Root Repo for the EPOXY tool that applies Privilege Overlays on bare-metal systems

EPOXY Embedded Privilege Overlays for X hardware with Y software

This is the compiler used in the paper "Protecting Bare-metal Embedded Systems With Privilege Overlays", from IEEE Security and Privacy 2017.


This tool has only been tested on Ubuntu 14.04, using Clang 3.9 to build LLVM. Other versions may work, but are untested.


Building LLVM is memory intensive; >=16GB of memory is recommended.


To set up, clone this repo into a directory <YOUR_DIR>; this can be any name you choose.

git clone

Then cd into EPOXY and run the following scripts:

./  #this will clone and setup the llvm and clang repos
./  #this will run the proper cmake command for llvm
./  #this will download a copy of arm-none-eabi gcc toolchain
		# and build it with the linker plugin support
		# EPOXY uses arm-none-eabi-ld and the standard libs from this build

This will build the arm-none-eabi toolchain with libraries, and create the following directory structure.

  |--> EPOXY (This Repo)
  |--> EPOXY-llvm   (The EPOXY-llvm repo)
  |--> EPOXY-clang  (The EPOXY-clang repo)
  |--> llvm_build   (The directory llvm will be built in)
  |--> llvm_bin     (The directory llvm's binaries will be installed)
  |--> gcc
        |-->bins    (Where the arm-none-eabi-gcc tool chain gets installed to)


It appears that the URL used to download GCC changes from time to time. This will cause to fail. EPOXY has been tested using the 6-2017-q1-update release from Their build was modified to add support for the plugin with the linker by modifying the script to add the following options under the binutils target.

    --enable-plugins \
    --enable-lto \
    --enable-gold \

Building LLVM

After completing setup:

cd <YOUR_DIR>/llvm_build
ninja install

Now build EPOXY's runtime


Any program using EPOXY should include the created rt_edivert.o in its final linking step in order to use its runtime support code.

Building Beebs Benchmarks

After successfully compiling LLVM you can build the beebs benchmarks for the STM32F4Discovery board.

cd <YOUR_DIR>/EPOXY/beebs/tools
python -s #Sets up all the benchmarks for building
python -m -n=1 #Builds all benchmarks with 1 variant of each
python -c  #Cleans all the benchmarks

All binaries are placed in <YOUR_DIR>/EPOXY/beebs/bins

Individual benchmarks can be built by changing into the appropriate benchmark directory (i.e. <YOUR_DIR>/EPOXY/beebs/src/) and running make. See for options for make.


This repo includes a version of the BEEBs benchmarks, which are GPL licensed. Their repo can be found at

It also includes the STM32CubeF4 HAL, which uses a BSD license.


Our modifications and tools are distributed using license in
