Bringing Real-Time Systems into a Secure World, kicking & screaming
Sibin Mohan, Dagstuhl 2016
Dept. of Computer Science, Information Trust Institute
sibin@illinois.edu, @sibinmohan
Properties of real-time systems:
- Physically isolated
- Specialized protocols & hardware
- Not connected to the internet [?]
- Limited capabilities
- Finite (often severely constrained) resources

Examples of attacks:
- Attacks on industrial control systems [Stuxnet!]
- Hijacking of automotive systems
- Vulnerabilities in implantable (and other) medical devices
- Vulnerable avionics systems
- Power grids & other utilities
- ...

Sibin Mohan | Bringing Real-Time Systems into a Secure World | November 1, 2016
Constraints of real-time systems:
- Limited resources: computational power, energy, cost
- Timing requirements: safety, reliability, deadlines
- System upgrades: verifiability
Note: similar constraints apply to attack as well as defense mechanisms.
Outline:
- How to attack real-time systems... and stay undetected
- How to defend against such attacks... and still meet real-time constraints
Attacker model:
- Able to intrude into the system undetected
- Motivation: steal information about system operation/modes
[Figure: vendor-based UAV system design with two vendors (Vendor 1, Vendor 2). Components: Network Manager, Encryption, Sensor Task, Encoder (JPEG/MPEG), Mission Planner, Control Laws (HIL), Actuator Task, I/O Integrator; input from Camera, output to Base Station.]
Constraints on the attacker:
- Attacker cannot use up too many resources
- Doing so will lead to other tasks missing deadlines, and hence to early detection
- Attacker can only execute during slack/idle times
- But then, the attacker can only see the busy periods between idle slots
[Figure: the actual schedule with multiple tasks and idle slots on a timeline t, versus what an intruder can see (busy periods only).]
Useful for reconstructing the exact schedule from the busy periods:
- Periodic nature of [many] real-time systems
- Fixed-priority scheduling algorithms
ScheduLeak
- Attacker has access to some task parameters, e.g. periods, execution times
- Does not know when the system started execution
- Intuition: [Figure: tasks i and j with period(i) and period(j) on a timeline t]
- Results can be ambiguous, due to jitter, offsets, task parameters, etc.
Detailed analysis, algorithms, etc. in the paper.
Reconstruct the complete schedule from busy periods
[Figure: busy periods separated by idle slots on a timeline t]
Question: how do we measure success?
- Failure: unable to precisely estimate the execution start time for each task
- What if we are able to narrow it down to a "window"? Failure?
For each task in the task set:
- Estimate the deviation from the "expected" result
- Take the geometric mean of all such deviations
- Precision ratio, [formula not captured]
Implemented the attack (and analysis) on:
- Hardware platform: Xilinx Zedboard Zynq-7000, FreeRTOS operating system
- Simulation engine
- Application scenario: vendor-based UAV model
[Figure: the vendor-based UAV system design shown earlier (Vendor 1, Vendor 2; Network Manager, Encryption, Sensor Task, Encoder (JPEG/MPEG), Mission Planner, Control Laws (HIL), Actuator Task, I/O Integrator; input from Camera, output to Base Station).]
[Figure: hardware platform and simulation engine]
Note: analysis can be done offline if needed.
[Plots of precision ratio vs CPU utilization]
- Mean precision ratio: 0.9982 – 0.999
- Mean precision ratio: 1
Note: precision ratio is very high even in the presence of offsets!
Assuming a distribution of execution times: worst-case mean precision ratio 0.90901
- Ability to reconstruct schedules for real-time systems
- Very precise
- Can be used to launch other attacks...
Challenge: how do we protect against such attacks and still maintain the safety of real-time systems?
Intuition: transform security requirements into real-time constraints.
Three ways to achieve this:
1. Obfuscation of the schedule to prevent attacks such as ScheduLeak
2. Shared state cleanup to prevent attempts like coarse-grained cache timing attacks
3. Use predictable behavior to detect intrusions
- Real-time systems are predictable-by-design
- If attackers are able to reconstruct part* of the behavior, they can precisely predict future behavior
* For one hyperperiod
Solution: obfuscate the schedule
- At each scheduling event pick a random task to run, not the highest priority task
- Attackers can no longer predict behavior: every hyperperiod is different!
Problems!!!
- Tasks can miss their deadlines!
- Priority inversions can result in serious situations
- Safety of the system at risk
Allow priority inversions, but in a bounded fashion:
- Only when higher priority task(s) can still meet deadlines
- Only for bounded amounts of time
[Figure: tasks H, M and L on a timeline between a release and a deadline (and another release); H is inverted (Inv) and preempted (Pre) only for bounded intervals.]
Key step: keep finding worst-case maximum inversion times
V: worst-case maximum inversion time

  task    p    e    V
  task 0  5    1    4
  task 1  8    2    3
  task 2  20   3    4

At every scheduling decision point:
1. Pick a random job from the ready queue (if not the highest priority task)
2. Decrement V as execution proceeds
3. Continue until the job completes or V is depleted
Any job in the ready queue is guaranteed to be schedulable. V values are replenished at each job's release.
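As an added illustration (not code from the talk or the TaskShuffler project), the following Python simulates the bounded-inversion rule on the slide's task set. The budget check `inversion_budgets_safe` is an assumption of this example, a standard response-time test with V as the blocking term and deadline equal to period, not the paper's own analysis.

```python
import math
import random
from typing import List, Optional, Tuple

# Task set from the slide: (period p, execution e, budget V); index = priority, 0 is highest.
TASKS = [(5, 1, 4), (8, 2, 3), (20, 3, 4)]

def inversion_budgets_safe(tasks) -> bool:
    """Assumed check: each job still meets its deadline (= period) when lower-priority
    jobs block it for its full budget V plus higher-priority interference."""
    for i, (p, e, v) in enumerate(tasks):
        r = e + v
        while True:
            nxt = e + v + sum(math.ceil(r / ph) * eh for ph, eh, _ in tasks[:i])
            if nxt > p:
                return False
            if nxt == r:
                break
            r = nxt
    return True

def simulate(tasks, horizon: int, seed: Optional[int]) -> Tuple[List[Optional[int]], int]:
    """Tick-level run: returns (task index per tick, None when idle) and deadline misses.
    seed=None runs plain fixed-priority scheduling for comparison."""
    rng = random.Random(seed) if seed is not None else None
    jobs = {}                          # task index -> [remaining execution, remaining V]
    schedule, misses, current = [], 0, None
    for t in range(horizon):
        released = False
        for i, (p, e, v) in enumerate(tasks):
            if t % p == 0:
                if i in jobs:          # previous job still pending at its deadline
                    misses += 1
                jobs[i] = [e, v]       # V is replenished at every release
                released = True
        ready = sorted(jobs)
        if not ready:
            schedule.append(None)
            current = None
            continue
        # A job whose V is depleted may not be inverted any further: only it and
        # higher-priority jobs stay eligible at this decision point.
        depleted = [i for i in ready if jobs[i][1] == 0]
        eligible = [i for i in ready if not depleted or i <= depleted[0]]
        if rng is None:
            current = ready[0]
        elif released or current not in eligible:
            current = rng.choice(eligible)
        schedule.append(current)
        jobs[current][0] -= 1
        for i in ready:                # each higher-priority ready job pays one unit of V
            if i < current:
                jobs[i][1] -= 1
        if jobs[current][0] == 0:
            del jobs[current]
    return schedule, misses
```

Run `simulate(TASKS, 40, seed)` for a few seeds to see a different schedule each time over the 40-tick hyperperiod, with no deadline misses.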
- ScheduLeak can still deconstruct results from such randomization: idle times provide a separation that retains predictability
Improvements for increased randomization:
1. Treat idle time as an additional task with the lowest priority
2. Allow early yield for tasks (i.e. not waiting till completion)
Apply the randomized scheduling algorithm again: the TaskShuffler engine
[Figure: schedules under no randomization; randomization only; randomization + idle scheduling; randomization + idle scheduling + early yield]
Calculated schedule entropy for simulated task sets. Randomization is:
1. Medium utilization: most effective
2. Low utilization: too much idle time
3. High utilization: very few inversions
High entropy for the most common situations means better protection.
Need protection against mechanisms like cache timing attacks
[Figure: H H H L L L; L can potentially snoop on H's cache state]
Solution: cleanup of shared resources, e.g. a synthetic 'cache flush task' that executes at scheduling points.
Execute a synthetic cache flush task (CFT) between every two tasks.
Since many systems already follow a vendor-based design: Vendor-oriented Security Model
- Avoid leaking information from a 'protected task' of one vendor to any task of another vendor
- Binary "noleak" relation between any two tasks. Given any two tasks, τ_i and τ_j:

  noleak(τ_i, τ_j)   Action
  True               prevent information leakage from τ_i to τ_j
  False              no constraints imposed

- No symmetry or transitivity properties on the "noleak" relation
- Generalizes traditional Multi-Level Security (MLS) models, e.g. Bell-LaPadula
An inordinate number of CFTs:
- Can result in reduced schedulability: tasks missing their deadlines
- Need to be used with care
We analyze the system:
- Precise measure of the 'cost of security': reduction in utilization
- Minimize the number of CFTs
- Effects of preemption on the number of CFTs
- Even assign preemptivity to each task optimally! Making a task non-preemptive is better for the task itself & all lower priority tasks
Results:
1. Drop in schedulability, especially for higher utilization
2. Much better than the trivial bound
3. Can still schedule many tasks
Provides information to designers to account for such changes: reduced utilization but improved security against timing attacks! Costs are known ahead of time.
Behavior-based intrusion detection in real-time systems
- Use the predictable nature of such systems to detect anomalies
[Figure: potential symptoms of malware: extra instructions, abnormal external I/O, control flow change, abnormal memory accesses]
- Use redundancy in the execution platform (multicore) for monitoring
- Guarantee system safety in the face of successful attacks