Velox VM: A safe execution environment for resource-constrained IoT applications

Abstract

We present Velox, a virtual machine architecture that provides a safe execution environment for applications in resource-constrained IoT devices. Our goal with this architecture is to support developers in writing and deploying safe IoT applications, in a manner similar to smartphones with application stores. To this end, we provide a resource and security policy framework that enables fine-grained control of the execution environment of IoT applications. This framework allows device owners to configure, e.g., the amount of bandwidth, energy, and memory that each IoT application can use. Velox's features also include support for high-level programming languages, a compact bytecode format, and preemptive multi-threading.In the context of IoT devices, there are typically severe energy, memory, and processing constraints that make the design and implementation of a virtual machine with such features challenging. We elaborate on how Velox is implemented in a resource-efficient manner, and describe our port of Velox to the Contiki OS. Our experimental evaluation shows that we can control the resource usage of applications with a low overhead. We further show that, for typical I/O-driven IoT applications, the CPU and energy overhead of executing Velox bytecode is as low as 1–5% compared to corresponding applications compiled to machine code. Lastly, we demonstrate how application policies can be used to mitigate the possibility of exploiting vulnerable applications.