
Integrating security constraints into fixed priority real-time schedulers


Abstract

Traditionally, most real-time systems (RTS) were considered to be invulnerable to security breaches and external attacks. This was mainly due to the use of proprietary hardware and protocols in such systems along with physical isolation. Hence, security and RTS were considered to be separate domains. This assumption is being challenged by recent events that highlight the vulnerabilities in such systems. In this paper, we focus on how to integrate security as a first-class principle in the design of RTS. We demonstrate how certain security requirements can be cast as real-time scheduling constraints. We use information leakage as a motivating problem to illustrate our techniques and focus on the class of fixed-priority real-time schedulers. We evaluate our approach both analytically as well as using simulations and discuss the tradeoffs in using such an approach. Our work shows that many real-time task sets can be scheduled using our methods without significant performance impact.


Notes

  1. Information leakage happens when sensitive data leaks to unauthorized or unintended parties from a system that is supposed to be closed or secure.

  2. A covert channel is an unintended and unauthorized channel for information transfer between two processes. A covert timing channel refers to a covert channel where information is transmitted to the receiving process by varying the timing of actions or resource usage.

  3. Other than the processor core, of course.

  4. While earlier work (Mohan et al. 2014) presented these methods and analyses, we expand on this to improve the efficiency of the analysis—see Sect. 6.4.

  5. Sometimes referred to as “storage channels with timing exploitation”.

  6. We will discuss techniques to avoid an inordinate number of cache flushes later on in the paper.

  7. We will relax this assumption later in the paper to obtain tighter bounds.

  8. Note that a PF technique that invokes a FT during both high-to-low and low-to-high task transitions can essentially support security labels that form a partial order. This is because when a security label \(s_i\) is unrelated to \(s_j\), information leakage should not be allowed in either direction.

  9. Essentially, to flush and refill the cache.

  10. As an example, a 6th generation Intel Core i7 processor (Intel Corporation 2015) has an 8 MB Level 3 cache and up to 31.128 GB/s memory bandwidth. This results in a best-case time of \(257\, \mu s\) to flush the entire L3 cache content to main memory. We further experimented with a Xilinx FPGA platform using an ARM Cortex A9 hard core processor to obtain experimental measurements on an embedded system. Using the available flushing functionality in the cache controller, we measured a worst-case running time for FT equal to \(380\, \mu s\).

  11. We get these bounds based on the upper bounds on the number of preemptions for basic and non-preemptive FP algorithms.

  12. While the typical schedulability tests for FP put the theoretical upper bound at \(69~\%\) (Liu and Layland 1973), it is possible for FP to schedule task sets with higher utilizations—e.g., if they are harmonic in nature.

  13. We also saw similar trends for other values of \(c_{ft}\) but omit them here since they do not add any new information.

  14. We generated new task sets since the number of task sets in the original evaluation was not enough to show the differences in running times.
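Notes 7, 8, 10 and 11 describe the mechanism the paper builds on: a flush task (FT) of cost \(c_{ft}\) is inserted at a high-to-low transition between tasks (or at any label change when labels only form a partial order), and the number of such invocations decides the scheduling overhead. The Python simulation below is an added illustration, not the paper's own algorithm or analysis: it runs a fixed-priority schedule over one hyperperiod, inserts FT at insecure transitions, and reports the flush count and deadline misses. The task set, the names `TASKS`/`simulate`, and the assumption that FT runs to completion are mine.

```python
from functools import reduce
from math import gcd

# Constructed example task set (not from the paper): (name, period, wcet, label).
# Deadlines equal periods, priorities are rate monotonic and a larger label means
# a more sensitive task, so running "lo" right after "hi" is a high-to-low transition.
TASKS = [("hi", 5, 1, 2), ("mid", 10, 2, 1), ("lo", 10, 3, 0)]

def hyperperiod(tasks):
    return reduce(lambda a, b: a * b // gcd(a, b), (t[1] for t in tasks))

def simulate(tasks, c_ft, both_directions=False):
    """Tick-based fixed-priority preemptive schedule over one hyperperiod.
    A flush task (FT) of c_ft ticks runs before a job whenever the previous job
    on the CPU had a higher label; both_directions=True flushes on any label
    change (partial-order labels). Assumed: FT is never preempted and the cache
    counts as clean once it finishes."""
    tasks = sorted(tasks, key=lambda t: t[1])   # rate-monotonic priority order
    remaining = [0] * len(tasks)                # unfinished work of each task's job
    flushes = misses = flush_left = 0
    last_label = None                           # None: cache holds no job's data
    trace = []
    for t in range(hyperperiod(tasks)):
        for i, (_, period, wcet, _) in enumerate(tasks):
            if t % period == 0:                 # job release
                if remaining[i] > 0:            # previous job unfinished: deadline miss
                    misses += 1
                remaining[i] = wcet
        ready = [i for i in range(len(tasks)) if remaining[i] > 0]
        if not ready:
            trace.append("idle")
            continue
        i = ready[0]                            # highest-priority ready job
        label = tasks[i][3]
        if flush_left == 0 and last_label is not None and (
                label < last_label or (both_directions and label != last_label)):
            flushes += 1                        # insecure transition: insert FT
            flush_left = c_ft
        if flush_left:
            flush_left -= 1
            trace.append("FT")
            if flush_left == 0:
                last_label = None
            continue
        remaining[i] -= 1
        last_label = label
        trace.append(tasks[i][0])
    misses += sum(1 for r in remaining if r > 0)  # still open at the hyperperiod end
    return {"flushes": flushes, "misses": misses, "trace": trace}
```

With `c_ft=1` every job of `TASKS` completes with three flushes; with `c_ft=2` the flush overhead already costs the lowest-priority task its deadline, which is the tradeoff the paper's analysis bounds.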

References

  1. Ahmed Q, Vrbsky S (1998) Maintaining security in firm real-time database systems. In: Proceedings of the 14th annual computer security applications conference, pp 83–90

  2. Audsley AN, Burns A, Richardson M, Tindell K (1993) Applying new scheduling theory to static priority pre-emptive scheduling. Softw Eng J 8:284–292

  3. Checkoway S, McCoy D, Kantor B, Anderson D, Shacham H, Savage S, Koscher K, Czeskis A, Roesner F, Kohno T (2011) Comprehensive experimental analyses of automotive attack surfaces. In: USENIX security symposium

  4. Cormen T, Leiserson C, Rivest R (1993) Introduction to algorithms. MIT Press, Cambridge

  5. Denning DE (1976) A lattice model of secure information flow. Commun ACM 19(5):236–243

  6. European Organisation for Civil Aviation Electronics (1992) DO-178B: software considerations in airborne systems and equipment certification

  7. Falliere N, O Murchu L, Chien E (Symantec) (2011) W32.Stuxnet dossier. http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf

  8. Goguen J, Meseguer J (1982) Security policies and security models. In: IEEE symposium on security and privacy, pp 11–20

  9. Northrop Grumman. RePLACE. http://www.northropgrumman.com/Capabilities/RePLACE/Pages/default.aspx

  10. Northrop Grumman. Reverse engineering for large applications. http://www.northropgrumman.com/Capabilities/RELA/Pages/default.aspx

  11. Hu W-M (1991) Reducing timing channels with fuzzy time. In: Proceedings of the 1991 IEEE computer society symposium on research in security and privacy, pp 8–20

  12. Hu W-M (1992) Lattice scheduling and covert channels. In: Proceedings of the IEEE symposium on security and privacy

  13. Intel Corporation (2015) Intel product specifications. http://ark.intel.com

  14. Kim T, Peinado M, Mainar-Ruiz G (2012) StealthMem: system-level protection against cache-based side channel attacks in the cloud. In: Proceedings of the 21st USENIX security symposium (Security ’12), USENIX Association, Berkeley

  15. Kocher P, Lee R, McGraw G, Raghunathan A, Ravi S (2004) Security as a new dimension in embedded system design. In: Proceedings of the 41st annual design automation conference, pp 753–760

  16. Kocher PC (1996) Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems. In: Advances in cryptology—CRYPTO ’96, 16th annual international cryptology conference, Santa Barbara, California, USA, Aug 18–22, 1996. Lecture Notes in Computer Science, vol 1109, Springer, New York, pp 104–113

  17. Koscher K, Czeskis A, Roesner F, Patel S, Kohno T, Checkoway S, McCoy D, Kantor B, Anderson D, Shacham H, Savage S (2010) Experimental security analysis of a modern automobile. In: IEEE symposium on security and privacy (SP), pp 447–462

  18. Lin M, Xu L, Yang L, Qin X, Zheng N, Wu Z, Qiu M (2009) Static security optimization for real-time systems. IEEE Trans Ind Inform 5(1):22–37

  19. Liu CL, Layland JW (1973) Scheduling algorithms for multiprogramming in a hard-real-time environment. J ACM 20(1):46–61

  20. Liu J (2000) Real-time systems. Prentice Hall, Upper Saddle River

  21. Mohan S, Bak S, Betti E, Yun H, Sha L, Caccamo M (2013) S3A: secure system simplex architecture for enhanced security and robustness of cyber-physical systems. In: ACM conference on high confidence networked systems

  22. Mohan S, Yoon M, Pellizzoni R, Bobba R (2014) Real-time systems security through scheduler constraints. In: 26th Euromicro conference on real-time systems (ECRTS 2014), Madrid, Spain, 8–11 July 2014, pp 129–140

  23. Nam M-Y, Pellizzoni R, Sha L, Bradford R (2009) ASIIST: application specific I/O integration support tool for real-time bus architecture designs. In: 14th IEEE international conference on engineering of complex computer systems, pp 11–22

  24. Orlin J (2013) Max flows in O(nm) time, or better. In: Proceedings of the ACM symposium on theory of computing (STOC ’13), Palo Alto

  25. Percival C (2005) Cache missing for fun and profit. In: Proceedings of BSDCan

  26. Rajkumar R, Sha L, Lehoczky J (1988) Real-time synchronization protocols for multiprocessors. In: IEEE real-time systems symposium, pp 259–269

  27. Reinhardt D (2006) Certification criteria for emulation technology in the Australian Defence Force military avionics context. In: Proceedings of the eleventh Australian workshop on safety critical systems and software (SCS ’06), vol 69, Australian Computer Society Inc, Darlinghurst, Australia, pp 79–92

  28. Sampigethaya K, Poovendran R, Bushnell L (2008) Secure operation, control, and maintenance of future e-enabled airplanes. Proc IEEE 96(12):1992–2007

  29. Shepard D, Bhatti J, Humphreys T (2012) Drone hack: spoofing attack demonstration on a civilian unmanned aerial vehicle. GPS World

  30. Shi W, Lee H-HS, Falk L, Ghosh M (2006) An integrated framework for dependable and revivable architectures using multicore processors. In: Proceedings of the 33rd annual international symposium on computer architecture (ISCA ’06), pp 102–113

  31. Son J, Alves-Foss J (2006) Covert timing channel analysis of rate monotonic real-time scheduling algorithm in MLS systems. In: IEEE information assurance workshop, pp 361–368

  32. Son S (1997) Supporting timeliness and security in real-time database systems. In: Proceedings of the ninth Euromicro workshop on real-time systems, pp 266–273

  33. Son S, Chaney C, Thomlinson N (1998) Partial security policies to support timeliness in secure real-time databases. In: Proceedings of the IEEE symposium on security and privacy, pp 136–147

  34. Son S, Mukkamala R, David R (2000) Integrating security and real-time requirements using covert channel capacity. IEEE Trans Knowl Data Eng 12(6):865–879

  35. Suh GE, Lee JW, Zhang D, Devadas S (2004) Secure program execution via dynamic information flow tracking. In: Proceedings of the 11th international conference on architectural support for programming languages and operating systems (ASPLOS-XI), pp 85–96

  36. Teso H (2013) Aircraft hacking. In: Fourth annual HITB security conference in Europe

  37. Völp M, Engel B, Hamann C-J, Härtig H (2013) On confidentiality preserving real-time locking protocols. In: IEEE real-time and embedded technology and applications symposium

  38. Völp M, Hamann C-J, Härtig H (2008) Avoiding timing channels in fixed-priority schedulers. In: ACM symposium on information, computer and communications security, ACM, New York, pp 44–55

  39. Xie T, Qin X (2007) Improving security for periodic tasks in embedded systems through scheduling. ACM Trans Embed Comput Syst 6(3):20

  40. Yomsi PM, Sorel Y (2007) Extending rate monotonic analysis with exact cost of preemptions for hard real-time systems. In: 19th Euromicro conference on real-time systems (ECRTS 2007), pp 280–290

  41. Yoon M-K, Mohan S, Choi J, Kim J-E, Sha L (2013) SecureCore: a multicore based intrusion detection architecture for real-time embedded systems. In: IEEE real-time and embedded technology and applications symposium

  42. Zimmer C, Bhatt B, Mueller F, Mohan S (2010) Time-based intrusion detection in cyber-physical systems. In: International conference on cyber-physical systems


Acknowledgments

This work is supported in part by a grant from the U.S. Office of Naval Research (ONR; N00014-13-1-0707). Any opinions, findings, and conclusions or recommendations expressed here are those of the authors and do not necessarily reflect the views of the sponsors.

Author information

Correspondence to Sibin Mohan.

Additional information

This paper is an extended version of one that was previously published in ECRTS 2014 (Mohan et al. 2014). The main changes/differences are: (a) we elaborate more on the adversary model, the system model and the motivations for both in Sects. II and III; (b) we have updated the analysis in Sect. IV—the graph-based algorithm now computes the upper bounds on the number of invocations of the flush task in polynomial time instead of pseudo-polynomial time (as was the case with the previous paper); (c) a new Sect. VI-D compares the performance of the two graph algorithms, the original one (Mohan et al. 2014) and the more efficient one presented in this paper; and (d) other editorial changes to most sections, especially the introduction, abstract and conclusion.


About this article


Cite this article

Mohan, S., Yoon, M., Pellizzoni, R. et al. Integrating security constraints into fixed priority real-time schedulers. Real-Time Syst 52, 644–674 (2016). https://doi.org/10.1007/s11241-016-9252-5


Keywords

  • Security
  • Real-time systems
  • Scheduling
  • Fixed priority schedulers
  • Information leakage
  • Security for real-time systems