Vol. 7 No. 1 (2021): Special Issue on Embedded System Security

Randomization as Mitigation of Directed Timing Inference Based Attacks on Time-Triggered Real-Time Systems with Task Replication

Kristin Krüger
Department of Electrical and Computer Engineering, Technische Universität Kaiserslautern
Nils Vreman
Department of Automatic Control, Lund University
Richard Pates
Department of Automatic Control, Lund University
Martina Maggio
Department of Automatic Control, Lund University; Department of Computer Science, Saarland University
Marcus Völp
SnT - Université du Luxembourg
Gerhard Fohler
Department of Electrical and Computer Engineering, Technische Universität Kaiserslautern

Published 2021-08-12

Keywords

  • real-time systems,
  • time-triggered systems,
  • security

How to Cite

[1] Krüger, K., Vreman, N., Pates, R., Maggio, M., Völp, M. and Fohler, G. 2021. Randomization as Mitigation of Directed Timing Inference Based Attacks on Time-Triggered Real-Time Systems with Task Replication. Leibniz Transactions on Embedded Systems. 7, 1 (Aug. 2021), 01:1–01:29. DOI: https://doi.org/10.4230/LITES.7.1.1.

Abstract

Time-triggered real-time systems achieve deterministic behavior using schedules that are constructed offline from the scheduling constraints. This determinism makes time-triggered systems suitable for safety-critical environments such as avionics. However, the same determinism lets an attacker who has studied the system's behavior through side channels fine-tune attacks against safety-critical victim tasks. Replication, that is, executing task variants across different cores, inherently tolerates both accidental and malicious faults (i.e., attacks), as long as these faults are independent of one another. Yet targeted attacks on the timing behavior of tasks that exploit information gained about the system's behavior violate the fault-independence assumption on which fault tolerance rests. This violation may give attackers the opportunity to compromise all replicas simultaneously, in particular if they can mount the attack from already compromised components. In this paper, we analyze vulnerabilities of time-triggered systems, focusing on safety-certified multicore real-time systems. We introduce two runtime mitigation strategies to withstand directed timing inference based attacks: (i) schedule randomization at slot level, and (ii) randomization within a set of offline constructed schedules. We evaluate these mitigation strategies with synthetic experiments and a real case study to show their effectiveness and practicality.
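The following toy model is an added illustration of the threat and the two mitigations the abstract names; it is not the paper's own code or evaluation artifact. It assumes a single core, a hyperperiod of six slots, single-slot jobs with release times and deadlines (all constructed here), a work-conserving scheduler, and an attacker who watches a few hyperperiods over a side channel, assumes the victim will stay in the slot it was seen in most often, and strikes there next. Mitigation (i) re-picks the job for each slot at runtime among those whose choice keeps the rest EDF-feasible; mitigation (ii) enumerates the admissible tables offline (exhaustively, for this small set) and draws only an index at runtime. The job names and numbers are assumptions chosen so that both effects are visible.

```python
"""Directed timing inference on a time-triggered slot schedule, and the effect
of (i) slot-level and (ii) schedule-set randomization. Added toy model with
constructed data; not the paper's artifact."""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Job:
    name: str
    release: int   # first slot in which the job may run
    deadline: int  # the job must have run in some slot < deadline


# Constructed example: one core, hyperperiod of 6 slots, single-slot jobs.
HYPERPERIOD = 6
JOBS = (Job("victim", 0, 6), Job("A", 0, 2), Job("B", 0, 4),
        Job("C", 2, 6), Job("D", 3, 6))


def edf_table(jobs, t=0, length=HYPERPERIOD):
    """Deterministic offline table (EDF over the ready single-slot jobs), or
    None if the job set is infeasible. This fixed table is what a
    side-channel observer learns about the unmitigated system."""
    pending, table = list(jobs), []
    for slot in range(t, length):
        ready = sorted((j for j in pending if j.release <= slot),
                       key=lambda j: j.deadline)
        if ready and ready[0].deadline <= slot:
            return None  # the earliest-deadline job already missed it
        table.append(ready[0].name if ready else None)
        if ready:
            pending.remove(ready[0])
    return tuple(table) if not pending else None


def randomized_slots(jobs, rng, length=HYPERPERIOD):
    """Mitigation (i): slot-level randomization at runtime. In every slot pick
    uniformly among the ready jobs whose selection leaves the remaining jobs
    EDF-feasible, so no deadline is ever put at risk by the randomization."""
    pending, table = list(jobs), []
    for slot in range(length):
        ready = [j for j in pending if j.release <= slot]
        ok = [j for j in ready
              if edf_table([p for p in pending if p is not j], slot + 1, length) is not None]
        if ready and not ok:
            raise ValueError("job set is not feasible")
        pick = rng.choice(ok) if ok else None
        table.append(pick.name if pick else None)
        if pick:
            pending.remove(pick)
    return tuple(table)


def schedule_set(jobs, t=0, length=HYPERPERIOD):
    """Mitigation (ii): the admissible tables are built (and can be verified)
    offline; here every feasible work-conserving table is enumerated. At
    runtime the scheduler only draws an index into this fixed set."""
    pending = list(jobs)
    if t == length:
        return [()] if not pending else []
    ready = [j for j in pending if j.release <= t]
    if any(j.deadline <= t for j in ready):
        return []  # a released job can no longer meet its deadline
    if not ready:
        return [(None,) + rest for rest in schedule_set(pending, t + 1, length)]
    tables = []
    for j in ready:
        rest_jobs = [p for p in pending if p is not j]
        tables += [(j.name,) + rest for rest in schedule_set(rest_jobs, t + 1, length)]
    return tables


def attack_hit_rate(next_table, rng, observe=4, trials=300):
    """Directed timing-inference attacker (assumed model): observe `observe`
    hyperperiods, take the slot the victim occupied most often as its fixed
    position, and strike in that slot during the following hyperperiod.
    Returns the fraction of strikes that coincide with the victim."""
    hits = 0
    for _ in range(trials):
        seen = [next_table(rng).index("victim") for _ in range(observe)]
        guess = max(sorted(set(seen)), key=seen.count)
        hits += next_table(rng).index("victim") == guess
    return hits / trials


STATIC = edf_table(JOBS)
OFFLINE_SET = schedule_set(JOBS)


def compare(seed=1):
    """Attacker hit rate against the static table and both mitigations."""
    rng = random.Random(seed)
    return {
        "static": attack_hit_rate(lambda _: STATIC, rng),
        "slot_randomized": attack_hit_rate(lambda r: randomized_slots(JOBS, r), rng),
        "schedule_set": attack_hit_rate(lambda r: r.choice(OFFLINE_SET), rng),
    }


if __name__ == "__main__":
    print("static table:", STATIC)
    print(len(OFFLINE_SET), "admissible offline tables; victim slots",
          sorted({t.index("victim") for t in OFFLINE_SET}))
    for name, rate in compare().items():
        print(f"{name:16s} attacker hit rate {rate:.2f}")
```

Against the static table the attacker is right every time; under either mitigation the hit rate drops to roughly the probability of the victim's most likely slot. The feasibility check in `randomized_slots` is the part a practitioner should not skip: randomizing without it would trade a timing-inference weakness for deadline misses, and the offline set in `schedule_set` is the form that can be handed to a safety assessor, since every table in it is fixed before deployment.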
