Improving Security for Time-Triggered Real-Time Systems against Timing Inference Based Attacks by Schedule Obfuscation

Covert timing channels in real-time systems allow adversaries to not only exfiltrate application secrets but also to mount timing inference based attacks. Much effort has been put into improving real-time system predictability with the additional benefit of reducing the former class of confidentiality attacks. However, the more predictable the system behaves, the easier timing inference based attacks become. Time-triggered scheduling is particularly vulnerable to these types of attacks due to offline constructed tables that are scheduled with clock synchronization and OS-timer predictability. In this paper, we obfuscate timetriggered scheduling to complicate timing inference based attacks while maintaining strong protection against exfiltration attacks. I. APPLICATION DOMAIN & CHALLENGE Time-triggered (TT) real-time systems [1] are often used in safety-critical environments where they provide highly predictable scheduling behavior to meet stringent timing constraints. While online scheduling provides predictability, i.e, guarantees that deadlines will be met, but not exact times of execution, TT systems provide determinism, i.e., given schedule and time, the task executing is known. Leaking the scheduling information of safety-critical tasks enables adversaries to mount targeted attacks misusing this knowledge to defy detection and jeopardize the timeliness and thereby the safety that these tasks contribute to. Security is thus of high concern for safety-critical systems. Having compromised a large enough set of non real-time or low safety-critical tasks, an attacker can make use of leaked scheduling-related information to fine-tune its behavior such that the set generates maximum interference on subsequently executing victims. For example, to stay undetected, an adversary could continue normal operation of its compromised tasks up to the point when one of its tasks is executed immediately before a safety-critical task. At this time the compromised task exploits all of its accessible memory to create a cache and memory access pattern that maximizes cache-related delays of the safety-critical task. Naturally, tools analyzing only the legitimate task behavior to determine cacherelated preemption delays are blind to such malicious behavior. Short of anticipating maximum preemption delays for all tasks, TT schedules remain susceptible to such attacks. Furthermore, due to its predictability, TT scheduling is inherently vulnerable to timing inference based attacks [2]. In this work, we show how we can use an offline constructed TT schedule to impede timing inference based attacks.

[1]  Gerhard Fohler Predictably Flexible Real-Time Scheduling , 2012, Advances in Real-Time Systems.

[2]  Man-Ki Yoon,et al.  Integrating security constraints into fixed priority real-time schedulers , 2016, Real-Time Systems.

[3]  Stefan Schorr,et al.  Adaptive Real-Time Scheduling and Resource Management on Multicore Architectures , 2015 .

[4]  J. Alves-Foss,et al.  Covert Timing Channel Analysis of Rate Monotonic Real-Time Scheduling Algorithm in MLS Systems , 2006, 2006 IEEE Information Assurance Workshop.

[5]  Günter Grünsteidl,et al.  TTP - A Protocol for Fault-Tolerant Real-Time Systems , 1994, Computer.

[6]  Hermann Härtig,et al.  On confidentiality-preserving real-time locking protocols , 2013, 2013 IEEE 19th Real-Time and Embedded Technology and Applications Symposium (RTAS).

[7]  Lui Sha,et al.  TaskShuffler: A Schedule Randomization Protocol for Obfuscation against Timing Inference Attacks in Real-Time Systems , 2016, 2016 IEEE Real-Time and Embedded Technology and Applications Symposium (RTAS).

[8]  Hermann Kopetz,et al.  Sparse time versus dense time in distributed real-time systems , 1992, [1992] Proceedings of the 12th International Conference on Distributed Computing Systems.

[9]  Silviu S. Craciunas,et al.  SMT-based Task- and Network-level Static Schedule Generation for Time-Triggered Networked Systems , 2014, RTNS.

[10]  Sibin Mohan,et al.  Schedule-Based Side-Channel Attack in Fixed-Priority Real-time Systems , 2015 .

[11]  Gerhard Fohler,et al.  Joint scheduling of distributed complex periodic and hard aperiodic tasks in statically scheduled systems , 1995, Proceedings 16th IEEE Real-Time Systems Symposium.