A real-time operating system (RTOS) is a special type of embedded OS. A general-purpose OS, embedded or not, uses a scheduler to balance processor time among running processes or users, which can make task completion times vary depending on a number of factors. In an RTOS, the scheduler is much more predictable and consistent. This makes an RTOS ideal for embedded systems, which tend to have strict requirements for when a task should be completed and do not have particularly taxing workloads.
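An added example (not from the original text) that models the contrast described above: the response time of one critical job under time-sharing round-robin versus fixed-priority preemption as background load grows. The model, the function names and the tick values are assumptions chosen for illustration, not any specific RTOS's scheduler.

```c
#include <stdio.h>

/* Simplified model (an assumption, not any real RTOS's scheduler):
 * one critical job needing `work` ticks is released at tick 0 while
 * `bg` background tasks are always ready to run. */
enum policy { TIME_SHARE, FIXED_PRIORITY };

/* Ticks from release until the critical job completes. */
int response_time(enum policy p, int work, int bg, int quantum)
{
    int t = 0, left = work, slot = 0;
    if (p == FIXED_PRIORITY)
        return work;            /* highest priority: preempts everything */
    /* Round-robin: slots 0..bg-1 are background tasks, slot bg is the
     * critical job (worst case: it is last in the rotation). */
    while (left > 0) {
        if (slot == bg) {
            int run = left < quantum ? left : quantum;
            left -= run;
            t += run;
        } else {
            t += quantum;       /* a background task uses its full slice */
        }
        slot = (slot + 1) % (bg + 1);
    }
    return t;
}

/* Jitter: spread of response times as background load goes 0..max_bg. */
int jitter(enum policy p, int work, int max_bg, int quantum)
{
    int lo = response_time(p, work, 0, quantum), hi = lo;
    for (int bg = 1; bg <= max_bg; bg++) {
        int r = response_time(p, work, bg, quantum);
        if (r < lo) lo = r;
        if (r > hi) hi = r;
    }
    return hi - lo;
}

int main(void)
{
    puts("bg  time-share  fixed-priority");
    for (int bg = 0; bg <= 5; bg++)
        printf("%2d  %10d  %14d\n", bg, response_time(TIME_SHARE, 3, bg, 2),
               response_time(FIXED_PRIORITY, 3, bg, 2));
    printf("jitter: %d vs %d ticks\n", jitter(TIME_SHARE, 3, 5, 2), jitter(FIXED_PRIORITY, 3, 5, 2));
    return 0;
}
```

In this model the time-shared job's completion time grows with every added background task, while the fixed-priority job finishes in the same number of ticks regardless of load.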

Like other embedded OSs, RTOSs often do not incorporate security features like Data Execution Prevention (DEP), though this depends on the OS and the actual hardware product it runs on. Several vulnerabilities have been discovered in RTOSs. Examples include:

  • Remote code execution against Broadcom Wi-Fi chips running the VxWorks RTOS (CVE-2017-9417).
  • Denial of service against the RPC protocol running on VxWorks (CVE-2015-7599).
  • Buffer overflow against BlackBerry devices using QNX Neutrino RTOS, enabling denial of service or code execution (CVE-2013-2688).
  • Buffer overflow against QNX Momentics RTOS, enabling privilege escalation (CVE-2008-3024).

As with other embedded components and systems, these exploits are highly specialized, and only certain ones may apply to your target environment.