A Design-Space Exploration for Allocating Security Tasks in Multicore Real-Time Systems

The increased capabilities of modern real-time systems (RTS) expose them to various security threats. Recently, frameworks that integrate security tasks without perturbing the real-time tasks have been proposed, but they only target single core systems. However, modern RTS are migrating towards multicore platforms. This makes the problem of integrating security mechanisms more complex, as designers now have multiple choices for where to allocate the security tasks. In this paper we propose HYDRA, a design space exploration algorithm that finds an allocation of security tasks for multicore RTS using the concept of opportunistic execution. HYDRA allows security tasks to operate with existing real-time tasks without perturbing system parameters or normal execution patterns, while still meeting the desired monitoring frequency for intrusion detection. Our evaluation uses a representative real-time control system (along with synthetic task sets for a broader exploration) to illustrate the efficacy of HYDRA.

READ FULL TEXT VIEW PDF
POST COMMENT

Comments

There are no comments yet.

Authors

page 1

page 2

page 3

page 4

11/27/2019

Period Adaptation for Continuous Security Monitoring in Multicore Real-Time Systems

We propose a design-time framework (named HYDRA-C) for integrating secur...
04/29/2017

Contego: An Adaptive Framework for Integrating Security Tasks in Real-Time Systems

Embedded real-time systems (RTS) are pervasive. Many modern RTS are expo...
12/07/2020

Real-time monitoring as a supplementary security component of vigilantism in modern network environments

The phenomenon of network vigilantism is autonomously attributed to how ...
03/22/2010

Integrating Real-Time Analysis With The Dendritic Cell Algorithm Through Segmentation

As an immune inspired algorithm, the Dendritic Cell Algorithm (DCA) has ...
01/08/2019

A C-DAG task model for scheduling complex real-time tasks on heterogeneous platforms: preemption matters

Recent commercial hardware platforms for embedded real-time systems feat...
03/01/2020

Securing of Unmanned Aerial Systems (UAS) against security threats using human immune system

UASs form a large part of the fighting ability of the advanced military ...
08/18/2018

Runtime Analysis of Whole-System Provenance

Identifying the root cause and impact of a system intrusion remains a fo...
This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

I Introduction

Real-time systems (RTS) rely on a variety of inputs for their correct operation and have to meet stringent safety and timing requirements. The drive towards remote monitoring and control, increased connectivity through unreliable media such as the Internet and the use of component-based subsystems from different vendors are exposing modern RTS a multitude of threats. A successful attack on systems with real-time properties can have disastrous effects – from loss of human life to damage to the environment and/or hard to replace equipment. A number of high-profile attacks on real systems, (e.g., denial-of-service (DoS) attacks from Internet-of-Things devices [1], Stuxnet [2], BlackEnergy [3], etc.) have shown that the threat is real. Hence it is essential to retrofit existing critical RTS with detection, survival and recovery mechanisms. As the use of multicore platforms in safety-critical real-time systems is increasingly becoming common, the focus of this work is on integrating or retrofitting security mechanisms into multicore RTS. It is not straightforward to retrofit RTS with security mechanisms that were developed for more general purpose computing scenarios since, security mechanisms have to (a) co-exist with the real-time tasks in the system and (b) operate without impacting the timing and safety constraints of the control logic. Further, it may not be feasible to adjust the parameters (such as run-times, period, and execution order, etc.) of real-time tasks to accommodate security tasks. This creates an apparent tension between security and real-time requirements. Unlike single core systems, integrating security into multicore platforms is more challenging since designers have multiple choices across cores to retrofit security mechanisms. For instance, is it better to dedicate a core to all the security tasks or is it better to spread them out (in conjunction with the real-time tasks) and if so, to which cores? Our goal is to improve the security posture of multicore RTS by integrating security mechanisms without violating real-time constraints. Security mechanism could include protection, detection or response mechanisms, depending on the system requirements – for instance, a sensor correlation task (to detect sensor manipulation) or an intrusion detection task. As an illustrative example, consider the open source intrusion detection mechanisms Tripwire [4] and Bro [5] that detect integrity violations in the host and at the network level, respectively111We use Tripwire and Bro as examples of security applications to be integrated into multicore RTS – the ideas presented here apply more broadly.. The default configurations of Tripwire and Bro contain several tasks (see Table I).

*The corresponding application for each of the security tasks is specified in the parenthesis – TR: Tripwire, BR: Bro.
Task Function
Check own binary of the security routine (TR) Compare the hash value of the application binary (e.g., , , etc.)
Check executables (TR) Check hash of the file-system binary (, )
Check critical libraries (TR) Check library hashes ()
Check device and kernel (TR) Check hash of peripherals and kernel information in and
Check config files (TR) Check configuration hashes ()
Monitor network traffic (BR) Scan network interface (e.g., )
TABLE I: Illustration of Security Tasks*

We propose to incorporate security mechanisms into a multicore setup by implementing them as separate sporadic tasks. The challenge then, is to determine the right periods (viz., minimum inter-execution time) and core assignment for the security tasks. It is not trivial to determine the execution frequency and core assignment of security tasks (i.e., what security tasks will execute on which core and with what frequency). For instance, some critical security routines may be required to execute more frequently than others. However, if the frequency of execution is too high then it will use too much of the processor time and lower the system utilization for real-time tasks. Hence, the security mechanism itself might prove to be a hindrance to the system and reduce the overall functionality or worse, negatively impact the system safety. In contrast, if the period is too long, the security task may not always detect violations since attacks could be launched between two instances of the security task. Existing work that integrates security in RTS either focuses on single core systems [6, 7, 8, 9, 10, 11] and/or require modification of system parameters [6, 7, 8, 9, 11, 12] and thus are not applicable for systems where it is harder to change the real-time task parameters. In this paper we introduce HYDRA 222In Greek mythology Hydra is a serpent with multiple heads. We refer to our scheme as HYDRA since we are trying to maximize the potential across multiple ‘heads’ (cores)., a scheme for multicore RTS that finds a suitable assignment of security tasks in order to ensure that they can execute with a frequency close to what a designer expects. The main contributions of this work can be summarized as follows:

  • Integrating security mechanisms in a multicore setup where changing existing real-time task parameters is not an option.

  • A mathematical model to jointly obtain the assignment of security tasks to respective cores with execution frequency close to the desired values (Section III-A).

  • An iterative scheme, HYDRA, that jointly finds the assignment and period of the security tasks (Section III-B).

  • Comparisons of HYDRA with (i) assigning all security tasks to a single dedicated core and (ii) an ‘optimal’ multicore allocation scheme (Section IV).

We evaluate HYDRA with synthetic workloads as well as a representative real-time control system and security applications (Section IV).

Ii System and Security Model

Ii-a Real-time Tasks

Let us consider a multicore platform comprised of identical cores denoted by the set where we schedule a set of independent sporadic real-time tasks. Each real-time task is characterized by the tuple where is the worst-case execution time (WCET), is the minimum separation (e.g., period) between two successive invocations and is the relative deadline. In this work, we consider partitioned fixed-priority preemptive scheduling [13] since (a) it does not introduce task migration costs and (b) it is widely supported in many commercial and open-source real-time OSs (e.g., QNX, OKL4, real-time Linux, etc.). We assume that real-time task priorities are distinct and assigned according to rate monotonic (RM) [14] order. We also assume that tasks have implicit deadline, e.g., . We assume that real-time tasks are schedulable and assigned to the cores using existing multicore task partitioning algorithm [13]. Since the taskset is schedulable, the following necessary condition will hold [15]:

(1)

where the demand bound function computes the cumulative maximum execution requirements of the real-time task and it is defined as follows:

Ii-B Threat Model

In this work we consider a generic threat model where a malicious adversary can use various techniques to attack the RTS. For example, the adversary might intercept the information over the communication channel, forge messages or prevent normal requests from being processed. The adversary can also attack services within the OS, say, could compromise the file system resulting in corrupted information or could delay the delivery of control commands that may cause some tasks to miss deadline. Other than trying to aggressively crash the system, the adversary may utilize side-channels to monitor the system behavior and infer certain system information (e.g., user tasks, thermal profiles, cache information, etc.) that eventually leads to the attacker actively taking control of the system. Our focus is on threats that can be dealt with by integrating additional security tasks. The addition of such tasks may necessitate changing the schedule of real-time tasks as was the case in earlier work [11, 7, 6, 8, 9]. In this work we focus on situations where added security tasks are not allowed to impact the schedule of existing real-time tasks as is often the case when integrating security into existing multicore systems.

Ii-C Security Tasks

Since our goal is to ensure security without any modification of real-time task parameters, we propose to integrate security tasks as independent sporadic tasks. Let us consider additional security tasks denoted by the set . We follow the sporadic security task model [10] and characterize each security task by the tuple where is the WCET, is the best period (minimum inter-arrival time) between successive releases (i.e., is the desired frequency for effective security monitoring and/or intrusion detection) and is the maximum period beyond which security monitoring will not be effective. We assume that periods for security tasks are assigned based on the desired monitoring frequency. Hence if where denotes the priority of . Security tasks also have implicit deadlines (e.g., they are required to complete execution before its period). One fundamental problem while integrating security mechanisms is to determine which security tasks will be assigned to which core and executed when. Although security tasks can execute in any of the available cores and any period is acceptable, the actual task-to-core assignment and the periods of the security tasks are not known apriori. The goal of HYDRA therefore is to jointly find the core-to-task assignment and suitable periods for security tasks.

Iii Assignment of Security Tasks with Period Adaptation

One way to integrate security mechanisms into existing systems without perturbing real-time task behavior is to execute security tasks with the lowest priority as compared to the real-time tasks [10]. Thus security tasks will execute opportunistically in the slack time (e.g., when other real-time tasks are not running). As mentioned earlier, actual periods of the security tasks are not known and we need to adapt the periods within acceptable ranges to optimize the trade-offs between schedulability and defense against intrusions. We measure the security of the system by means of the achievable periodic monitoring and our goal is to minimize the perturbation between the achievable (unknown) period and the given desired period for all security tasks . Therefore we consider the following metric [10]:

(2)

that denotes the tightness of periodic monitoring (e.g., how close the period of the security task is to the desired period) and bounded by . As mentioned earlier, if the interval between consecutive monitoring events is too large, the adversary may remain undetected and harm the system between two invocations of the security task. On the other hand, very frequent execution of security tasks may impact the schedulability of the system (due to higher utilization). The metric in Eq. (2) allows us to measure how close the security tasks are able to get to their desired monitoring frequencies. Note that arbitrarily setting for all (or some) security tasks may lead to the system becoming unschedulable since low-priority security tasks may miss deadlines due to interference from higher priority tasks. Also exhaustively finding all possible acceptable periods for the security tasks for all available cores is not feasible. It will cause an exponential blow-up as numbers of tasks and cores increase. For instance for a given taskset , there is a total of assignments possible (where and denotes set cardinality) and for each combination the period for each security task can be any value within the range . In order to address this combinatorial problem we obtain the periods of the security tasks by framing it as an optimization problem.

Iii-a Formulation as an Optimization Problem

Iii-A1 Objective Function and Bounds on Period

Let us consider the vector

where if is assigned to and otherwise. Recall that our goal is to find a task assignment that minimizes the difference between achievable and desired periods (e.g., maximize the tightness) for all the security tasks. Hence we define the following objective function:

(3)

where is the (unknown) period vector that needs to be determined and reflects the priority (higher priority tasks would have large ). Besides, in order to satisfy the frequency of periodic monitoring, the security task needs to satisfy the following constraint:

(4)

Finally, each security task must be assigned to exactly one core:

Iii-A2 Schedulability Constraint

Since the security tasks are executed with a priority lower that all real-time tasks, they will suffer interference from all real-time and high priority security tasks executing in the same core. Let denote the set of security tasks with a higher priority than . The worst-case release pattern of occurs when and all high-priority tasks are released simultaneously [16]. Using response time analysis [17] we can determine an upper bound to the interference experienced by for a given core as follows:

(5)

where if the real-time task is partitioned to core and otherwise. The first and second term in Eq. (5) represent the amount of interference from real-time and high-priority security tasks, respectively. Note that the assignment of real-time tasks to cores is known by assumption. In order to ensure that each security task will complete its execution before its deadline on its assigned core, the following constraint needs to be satisfied:

(6)

The variables and in the above formulation turn the problem into a

non-linear combinatorial optimization problem

that is NP-hard. We therefore propose an iterative algorithm HYDRA that jointly finds the security tasks’ period and core assignment.

Iii-B Algorithm Development

As mentioned earlier, jointly finding the security task assignment and periods is an NP-hard problem. Even for fixed periods, finding the assignment for security tasks turns the problem to a bin-packing problem that is known to be NP-hard [15]

. Existing partitioning heuristics (

e.g., first-fit, best-fit, etc.) [13] are not directly applicable in our context since the real-time requirements (e.g., minimize the number of cores so that all real-time tasks can meet deadlines) are often different from the security requirements (e.g., execute security tasks more often to improve intrusion detection rate without violating real-time constraints). For a given task and allocation vector , let us rewrite the optimization problem as follows:

(7)

Notice that for a given assignment (see Algorithm 1), the period is the only variable (when the is known) in (see Eq. (5)). Although the period adaptation problem in Eq. (7) is a constraint optimization problem it can be transformed into a convex optimization problem (that is solvable in polynomial time). For details of this reformulation we refer the readers to the Appendix.

0:  Input taskset and the partition of real-time tasks
0:  The security task allocation and periods , if the taskset is schedulable, otherwise.
1:  Initialize
2:  for each security task (from higher to lower priority) do
3:      for each core  do
4:          Solve the optimization problem in Eq. (7)
5:      end for
6:      Let is the set of core(s) for which the optimization problem is feasible
7:      if  then
8:          /* Unable to find suitable period for */
9:          return  
10:      end if
11:      Find the core where is the tightness of obtained for
12:      Set   /* Assign to */
13:      Update period where is the period obtained by solving optimization for
14:  end for
15:  return     /* Return the allocation vector and periods */
Algorithm 1 HYDRA: Task Allocation and Period Adaptation

The proposed HYDRA algorithm (summarized in Algorithm 1) works as follows. We start with the highest priority security task and try to obtain the best period for all available core by solving the period adaptation problem introduced in Eq. (7) (Line 4). If there exists a set of cores for which the optimization problem is feasible (e.g., an optimal period is obtained satisfying the real-time constraint) we pick the core that gives the maximum tightness (Line 11) and allocate the security task to core (Line 12). This will ensure that the more critical security tasks will get a period close to the desired one. We repeat this process for all security tasks to jointly obtain the assignment and periods. If for any security task the set of available cores is empty (e.g., the optimization problem is infeasible) we return the taskset as unschedulable (Line 9) since it is not possible to find any suitable core with given taskset parameters. This unschedulability result will provide hints to the designers to update the parameters of security tasks (and/or the real-time tasks, if possible) in order to integrate security for the target system.

Iv Evaluation

We evaluated HYDRA along two fronts: (i) on parameters derived from a real UAV control system (Section IV-A) and (ii) synthetically generated tasksets to explore the design space (Section IV-B). Recall from Section I that our goal is to explore the possible ways in which security could be integrated in multicore-based real-time platforms. The HYDRA mechanism presented in this paper assumes that the real time tasks are distributed across all available cores. Another design choice available is to allocate a dedicated core for security while the real-time tasks are assigned to the remaining cores. In this Section, we compare HYDRA to this alternate mechanism for security task allocation – that we refer to henceforth as the “SingleCore” allocation mechanism. Given the taskset is schedulable, one of the benefits of the SingleCore scheme is that there is no requirement for assigning security tasks. While evaluating SingleCore, all the real-time tasks are partitioned into cores leaving the other core for security tasks. Notice that in the SingleCore scheme security tasks do not suffer any interference from real-time tasks (e.g., the first term in Eq. (5) is zero). For a given assigned core , the decision variable is known for all and the optimization problem can solved using an approach similar to the one described in the Appendix.

Iv-a Case-study with a UAV Control System and Security Applications

The goal of this experiment was to observe the runtime behavior of HYDRA. For a real-time application, we considered a UAV control system [18]. It includes following real-time tasks (refer to earlier work [18, Tab. 1] for the task parameters): Guidance (selects the reference trajectory), Slow and Fast navigation (read sensor values according to the required update frequency), Controller (executes the closed-loop control functions), Missile control (fires missile) and Reconnaissance (collects sensitive information and send data to the control center). For the security application, we considered Tripwire [4] and Bro [5] that detects integrity violations in the system both at host and network level, respectively (refer to Table I). We executed the security tasks on an 1 GHz ARM Cortex-A8 processor with Xenomai 2.6 [19] patched real-time Linux kernel (version 3.8.13-r72) and used ARM cycle counter registers (e.g., CCNT) to obtain the timing parameters (e.g., WCET). We used [20] library and [21] solver to obtain the periods.

Fig. 1: HYDRA vs. SingleCore: empirical CDF of intrusion detection time. The empirical CDF is defined as where is the total number of experimental observations, is time to detect the attack in at the -th experimental observation and represents the -axis values (e.g., detection time). The indicator function outputs if the condition is satisfied and otherwise.

The work-flow of our experiment was as follows. For each of the trials, we observed the schedule for and during any random time of execution we triggered synthetic attacks333Our goal here is to analyze the security from the scheduling perspective. Thus instead assuming any specific intrusion (or detection capabilities of security tasks), HYDRA allows designer to integrate any security mechanism required to defend targeted attack surfaces. (e.g., that corrupts the file system and network packets). We assume that the intrusions are correctly detected by the security tasks (e.g., there is no false positive/negative errors) and measured the empirical CDF of worst-case detection time. From Fig. 1 we can observe that paralleling security tasks across cores leads to faster intrusion detection time for HYDRA (e.g., higher empirical CDF). From our experiment we found that on average HYDRA can provide , and faster detection rate for , and core system, respectively. While SingleCore scheme does not experience any interference from real-time tasks, however, low priority security tasks can still suffer inference from high priority security tasks. Therefore running security tasks in a single core leads to higher periods and consequently poorer detection time.

Iv-B Experiment with Synthetic Tasksets

We used parameters similar to those in related work [22, 10]. We performed experiments for cores. Each taskset instance contained real-time and security tasks. Each real-time task had periods between . The desired periods for the security tasks were selected from and the maximum allowable period is assumed to be . The real-time tasks are partitioned across multiple cores using a best-fit [13] strategy. In each experiment, the total taskset utilization was varied from to with step size . For a given number of tasks and total system utilization, the utilization of individual tasks were generated from an unbiased set of utilization values using the Randfixedsum algorithm [23]. Total utilization of the security tasks were set to be no more than 30% of the real-time tasks. For each utilization value, we randomly generated tasksets. In other words, for each core configuration a total of tasksets were tested. We only considered tasksets that satisfied the necessary condition in Eq. (1), as any taskset that fails the condition is trivially unschedulable.

Fig. 2: The improvement in acceptance ratio for and core system. The improvement is given by where is the acceptance ratio of scheme .

1. Experiment with Core Assignment Schemes: We compared HYDRA with SingleCore in terms of acceptance ratio. The acceptance ratio is given by the number of schedulable tasksets (e.g., that satisfy all real-time constraints) over the generated ones. The x-axis in Fig. 2 represents the total system utilization (e.g., utilization of both real-time and security tasks). The y-axis represents improvement in acceptance ratio comparing HYDRA with SingleCore for different values of . For lower utilization values both schemes have similar performance (e.g., improvement is zero) since the system has enough slack to execute security tasks. However as we see from the figure, for higher utilization values HYDRA outperforms SingleCore – when all security tasks share a core, it causes more interference and reduces the overall schedulability (e.g., unable to find any solution that respects all the real-time constraints444Note that security tasks also have real-time constraints.). 2. Comparing with Optimal Multicore Assignment: The result of an empirical comparison of HYDRA with an optimal (exhaustive) solution is presented in Fig. 3 where we searched for all possible combinations for a small setup with cores and up to security tasks. To find the optimal solution, we test each of the possible assignments of security tasks to cores. For each assignment, we then determine the value of the period vector that maximizes the cumulative tightness by solving a convex optimization problem in polynomial time (see Appendix). The x-axis of Fig. 3 represents total system utilization and y-axis is the difference in cumulative tightness (e.g., ) for HYDRA and the optimal solutions. As shown in the figure, for low to medium utilization cases, HYDRA’s performance is similar to the optimal solution (e.g., the difference is zero). However for higher utilizations performance degrades. This is because HYDRA follows an iterative best-fit strategy to find the periods (and assignment). Hence for higher utilization values the lower priority tasks may not get periods close to the desired values (and the cumulative tightness degrades). As we see from the figure, the degradation (in cumulative tightness) is no more than and that may be acceptable given the exponential computational complexity of finding an optimal solution.

Fig. 3: Comparing HYDRA with optimal solution: we consider and with other parameters similar to that mentioned in Section IV-B.

V Discussion

While we take a step towards developing a model for integrating security mechanisms into multicore RTS, our initial attempt can be extended into several directions. HYDRA statically partition the tasks to the cores. However in practice security tasks can also move across multiple cores if there is available slack at runtime (for faster detection and better schedulability). While there exists methods for global scheduling policy [13] where tasks can migrate across cores, casting real-time scheduling problems into RTS security domain requires further research. In this work we consider security tasks are independent and preemptive. However some critical security task may require non-preemptive execution to perform desired checking. In addition, depending on the actual implementations of the security routines, the scheduling framework may need to follow certain precedence constraints. For example, in order to ensure that the security application itself has not been compromised, the security application’s own binary may need to be examined first before checking the system binary files. These aspects will be explored in our future work.

Vi Related Work

There has been some work [6, 7, 9, 8] on reconciling the addition of security mechanisms into RTS that considered periodic task scheduling where each task requires a security service whose overhead varies according to the quantifiable level of the service. The issues regarding information leakage through storage channels also addressed in prior research [11]. All of the aforementioned work, however, only consider single core system and require modification of system parameters. A similar line of work [10] to our exists where authors used the concept of hierarchical scheduling proposed to execute the security mechanisms with a lower priority than the real-time tasks for a single core system. Unlike prior work we focus on integrating security in multicore domain. Although not in the context of security in RTS, there exists other work [24, 25] in which the authors statically assign the periods for control tasks. While this previous work focused on single core systems and optimizing period of all the tasks, our goal is to ensure security without violating timing constraints of the real-time tasks in a multicore setup. In contrast to proposed scheduler-level solution, recent work [26, 12, 27] on hardware/software architectural frameworks aim to protect multicore RTS against security vulnerabilities. Compared to our scheme that works for any -core system, these preceding frameworks mainly focus on dual core architecture and require architectural modifications that may not be suitable for existing RTS.

Vii Conclusion

This paper presents an evaluation of a good heuristic mechanism (HYDRA) for assigning security tasks into a multicore RTS. Engineers can now evaluate the design choices of such assignments to improve the overall security (and hence, safety) of systems with real-time requirements. Since we provide comparisons of our solution with two extremes – an ‘optimal’ assignment strategy and isolating all security tasks to a single core – we are able to provide valuable hints to designers on how to build security into such systems.

References

  • [1] J. Westling, “Future of the Internet of things in mission critical applications,” 2016.
  • [2] N. Falliere, L. O. Murchu, and E. Chien, “W32. stuxnet dossier,” White paper, Symantec Corp., Security Response, vol. 5, p. 6, 2011.
  • [3] R. M. Lee, M. J. Assante, and T. Conway, “Analysis of the cyber attack on the ukrainian power grid,” SANS Industrial Control Systems, 2016.
  • [4] “Open source Tripwire,” https://github.com/Tripwire/tripwire-open-source.
  • [5] “The Bro network security monitor,” https://www.bro.org.
  • [6] T. Xie and X. Qin, “Improving security for periodic tasks in embedded systems through scheduling,” ACM TECS, vol. 6, no. 3, p. 20, 2007.
  • [7] M. Lin, L. Xu, L. T. Yang, X. Qin, N. Zheng, Z. Wu, and M. Qiu, “Static security optimization for real-time systems,” IEEE Trans. on Indust. Info., vol. 5, no. 1, pp. 22–37, 2009.
  • [8] X. Zhang, J. Zhan, W. Jiang, Y. Ma, and K. Jiang, “Design optimization of security-sensitive mixed-criticality real-time embedded systems,” in IEEE ReTiMiCS, 2013.
  • [9] K. Jiang, P. Eles, and Z. Peng, “Optimization of secure embedded systems with dynamic task sets,” in DATE, 2013, pp. 1765–1770.
  • [10] M. Hasan, S. Mohan, R. B. Bobba, and R. Pellizzoni, “Exploring opportunistic execution for integrating security into legacy hard real-time systems,” in IEEE RTSS, 2016, pp. 123–134.
  • [11] S. Mohan, M.-K. Yoon, R. Pellizzoni, and R. B. Bobba, “Integrating security constraints into fixed priority real-time schedulers,” RTS Journal, vol. 52, no. 5, pp. 644–674, 2016.
  • [12] M.-K. Yoon, S. Mohan, J. Choi, J.-E. Kim, and L. Sha, “SecureCore: A multicore-based intrusion detection architecture for real-time embedded systems,” in IEEE RTAS, 2013, pp. 21–32.
  • [13] R. I. Davis and A. Burns, “A survey of hard real-time scheduling for multiprocessor systems,” ACM Comput. Surv., vol. 43, no. 4, pp. 35:1–35:44, 2011.
  • [14] C. L. Liu and J. W. Layland, “Scheduling algorithms for multiprogramming in a hard-real-time environment,” JACM, vol. 20, no. 1, pp. 46–61, 1973.
  • [15] S. Baruah and N. Fisher, “The partitioned multiprocessor scheduling of sporadic task systems,” in IEEE RTSS.   IEEE, 2005.
  • [16] N. Audsley, A. Burns, M. Richardson, K. Tindell, and A. J. Wellings, “Applying new scheduling theory to static priority pre-emptive scheduling,” SE Journal, vol. 8, no. 5, pp. 284–292, 1993.
  • [17] M.-K. Yoon, J.-E. Kim, R. Bradford, and L. Sha, “Holistic design parameter optimization of multiple periodic resources in hierarchical scheduling,” in DATE, 2013, pp. 1313–1318.
  • [18] T. Atdelzater, E. M. Atkins, and K. G. Shin, “QoS negotiation in real-time systems and its application to automated flight control,” IEEE TC, vol. 49, no. 11, pp. 1170–1183, 2000.
  • [19] “Xenomai – real-time framework for Linux,” https://xenomai.org.
  • [20] E. Burnell and W. Hoburg, “GPkit software for geometric programming,” 2017. [Online]. Available: https://github.com/hoburg/gpkit
  • [21] L. Vandenberghe, “The CVXOPT linear and quadratic cone program solvers,” 2010. [Online]. Available: http://cvxopt.org/documentation/coneprog.pdf
  • [22] R. I. Davis, A. Burns, J. Marinho, V. Nelis, S. M. Petters, and M. Bertogna, “Global and partitioned multiprocessor fixed priority scheduling with deferred preemption,” ACM TECS, vol. 14, no. 3, pp. 47:1–47:28, 2015.
  • [23] P. Emberson, R. Stafford, and R. I. Davis, “Techniques for the synthesis of multiprocessor tasksets,” in WATERS, 2010, pp. 6–11.
  • [24] E. Bini and A. Cervin, “Delay-aware period assignment in control systems,” in IEEE RTSS, 2008, pp. 291–300.
  • [25] A. Davare, Q. Zhu, M. Di Natale, C. Pinello, S. Kanajan, and A. Sangiovanni-Vincentelli, “Period optimization for hard real-time distributed automotive systems,” in ACM DAC, 2007, pp. 278–283.
  • [26] D. Lo, M. Ismail, T. Chen, and G. E. Suh, “Slack-aware opportunistic monitoring for real-time systems,” in IEEE RTAS, 2014, pp. 203–214.
  • [27] F. Abdi, M. Hasan, S. Mohan, D. Agarwal, and M. Caccamo, “ReSecure: A restart-based security protocol for tightly actuated hard real-time systems,” in IEEE CERTS, 2016, pp. 47–54.
  • [28] S. Boyd, S.-J. Kim, L. Vandenberghe, and A. Hassibi, “A tutorial on geometric programming,” Opt. & Eng., vol. 8, no. 1, pp. 67–127, 2007.
  • [29] S. Boyd and L. Vandenberghe, Convex optimization, 2004.