On the Pitfalls and Vulnerabilities of Schedule Randomization Against Schedule-Based Attacks

Schedule randomization is one of the recently introduced security defenses against schedule-based attacks, i.e., attacks whose success depends on a particular ordering between the execution window of an attacker and a victim task within the system. It falls into the category of information hiding (as opposed to deterministic isolation-based defenses) and is designed to reduce the attacker's ability to infer the future schedule. This paper aims to investigate the limitations and vulnerabilities of schedule randomization-based defenses in real-time systems. We first provide definitions, categorization, and examples of schedule-based attacks, and then discuss the challenges of employing schedule randomization in real-time systems. Further, we provide a preliminary security test to determine whether a certain timing relation between the attacker and victim tasks will never happen in systems scheduled by a fixed-priority scheduling algorithm. Finally, we compare fixed-priority scheduling against schedule-randomization techniques in terms of the success rate of various schedule-based attacks for both synthetic and real-world applications. Our results show that, in many cases, schedule randomization either has no security benefits or can even increase the success rate of the attacker depending on the priority relation between the attacker and victim tasks.
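The abstract mentions a test for whether a given timing relation between attacker and victim tasks can ever occur under fixed-priority scheduling. The following is an added illustration, not the paper's own test: it brute-forces the question for synchronous, preemptive fixed-priority task sets by simulating one hyperperiod in unit time slots and asking whether a slot of the attacker task is ever immediately followed by a slot of the victim task. The unit-slot model, the `Task` fields and the three task sets are constructed assumptions; the third set shows that the relation can still arise across the period boundary even when the attacker has the lowest priority.

```python
from dataclasses import dataclass
from math import lcm

@dataclass(frozen=True)
class Task:
    name: str
    period: int    # implicit deadline
    wcet: int      # execution time in unit slots
    priority: int  # smaller number = higher priority

def hyperperiod(tasks):
    return lcm(*(t.period for t in tasks))

def fixed_priority_schedule(tasks, horizon):
    """Simulate synchronous, preemptive fixed-priority scheduling in unit
    slots. Returns (slots, backlog): slots[i] is the task running in slot i
    (None when idle); backlog is work still pending at the horizon."""
    by_prio = sorted(tasks, key=lambda t: t.priority)
    remaining = {t.name: 0 for t in tasks}
    slots = []
    for now in range(horizon):
        for t in tasks:                    # job releases at period multiples
            if now % t.period == 0:
                remaining[t.name] += t.wcet
        ready = [t for t in by_prio if remaining[t.name] > 0]
        if ready:
            remaining[ready[0].name] -= 1  # highest-priority ready job runs
            slots.append(ready[0].name)
        else:
            slots.append(None)
    return slots, sum(remaining.values())

def attacker_can_precede_victim(tasks, attacker, victim):
    """Exact check: does a slot of `attacker` ever immediately precede a slot
    of `victim`? One hyperperiod is simulated and treated cyclically, which is
    exact when no work is pending at its end (otherwise a deadline was missed)."""
    slots, backlog = fixed_priority_schedule(tasks, hyperperiod(tasks))
    if backlog:
        raise ValueError("task set misses a deadline; schedule does not repeat")
    pairs = zip(slots, slots[1:] + slots[:1])
    return any(a == attacker and b == victim for a, b in pairs)

# Constructed task sets (assumptions for this example, not from the paper).
ATTACKER_HIGH = [Task("attacker", 6, 1, 0), Task("victim", 6, 2, 1)]
ATTACKER_LOW = [Task("victim", 6, 2, 0), Task("attacker", 6, 1, 1)]
ATTACKER_LOW_WRAP = [Task("victim", 3, 1, 0), Task("mid", 6, 3, 1), Task("attacker", 6, 1, 2)]

if __name__ == "__main__":
    for name, ts in [("high", ATTACKER_HIGH), ("low", ATTACKER_LOW), ("wrap", ATTACKER_LOW_WRAP)]:
        print(name, attacker_can_precede_victim(ts, "attacker", "victim"))
```

A `False` result is a proof that the ordering never occurs under this deterministic schedule, which is exactly the property a randomized scheduler may give up.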
