Microcontrollers are widely used among embedded and internet-of-things devices, powering various products such as medical devices, smart home devices, and industrial control units. These devices predominantly execute software written in low-level programming languages like C, which exposes them to control-flow hijacking attacks, including stack-based buffer overflows. However, due to resource constraints, microcontrollers typically do not include hardware features such as a memory management unit. Moreover, they often operate without security mechanisms such as privilege separation and address space layout randomization. This absence of fundamental security layers can lead to more significant damage than on systems powered by more powerful microprocessors, such as those based on the x86 or Cortex-A architectures. Given the extensive deployment of microcontrollers, understanding and enhancing the control-flow security of microcontroller-based systems is increasingly critical.
This dissertation focuses on securing control flows within microcontroller-based systems, exploring the interplay between hardware and software facets. It is segmented into four distinct yet interconnected parts. The first part thoroughly examines control-flow security within microcontroller-based systems. We expose the limitations and issues of the hardware design, investigate real-world vulnerabilities, and systematize the related research projects.
Motivated by insights from the first part, the second and third parts evaluate existing security mechanisms. Specifically, in the second part, we discuss TrustZone, a hardware extension that isolates device resources. During our detailed analysis of TrustZone, we identified a novel control-flow attack method called return-to-non-secure (ret2ns). This attack can escalate privilege and allow arbitrary execution in the non-secure state. In the third part, we investigate the stack canary, a software layer that mitigates control-flow attacks. However, we also reveal the limitations of stack canaries when applied to microcontroller-based systems due to the global canary value and lack of randomness.
The fourth and final part of the dissertation introduces SHERLOC, which provides holistic and secure control-flow violation detection for microcontroller-based systems. SHERLOC ensures security by configuring the hardware tracing unit, storing trace records, and executing the violation detection algorithm in a trusted execution environment, which prevents privileged programs from bypassing monitoring or tampering with the trace.
