Abstract
Traditionally, most real-time systems (RTS) were considered to be invulnerable to security breaches and external attacks. This was mainly due to the use of proprietary hardware and protocols in such systems along with physical isolation. Hence, security and RTS were considered to be separate domains. This assumption is being challenged by recent events that highlight the vulnerabilities in such systems. In this paper, we focus on how to integrate security as a first-class principle in the design of RTS. We demonstrate how certain security requirements can be cast as real-time scheduling constraints. We use information leakage as a motivating problem to illustrate our techniques and focus on the class of fixed-priority real-time schedulers. We evaluate our approach both analytically as well as using simulations and discuss the tradeoffs in using such an approach. Our work shows that many real-time task sets can be scheduled using our methods without significant performance impact.
Notes
Information leakage happens when sensitive data leaks to unauthorized or unintended parties from a system that is supposed to be closed or secure.
A covert channel is an unintended and unauthorized channel for information transfer between two processes. A covert timing channel refers to a covert channel where information is transmitted to the receiving process by varying the timing of actions or resource usage.
Other than the processor core of course.
Sometimes referred to as “storage channels with timing exploitation”.
We will discuss techniques to avoid an inordinate number of cache flushes later on in the paper.
We will relax this assumption later in the paper to obtain tighter bounds.
Note that a PF technique that invokes a FT during both high-to-low and low-to-high task transitions can essentially support security labels that form a partial order. This is because when a security label \(s_i\) is unrelated to \(s_j\), information leakage should not be allowed in either direction.
Essentially to flush and refill the cache.
As an example, a 6th generation Intel Core i7 processor (Intel Corporation 2015) has an 8 MB Level 3 cache and up to 31.128 GB/s memory bandwidth. This results in a best-case time of \(257 \mu s\) to flush the entire L3 cache content to main memory. We further experimented with a Xilinx FPGA platform using an ARM Cortex A9 hard core processor to obtain experimental measurements on an embedded system. Using the available flushing functionality in the cache controller, we measured a worst-case running time for FT equal to \(380\, \mu s\).
We get these bounds based on the upper bounds on the number of preemptions for basic and non-preemptive FP algorithms.
While the typical schedulability tests for FP put the theoretical upper bound at \(69~\%\) (Liu and Layland 1973), it is possible for FP to schedule task sets with higher utilizations—e.g., if they are harmonic in nature.
We also saw similar trends for other values of \(c_{ft}\) but omit them here since they don’t really add any new information.
We generated new task sets since the number of task sets in the original evaluation was not enough to show the differences in running times.
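The footnote on the \(69~\%\) bound is easy to misread as a hard limit, so the following added example (not code from the paper) makes the distinction concrete: the Liu and Layland (1973) utilization bound is only sufficient, and the exact response-time analysis of Audsley et al. (1993) shows that a harmonic task set with utilization 1.0 is schedulable under fixed-priority (rate-monotonic) scheduling, while a non-harmonic set with lower utilization is not. The task sets are constructed for illustration; execution times and periods are in arbitrary time units, deadlines equal periods, and no flush-task overhead is modelled.

```python
from math import ceil

# A task is (execution_time, period); deadline is assumed equal to period.
# Constructed sample sets (not from the paper):
HARMONIC = [(1, 2), (1, 4), (2, 8)]      # U = 1.0, periods divide each other
NON_HARMONIC = [(3, 5), (3, 8)]          # U = 0.975, not harmonic


def ll_bound(n):
    """Liu and Layland (1973) sufficient utilization bound for n tasks."""
    return n * (2 ** (1.0 / n) - 1)


def utilization(tasks):
    return sum(c / t for c, t in tasks)


def response_times(tasks):
    """Exact response-time analysis (Audsley et al. 1993) under rate-monotonic
    priorities: shorter period means higher priority. Returns a list with the
    worst-case response time of each task (in period order) or None where the
    task misses its deadline."""
    ordered = sorted(tasks, key=lambda ct: ct[1])
    result = []
    for i, (c_i, t_i) in enumerate(ordered):
        higher = ordered[:i]
        r = c_i
        while True:
            # Own execution plus interference from every higher-priority job
            # released within the current response-time estimate.
            r_next = c_i + sum(ceil(r / t_j) * c_j for c_j, t_j in higher)
            if r_next > t_i:
                result.append(None)          # deadline miss
                break
            if r_next == r:
                result.append(r)             # fixed point reached
                break
            r = r_next
    return result


def schedulable(tasks):
    return all(r is not None for r in response_times(tasks))


def passes_ll_bound(tasks):
    return utilization(tasks) <= ll_bound(len(tasks))


if __name__ == "__main__":
    for name, ts in (("harmonic", HARMONIC), ("non-harmonic", NON_HARMONIC)):
        print(name, "U=%.3f" % utilization(ts),
              "LL-bound=%.3f" % ll_bound(len(ts)),
              "passes bound:", passes_ll_bound(ts),
              "response times:", response_times(ts),
              "schedulable:", schedulable(ts))
```

Both sets exceed the utilization bound, so the bound test rejects them; response-time analysis separates them, accepting the harmonic set (response times 1, 2 and 8) and rejecting the non-harmonic one, whose second task's response time grows past its period of 8. The same exact analysis is the natural place to account for the extra execution time of a flush task when extending the model to the paper's setting.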
References
Ahmed Q, Vrbsky S (1998) Maintaining security in firm real-time database systems. In Proceedings 14th annual computer security applications conference, pp 83–90
Audsley AN, Burns A, Richardson M, Tindell K (1993) Applying new scheduling theory to static priority pre-emptive scheduling. Softw Eng J 8:284–292
Checkoway S, McCoy D, Kantor B, Anderson D, Shacham H, Savage S, Koscher K, Czeskis A, Roesner F, Kohno T (2011) Comprehensive experimental analyses of automotive attack surfaces. In USENIX security
Cormen TH, Leiserson CE, Rivest RL (1993) Introduction to algorithms. MIT Press, Cambridge
Denning DE (1976) A lattice model of secure information flow. Commun ACM 19(5):236–243
European Organisation for Civil Aviation Electronics (1992) DO-178B: software considerations in airborne systems and equipment certification
Falliere N, Murchu L and EC (Symantec) (2011) W32.stuxnet dossier. http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf
Goguen J, Meseguer J (1982) Security policies and security models. In IEEE symposium on security and privacy, pp 11–20
Northrop Grumman. RePLACE. http://www.northropgrumman.com/Capabilities/RePLACE/Pages/default.aspx
Northrop Grumman. Reverse engineering for large applications. http://www.northropgrumman.com/Capabilities/RELA/Pages/default.aspx
Hu W-M (1991) Reducing timing channels with fuzzy time. In Proceedings IEEE computer society symposium on 1991, research in security and privacy, pp 8–20
Hu W-M (1992) Lattice scheduling and covert channels. In Proceedings of the IEEE symposium on security and privacy
Intel Corporation (2015) Intel product specifications. http://ark.intel.com
Kim T, Peinado M, Mainar-Ruiz G (2012) Stealthmem: system-level protection against cache-based side channel attacks in the cloud. In Proceedings of the 21st USENIX conference on security symposium, Security’12, USENIX Association, Berkeley, pp 11–11
Kocher P, Lee R, McGraw G, Raghunathan A, Ravi S (2004) Security as a new dimension in embedded system design. In Proceedings of the 41st annual conference on design automation, pp 753–760
Kocher PC (1996) Timing attacks on implementations of diffie-hellman, RSA, DSS, and other systems. In Proceedings advances in cryptology—CRYPTO ’96, 16th annual international cryptology conference, Santa Barbara, California, USA, Aug 18–22, 1996, vol 1109 of Lecture Notes in Computer Science, Springer, New York, pp 104–113
Koscher K, Czeskis A, Roesner F, Patel S, Kohno T, Checkoway S, McCoy D, Kantor B, Anderson D, Shacham H, Savage S (2010) Experimental security analysis of a modern automobile. In IEEE symposium on security and privacy (SP), pp 447–462
Lin M, Xu L, Yang L, Qin X, Zheng N, Wu Z, Qiu M (2009) Static security optimization for real-time systems. IEEE Trans Ind Inform 5(1):22–37
Liu CL, Layland JW (1973) Scheduling algorithms for multiprogramming in a hard-real-time environment. J ACM 20(1):46–61
Liu J (2000) Real-time systems. Prentice Hall, Upper Saddle River
Mohan S, Bak S, Betti E, Yun H, Sha L, Caccamo M (2013) S3A: secure system simplex architecture for enhanced security and robustness of cyber-physical systems. In ACM Conference on High Confidence Networked Systems
Mohan S, Yoon M, Pellizzoni R, Bobba R (2014) Real-time systems security through scheduler constraints. In 26th Euromicro Conference on Real-Time Systems, ECRTS 2014, Madrid, Spain, 8–11 July 2014, pp 129–140
Nam M-Y, Pellizzoni R, Sha L, Bradford R (2009) Asiist: application specific i/o integration support tool for real-time bus architecture designs. In 14th IEEE international conference on engineering of complex computer systems, pp 11–22
Orlin J (2013) Max flows in O(nm) time, or better. In Proceedings of the ACM symposium on theory of computing (STOC13), Palo Alto
Percival C (2005) Cache missing for fun and profit. In Proceedings of BSDCan
Rajkumar R, Sha L, Lehoczky J (1988) Real-time synchronization protocols for multiprocessors. In IEEE real-time systems symposium, pp 259–269
Reinhardt D (2006) Certification criteria for emulation technology in the australian defence force military avionics context. In Proceedings of the Eleventh Australian Workshop on Safety Critical Systems and Software, Vol 69, SCS ’06, Australian Computer Society Inc, Darlinghurst, Australia, pp 79–92
Sampigethaya K, Poovendran R, Bushnell L (2008) Secure operation, control, and maintenance of future E-enabled airplanes. IEEE Proc 96(12):1992–2007
Shepard D, Bhatti J, Humphreys T (2012) Drone hack: spoofing attack demonstration on a civilian unmanned aerial vehicle. GPS World
Shi W, Lee H-HS, Falk L, Ghosh M (2006) An integrated framework for dependable and revivable architectures using multicore processors. In Proceedings of the 33rd annual international symposium on Computer Architecture, ISCA ’06, pp 102–113
Son J, Alves-Foss J (2006) Covert timing channel analysis of rate monotonic real-time scheduling algorithm in mls systems. In IEEE on information assurance workshop, pp 361–368
Son S (1997) Supporting timeliness and security in real-time database systems. In Proceedings Ninth euromicro workshop on real-time systems, pp 266–273
Son S, Chaney C, Thomlinson N (1998) Partial security policies to support timeliness in secure real-time databases. In Proceedings IEEE symposium on security and privacy, pp 136–147
Son S, Mukkamala R, David R (2000) Integrating security and real-time requirements using covert channel capacity. IEEE Trans Knowl Data Eng 12(6):865–879
Suh GE, Lee JW, Zhang D, Devadas S (2004) Secure program execution via dynamic information flow tracking. In Proceedings of the 11th international conference on architectural support for programming languages and operating systems, ASPLOS-XI, pp 85–96
Teso H (2013) Aircraft hacking. In Fourth Annual HITB security conference in Europe
Völp M, Engel B, Hamann C-J, Härtig H (2013) On confidentiality preserving real-time locking protocols. In IEEE real-time embedded technology and applications symposium
Völp M, Hamann C-J, Härtig H (2008) Avoiding timing channels in fixed-priority schedulers. In ACM symposium on information, computer and communication security, ACM, New York, pp 44–55
Xie T, Qin X (2007) Improving security for periodic tasks in embedded systems through scheduling. ACM Trans Embed Comput Syst 6(3):20
Yomsi PM, Sorel Y (2007) Extending rate monotonic analysis with exact cost of preemptions for hard real-time systems. In Euromicro Conference on Real-Time Systems (ECRTS), 2007 19th IEEE, pp 280–290
Yoon M-K, Mohan S, Choi J, Kim J-E, Sha L (2013) SecureCore: a multicore based intrusion detection architecture for real-time embedded systems. In IEEE real-time embedded technology and applications symposium
Zimmer C, Bhatt B, Mueller F, Mohan S (2010) Time-based intrusion detection in cyber-physical systems. In International conference on cyber-physical systems
Acknowledgments
This work is supported in part by a grant from the U.S. Office of Naval Research (ONR; N00014-13-1-0707). Any opinions, findings, and conclusions or recommendations expressed here are those of the authors and do not necessarily reflect the views of the sponsors.
Additional information
This paper is an extended version of one that was previously published in ECRTS 2014 (Mohan et al. 2014). The main changes/differences are: (a) we elaborate more on the adversary model, the system model and motivations for both in Sects. II and III; (b) we have updated the analysis in Sect. IV—the graph-based algorithm now computes the upper bounds on the number of invocations of the flush task in polynomial time instead of pseudo-polynomial time (as was the case with the previous paper); (c) a new Sect. (VI-D) compares the performance of the two graph algorithms—the original one (Mohan et al. 2014) and the more efficient one presented in this paper and (d) other editorial changes to most sections, especially the introduction, abstract and conclusion.
Cite this article
Mohan, S., Yoon, MK., Pellizzoni, R. et al. Integrating security constraints into fixed priority real-time schedulers. Real-Time Syst 52, 644–674 (2016). https://doi.org/10.1007/s11241-016-9252-5