Randomization as Mitigation of Directed Timing Inference Based Attacks on Time-Triggered Real-Time Systems with Task Replication

Time-triggered real-time systems achieve deterministic behavior using schedules that are constructed offline, based on scheduling constraints. Their deterministic behavior makes time-triggered systems suitable for safety-critical environments such as avionics. However, this determinism also allows attackers to fine-tune attacks after studying the behavior of the system through side channels, targeting safety-critical victim tasks. Replication -- i.e., the execution of task variants across different cores -- is inherently able to tolerate both accidental and malicious faults (i.e., attacks) as long as these faults are independent of one another. Yet targeted attacks on the timing behavior of tasks that exploit information gained about the system behavior violate the fault-independence assumption on which fault tolerance is based. This violation may give attackers the opportunity to compromise all replicas simultaneously, in particular if they can mount the attack from already compromised components. In this paper, we analyze vulnerabilities of time-triggered systems, focusing on safety-certified multicore real-time systems. We introduce two runtime mitigation strategies to withstand directed timing inference based attacks: (i) schedule randomization at slot level, and (ii) randomization within a set of offline constructed schedules. We evaluate these mitigation strategies with synthetic experiments and a real case study to show their effectiveness and practicality.
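The two mitigation strategies named in the abstract, worked through on a toy two-core time-triggered table, as an added example that is not the paper's own code or evaluation. Everything in it is constructed for illustration: the six-job task set with two replicas of a victim task pinned to different cores, the eight-slot hyperperiod, the rule that a slot may be re-assigned at runtime only if an EDF check shows every remaining deadline on that core is still attainable, and the attacker model (an attacker who learned the static offline table and predicts that every victim replica will run in its offline slot). The paper's actual constraint model and attacker model may differ.

```python
"""Slot-level schedule randomization (strategy i) and randomization over a
set of offline-built schedules (strategy ii) for a replicated victim task.
Constructed example; task set and attacker model are assumptions."""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Job:
    name: str      # replicas of the victim task share the prefix "V_"
    core: int      # replicas are pinned to different cores
    release: int   # first slot in which the job may execute
    deadline: int  # all 'wcet' slots must be done before this slot
    wcet: int      # slots needed per hyperperiod


HYPERPERIOD = 8
# Constructed task set: victim V replicated on core 0 and core 1.
JOBS = [
    Job("V_rep0", 0, 0, 4, 1), Job("A", 0, 0, 8, 2), Job("B", 0, 2, 8, 2),
    Job("V_rep1", 1, 0, 4, 1), Job("C", 1, 0, 8, 3), Job("D", 1, 4, 8, 1),
]


def edf_feasible(remaining, start):
    """True if EDF from slot 'start' finishes every job on one core in time."""
    rem = dict(remaining)
    for t in range(start, HYPERPERIOD):
        ready = [j for j, r in rem.items() if r > 0 and j.release <= t]
        if not ready:
            continue
        j = min(ready, key=lambda j: (j.deadline, j.name))
        if t >= j.deadline:        # earliest deadline already missed
            return False
        rem[j] -= 1
    return all(r == 0 for r in rem.values())


def build_schedule(rng=None):
    """Return {core: [job name or None per slot]}. rng=None yields the offline
    EDF table; with an rng, each slot picks uniformly among ready jobs whose
    selection keeps every deadline on that core attainable (EDF check)."""
    table = {}
    for core in sorted({j.core for j in JOBS}):
        rem = {j: j.wcet for j in JOBS if j.core == core}
        row = []
        for t in range(HYPERPERIOD):
            ready = [j for j, r in rem.items() if r > 0 and j.release <= t]
            if not ready:
                row.append(None)
                continue
            if rng is None:
                pick = min(ready, key=lambda j: (j.deadline, j.name))
            else:
                safe = []
                for j in ready:
                    trial = dict(rem)
                    trial[j] -= 1
                    if edf_feasible(trial, t + 1):
                        safe.append(j)
                pick = rng.choice(safe)   # EDF's own choice is always in 'safe'
            rem[pick] -= 1
            row.append(pick.name)
        table[core] = row
    return table


def meets_deadlines(table):
    """Every job executes exactly 'wcet' slots inside [release, deadline)."""
    for j in JOBS:
        row = table[j.core]
        done = sum(1 for t in range(j.release, j.deadline) if row[t] == j.name)
        outside = j.name in row[:j.release] or j.name in row[j.deadline:]
        if done != j.wcet or outside:
            return False
    return True


def victim_slots(table):
    return frozenset((core, t) for core, row in table.items()
                     for t, name in enumerate(row) if name and name.startswith("V_"))


def attacker_hit_rate(schedules, baseline):
    """Fraction of hyperperiods in which ALL victim replicas ran exactly in
    the slots the attacker predicted from the static offline table."""
    target = victim_slots(baseline)
    return sum(1 for s in schedules if victim_slots(s) == target) / len(schedules)


def run_static(periods):
    return [build_schedule()] * periods


def run_slot_randomized(periods, seed=1):          # strategy (i)
    rng = random.Random(seed)
    return [build_schedule(rng) for _ in range(periods)]


def run_schedule_set(periods, set_size=4, seed=1):  # strategy (ii)
    """Build set_size feasible tables offline, pick one per hyperperiod."""
    rng = random.Random(seed)
    pool = [build_schedule(random.Random(seed + k)) for k in range(set_size)]
    return [rng.choice(pool) for _ in range(periods)]


if __name__ == "__main__":
    base = build_schedule()
    print("static      :", attacker_hit_rate(run_static(200), base))
    print("slot-random :", attacker_hit_rate(run_slot_randomized(200), base))
    print("schedule-set:", attacker_hit_rate(run_schedule_set(200), base))
```

The per-slot EDF check is what keeps strategy (i) from undoing the guarantees the system was certified for: a slot is only re-assigned when every remaining deadline on that core is still attainable, so the attacker's knowledge of the offline table no longer tells them when both replicas of the victim execute. Strategy (ii) moves all of that work offline, which is cheaper at runtime but bounds the attacker's uncertainty by the size of the schedule set. A real deployment would also have to preserve precedence and inter-core communication constraints that this toy omits.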
