Contego: An Adaptive Framework for Integrating Security Tasks in Real-Time Systems

Embedded real-time systems (RTS) are pervasive. Many modern RTS are exposed to unknown security flaws, and threats to RTS are growing in both number and sophistication. However, until recently, cyber-security considerations were an afterthought in the design of such systems. Any security mechanisms integrated into RTS must (a) co-exist with the real- time tasks in the system and (b) operate without impacting the timing and safety constraints of the control logic. We introduce Contego, an approach to integrating security tasks into RTS without affecting temporal requirements. Contego is specifically designed for legacy systems, viz., the real-time control systems in which major alterations of the system parameters for constituent tasks is not always feasible. Contego combines the concept of opportunistic execution with hierarchical scheduling to maintain compatibility with legacy systems while still providing flexibility by allowing security tasks to operate in different modes. We also define a metric to measure the effectiveness of such integration. We evaluate Contego using synthetic workloads as well as with an implementation on a realistic embedded platform (an open- source ARM CPU running real-time Linux).

READ FULL TEXT VIEW PDF
POST COMMENT

Comments

There are no comments yet.

Authors

page 1

page 2

page 3

page 4

11/13/2017

A Design-Space Exploration for Allocating Security Tasks in Multicore Real-Time Systems

The increased capabilities of modern real-time systems (RTS) expose them...
11/27/2019

Period Adaptation for Continuous Security Monitoring in Multicore Real-Time Systems

We propose a design-time framework (named HYDRA-C) for integrating secur...
02/23/2021

EscapeWildFire: Assisting People to Escape Wildfires in Real-Time

Over the past couple of decades, the number of wildfires and area of lan...
06/04/2018

REORDER: Securing Dynamic-Priority Real-Time Systems Using Schedule Obfuscation

Modern real-time systems (RTS) are increasingly the focus of security th...
04/09/2021

SchedGuard: Protecting against Schedule Leaks Using Linux Containers

Real-time systems have recently been shown to be vulnerable to timing in...
06/04/2018

Minimizing Event-Handling Latencies in Secure Virtual Machines

Virtualization, after having found widespread adoption in the server and...
12/14/2012

Adaptive Scheduling in Real-Time Systems Through Period Adjustment

Real time system technology traditionally developed for safety critical ...
This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

I Introduction

Embedded real-time systems (RTS) are used to monitor and control physical systems and processes in many domains, e.g., manned and unmanned vehicles including aircraft, spacecraft, unmanned aerial vehicles (UAVs), submarines and self-driving cars, critical infrastructures like the electric grid and process control systems in industrial plants, to name just a few. They rely on a variety of inputs for correct operation and have to meet stringent safety and timing requirements. Failures in RTS can have catastrophic consequences for the environment, the system, and/or human safety [1, 2]. Traditionally, RTS were designed using proprietary protocols, platforms and software and were not connected to the rest of the world, i.e., they were air gapped. As a result cyber-security was not a design priority in such systems. However, the drive towards remote monitoring and control facilitated by the growth of the Internet, the rise in the use of commercial-off-the-shelf (COTS) components, standardized communication protocols and the high value of these systems to adversaries have been challenging the status quo. While safety and fault-tolerance have long been important design considerations in such systems, traditional fault-tolerance techniques that were designed to counter and survive random or accidental faults are not sufficient to deal with cyber-attacks orchestrated by an intelligent and capable adversary. A number of high-profile attacks on real systems, e.g., Stuxnet [3] and attack demonstrations by researchers on automobiles [4, 2] and medical devices [5] have shown that the threat is real. Given the increasing cyber-security risks, it is essential to have a layered defense and integrate resilience against such attacks into the design of controllers and actuators (i.e., embedded RTS). It is also critical to retrofit existing controllers and actuators with protection, detection, survival and recovery mechanisms. However, any security mechanisms have to co-exist with real-time tasks in the system and have to operate without impacting the timing and safety constraints of the control logic. This creates an apparent tension between security requirements (e.g., having enough cycles for effective monitoring and detection) and the timing and safety requirements. For example, how often and how long should a monitoring and detection task run to be effective but not interfere with real-time control or other safety-critical tasks? While this tension could potentially be addressed for newer systems at design time, it is especially challenging in the retrofitting of legacy systems for which the control tasks are already in place and perhaps cannot be modified. Another challenge is to ensure that an adversary cannot easily evade such mechanisms. Further, the deterministic nature of task schedules in RTS may provide attackers with known windows of opportunity in which they can run undetected [6, 7]. In order to integrate security mechanisms into RTS, performance criteria such as frequency of monitoring and responsiveness must be considered. For example, security tasks111We use the terms security tasks, intrusion detection tasks and monitoring tasks interchangeably throughout the paper. may need to be executed quite frequently to provide good protection. If the interval between consecutive monitoring events is too large, then an attacker may remain undetected and cause harm to the system between two invocations of the security task. In contrast, if the security tasks are executed very frequently, it may impact the schedulability (i.e., timely execution) of the real-time tasks [8]. In some circumstances a security task may need to complete with less interference (e.g., better responsiveness) from higher-priority real-time tasks. As an example, consider the scenario in which a security breach is suspected and a security task may be required to perform more fine-grained checking instead of waiting for its next execution slot. At the same time, the scheduling policy needs to ensure that the system does not violate real-time constraints for critical, high-priority control tasks. Our focus in this work is on retrofitting security mechanisms into legacy RTS, for which modification of existing real-time tasks’ parameters (such as run-times, period, task execution order, etc.) is not always feasible. In contrast to existing mechanisms [9, 10], the proposed method does not require any architectural modifications and hence is particularity suitable for systems designed using COTS components. The framework developed in this paper is based on our earlier work [11] in which we proposed to incorporate monitoring and detection mechanisms by implementing them as separate sporadic tasks and executing them opportunistically, that is, with the lowest priority so that real-time tasks are not affected. However, if the security tasks always execute with lowest priority, they suffer more interference (i.e., preemption from high-priority real-time tasks) and the consequent longer detection time (due to poor response time) will make the security mechanisms less effective. In order to provide better responsiveness and increase the effectiveness of monitoring and detection mechanisms, we now propose a multi-mode framework called Contego 222A preliminary version [12] of this work was presented at a workshop without published proceedings.. For the most part, Contego executes in a PASSIVE mode with opportunistic execution of intrusion detection tasks as before [11]. However, Contego will switch to an ACTIVE mode of operation to perform additional checks as needed (e.g., fine-grained analysis, used as an example in Section VI-B). This ACTIVE mode potentially executes with higher priority, while ensuring the schedulability of real-time tasks. Thus Contego subsumes the approach in our earlier work [11] and provides faster detection. The contributions of this paper can be summarized as follows:

  • We introduce Contego, an extensible framework to integrate security tasks into legacy RTS (Section II).

  • Contego allows the security tasks to execute with minimal perturbation of the scheduling order of the real-time tasks while guaranteeing their timing constraints (Sections IVV). The proposed method can adapt to changes due to malicious activities by switching its mode of operation.

  • We propose a metric to measure the security posture of the system in terms of frequency of execution (Section III).

  • We evaluate the schedulability and security of the proposed approach using a range of synthetic task sets and a prototype implementation on an ARM-based development board with real-time Linux (Section VI).

Ii Security and System Model

Ii-a Attack Model

RTS face threats in various forms, depending on the system and the goals of an adversary. For example, adversaries may insert, eavesdrop on or modify messages exchanged by system components, may manipulate the processing of sensor inputs and actuator commands and/or could try to modify the control flow of the system [10]. Further, rather than try to crash the system aggressively, an intruder in reconnaissance mode may want to monitor the system behavior and gather information for later use. For instance, an intruder may utilize side-channels to monitor the system behavior and infer system information (e.g., hardware/software architecture, user tasks and thermal profiles, etc.) that may eventually help maximize the impact of an attack [6]. While the class of attacks can be broadened, for illustrative examples let us consider the following adversarial capabilities:

  1. Integrity violation: An adversary can get a foothold in the system [6, 7]. For example, an adversary may insert a malicious task that respects the real-time guarantees of the system to avoid immediate detection, and/or compromise one or more existing real-time tasks. Such a task can be used to manipulate sensor inputs and actuator commands for instance and/or modify system behavior in undesirable ways.

  2. Denial of Service (DoS): The attacker may take control of the real-time task(s) and perform system-level resource (e.g., CPU, disk, memory, etc.) exhaustion. In particular, when critical tasks are scheduled to run an advanced attacker may capture I/O or network ports and perform network-level attacks to tamper with the confidentiality and integrity (viz., safety) of the system.

Threats to communications are usually dealt with by integrating cryptographic protection mechanisms. From an RTS perspective this increases the execution time of existing real-time tasks [13, 14]. Contego is different from earlier work in which integration of security impacted the schedulability [15, 16, 17], required modification of the existing schedulers [13, 14], or necessitated architectural modifications [9, 10]. In this work, we focus on incorporating security mechanisms into legacy systems in which added security tasks are not allowed to violate the temporal requirements (in either the PASSIVE or ACTIVE modes) and must have minimal impact on the schedule of existing real-time tasks. Let us consider an RTS (say an avionics electronic control unit) developed using a multi-vendor model [17], viz., its components are manufactured and integrated by different vendors. For example, tasks in the system component manufactured by vendor

are very sensitive and considered classified or mission-critical (

e.g., images captured by the camera on the surveillance UAV). It may be undesirable for any vendor to gain unintended information about sensitive contents, even if, say, vendor is trusted with control tasks for controlling the RTS. Similarly, the control laws from vendor may contain a proprietary algorithm and vendor may not want other vendors to gain knowledge about the algorithm. Protected communications and network monitoring/detection mechanisms are necessary but insufficient to deal with such threats. Therefore, additional security tasks may need to be added into the system to deal with such threats [8]. The security mechanisms could be protection, detection or response mechanisms, depending on the system requirements. For example, a sensor measurement correlation task may be added to detect sensor manipulation, a change detection task may be added to detect intrusions or additional state-cleansing tasks [16, 17, 15] can be added to deal with stealthy adversaries trying to glean sensitive information through side channels. It is worth mentioning that the addition of such security mechanisms may necessitate changes to the schedule of real-time tasks [13, 14, 16, 17, 15]. In contrast, Contego aims to integrate such security tasks without impacting the timeliness constraints (i.e., schedulability) required for safe operation (in both modes) and retaining the original schedule of real-time tasks most of the time (e.g., in PASSIVE mode when security tasks are executing opportunistically with lowest priority). We highlight that rather than designing specific intrusion detection tasks that target specific attack behaviors, the generic framework proposed in this work allows one to integrate a given security mechanism (referred to as security tasks) into the system without perturbing the system parameters (e.g., period of the real-time tasks, execution order, etc.).

Ii-B Overview of Contego

Fig. 1: Contego: Flow of operations depicting the PASSIVE and ACTIVE modes for the security tasks.

As illustrated in Fig. 1, Contego improves the security posture of the system (that contains a set of real-time tasks) by integrating additional security tasks and allowing them to execute in two different modes (viz., PASSIVE and ACTIVE). If the system is deemed to be clean (i.e., not compromised), security routines can execute opportunistically333Which is also the default mode of operation. (e.g., when other real-time tasks are not running). However if any anomaly or unusual behavior is suspected, the security policy may switch to ACTIVE mode (e.g., more fine-grained checking or response) and execute with higher priority for a limited amount of time (since our goal is to ensure security with minimum perturbation of the scheduling order of the real-time tasks). The security routines may go back to normal (e.g., PASSIVE) mode if:

  • No anomalous activity is found within a predefined time duration, say ; or

  • The intrusion is detected and malicious entities are removed (or an alarm triggered if human intervention is required).

Although we allow the security tasks to execute with higher priority than some of the real-time tasks in ACTIVE mode, the proposed framework ensures that the timeliness constraints (e.g., deadlines) for all of the real-time tasks are always satisfied in both modes. By using this strategy, Contego not only enables compatibility with legacy systems (e.g., in normal situation real-time scheduling order is not perturbed), but also provides flexibility to promptly deal with anomalous behaviors (i.e., the security tasks are promoted to higher priority so that they can experience less preemption and achieve better response times).

Ii-C System Model

Ii-C1 Real-Time Tasks

In this paper we consider the widely used fixed-priority sporadic task model [18]. Let us consider a uniprocessor system consisting of fixed-priority sporadic real-time tasks . Each real-time task is characterized by , where is the WCET, is the minimum inter-arrival time (or period) between successive releases and is the relative deadline. We assume that priorities are distinct and assigned according to the rate monotonic (RM) [19] order. The processor utilization of is defined as . Let and denote the sets of real-time tasks that have higher and lower priority than , respectively. We assume that the real-time task-set is schedulable by a fixed-priority preemptive scheduling algorithm. Therefore, the worst-case response time is less than or equal to the deadline and the following inequality is satisfied for all tasks : , where is obtained by the following recurrence relation [20]:

(1)

In Eq. (1), is the worst-case interference to due to preemption by the tasks with higher priority than (e.g., ). The recurrence will have a solution if for some .

Ii-C2 Security Tasks

With a view of integrating security into the system, let us add additional fixed-priority security tasks that will be executed in PASSIVE and ACTIVE modes. We model PASSIVE and ACTIVE mode security tasks as independent sporadic tasks. The PASSIVE and ACTIVE mode tasks are denoted by the sets and , respectively. We assume that security tasks in both modes follow RM priority order. Each security task is characterized by the tuple , where is the WCET, is the most desired period between successive releases (hence is the desired execution frequency of a security routine) and is the maximum allowable period beyond which security checking by may not be effective. The parameter is a designer-provided weighting factor that may reflect the criticality of the security task444As an example, the default configuration of Tripwire [21], an intrusion detection system (IDS) for Linux that we use as case study in Section VI-B, has different criticality levels (viz., weights), i.e., High (for scanning files that are significant points of vulnerability), Medium (for non-critical files that are of significant security impact) and so forth. . Critical security tasks would have larger . The security tasks have implicit deadlines, e.g., that implies security tasks should complete before their next monitoring instance. We do not make any specific assumptions about the security tasks in different modes. For instance, both PASSIVE and ACTIVE mode task-sets may contain completely different sets of tasks (e.g., ) or may contain (partially) identical tasks with different parameters (e.g., period and/or criticality requirements). In PASSIVE mode, security tasks are executed with lower priority than the real-time tasks. Hence the security tasks do not have any impact on real-time tasks and cannot perturb the real-time scheduling order. In ACTIVE mode, we allow the security tasks to execute with a priority higher than that of certain low priority real-time tasks. This provides us with a trade-off mechanism between security (e.g., responsiveness) and system constraints (e.g., scheduling order of real-time tasks). Since the task priorities are distinct, there are priority-levels for real-time tasks (indexed from to where level is the highest priority). Among the priority-levels, we assume that ACTIVE mode security tasks can execute with a priority-level up to . Although any period within the range is acceptable for PASSIVE (e.g., ) and ACTIVE (e.g., ) mode security tasks, the actual period is not known a priori. Furthermore, for ACTIVE mode security tasks (e.g., ), we need to find out the suitable priority level . Therefore our goal is to find the suitable period (for both PASSIVE and ACTIVE mode security tasks) as well as the priority-level (for ACTIVE mode security tasks) that achieve the best trade-off between schedulability and defense against security breaches without violating the real-time constraints.

Iii Period Adaptation

As already mentioned, one fundamental problem in integrating security tasks is to determine which security tasks will be running when. This brings up the challenge of determining the right periods (viz., the minimum inter-execution times) for the security tasks. For instance, some critical security routines may be required to execute more frequently than others. However, if the period is too short (e.g., the security task repeats too often) then it will use too much of the processor time and eventually lower the overall system utilization. As a result, the security mechanism itself might prove to be a hindrance to the system and reduce the overall functionality or, worse, safety. In contrast, if the period is too long, the security task may not always detect violations, since attacks could be launched between two instances of the security task. One may wonder why we cannot assign the desired period (e.g., ) in both PASSIVE and ACTIVE modes and set the ACTIVE mode priority level as so that the security tasks can always execute with the desired frequency (i.e., ) and experience less interference (e.g., preemption) from real-time tasks. However, since our goal is to integrate security mechanisms in legacy systems with minimal555In ACTIVE mode Contego does not introduce any timing violations for the real-time tasks, but their execution might be delayed due to interference from high-priority security tasks (e.g., the tasks with priority-level ). or no perturbation, setting in either or both mode(s) may significantly perturb the real-time scheduling order. If the schedulability of the system is not analyzed after the perturbation, some (or all) of the real-time tasks may miss their deadlines and thus the main safety requirements of the system will be threatened. The same argument is also true for ACTIVE mode if we set (or arbitrarily from the range ) and do not perform schedulability analysis carefully.

Tightness of the Monitoring

As mentioned earlier, the actual period as well as the priority-levels of the security tasks are unknown and we need to adapt the periods within acceptable ranges. We measure the security of the system by means of achievable periodic monitoring. Let be the period of the security task that needs to be determined. Our goal is to minimize the gap between the achievable period and the desired period and therefore we define the following metric:

(2)

that denotes the tightness of the frequency of periodic monitoring for the security task . Thus and denote the cumulative tightness of the achievable periodic monitoring for PASSIVE and ACTIVE mode, respectively. This monitoring frequency metric, provides for instance, one way to trade-off security with schedulability. Recall that if the interval between consecutive monitoring events is too large, the adversary may remain undetected and harm the system between two invocations of the security task. Again, a very frequent execution of security tasks may impact the schedulability of the real-time tasks. This metric will allow us to execute the security routines with a frequency closer to the desired one while respecting the temporal constraints of the other real-time tasks.

Iii-a Problem Overview

One may wonder why we cannot schedule the security tasks in the same way that the existing real-time tasks are scheduled. For instance, a simple approach to integrating security tasks in PASSIVE mode without perturbing real-time scheduling order is to execute security tasks at a lower priority than all real-time tasks. Hence, the security routines will be executing only during slack times when no other higher-priority real-time tasks are running. Likewise, in ACTIVE mode, security tasks can be executed at a lower priority than more critical, high-priority real-time tasks. Hence, the security tasks will only be executing when other real-time tasks with priority-levels higher than are not running. When both real-time and security tasks follow RM priority order, we can formulate a nonlinear optimization problem for PASSIVE mode with the following constraints that maximizes the cumulative tightness of the frequency of periodic monitoring:

Subject to:
(3a)
(3b)
(3c)

where is the optimization variable for PASSIVE mode that needs to be determined. The constraint in Eq. (3a) ensures that the utilization of the security tasks are within the remaining RM utilization bound [19]. The RM priority order for real-time and security tasks is ensured by the constraints in Eq. (3b), while Eq. (3c) ensures the restrictions on periodic monitoring. Recall that in ACTIVE mode, we allow the security tasks to execute when the real-time tasks with priority-levels higher than are not running. Hence, to ensure the RM priority order in ACTIVE mode, we need to modify the constraints in Eq. (3b) as follows:

(4)

where represents the set of real-time tasks that are higher priority than level . In addition, the constraints in Eq. (3a) and Eq. (3c) also need to be updated to consider ACTIVE mode task-sets (e.g., ) and the number of active mode security tasks (). Thus for ACTIVE mode we can formulate an optimization problem similar to that of with the objective function: , where is the ACTIVE mode optimization variable. One of the limitations of the above approach is that the overall system utilization is limited by the RM bound which has the theoretical upper bound of processor utilization only about [19], where is the total number of tasks under consideration. Further, the security tasks’ periods need to satisfy the constraints in Eq. (3b) and Eq. (4) (for PASSIVE and ACTIVE modes, respectively) to follow RM priority order. In addition, instead of focusing only on optimizing the periods of the security tasks, Contego aims to provide a unified framework that can achieve other security aspects (viz., responsiveness). Thus we follow an alternative approach similar to one we proposed in earlier work666The approach we proposed in our earlier work [11] is analogous to the PASSIVE mode of Contego. [11]. Specifically, we had proposed to use a server [22] to execute security tasks. Our security server is motivated by the needs of hierarchical scheduling [23]. Under hierarchical scheduling, the system is composed of a set of components (e.g., real-time tasks and a security server, in our context) and each of which comprises multiple tasks or subcomponents (e.g., security tasks). The server abstraction not only allows us to provide better isolation between real-time and security tasks, but also enables us to integrate additional security properties (such as responsiveness) as we discuss in the following.

Iv The Security Server

The server [22] is an abstraction that provides execution time to the security tasks according to a predefined scheduling algorithm. Our proposed security server is characterized by the capacity and replenishment period and works as follows. The server is executed with lowest-priority in PASSIVE mode. However, in ACTIVE mode, the server can switch to any allowable priority-level777Calculation of the server priority-level is described in Section V. within the range . If any security task is activated at time , then the server is activated with capacity and the next replenishment time is set as . When the server is scheduled, it executes the security tasks according to its own scheduling policy. In this work we assume that the server schedules the security tasks using fixed-priority RM scheduling. When a security task executes, the current available capacity is decremented accordingly. The server can be preempted by the scheduler to service real-time tasks. When the server is preempted, the currently available capacity is not decremented. If the available capacity becomes zero and some security task has not yet finished, then the server is suspended until its next replenishment time (). At time , the server is recharged to its full capacity , the next replenishment time is set as , and the server is executed again. When the last security task has finished executing and there is no other pending task in the server, the server will be suspended. Also, the server will become inactive if there are no security tasks ready to execute.

Iv-a Reformulation of the Period Adaptation Problem using Servers

When security tasks execute within the server, we need to modify the constraints in the period adaption problem considering the server parameters and . In the following we briefly discuss how to customize the period adaptation problem with the inclusion of the server. Let us use to denote the utilization bound for the set of tasks executing within the server. When the smallest period of the task is greater than or equal to , it has been shown [24] that the upper bound of the utilization factor for the security tasks is given by , where is number of tasks in the set . Thus with the inclusion of the server in PASSIVE mode, we can modify the constraints in Eqs. (3a) and (3b) as follows:

(5a)
(5b)

Therefore, selection of the periods for security tasks in PASSIVE mode is a nonlinear constrained optimization problem that can be formulated as follows:

where and are the server capacity and replenishment period in PASSIVE mode, respectively. The formulation of the PASSIVE mode period adaptation problem presented above is similar to that we proposed in earlier work [11]. Similarly, in ACTIVE mode, the period adaptation problem can be reformulated as follows:

(7a)
(7b)
(7c)

where and are the server capacity and replenishment period in ACTIVE mode, respectively.

Iv-B Selection of the Server Parameters

The period adaptation problem illustrated in Section IV-A is derived based on a given set of server parameters, e.g., . However, a fundamental problem is to find a suitable pair of server capacity and replenishment period that respects the real-time constraints of the tasks in the system. Our approach to selecting the server parameters in PASSIVE and ACTIVE mode is described below.

Iv-B1 Parameter Selection in Passive Mode

Recall that in PASSIVE mode, the server will execute with the lowest priority to have compatibility with existing real-time tasks. Since the security tasks execute within the server, we need to ensure the following two constraints:

  • The server is schedulable: that is the server’s capacity and interference from higher priority real-time tasks are less than the replenishment period; and

  • The security tasks are schedulable: the minimum supply by the server to the security tasks is greater than the worst-case workload generated by the security tasks.

Note that since the server is running with lowest priority, the real-time constraints (e.g., ) and the task execution order are not affected in the PASSIVE mode. Based on the above two constraints, we illustrate an approach for determining the server parameters by formulating it as a constraint optimization problem. The security server is referred to as schedulable if the worst-case response time of the server does not exceed its replenishment period [22]. Thus, following an approach similar to ones in earlier work [11, 25], the server schedulability constraint can be represented as follows:

(8)

where is the worst-case interference experienced by the server when preempted by the higher priority real-time tasks. In the above equation, the set of real-time tasks with higher priority than the server (i.e., ) is fixed. Let us use to denote the set of PASSIVE mode security tasks that are higher priority than . To ensure schedulability of the security tasks, we can derive the minimum supply of the server delivered to the security tasks by using the periodic resource model from the literature [23, 25, 11]. In particular, the constraints on the server supply to ensure schedulability of the security tasks [11] can be expressed as:

(9)

where is the worst-case workload generated by the security task and during the time interval of . This workload is a constant for a given input. Since we need to ensure maximal processor utilization for the security tasks without violating the real-time constraints of the system, we define the following objective function: . With this objective function and the constraints in Eqs. (8)-(9), the PASSIVE mode server parameter selection problem can be formulated as follows:

where server parameters and are the optimization variables.

Iv-B2 Parameter Selection in Active Mode

In ACTIVE mode, the security server is no longer the lowest priority task. Since the server can execute with priority , there could be up to low priority real-time tasks than that of the server. Thus we need to ensure the schedulability of the real-time tasks that are executing with a priority lower than the server. Hence, in addition to the constraints described in Section IV-B1 (i.e., Eqs. (8)-(9)), we need to consider the following:

  • The real-time tasks with lower priority than the server are schedulable: that is, the interferences from the server and other higher priority real-time tasks do not violate the deadlines for these low-priority tasks.

We therefore define the following constraints to ensure the schedulability of the low-priority real-time tasks:

(11)

where is the interference experienced by from other real-time tasks and is the worst-case interference caused to by the server in ACTIVE mode. As illustrated in Section V, we iterate through the allowable priority ranges (e.g., ) to find the server priority in ACTIVE mode. Note that for a given priority-level, the set of tasks is predefined. Thus the only variables for the constraints in Eq. (11) are the server capacity and replenishment period . Let us use to denote the set of ACTIVE mode security tasks that are higher priority than . Just as in we can now formulate the ACTIVE mode parameter selection problem as follows:

Subject to: (11) and
(12a)
(12b)

where the set of real-time tasks with higher priority than the server (i.e., ) is a constant for a given priority-level and is the worst-case workload generated by the security task and . Note that the schedulability of the higher priority real-time tasks (e.g., ) is already ensured by definition.

Remark 1.

The formulation of the period adaptation and server parameter selection problems are nonlinear constraint optimization problems and are nontrivial to solve in their current form. However, these problems can be transformed into a geometric programming (GP) [26] problem. In addition, it is also possible to reformulate the non-convex GP representation into equivalent convex form that can be solved using known algorithms such as interior point [27, Ch. 11] method. For details of this reformulation, we refer the readers to Appendix.

Iv-C Discussion on Mode Switching

As mentioned earlier, by default, Contego operates in PASSIVE mode. However, when a malicious activity is suspected, a PASSIVE-to-ACTIVE mode change request will be issued. Similarly, an ACTIVE-to-PASSIVE mode change request will be placed if the system seems clean after fine-grained checking, or a malicious entity is found and removed. In steady-state (e.g., when security tasks are executing in PASSIVE or ACTIVE mode), the schedulability of the real-time tasks is already guaranteed by the analysis presented in Section IV-B. When Contego switches from PASSIVE mode to ACTIVE mode, the schedulability of real-time tasks will not be affected. The reason this that all the real-time tasks are higher priority than the security tasks in PASSIVE mode and hence do not suffer any additional interference from security tasks during mode change. Therefore, the schedulability of real-time tasks during PASSIVE-to-ACTIVE mode switching is already covered by steady-state analysis (Section IV-B1). During ACTIVE-to-PASSIVE mode switching, observe that schedulability of the real-time tasks that have a priority higher than the server (i.e., ) is not affected. When the mode switch request is issued, the ACTIVE mode server (and the security tasks) stop execution and the control is then switched to the lowest priority PASSIVE mode server. Note that the constraints in Eq. (11) that ensures the schedulability of the low-priority real-time tasks already captures the worst-case interference introduced by the server. Hence the server will not impose any more interference (even if the mode switch is performed in the middle of the execution of a busy interval) on the low-priority real-time tasks than what we have calculated in the steady-state analysis (Section IV-B2). Therefore if both the PASSIVE and ACTIVE modes task-sets are schedulable, the system will also be schedulable with mode changes.

V Algorithm Development

We develop a simple scheme to obtain the security task’s period (for both PASSIVE and ACTIVE mode) and priority-level (for ACTIVE mode). The overall algorithm, Algorithm 1, works as follows.

0:  Set of real-time tasks, , PASSIVE and ACTIVE mode security tasks and , allowable priority ranges
0:  The tuple , e.g., ACTIVE mode server priority-level, ACTIVE and PASSIVE mode periods of the security tasks and ACTIVE and PASSIVE mode server parameters if the task-set is schedulable; otherwise
1:  Obtain PASSIVE and ACTIVE mode parameters using the functions PassiveModeParamSelection(, ) and ActiveModeParamSelection(, , )
2:  if  then
3:      /* return the parameters */
4:      return
5:  else
6:      /* not possible to integrate security tasks in the system */
7:      return
8:  end if
9:  function PassiveModeParamSelection(, )
10:      Initialize PASSIVE mode period
11:      Solve to obtain server parameters
12:      if  then
13:          Solve to obtain security periods
14:          if  then
15:              /* return the parameters */
16:              return , , where , and are the solutions obtained by and
17:          end if
18:      else
19:          /* unable to integrate PASSIVE mode security tasks */
20:          return
21:      end if
22:  end function
23:  function ActiveModeParamSelection(, , )
24:       false
25:      Initialize ACTIVE mode security task’s period
26:      for each  priority level  do
27:          Solve to obtain server parameters
28:          if  then
29:              Solve to obtain security periods
30:              if  then
31:                 /* store the parameters for priority level where , and are the solutions obtained by and */
32:                 
33:                  true
34:              end if
35:          end if
36:      end for
37:      /* obtain the parameters that provide best metric */
38:      if  then
39:          Find the priority-level

from the solution vector

that gives the maximum cumulative tightness
40:          Set , ,
41:          /* return the parameters */
42:          return , , ,
43:      else
44:          /* unable to integrate ACTIVE mode security tasks */
45:          return
46:      end if
47:  end function
Algorithm 1 Feasibility Checking and Parameter Selection

To find the PASSIVE mode parameters, we initialize the security task’s period with the desired period and solve the server parameter selection problem (Lines 10–11). If there exists a solution (e.g., the constraints are satisfied), we then obtain the periods of the security tasks by solving (Line 13). In the event that neither of these optimization problems returns a solution, we report the task-set as unschedulable (Line 20), since it is not possible to execute security tasks opportunistically without violating real-time constraints. To select ACTIVE mode parameters, the algorithm iterates through each of the acceptable priority-levels and tries to obtain the periods that maximize tightness for periodic monitoring without violating the real-time constraints (Lines 26–36). If there exists a solution (e.g., constraints in and are mutually consistent), we store the solution in a candidate list. The algorithm then finds the best priority-level from the candidate solution sets that provides the maximum tightness (Line 39). In the event that no candidate solutions are found for any of the allowable priority ranges, the algorithm reports the task-set as unschedulable. If both the PASSIVE and ACTIVE mode tasks are schedulable, then Algorithm 1 returns the corresponding periods and the ACTIVE mode priority-level (Line 4). Otherwise, the system is considered as unschedulable (Line 7) since it is not possible to integrate security tasks with desired requirements. This unschedulability result hints that the designers of the system should update system parameters (e.g., the number of security tasks, desired and maximum allowable periods of the security tasks, periods of the real-time tasks, if permissible, etc.) in order to integrate security mechanisms.

Vi Evaluation

We evaluate Contego with randomly generated synthetic workloads (Section VI-A) as well as a proof-of-concept implementation on an ARM-based embedded development board and real-time Linux (Section VI-B).

Vi-a Experiment with Synthetic Task-sets

Vi-A1 Simulation Setup

In order to generate task-sets with an even distribution of tasks, we grouped the real-time and security task-sets by base-utilization from , where . Each utilization group contained task-sets. In other words, a total of task-sets were tested for each of the experiments. The utilization of the real-time and security tasks were generated by the UUniFast [28] algorithm and we used GGPLAB [29] to solve the optimization problems. We used the parameters similar to those used in earlier research [16, 11]. In particular, each task-set instance contained real-time and security tasks in each of the modes. Each real-time task had a period and we assumed . The desired periods for the security tasks were selected from and the maximum allowable period was assumed to be . We considered and the total utilization of the security tasks was assumed to be no more than of the real-time tasks.

Vi-A2 Results

Impact on Cumulative Tightness

In Fig. 2 one can see the difference in the tightnesses of the periodic monitoring obtained by PASSIVE and ACTIVE mode (i.e., ). For fair comparison we used the same task-sets for both modes. The x-axis of Fig. 2 represents the total system utilization (e.g., utilization of both real-time and security tasks). The positive values in the y-axis of Fig. 2 imply that the ACTIVE mode tasks obtain better tightness that the PASSIVE mode tasks.

Fig. 2: PASSIVE mode vs. ACTIVE mode: difference in cumulative tightness of achievable periodic monitoring, . Non-zero difference indicates that the ACTIVE mode tasks achieve better tightness than PASSIVE mode tasks. Task-sets from different base-utilization groups are represented by different colors. Each of the data points represents schedulable task-sets.

The figure shows that ACTIVE mode tasks can achieve better cumulative tightness, and that the cumulative tightness is comparatively better in low to medium utilization. The main reason is that in ACTIVE mode security tasks are allowed to execute with higher priority, that causes less interference and eventually increases the feasible region in the optimization problems (and hence provides better tightness). For higher utilizations the difference is close to zero. This is because, as utilization increases there is less slack in the system, making it difficult to schedule security tasks frequently and resulting in similar levels of tightness for both modes.

Effectiveness of Security

The parameter is given by the total number of security tasks and provides insights on cumulative measures of security. However, in this experiment (refer to Fig. 3) we wanted to measure the effectiveness of the security of the system by observing whether each of the security tasks in any mode can achieve an execution frequency closer to the desired one. Hence we used the following metric: where is the solution obtained from Algorithm 1, and are the desired and maximum period vector (refer to Section VI-A1), respectively, and denotes the Euclidean norm. The closer the value of to , the nearer each of the security task’s period is to the desired period.

Fig. 3: The effectiveness of security vs. total utilization of the system. The closer the y-axis values to , the nearer each security task’s period is to the desired period. Task-sets from different base-utilization groups are distinguished by different colors.

As the total utilization increases, the feasible set of the period adaptation problem that respects all constraints in the optimization problems becomes more restrictive. As a result, we see the degradation in effectiveness (in terms of ) for the task-sets with higher utilization. However, from our experiments we find that Contego can achieve periods that are within of the desired periods.

Impact on the Schedulability
Fig. 4: Schedulability of real-time and security tasks in both modes. The acceptance ratio is defined by the ratio of the number of accepted task sets over the total number of generated tasks. For each of the data points, 500 individual task-sets were tested.

We used the acceptance ratio metric to evaluate schedulability. The acceptance ratio (y-axis in Fig. 4) is defined as the number of accepted task-sets (e.g., the task-sets that satisfied all the constraints) over the total number of generated ones. As depicted in Fig. 4 the ACTIVE mode task-set achieves better schedulability compared to the PASSIVE ones. Recall that ACTIVE mode task-sets can be promoted up to priority level . As a result ACTIVE mode security tasks potentially experience less interference than the PASSIVE ones. This flexibility gives the optimization routines a larger feasibility region to satisfy all the constraints.

Vi-B Experiment with Security Applications in an Embedded Platform

To observe the performance of the proposed scheme in a practical setup, we implemented Contego on an embedded platform. Our experimental platform [30] was configured with 1 GHz ARM Cortex-A8 single-core processor and 512 MB RAM. We used Linux as the operating system – that allowed us to utilize the existing Linux-based IDSes (refer to Section VI-B2) for the evaluation. Since the vanilla Linux kernel is unsuitable for hard real-time scheduling, we enabled the real-time capabilities with the Xenomai [31] 2.6.3 real-time patch (kernel version 3.8.13-r72) on top of an embedded Debian Linux console image. We measured the WCET of the real-time and security tasks using ARM cycle counter registers (e.g., CCNT), giving us nanosecond-level precision. Since these registers are not enabled by default, we developed a Linux kernel module to access the registers from our application codes. Our prototype implementation was developed in C and uses a fixed-priority scheduler powered by the Xenomai real-time patch. Sporadic real-time and security tasks in the system were defined by Xenomai function and were suspended after the completion of corresponding instances using the function.

Vi-B1 Real-time Tasks

For a real-time application, we considered a UAV control system (refer to Table I). We implemented it using an open-source UAV model [32]. The original application codes were based on the STM32F4 micro-controller (ARM Cortex M4) and developed for FreeRTOS [33]. Because of differences in library support and execution semantics, we updated the source codes accordingly and ported them to Linux.

Task Function Period (ms)
Guidance Select the reference trajectory (i.e., altitude and heading) 1000
Controller Execute closed-loop control functions (e.g., actuator commands) 5000
Reconnaissance Read radar/camera data, collect sensitive information and send data to the base control station 10000
TABLE I: Real-time task parameters for the UAV control system

Vi-B2 Security Tasks

To integrate security in the aforesaid control system, we included additional security tasks. For the security tasks, we considered two lightweight open-source intrusion detection mechanisms, (i) Tripwire [21], that detects integrity violations by storing clean system state during initialization and using it later to detect intrusions by comparing the current system state against the stored clean values, and (ii) Bro [34] that monitors anomalies in network traffic. As Table II shows, we consider several security tasks in both modes, e.g., protecting security task’s own binary files, protecting system binary and library files, monitoring network traffic. In each mode, we set the desired and maximum allowable periods of the security tasks such that utilization of the security tasks did not exceed of the total system utilization.

Task Function Mode
Check own binary of the security routine (Tripwire) Scan files (viz., compare their hash value) in the following locations: , , , , ACTIVE
Check critical executables (Tripwire) Scan file-system binary (, ) ACTIVE and PASSIVE
Check critical libraries (Tripwire) Scan file-system library () ACTIVE
Monitor network traffic (Bro) Scan predefined network interface () ACTIVE and PASSIVE
TABLE II: Security tasks used in the experiments

Vi-B3 Experience and Evaluation

Performance Impact in Different Modes
Fig. 5: The CPU load when the security tasks executed in PASSIVE (top) and ACTIVE (bottom) mode, respectively. The dotted line represents average load over the observation duration (500 s).

In the first set of experiments, we measured the average CPU load when the security tasks were executing in PASSIVE and ACTIVE modes. For that, we executed the security tasks independently for in PASSIVE and ACTIVE modes and observed the CPU load using interface (represents the y-axis of Fig. 5). As Fig. 5 shows, running security tasks in ACTIVE mode increased the average CPU load compared to running them in PASSIVE mode. This is because ACTIVE mode contains more security tasks (e.g., 4 compared to 2, refer to Table II) and they execute more frequently than in PASSIVE mode. Because of the nature of applications, most RTS prefer predictability over performance. The overhead of running security tasks in ACTIVE mode comes with increased security guarantees that will suffice for many RTS.

Impact on Detection Time

To study the detection performance we injected malicious code into the system that mimics anomalous behaviors. We assumed that an attacker can take over888One way to override a task could be to use an approach similar to one presented in the literature [6] that exploits the deterministic behavior of the real-time scheduling. one of the low-priority real-time tasks (referred to as the victim task) and is able to insert malicious code that can execute with a privilege similar to that of legitimate tasks. We launched the attack at both the network and host-level. We defined network-level DoS attacks as too many rejected usernames and passwords submitted from a single address and used a real FTP DoS trace [35] to demonstrate the attack. Malware (such as LRK, tOrn, Adore, etc.) in general-purpose Linux environments causes damage to the system by modifying or overwriting the system binary [36, Ch. 5]. Thus we follow a similar approach to demonstrate a host-level attack, viz., we injected ARM shellcode [37] to override the victim task’s code and launched the attack by modifying the contents in the file-system binary. We obtained the periods of the security tasks in both modes by solving the period adaptation problem (Algorithm 1) and set it as the period of security tasks (by using the Xenomai function). For each of the experiments, the work-flow was as follows. We started with a clean (e.g., uncompromised) system state, launched the DoS attack at any random time of the program execution and then injected the shellcode after a random interval, and finally logged the time required by security tasks to detect the attacks. Initially the security tasks ran in PASSIVE mode. When the network-level attack was suspected by the security task (e.g., Bro), a mode change request was placed and the control was switched to ACTIVE mode with the corresponding ACTIVE mode tasks (see Table II). As mentioned in Section II-B, our focus is not on the effectiveness of a particular IDS here but on the effectiveness of integration of the IDSes into RTS. Therefore we controlled the experimental environment so that the results were not affected by the false positive/negative rates of the IDS used in the evaluation. In particular, both of the launched attacks were detectable by the respective IDSes used in the evaluation. Detection times were measured using ARM cycle counter registers (CCNT). To ensure the accuracy of the detection time measurements, we disabled all the frequency scaling features in the kernel (by using the utility) and allowed the platform to execute with a constant frequency (e.g., 1 GHz, the maximum frequency of our experimental platform).

Fig. 6: The empirical distribution of time to detect the intrusions when mode change was allowed vs when security tasks were run only in PASSIVE mode. We used ARM cycle counter registers to measure the detection time. A total of individual experiment instances were examined to obtain the timing traces.

We compared the performance of Contego with that of an earlier approach [11] that has no provision for mode changes and in which the security tasks are run with the lowest priority (similar to the PASSIVE

mode of operation in Contego). Specifically, we measured the time to detect both the host and network-level intrusions, and plot the empirical cumulative distribution function (CDF) of those detection times in Fig. 

6. The x-axis in Fig. 6

represents the detection time (in cycle count) and the y-axis represents the probability that the attack would be detected by that time. The empirical CDF is defined as

, where is the total number of experimental observations, is the time taken to detect the attack in the -th experimental observation, and represents the -axis values (viz., the detection times in cycle count) in Fig. 6. The indicator function outputs if the condition is satisfied and otherwise. From Fig. 6 we can see that Contego provides better detection time (i.e., fewer cycle counts required to detect the intrusions). From our experiments we find that on average Contego detects attacks faster than the reference scheme does. The approach from the literature [11] allows the security tasks to run only when other real-time tasks are not running, leading to more interference (e.g., higher response times), and does not provide any mechanisms to adapt against abnormal behaviors (e.g., the DoS attack in the experiments). In contrast, Contego allows quick response to anomalies (by switching to ACTIVE mode when a DoS attack is suspected). Since ACTIVE security tasks can run with higher priority and less interference without impacting the timeliness constraints of real-time tasks, Contego had a superior detection rate in general for most of the experiments without impacting safety.

Vii Discussion

Although Contego provides an integrated approach to guarantee safety and security in RTS, this framework can be extended in several directions. In the following, we briefly analyze Contego against different threat models and discuss the limitations of the current framework with possible directions of improvement.

Vii-a Threat Analysis

The security mechanism will collapse if the adversary can compromise all the security tasks. To do so, the adversary would need to intrude into the system, remain undetected and monitor the schedule [6] (to override the security tasks) over a long period of time. Guaranteeing the integrity of the security tasks is an interesting research problem by itself and will be investigated in our future work. While compromising all the security tasks could be difficult in practice, it nevertheless would be worthwhile to harden the security posture of Contego further by randomizing task schedules while guaranteeing the safety of the real-time tasks by using approaches similar to one recently proposed in the literature [7]. Randomizing the schedule of real-time and security tasks reduces the determinism (and thus the predictability of security tasks’ execution) and further reduce the chance of information leakage. Randomizing task schedules in RTS, unlike traditional systems, is not straightforward since it leads to priority inversions [38] that, in turn, cause missed deadlines, and hence, put the safety of the system at risk. We intend to incorporate randomization protocols on top of Contego in future work. The underlying detection algorithms in security tasks could raise false positive errors that may cause the system to switch modes unnecessarily. Again, a clever adversary may remain undetected and provide a fake indication of malicious activity. This may cause Contego to frequently switch modes thus reducing performance and availability. Although Contego guarantees that the system will remain schedulable (and hence safe) even with mode changes (refer to Section IV-C), running of security tasks in ACTIVE mode could impose additional overheads (i.e., increased load as we have seen in Fig. 5) that designers of the system may want to avoid. The false positive/negative errors can be mitigated by carefully designing the detection algorithms based on application requirements. Further, we argue that forced mode changes would require an adversary to intrude in the system and remain undetected for a long time. In practice that could be difficult and unlikely in the presence of several intrusion detection tasks.

Vii-B Limitations and Improvement

In Contego each security task has a desired frequency of execution for better security coverage. Security tasks so far have been treated as independent and preemptive, but in practice, some security monitoring may need atomicity or non-preemptive execution. The server-based model proposed in this work can be extended to incorporate this feature. For example, when a security task needs to perform a special atomic operation, the priority of the server can be increased to a priority that is strictly higher than all (or some) of the real-time tasks. Further, if the security task running under server is not the highest-priority security task, the priority of that task itself will also be increased. If the server’s capacity is exhausted while it is executing an atomic operation, we can allow the server to overrun [39], i.e., the server continues to execute at the same priority until the security checking is completed. When the server overruns, the allocated capacity at the start of the next server replenishment period is reduced by the amount of the overrun. However, schedulability analysis must be performed considering maximum blocking times of the security tasks. Further, security tasks may have dependencies

wherein one task depends on the output from one or more other tasks. For example, an anomaly detection task might depend on the outputs of multiple scanning tasks, or, the scheduling framework might need to follow certain

precedence constraints for security tasks. In order to ensure the integrity of monitoring security, the security application’s own binary might need to be examined first before it checks the system binary files. In that case, the cumulative tightness of the achievable periodic monitoring proposed in Section III might no longer be a reasonable metric. Constraints to ensure that the dependent security tasks are executed often enough should be included and the optimization problem may need to be reformulated and evaluated with different metrics. While time-to-detect is a useful metric, it is hard to quantify in a comprehensive way as it depends on a number of factors such as the efficacy of monitoring tasks, the kind of intrusion etc. and is a lagging metric. Identifying and designing better security metrics is an important and challenging problem. In future work we will undertake it in the narrow context of integrating monitoring and detection tasks into RTS.

Viii Related Work

In our earlier work [11] we proposed to use a server to integrate security tasks and execute them opportunistically at a lower priority than real-time tasks. That approach was useful for legacy RTS where perturbing the schedule of real-time tasks was not an option – however, the downside was longer time for detection. In contrast, Contego can respond to anomalous activities in an adaptive manner and provide improved monitoring frequency and detection time when needed. A new scheduler [13] and enhancements to an existing dynamic priority scheduler [14] were proposed to meet real-time requirements while maximizing the level of security achieved. A state cleanup mechanism has been introduced [16], and further generalized [17, 15] such that the fixed-priority scheduling algorithm was modified to mitigate information leakage through shared resources. Researchers have proposed a schedule obfuscation method [7] aimed at randomizing the task schedule while providing the necessary real-time guarantees. Such randomization techniques can improve the security posture by minimizing the predictability of the deterministic RTS scheduler. Recent work [9, 10] on dual-core based hardware/software architectural frameworks has aimed to protect RTS against security threats. However, those approaches came at the cost of reduced schedulability or may require architectural/scheduler-level modifications. In comparison, Contego aims to integrate security without any significant modification of the system properties and does not violate the temporal constraints or schedulability of the real-time tasks. Although not in the context of security in RTS, there exists other work [40]

in which the authors statically assign the periods for multiple independent control tasks by considering control delay as a cost metric and estimating the delay through an approximate response time analysis. In contrast, our goal is to ensure security without violating the timing constraints of the real-time tasks. Hence, instead of minimizing response time, we attempt to assign the best possible periods and priority-levels so that we can minimize the perturbation between the achievable period and desired period for all the security tasks. An on-demand fault detection and recovery mechanism has been proposed 

[41] in which the system can operate in different modes. Specifically, when a fault is detected, a high-assurance controller is activated to replace the faulty high-performance controller. While fault-tolerance may also be a design consideration, Contego focuses primarily on integrating mechanisms that can foil cyber-attacks. There also exist work in the context of mixed-criticality systems (MCS) where application tasks of different criticality requirements (e.g., deadline and execution time) share same computation and/or communication resources (refer to literature [42] for a survey of MCS). MCS is different than the problem considered in this work due to the fact that security properties (i.e., adaptive switching depending on runtime behavior or frequent execution of monitoring events for faster detection) are often different than temporal requirements (e.g., satisfying deadline constraints for mixed-criticality tasks). However, the theory and concepts emerged from MCS can also be applied to the real-time security problems to further harden the security posture of future RTS.

Ix Conclusion

The sophistication of recent attacks on UAVs [43], automobiles [4, 2], medical devices [5] as well as an industrial control systems [3], indicates that RTS are becoming more vulnerable. In this paper we are making steps towards the development of a comprehensive framework to integrate security mechanisms and provide a glimpse of security design metrics for RTS. Designers of RTS are now able to improve their security posture, which will also improve overall safety – and that is essentially the main goal of such systems.

References

  • [1] M. Abrams and J. Weiss, “Malicious control system cyber security attack case study–Maroochy Water Services, Australia,” McLean, VA: The MITRE Corporation, 2008.
  • [2] S. Checkoway, D. McCoy, B. Kantor, D. Anderson, H. Shacham, S. Savage, K. Koscher, A. Czeskis, F. Roesner, T. Kohno et al., “Comprehensive experimental analyses of automotive attack surfaces,” in USENIX Sec. Symp., 2011.
  • [3] N. Falliere, L. O. Murchu, and E. Chien, “W32. Stuxnet dossier,” White paper, Symantec Corp., Security Response, vol. 5, p. 6, 2011.
  • [4] K. Koscher, A. Czeskis, F. Roesner, S. Patel, T. Kohno, S. Checkoway, D. McCoy, B. Kantor, D. Anderson, H. Shacham et al., “Experimental security analysis of a modern automobile,” in IEEE S&P, 2010, pp. 447–462.
  • [5] S. S. Clark and K. Fu, “Recent results in computer security for medical devices,” in MobiHealth, 2011, pp. 111–118.
  • [6] C.-Y. Chen, R. B. Bobba, and S. Mohan, “Schedule-based side-channel attack in fixed-priority real-time systems,” University of Illinois, http://hdl.handle.net/2142/88344, Tech. Rep., 2015, [Online].
  • [7] M.-K. Yoon, S. Mohan, C.-Y. Chen, and L. Sha, “TaskShuffler: A schedule randomization protocol for obfuscation against timing inference attacks in real-time systems,” in IEEE RTAS, 2016, pp. 1–12.
  • [8] S. Mohan, “Worst-case execution time analysis of security policies for deeply embedded real-time systems,” ACM SIGBED Review, vol. 5, no. 1, p. 8, 2008.
  • [9] D. Lo, M. Ismail, T. Chen, and G. E. Suh, “Slack-aware opportunistic monitoring for real-time systems,” in IEEE RTAS, 2014, pp. 203–214.
  • [10] M.-K. Yoon, S. Mohan, J. Choi, J.-E. Kim, and L. Sha, “SecureCore: A multicore-based intrusion detection architecture for real-time embedded systems,” in IEEE RTAS, 2013, pp. 21–32.
  • [11] M. Hasan, S. Mohan, R. B. Bobba, and R. Pellizzoni, “Exploring opportunistic execution for integrating security into legacy hard real-time systems,” in IEEE RTSS, 2016, pp. 123–134.
  • [12] ——, “A server model to integrate security tasks into fixed-priority real-time systems,” in IEEE CERTS, 2016, pp. 61–68.
  • [13] T. Xie and X. Qin, “Improving security for periodic tasks in embedded systems through scheduling,” ACM TECS, vol. 6, no. 3, p. 20, 2007.
  • [14] M. Lin, L. Xu, L. T. Yang, X. Qin, N. Zheng, Z. Wu, and M. Qiu, “Static security optimization for real-time systems,” IEEE Trans. on Indust. Info., vol. 5, no. 1, pp. 22–37, 2009.
  • [15] S. Mohan, M.-K. Yoon, R. Pellizzoni, and R. B. Bobba, “Integrating security constraints into fixed priority real-time schedulers,” RTS Journal, vol. 52, no. 5, pp. 644–674, 2016.
  • [16] ——, “Real-time systems security through scheduler constraints,” in IEEE ECRTS, 2014, pp. 129–140.
  • [17] R. Pellizzoni, N. Paryab, M.-K. Yoon, S. Bak, S. Mohan, and R. B. Bobba, “A generalized model for preventing information leakage in hard real-time systems,” in IEEE RTAS, 2015, pp. 271–282.
  • [18] A. K. Mok, “Fundamental design problems of distributed systems for the hard-real-time environment,” Massachusetts Institute of Technology, Tech. Rep., 1983.
  • [19] C. L. Liu and J. W. Layland, “Scheduling algorithms for multiprogramming in a hard-real-time environment,” JACM, vol. 20, no. 1, pp. 46–61, 1973.
  • [20] N. Audsley, A. Burns, M. Richardson, K. Tindell, and A. J. Wellings, “Applying new scheduling theory to static priority pre-emptive scheduling,” SE Journal, vol. 8, no. 5, pp. 284–292, 1993.
  • [21] “Open source Tripwire,” https://github.com/Tripwire/tripwire-open-source.
  • [22] R. Davis and A. Burns, “An investigation into server parameter selection for hierarchical fixed priority pre-emptive systems,” in IEEE RTNS, 2008.
  • [23] I. Shin and I. Lee, “Periodic resource model for compositional real-time guarantees,” in IEEE RTSS, 2003, pp. 2–13.
  • [24] S. Saewong, R. R. Rajkumar, J. P. Lehoczky, and M. H. Klein, “Analysis of hierarchical fixed-priority scheduling,” in IEEE ECRTS, 2002, pp. 173–181.
  • [25] M.-K. Yoon, J.-E. Kim, R. Bradford, and L. Sha, “Holistic design parameter optimization of multiple periodic resources in hierarchical scheduling,” in DATE, 2013, pp. 1313–1318.
  • [26] S. Boyd, S.-J. Kim, L. Vandenberghe, and A. Hassibi, “A tutorial on geometric programming,” Opt. & Eng., vol. 8, no. 1, pp. 67–127, 2007.
  • [27] S. Boyd and L. Vandenberghe, Convex optimization, 2004.
  • [28] E. Bini and G. C. Buttazzo, “Measuring the performance of schedulability tests,” RTS Journal, vol. 30, no. 1-2, pp. 129–154, 2005.
  • [29] A. Mutapcic, K. Koh, S. Kim, L. Vandenberghe, and S. Boyd, “GGPLAB: a simple Matlab toolbox for geometric programming,” 2006. [Online]. Available: https://stanford.edu/~boyd/ggplab/
  • [30] “BeagleBone Black,” https://beagleboard.org/black.
  • [31] “Xenomai – real-time framework for Linux,” https://xenomai.org.
  • [32] “UAV control codes,” https://github.com/Khan-drone/flight-control.
  • [33] “FreeRTOS,” http://www.freertos.org.
  • [34] “The Bro network security monitor,” https://www.bro.org.
  • [35] “FTP brute-force attack trace,” https://github.com/bro/bro/blob/master/testing/btest/Traces/ftp/bruteforce.pcap.
  • [36] Ethical Hacking and Countermeasures: Secure Network Operating Systems and Infrastructures, 2nd ed.   EC-Council, 2017.
  • [37] “Shellcode on ARM architecture,” http://shell-storm.org/shellcode.
  • [38] L. Sha, R. Rajkumar, and J. P. Lehoczky, “Priority inheritance protocols: An approach to real-time synchronization,” IEEE Trans. on Comp., vol. 39, no. 9, pp. 1175–1185, 1990.
  • [39] M. K. Gardner and J. W.-S. Liu, “Performance of algorithms for scheduling real-time systems with overrun and overload,” in IEEE ECRTS, 1999, pp. 287–296.
  • [40] E. Bini and A. Cervin, “Delay-aware period assignment in control systems,” in IEEE RTSS, 2008, pp. 291–300.
  • [41] X. Liu, H. Ding, K. Lee, Q. Wang, and L. Sha, “ORTEGA: An efficient and flexible software fault tolerance architecture for real-time control systems,” in IEEE ECRTS, 2008, pp. 125–134.
  • [42] A. Burns and R. Davis, “Mixed criticality systems-a review,” University of York, https://www-users.cs.york.ac.uk/~burns/review.pdf, Tech. Rep., 2013, [Online].
  • [43] D. P. Shepard, J. A. Bhatti, T. E. Humphreys, and A. A. Fansler, “Evaluation of smart grid and civilian UAV vulnerability to GPS spoofing attacks,” in Proc. of the ION GNSS Meeting, vol. 3, 2012.
  • [44] M. Chiang, Geometric programming for communication systems, 2005.

Appendix A Solution to the Optimization Problems

The ACTIVE and PASSIVE modes parameter selection problems given in Section IV are constrained nonlinear optimization problems and not very straightforward to solve. Therefore we reformulate the optimization problems as a geometric program (GP) [26]. A nonlinear optimization problem can be solved by GP if the problem is formulated as follows: [26]

 Subject to:

where denotes the vector of optimization variables. The functions are posynomial and are monomial functions, respectively. A monomial function is expressed as where and . A posynomial function (i.e., the sum of the monomials) can be represented as where and . We can maximize a non-zero posynomial objective function by minimizing its inverse. In addition, we can express the constraint as . Based on the above description, we can rewrite the period adaptation problem in either mode as:

Subject to:

where for any symbol represents the corresponding variable in the representative mode (e.g., PASSIVE or ACTIVE). The above GP formulation is not a convex optimization problem since the posynomials are not convex functions [26]. However, by using logarithmic transformations (e.g., representing and hence , and replacing inequality constraints of the form with ), we can convert the above formulation into a convex optimization problem. This convex optimization reformulation can be solved using standard algorithms, such as interior-point method in polynomial time [27, Ch. 11]. The server parameter selection problem can also cast into GP as follows. The objective function (e.g., the ratio between server capacity and period) can be represented as , which is clearly a posynomial. The server schedulability constraints (e.g., Eq. (8) and Eq. (12a)) can be rewritten as

(15)

where . Likewise, the real-time task schedulability constraints for the ACTIVE mode (e.g., Eq. (11)) can be represented as

(16)

In addition, by using the geometric mean approximation

[44, Ch. 2] of posynomials we can rewrite the schedulability constraints for the security tasks (e.g., Eqs. (9) and (12b)) as follows [11]:

(17)

where and is a given initial point. After the logarithmic transformation (e.g., , and replacing the inequality constraints with ), the objective function and the constraints become a standard convex optimization problem that is solvable in polynomial time.