RIOT-POLICE: An implementation of spatial memory safety for the RIOT operating system

Sören Tempel, Nora Bruns

TL;DR

RIOT-POLICE addresses the lack of memory safety in the RIOT IoT operating system by integrating the safe C dialect Checked C, while preserving compatibility with legacy C compilers. The authors implement an optional safety model using macros and bounds-safe interfaces to convert key network-stack modules (IPv6, UDP, CoAP) to Checked C incrementally. They report on design choices, the engineering effort, and an executable-size overhead of about 37% for converted modules, driven by limited optimization and tool maturity. The work demonstrates that spatial memory safety can be introduced without forcing a full migration, offering a practical path for hardening legacy IoT software, while highlighting tooling improvements needed for broader adoption.

Abstract

We present an integration of a safe C dialect, Checked C, for the Internet of Things operating system RIOT. We utilize this integration to convert parts of the RIOT network stack to Checked C, thereby achieving spatial memory safety in these code parts. Similar to prior research done on IoT operating systems and safe C dialects, our integration of Checked C remains entirely optional, i.e. compilation with a standard C compiler not supporting the Checked C language extension is still possible. We believe this to be the first proposed integration of a safe C dialect for the RIOT operating system. We present an incremental process for converting RIOT modules to Checked C, evaluate the overhead introduced by the conversions, and discuss our general experience with utilizing Checked C in the Internet of Things domain.

Paper Structure

This paper contains 10 sections, 2 figures, 1 table.

Figures (2)

  • Figure 1: Definition of the macro used to declare a pointer to a value of a given type.
  • Figure 2: Declarations of the well-known C library function fread: The first using Checked C and the second using our preprocessor macros.