TrackOS: A Security-Aware Real-Time Operating System

  • Lee PikeEmail author
  • Pat Hickey
  • Trevor Elliott
  • Eric Mertens
  • Aaron Tomb
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10012)


We describe an approach to control-flow integrity protection for real-time systems. We present TrackOS, a security-aware real-time operating system. TrackOS checks a task’s control stack against a statically-generated call graph, generated by an abstract interpretation-based tool that requires no source code. The monitoring is done from a dedicated task, the schedule of which is controlled by the real-time operating system scheduler. Finally, we implement a version of software-based attestation (SWATT) to ensure program-data integrity to strengthen our control-flow integrity checks. We demonstrate the feasibility of our approach by monitoring an open source autopilot in flight.


Return Address Call Graph Program Memory Interrupt Service Routine Task Schedule Problem 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.



This work is supported in part by Air Force contract FA8650-11-C-1003. All findings herein are the authors’ alone. Pat Hickey performed the work while at Galois, Inc.


  1. 1.
    Abadi, M., Budiu, M., Erlingsson, Ú., Ligatti, J.: Control-flow integrity principles, implementations, and applications. ACM Trans. Inf. Syst. Secur. 13(1), 1–40 (2009)CrossRefGoogle Scholar
  2. 2.
    Source code, December 2012.
  3. 3.
    Castelluccia, C., Francillon, A., Perito, D., Soriente, C.: On the difficulty of software-based attestation of embedded devices. In: Computer and Communications Security (CCS), pp. 400–409. ACM (2009)Google Scholar
  4. 4.
    Checkoway, S., McCoy, D., Kantor, B., Anderson, D., Shacham, H., Savage, S., Koscher, K., Czeskis, A., Roesner, F., Kohno, T.: Comprehensive experimental analyses of automotive attack surfaces. In: USENIX Security (2011)Google Scholar
  5. 5.
    Cowan, C., Calton, P., Maier, D., Hintony, H., Walpole, J., Bakke, P., Beattie, S., Grier, A., Wagle, P., Zhang, Q.: Stackguard: automatic adaptive detection and prevention of buffer-overflow attacks. In: SSYM 1998: Proceedings of the 7th Conference on USENIX Security Symposium. USENIX Association (1998)Google Scholar
  6. 6.
    de Clercq, R., De Keulenaer, R., Coppens, B., Yang, B., Maene, P., de Bosschere, K., Preneel, B., de Sutter, B., Verbauwhede, S.I.: Software and control flow integrity architecture. In: Proceedings of the 2016 Conference on Design, Automation & Test in Europe (2016)Google Scholar
  7. 7.
    Diatchki, I., Pike, L., Erkök, L.: Practical considerations in control-flow integrity monitoring. In: Proceedings of the The Second International Workshop on Security Testing (SECTEST 2011). IEEE, March 2011Google Scholar
  8. 8.
    Francillon, A., Castelluccia, C.: Code injection attacks on harvard-architecture devices. In: Computer and Communications Security (CCS), pp. 15–26. ACM (2008)Google Scholar
  9. 9.
    Francillon, A., Perito, D., Castelluccia, C.: Defending embedded systems against control flow attacks. In: Proceedings of the First ACM Workshop on Secure execution of Untrusted Code, SecuCode 2009, pp. 19–26. ACM (2009)Google Scholar
  10. 10.
    Frantzen, M., Shuey, M., Stackghost: hardware facilitated stack protection. In: SSYM 2001, Proceedings of the 10th Conference on USENIX Security Symposium (2001)Google Scholar
  11. 11.
    Hofmann, O., Dunn, A.M., Kim, S., Roy, I., Witchel, E.: Ensuring operating system kernel integrity with OSck. In: Architectural Support for Programming Languages and Operating Systems (ASPLOS). ACM (2011)Google Scholar
  12. 12.
    Mohan, S., Bak, S., Betti, E., Yun, H., Sha, L., Caccamo, M., S3A: secure system simplex architecture for enhanced security of cyber-physical systems. CoRR (2012)Google Scholar
  13. 13.
    Perrig, A., van Doorn, L.: Refutation of “on the difficulty of software-based attestation of embedded devices” (2010) (Unpublished).
  14. 14.
    Petroni, Jr., N.L., Hicks, M.: Automated detection of persistent kernel control-flow attacks. In: CCS 2007: Proceedings of the 14th ACM Conference on Computer and Communications Security, pp. 103–115. ACM (2007)Google Scholar
  15. 15.
    Reeves, J., Ramaswamy, A., Locasto, M., Bratus, S., Smith, S.: Lightweight intrusion detection for resource-constrained embedded control systems. In: Butts, J., Shenoi, S. (eds.) ICCIP 2011. IAICT, vol. 367, pp. 31–46. Springer, Heidelberg (2011). doi: 10.1007/978-3-642-24864-1_3 CrossRefGoogle Scholar
  16. 16.
    Regehr, J., Reid, A., Webb, K.: Eliminating stack overflow by abstract interpretation. ACM Trans. Embed. Comput. Syst. 4(4), 751–778 (2005)CrossRefGoogle Scholar
  17. 17.
    Roemer, R., Buchanan, E., Shacham, H., Savage, S.: Return-oriented programming: systems, languages, and applications. ACM Trans. Inf. Syst. Secur. 15(1), 1–34 (2012)CrossRefGoogle Scholar
  18. 18.
    Seshadri, A., Luk, M., Perrig, A., van Doorn, L., Khosla, S.P.: Secure code update by attestation in sensor networks. In: ACM Workshop on Wireless Security (WiSe 2006), September 2006Google Scholar
  19. 19.
    Seshadri, A., Perrig, A., van Doorn, L., Pradeep Khosla, S.: Software-based attestation for embedded devices. In: Proceedings of the IEEE Symposium on Security and Privacy, May 2004Google Scholar
  20. 20.
    Sha, L.: Using simplicity to control complexity. IEEE Softw. 18(4), 20–28 (2001)CrossRefGoogle Scholar
  21. 21.
    Shacham, H., Page, M., Pfaff, B., Goh, E.-J., Modadugu, N., Boneh, D.: On the effectiveness of address-space randomization. In: Proceedings of the 11th ACM Conference on Computer and Communications Security, CCS 2004, pp. 298–307. ACM (2004)Google Scholar
  22. 22.
    Zeng, B., Tan, G., Morrisett, G.: Combining control-flow integrity and static analysis for efficient and validated data sandboxing. In: Proceedings of the 18th ACM Conference on Computer and Communications Security. ACM (2011)Google Scholar

Copyright information

© Springer International Publishing AG 2016

Authors and Affiliations

  • Lee Pike
    • 1
    Email author
  • Pat Hickey
    • 2
  • Trevor Elliott
    • 1
  • Eric Mertens
    • 1
  • Aaron Tomb
    • 1
  1. 1.Galois, Inc.PortlandUSA
  2. 2.HeliumPortlandUSA

Personalised recommendations