A Reconnaissance Attack Mechanism for Fixed-Priority Real-Time Systems

In real-time embedded systems (RTS), failures due to security breaches can cause serious damage to the system or the environment, and/or injury to humans. Therefore, it is very important to understand the potential threats and attacks against these systems. In this paper, we present a novel reconnaissance attack that extracts the exact schedule of real-time systems designed using fixed-priority scheduling algorithms. The attack is demonstrated on both a real hardware platform and a simulator, with a high success rate. Our evaluation results show that the algorithm is robust even in the presence of execution time variation.
