This paper addresses the critical need for enhanced security in Internet of Things (IoT) devices by evaluating the implementation of binary hardening techniques using Clang security features within the Yocto build environment. Recognizing that product managers are often resistant to adopting binary hardening security features due to perceived performance impacts on resource-constrained devices, a cost-benefit analysis was conducted to assess the actual performance impact of various Clang security flags on key metrics such as binary size, device boot time, and service response time. Binaries are compiled using default settings and with individual security flags to identify which security enhancements impose minimal performance costs and can be enabled by default. In contrast, enhancements that incur higher costs are identified and should be selectively implemented for critical services. Additionally, a tool is introduced that simplifies the addition and management of Clang security flags within Yocto, making it easier to test and experiment within the Yocto build system. The study’s findings provide actionable insights for product managers and developers, offering practical recommendations for balancing security and performance in IoT devices. By demonstrating that certain security features can be implemented without significant performance degradation, this research encourages the adoption of security measures essential to modern server-class systems, ultimately contributing to the development of more resilient IoT devices.