
Security enhancement in embedded hard real-time systems

Team and supervisors
Team Web Site: https://team.inria.fr/pacap/
PhD Director: PUAUT Isabelle
Co-director(s), co-supervisor(s): Hiet Guillaume, Tronel Frédéric
Contact: PUAUT Isabelle, isabelle.puaut@irisa.fr, 02 99 84 73 10
PhD subject
Abstract

Context and motivation

The context of this thesis is that of real-time embedded systems, which are ubiquitous and proliferating. Examples of such systems are transportation systems (cars, subways, aircraft, railways), traffic control, process control for power plants, medical systems, communications, computer games, multimedia systems and the monitoring of household appliances, to cite only a few. In hard real-time systems, it is imperative that an event be reacted to within a strict deadline: not reacting within a given interval of time would cause great loss in some manner. Hard real-time systems have to come with a proof, called schedulability analysis, that all tasks meet their timing constraints under a given scheduling policy. To be trustworthy, this proof requires knowledge of the worst-case execution conditions (worst-case arrival times of tasks, worst-case execution times (WCET) of tasks).

Security in general-purpose systems is their protection from theft of or damage to their hardware, software or data, as well as from disruption or misdirection of the services they provide. To protect against attacks, systems integrate a number of countermeasures that reduce vulnerabilities, eliminate or prevent attacks, or simply report an attack so that a corrective action can be taken. There is a huge number of countermeasures (access control, cryptography, compiler-inserted canaries to detect buffer overflows, firewalls, intrusion detection systems, hardware protection mechanisms, etc.).

Real-time systems designed in the past were closed systems running on specialized hardware. Consequently, security was given little attention, as no access to these systems from the outside was possible. However, recent trends show the reuse of more and more (hardware and software) components in real-time systems. In particular, they now include software developed by third-party companies (for example by original equipment manufacturers, OEMs, in the automotive industry) sharing the same hardware platform. Multi-cores, executing software from different sources, are also increasingly used. Moreover, these systems are increasingly connected (in cars: detection control, failure monitoring interfaces, collision avoidance, accessible internal networks).

These trends lead to an increase in the complexity of real-time systems in general, and of real-time applications in particular. This increased complexity means that real-time systems can no longer be considered closed and inaccessible; instead, more vulnerabilities must be anticipated. Security has to be considered during system design and deployment to prevent unauthorized information disclosure and the exploitation of vulnerabilities by a potentially malicious, safety-threatening attacker.

Thesis: towards more secure real-time embedded systems

Security in real-time systems has some particularities compared to general-purpose systems. First, it must be ensured that all tasks meet their timing constraints [WILH:08a] even when specific countermeasures are deployed. Thus, the countermeasures themselves have to be time-predictable, and their (potentially indirect) impact on predictability has to be evaluated. Second, for the sake of predictability, a common class of scheduling strategies for safety-critical systems is time-triggered scheduling, in which tasks are executed at predefined times according to a schedule generated off-line. This class of scheduler is vulnerable to attacks, since a given task targeted by an attacker executes at regular time intervals. Finally, predictable timing can also be a strength and not only a weakness. Since the timing of a task (its Worst-Case Execution Time, WCET) is known, deviations from the task's expected behavior due to an intrusion into the system (an actual execution time higher than the WCET) can be detected, which is not possible in general-purpose systems because the timing of tasks is in general unknown.

Research on security in the real-time domain, despite its impact, is still in its infancy. The first carjacking exploits took place only very recently, and showed that cars are as vulnerable to hacking as any other connected device. The first research studies on security in real-time systems are recent and not that numerous. The earliest works are [ZIMM:10] and [YOON:13], which use worst-case task information to detect intrusions. [MOHA:08] is the first study we are aware of aiming at analyzing the timing of security countermeasures. [FELL:18] analyzes the indirect impact of address space randomization techniques (ASLR and variations) on task WCETs. [KRUG:18] introduces randomization into time-triggered schedules to mitigate directed timing attacks without compromising predictability.

The small number of research studies targeting security in real-time embedded systems opens an avenue for research work in this domain. Our research will be organized along three directions, detailed below: (i) exploitation of timing information to detect attacks, (ii) predictability analysis of countermeasures, (iii) mitigation of directed timing attacks.

  • Exploiting timing information to detect attacks. To be amenable to schedulability analysis, hard real-time systems need the WCETs of all tasks in the system to be known. This offers the possibility of detecting intrusions in the system when the observed execution time of a task exceeds its WCET. Preliminary research on the topic [ZIMM:10, YOON:13] detects intrusions at the level of an entire task. We will leverage our expertise in WCET estimation tools, and in particular their ability to generate partial task WCETs, to refine the granularity of such intrusion monitoring and thus increase the intrusion detection efficiency. The challenge is to insert monitoring points at the correct frequency without impairing the real-time constraints. Moreover, all preliminary research operates entirely in software, introducing overheads when measuring task execution times. We will explore the definition of dedicated hardware to mitigate the monitoring overhead.
  • Predictability analysis of countermeasures. Security countermeasures were originally designed for general-purpose systems, since at that time hard real-time systems were closed enough to be considered non-vulnerable to security attacks. Consequently, they were not designed with time predictability in mind. Some countermeasures will inevitably not be amenable to timing analysis. Some countermeasures might not be analyzable using static WCET estimation tools, for example because they contain unbounded numbers of loop iterations. Other countermeasures, implemented as tasks, might not be directly analyzable by schedulability analysis tools because the arrival instants of security tasks do not conform to the arrival laws supported by state-of-the-art schedulability analyses [HASA:17]. Finally, some countermeasures, such as address randomization (ASLR) or the introduction of canaries in the code of tasks to detect buffer overflows, have an indirect impact on the WCETs of tasks. For example, with ASLR, the manipulated addresses are not known at compile time. The introduction of canaries by compiler techniques adds potentially unpredictable code to tasks. The challenge here will not be to define new security mechanisms per se, but rather to adapt them to timing validation. In a first step, we will extensively characterize the predictability of existing countermeasures and their impact on task WCET estimation (cryptographic protocols, intrusion detection mechanisms, etc.). In a second phase, we will refine them if needed so that they become time-predictable. The only related research we are aware of [MOHA:08] only provides a roadmap for future research and not yet any extensive predictability analysis of security activities.
  • Mitigation of directed timing attacks. A classical scheduling strategy for hard real-time systems is time-triggered scheduling, in which each task is started at a given time decided off-line. Although highly predictable, these scheduling strategies are also vulnerable to directed attacks, because the generated schedule is cyclic and it is thus easy for an attacker to specifically target a given task. Following the seminal work of [KRUG:18], our objective will be to introduce a certain degree of randomization into the schedules to mitigate such timing attacks, without compromising predictability. We will extend the work to other classes of scheduling strategies and compare their respective vulnerability to directed attacks.
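The checkpoint-level monitoring sketched in the first direction above, as an added example that is not part of the thesis description: a small C monitor compares each segment of a task against a partial WCET and the cumulative time against the whole-task WCET. The budgets, the replayed traces and the tick source are constructed assumptions.

```c
/* Added example, not code from the thesis page: a timing monitor that checks a
 * task at checkpoint granularity instead of only at its end. Each checkpoint
 * carries the partial WCET of the segment ending there (assumed to come from a
 * static WCET tool). A violation is raised if a segment overruns its partial
 * WCET, if the cumulative time exceeds the task WCET, or if an unplanned
 * checkpoint is reached. Timer ticks are supplied by the caller. */
#include <stdint.h>
#include <stddef.h>
#define MAX_CHECKPOINTS 8

typedef struct {
    uint32_t segment_wcet[MAX_CHECKPOINTS]; /* partial WCET of each segment */
    size_t   n_checkpoints;
    uint32_t task_wcet;                     /* WCET of the whole task */
} task_timing_t;

typedef struct {
    const task_timing_t *spec;
    uint32_t task_start, segment_start;
    size_t   next;                          /* index of the expected checkpoint */
} monitor_t;

void monitor_start(monitor_t *m, const task_timing_t *spec, uint32_t now) {
    m->spec = spec; m->task_start = now; m->segment_start = now; m->next = 0;
}
/* Called at each checkpoint; returns 0 when within budget, -1 on violation.
 * Unsigned subtraction keeps the arithmetic right across counter wrap-around. */
int monitor_checkpoint(monitor_t *m, uint32_t now) {
    if (m->next >= m->spec->n_checkpoints) return -1;   /* unexpected checkpoint */
    size_t i = m->next++;
    uint32_t seg = now - m->segment_start, total = now - m->task_start;
    m->segment_start = now;
    return (seg > m->spec->segment_wcet[i] || total > m->spec->task_wcet) ? -1 : 0;
}
/* Replay a trace: ts[0] is the task start, ts[1..n-1] the checkpoint times.
 * Returns 0 if within budget, else the 1-based number of the first bad checkpoint. */
int run_trace(const task_timing_t *spec, const uint32_t *ts, size_t n) {
    monitor_t m;
    monitor_start(&m, spec, ts[0]);
    for (size_t k = 1; k < n; k++)
        if (monitor_checkpoint(&m, ts[k]) != 0) return (int)k;
    return 0;
}
/* Constructed budgets: the task WCET (400) is tighter than the sum of partial
 * WCETs (430), as infeasible path combinations typically make it. */
const task_timing_t DEMO_SPEC = { {100, 250, 80}, 3, 400 };
const uint32_t TRACE_OK[]         = {0, 90, 300, 380};
const uint32_t TRACE_SLOW_SEG[]   = {0, 90, 400, 480};      /* segment 2 takes 310 > 250 */
const uint32_t TRACE_OVER_TOTAL[] = {0, 100, 350, 420};     /* segments fit, total 420 > 400 */
const uint32_t TRACE_EXTRA[]      = {0, 90, 300, 380, 390}; /* an unplanned 4th checkpoint */
```

The third trace is the case a whole-task check would also catch only at the end, while the second and fourth are caught earlier than an end-of-task check could.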
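For the third direction, an added example (not code from the page or from [KRUG:18]) of randomizing a time-triggered frame within its slack so that start times vary while every deadline is still met; the frame, its slot parameters and the LCG are constructed assumptions.

```c
/* Added example, not code from the page or from [KRUG:18]: randomizing a cyclic
 * time-triggered frame inside its slack so start times vary from frame to frame
 * while every deadline is still met. A backward pass finds the latest feasible
 * start of each slot; a forward pass draws each start uniformly in its window.
 * The LCG is a constructed stand-in for a hardware random source. */
#include <stdint.h>
#include <stddef.h>
#define N_SLOTS 3
typedef struct { uint32_t release, wcet, deadline; } slot_t;
/* Constructed frame of three non-preemptive slots (times in ticks). */
const slot_t FRAME[N_SLOTS] = { {0, 20, 60}, {10, 30, 120}, {50, 25, 150} };

static uint32_t lcg_next(uint32_t *s) { *s = *s * 1664525u + 1013904223u; return *s >> 8; }
static uint32_t sat_sub(uint32_t a, uint32_t b) { return a > b ? a - b : 0; }

/* Fill start[] with a randomized but feasible schedule. Returns 1 on success,
 * 0 if some slot cannot meet its deadline. */
int randomize_frame(const slot_t *f, size_t n, uint32_t seed, uint32_t *start) {
    uint32_t latest[N_SLOTS];
    if (n == 0 || n > N_SLOTS) return 0;
    /* Backward pass: latest start keeping this slot and all later ones on time. */
    latest[n - 1] = sat_sub(f[n - 1].deadline, f[n - 1].wcet);
    for (size_t i = n - 1; i-- > 0; ) {
        uint32_t own = sat_sub(f[i].deadline, f[i].wcet);
        uint32_t chain = sat_sub(latest[i + 1], f[i].wcet);
        latest[i] = own < chain ? own : chain;
    }
    /* Forward pass: draw each start uniformly in [earliest, latest[i]]. */
    uint32_t prev_end = 0;
    for (size_t i = 0; i < n; i++) {
        uint32_t earliest = f[i].release > prev_end ? f[i].release : prev_end;
        if (earliest > latest[i] || earliest + f[i].wcet > f[i].deadline) return 0;
        start[i] = earliest + lcg_next(&seed) % (latest[i] - earliest + 1);
        prev_end = start[i] + f[i].wcet;
    }
    return 1;
}

/* Independent check: slots do not overlap and respect releases and deadlines. */
int schedule_is_valid(const slot_t *f, size_t n, const uint32_t *start) {
    uint32_t prev_end = 0;
    for (size_t i = 0; i < n; i++) {
        if (start[i] < f[i].release || start[i] < prev_end) return 0;
        if (start[i] + f[i].wcet > f[i].deadline) return 0;
        prev_end = start[i] + f[i].wcet;
    }
    return 1;
}
```

Re-running randomize_frame with a fresh seed each frame gives a different start vector every cycle, which is what breaks the regularity a directed timing attack relies on, while schedule_is_valid confirms the timing guarantees survive.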

The predictability of countermeasures will be evaluated using aiT, from AbsInt (https://www.absint.com/), a state-of-the-art commercial static timing analysis tool based on abstract interpretation.

Bibliography
  • [FELL:18] Joachim Fellmuth, Thomas Göthel, Sabine Glesner. Instruction Caches in Static WCET Analysis of Artificially Diversified Software. ECRTS 2018: 21:1-21:23
  • [HASA:17] Monowar Hasan, Sibin Mohan, Rodolfo Pellizzoni, Rakesh B. Bobba. Contego: An Adaptive Framework for Integrating Security Tasks in Real-Time Systems. ECRTS 2017
  • [KRUG:18] Kristin Krüger, Marcus Völp, Gerhard Fohler. Vulnerability Analysis and Mitigation of Directed Timing Inference Based Attacks on Time-Triggered Systems. ECRTS 2018: 22:1-22:17
  • [MOHA:08] Sibin Mohan. Worst-case execution time analysis of security policies for deeply embedded real-time systems. SIGBED Review 5(1): 8 (2008)
  • [MOHA:14] Sibin Mohan, Man-Ki Yoon, Rodolfo Pellizzoni, Rakesh Bobba. Real-Time Systems Security through Scheduler Constraints. ECRTS 2014: 129-140
  • [YOON:13] Man-Ki Yoon, Sibin Mohan, Jaesik Choi, Jung-Eun Kim, Lui Sha. SecureCore: A multicore-based intrusion detection architecture for real-time embedded systems. IEEE Real-Time and Embedded Technology and Applications Symposium 2013: 21-32
  • [YOON:16] Man-Ki Yoon, Sibin Mohan, Chien-Ying Chen, Lui Sha. TaskShuffler: A Schedule Randomization Protocol for Obfuscation against Timing Inference Attacks in Real-Time Systems. RTAS 2016: 111-122
  • [YOON:17] Man-Ki Yoon, Sibin Mohan, Jaesik Choi, Mihai Christodorescu, Lui Sha. Learning Execution Contexts from System Call Distribution for Anomaly Detection in Smart Embedded System. IoTDI 2017: 191-196
Keywords: Security, real-time
Place: IRISA - Campus universitaire de Beaulieu, Rennes