The Cost of Performance: Breaking ThreadX with Kernel Object Masquerading Attacks
Xinhui Shao
34th USENIX Security Symposium (USENIX Security '25) · Day 3 · System Security 4: Kernel and Low-Level System Security
This talk, presented by Xinhui Shao, introduces a new class of attacks, **Kernel Object Masquerading (KOM) attacks**, against **ThreadX**, a real-time operating system (RTOS) widely deployed in embedded and IoT devices. The research, a collaboration among Southeast University, Drexel University, Anhui University of Technology, and UMass Lowell, exposes a tension between performance optimization and security: the shortcuts ThreadX takes when sanitizing the parameters passed to its kernel services, intended to keep service calls fast, let an unprivileged user thread present the kernel with a forged object that it then treats as genuine, opening a broad attack surface.
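The mechanism described above, as an added C example that is not part of the talk or of ThreadX's source: a toy kernel service validates an object control block by its magic ID field alone (the fast path), so an unprivileged caller can forge a block in its own memory and have the kernel write through a pointer embedded in it; the hardened check additionally requires the pointer to address a slot of the kernel's own object pool. The object layout, the names `fake_mutex_t`, `check_fast`, `check_hardened` and `mutex_release`, the magic value and the pool-bounds check are all hypothetical and simplified; ThreadX's real control blocks and validation code are not reproduced, and the block models the attack class rather than the paper's four-step chain or its MPU PoC.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical kernel object (not ThreadX's real layout): a mutex control
 * block tagged with a magic ID, the usual RTOS pattern for a cheap check. */
#define FAKE_MUTEX_ID 0x4D555458u  /* "MUTX", hypothetical magic */

typedef struct {
    uint32_t id;          /* magic the kernel's object check inspects */
    uint32_t owner_tid;   /* thread holding the mutex, 0 = free */
    uint32_t *on_release; /* kernel writes 0 here when the mutex is released */
} fake_mutex_t;

/* Simulated kernel memory: legitimate objects live only in this pool. */
static fake_mutex_t kernel_mutex_pool[4];
/* Simulated privileged kernel state an attacker would like to clear. */
static uint32_t kernel_protection_bit = 1;

/* Fast-path sanitization: any memory carrying the magic is accepted,
 * including memory the unprivileged caller wrote itself. */
static bool check_fast(const fake_mutex_t *m) {
    return m != NULL && m->id == FAKE_MUTEX_ID;
}

/* Hardened sanitization: the pointer must land exactly on a slot of the
 * kernel's own pool before the magic is even consulted. */
static bool check_hardened(const fake_mutex_t *m) {
    uintptr_t p = (uintptr_t)m;
    uintptr_t base = (uintptr_t)kernel_mutex_pool;
    uintptr_t end = base + sizeof kernel_mutex_pool;
    if (p < base || p >= end) return false;
    if ((p - base) % sizeof(fake_mutex_t) != 0) return false;
    return m->id == FAKE_MUTEX_ID;
}

/* Kernel service: release a mutex. It trusts the object's embedded pointer,
 * so a forged object turns the service into a write-what-where primitive. */
static int mutex_release(fake_mutex_t *m, bool (*check)(const fake_mutex_t *)) {
    if (!check(m)) return -1;
    m->owner_tid = 0;
    *m->on_release = 0;
    return 0;
}

/* Unprivileged caller forges a control block in its own (stack) memory,
 * copies the magic, and aims the embedded pointer at kernel state.
 * Returns the protection bit afterwards: 0 means the masquerade landed. */
static uint32_t run_masquerade(bool hardened) {
    kernel_protection_bit = 1;
    fake_mutex_t forged;
    forged.id = FAKE_MUTEX_ID;
    forged.owner_tid = 7;
    forged.on_release = &kernel_protection_bit;
    (void)mutex_release(&forged, hardened ? check_hardened : check_fast);
    return kernel_protection_bit;
}

/* A legitimate object inside the kernel pool still passes the hardened check. */
static int legit_release(void) {
    static uint32_t lock_word = 1;
    fake_mutex_t *m = &kernel_mutex_pool[2];
    m->id = FAKE_MUTEX_ID;
    m->owner_tid = 3;
    m->on_release = &lock_word;
    return mutex_release(m, check_hardened);
}

int main(void) {
    printf("fast check, forged object: protection bit = %" PRIu32 "\n", run_masquerade(false));
    printf("hardened check, forged object: protection bit = %" PRIu32 "\n", run_masquerade(true));
    printf("hardened check, legitimate object: rc = %d\n", legit_release());
    return 0;
}
```

The pool-bounds check is the minimum that turns a magic-only comparison into a real ownership test; a production kernel would also want to confirm that the slot is currently allocated, since an in-pool but stale object can be just as useful to an attacker as a forged one, and that the object type matches the service being called.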
AI review
Solid original research exposing a class of attacks — Kernel Object Masquerading — that emerges directly from ThreadX's performance-driven design shortcuts in parameter sanitization. The four-step attack chain, automated framework, and MPU-disable PoC on real hardware give this work genuine teeth. Not a 5 because the attack class isn't entirely unprecedented (confused deputy and type-confusion exploits in RTOS kernels have precedent), and the defensive recommendations section reads like a grad student's thesis appendix — generic and padded.