research-article

SchedGuard++: Protecting against Schedule Leaks Using Linux Containers on Multi-Core Processors

Published: 20 February 2023

    Abstract

    Timing correctness is crucial in a multi-criticality real-time system, such as an autonomous driving system. It has been recently shown that these systems can be vulnerable to timing inference attacks, mainly due to their predictable behavioral patterns. Existing solutions like schedule randomization cannot protect against such attacks, often limited by the system’s real-time nature. This article presents “SchedGuard++”: a temporal protection framework for Linux-based real-time systems that protects against posterior schedule-based attacks by preventing untrusted tasks from executing during specific time intervals. SchedGuard++ supports multi-core platforms and is implemented using Linux containers and a customized Linux kernel real-time scheduler. We provide schedulability analysis assuming the Logical Execution Time (LET) paradigm, which enforces I/O predictability. The proposed response time analysis takes into account the interference from trusted and untrusted tasks and the impact of the protection mechanism. We demonstrate the effectiveness of our system using a realistic radio-controlled rover platform. Not only is “SchedGuard++” able to protect against the posterior schedule-based attacks, but it also ensures that the real-time tasks/containers meet their temporal requirements.

    Cited By

    • (2024) Impact of priority assignment on schedule-based attacks in real-time embedded systems. Journal of Systems Architecture: the EUROMICRO Journal 145:C. DOI: 10.1016/j.sysarc.2023.103021. Online publication date: 27-Feb-2024

    Published In

    ACM Transactions on Cyber-Physical Systems, Volume 7, Issue 1
    January 2023
    187 pages
    ISSN: 2378-962X
    EISSN: 2378-9638
    DOI: 10.1145/3582896
    Editor: Chenyang Lu

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Publication History

    Published: 20 February 2023
    Online AM: 25 October 2022
    Accepted: 14 September 2022
    Revised: 16 March 2022
    Received: 24 July 2021
    Published in TCPS Volume 7, Issue 1

    Author Tags

    1. Response time analysis
    2. Linux containers
    3. Logical Execution Time
    4. security

    Qualifiers

    • Research-article

    Funding Sources

    • Office of Naval Research (ONR)
    • National Science Foundation (NSF)
    • German Federal Ministry of Education and Research
