of these systems is critical. This talk presents **IsolatOS**, a novel approach to detecting **double fetch vulnerabilities** in commercial off-the-shelf (COTS) RTOS by strategically re-enabling hardware kernel isolation features (**SMAP** on x86, **PAN** on ARM) that vendors intentionally disable for performance.
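For readers new to the bug class named in the abstract, here is an added example, not code from the talk, IsolatOS, or any RTOS. It shows a double fetch beside its single-fetch fix, where the reads of `u->len` stand in for kernel accesses to user memory, the kind of access SMAP and PAN restrict. All names are hypothetical, and the racing user thread is modeled as a callback so the result is deterministic.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KBUF_SIZE 16 /* logical size of the kernel-side buffer */

/* Constructed stand-in for a request living in user memory. */
struct user_req { uint32_t len; uint8_t data[64]; };

/* Models a second user thread that runs between two kernel reads. */
typedef void (*race_hook)(volatile struct user_req *);
static void grow_len(volatile struct user_req *u) { u->len = 64; }

/* Vulnerable: len is read from user memory twice (check, then use). */
int handle_double_fetch(volatile struct user_req *u, race_hook race, uint8_t *kbuf)
{
    if (u->len > KBUF_SIZE)                /* fetch 1: validation */
        return -1;
    if (race) race(u);                     /* user side changes len here */
    uint32_t n = u->len;                   /* fetch 2: unvalidated value */
    memcpy(kbuf, (const uint8_t *)u->data, n);
    return (int)n;
}

/* Hardened: len is snapshotted once; check and use see the same value. */
int handle_single_fetch(volatile struct user_req *u, race_hook race, uint8_t *kbuf)
{
    uint32_t n = u->len;                   /* the only fetch */
    if (n > KBUF_SIZE)
        return -1;
    if (race) race(u);                     /* later changes are irrelevant */
    memcpy(kbuf, (const uint8_t *)u->data, n);
    return (int)n;
}

/* Returns the byte count each handler ends up copying for len = 8. */
int demo(int hardened)
{
    struct user_req req = { .len = 8 };
    uint8_t backing[64]; /* oversized so the demo itself stays memory-safe */
    return hardened ? handle_single_fetch(&req, grow_len, backing)
                    : handle_double_fetch(&req, grow_len, backing);
}

int main(void)
{
    printf("double fetch copies %d bytes (limit %d)\n", demo(0), KBUF_SIZE);
    printf("single fetch copies %d bytes\n", demo(1));
    return 0;
}
```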
AI review
A devastatingly effective approach to finding double fetch bugs in commercial RTOS by weaponizing the very hardware features that vendors disabled for performance. 43 vulnerabilities across QNX, VxWorks, and seL4 -- including a 19-year-old QNX privilege escalation affecting production vehicles -- with 39 CVEs assigned. The 76% exploit success rate in 125 CPU cycles on the legacy QNX bug is real-world exploitation against safety-critical infrastructure. This is the kind of research that changes how people think about RTOS security.