Randomization as Mitigation of Directed Timing Inference Based Attacks on Time-Triggered Real-Time Systems with Task Replication
- real-time systems
- time-triggered systems
Copyright (c) 2021 Kristin Krüger, Nils Vreman, Richard Pates, Martina Maggio, Marcus Völp, and Gerhard Fohler
This work is licensed under a Creative Commons Attribution 4.0 International License.
Abstract
Time-triggered real-time systems achieve deterministic behavior using schedules that are constructed offline, based on scheduling constraints. Their deterministic behavior makes time-triggered systems suitable for use in safety-critical environments, like avionics. However, this determinism also allows attackers to fine-tune attacks that can be carried out after studying the behavior of the system through side channels, targeting safety-critical victim tasks. Replication -- i.e., the execution of task variants across different cores -- is inherently able to tolerate both accidental and malicious faults (i.e., attacks) as long as these faults are independent of one another. Yet, targeted attacks on the timing behavior of tasks that utilize information gained about the system behavior violate the fault-independence assumption on which fault tolerance is based. This violation may give attackers the opportunity to compromise all replicas simultaneously, in particular if they can mount the attack from already compromised components. In this paper, we analyze vulnerabilities of time-triggered systems, focusing on safety-certified multicore real-time systems. We introduce two runtime mitigation strategies to withstand directed timing inference based attacks: (i) schedule randomization at slot level, and (ii) randomization within a set of offline constructed schedules. We evaluate these mitigation strategies with synthetic experiments and a real case study to show their effectiveness and practicality.
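The following is an added illustration of the two mitigation ideas named in the abstract; it is not code from the paper or its authors. It models one hyperperiod of a single-core time-triggered table with unit-length jobs (a constructed task set: `victim`, `ctrl`, `log`, `io`, each with a release slot and a deadline slot). The baseline is a fixed offline table. Strategy (i) is approximated by choosing, at every slot, uniformly among the released jobs (or idling) whose selection keeps the remaining jobs feasible, checked with an EDF lookahead, which is optimal for unit jobs. Strategy (ii) collects distinct feasible tables offline and draws one per hyperperiod. The `slot_predictability` metric, the chance that an observer guessing the most likely slot of the victim is right, is my own simple measure, not the paper's evaluation metric.

```python
"""Slot-level and schedule-set randomization of a time-triggered table (added example)."""
import random
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Job:
    name: str
    release: int   # first slot in which the job may execute
    deadline: int  # the job must have executed in a slot < deadline


# Constructed task set: one hyperperiod of 8 unit slots on one core.
HYPERPERIOD = 8
JOBS = [
    Job("victim", 0, 4),
    Job("ctrl", 2, 6),
    Job("log", 4, 8),
    Job("io", 0, 8),
]


def feasible(schedule, jobs):
    """schedule maps slot -> job name; every job must run exactly once inside its window."""
    placed = {}
    for slot, name in schedule.items():
        if name in placed:
            return False
        placed[name] = slot
    return all(j.name in placed and j.release <= placed[j.name] < j.deadline for j in jobs)


def edf_remaining(remaining, start, hyperperiod):
    """Lookahead: can the unscheduled jobs still all meet their deadlines from `start` on?"""
    left = sorted(remaining, key=lambda j: j.deadline)
    slot = start
    while left and slot < hyperperiod:
        released = [j for j in left if j.release <= slot]
        if released:
            if slot >= released[0].deadline:   # earliest deadline among released already missed
                return False
            left.remove(released[0])
        slot += 1
    return not left


def offline_schedule(jobs, hyperperiod):
    """Deterministic baseline table: earliest-deadline-first among released jobs."""
    remaining = sorted(jobs, key=lambda j: (j.deadline, j.name))
    schedule = {}
    for slot in range(hyperperiod):
        for job in remaining:
            if job.release <= slot:
                schedule[slot] = job.name
                remaining.remove(job)
                break
    return schedule


def randomized_schedule(jobs, hyperperiod, rng):
    """Strategy (i): per slot, pick uniformly among the safe choices (released jobs or idling)."""
    remaining = list(jobs)
    schedule = {}
    for slot in range(hyperperiod):
        options = []
        if edf_remaining(remaining, slot + 1, hyperperiod):
            options.append(None)  # idling is safe here
        for job in remaining:
            rest = [j for j in remaining if j is not job]
            if job.release <= slot and edf_remaining(rest, slot + 1, hyperperiod):
                options.append(job)
        choice = rng.choice(options)  # non-empty as long as the table started out feasible
        if choice is not None:
            schedule[slot] = choice.name
            remaining.remove(choice)
    return schedule


def simulate_runtime(jobs, hyperperiod, periods=200, seed=7):
    """Run strategy (i) for `periods` hyperperiods with a fixed seed (seed is an assumption)."""
    rng = random.Random(seed)
    return [randomized_schedule(jobs, hyperperiod, rng) for _ in range(periods)]


def build_schedule_set(jobs, hyperperiod, draws=100, seed=1):
    """Strategy (ii): offline, collect distinct feasible tables to draw from at runtime."""
    rng = random.Random(seed)
    tables = {tuple(sorted(randomized_schedule(jobs, hyperperiod, rng).items())) for _ in range(draws)}
    return [dict(t) for t in tables]


def slot_predictability(schedules, name):
    """Probability that guessing the most frequent slot of `name` is correct over the observed hyperperiods."""
    slots = Counter(next(s for s, n in sched.items() if n == name) for sched in schedules)
    return max(slots.values()) / len(schedules)


if __name__ == "__main__":
    base = offline_schedule(JOBS, HYPERPERIOD)
    draws = simulate_runtime(JOBS, HYPERPERIOD)
    print("baseline table:", base)
    print("victim predictability, fixed table:", slot_predictability([base] * len(draws), "victim"))
    print("victim predictability, slot randomization:", slot_predictability(draws, "victim"))
    print("distinct offline tables for strategy (ii):", len(build_schedule_set(JOBS, HYPERPERIOD)))
```

With the fixed table an observer who has learned the schedule is right every time; under slot-level randomization the victim can land in any of the slots 0 to 3, so the guess probability drops well below one while every generated table remains feasible. Idling is offered as a choice on purpose: without it the randomizer would always fill the earliest slots and leak more structure.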