Attack Detection Through Monitoring of Timing Deviations in Embedded Real-Time Systems

Authors Nicolas Bellec, Simon Rokicki, Isabelle Puaut

Thumbnail PDF


  • Filesize: 0.6 MB
  • 22 pages

Document Identifiers

Author Details

Nicolas Bellec
  • Univ Rennes, Inria, CNRS, IRISA, France
Simon Rokicki
  • Univ Rennes, Inria, CNRS, IRISA, France
Isabelle Puaut
  • Univ Rennes, Inria, CNRS, IRISA, France


We would like to thanks Steven Derrien for the discussions that lead to this research and Stefanos Skalistis for his insight. We also warmly thank AbsInt for providing the aiT WCET estimator and modifying it for meeting our needs for region selection.

Cite AsGet BibTex

Nicolas Bellec, Simon Rokicki, and Isabelle Puaut. Attack Detection Through Monitoring of Timing Deviations in Embedded Real-Time Systems. In 32nd Euromicro Conference on Real-Time Systems (ECRTS 2020). Leibniz International Proceedings in Informatics (LIPIcs), Volume 165, pp. 8:1-8:22, Schloss Dagstuhl – Leibniz-Zentrum für Informatik (2020)


Real-time embedded systems (RTES) are required to interact more and more with their environment, thereby increasing their attack surface. Recent security breaches on car brakes and other critical components have already proven the feasibility of attacks on RTES. Such attacks may change the control-flow of the programs, which may lead to violations of the system’s timing constraints. In this paper, we present a technique to detect attacks in RTES based on timing information. Our technique, designed for single-core processors, is based on a monitor implemented in hardware to preserve the predictability of instrumented programs. The monitor uses timing information (Worst-Case Execution Time - WCET) of code regions to detect attacks. The proposed technique guarantees that attacks that delay the run-time of any region beyond its WCET are detected. Since the number of regions in programs impacts the memory resources consumed by the hardware monitor, our method includes a region selection algorithm that limits the amount of memory consumed by the monitor. An implementation of the hardware monitor and its simulation demonstrates the practicality of our approach. In particular, an experimental study evaluates the attack detection latency.

Subject Classification

ACM Subject Classification
  • Computer systems organization → Embedded hardware
  • Security and privacy → Embedded systems security
  • Real-time systems
  • security
  • attack detection
  • control flow hijacking
  • WCET estimation
  • hardware monitoring


  • Access Statistics
  • Total Accesses (updated on a weekly basis)
    PDF Downloads


  1. F. A. T. Abad, J. V. D. Woude, Y. Lu, S. Bak, M. Caccamo, L. Sha, R. Mancuso, and S. Mohan. On-chip control flow integrity check for real time embedded systems. In 2013 IEEE 1st International Conference on Cyber-Physical Systems, Networks, and Applications (CPSNA), pages 26-31, August 2013. URL:
  2. AbsInt GmbH. ait worst-case execution time estimation tool. Last accessed: 2020/01/22. URL:
  3. Chien-Ying Chen, Sibin Mohan, Rodolfo Pellizzoni, Rakesh B. Bobba, and Negar Kiyavash. A Novel Side-Channel in Real-Time Schedulers. In 2019 IEEE Real-Time and Embedded Technology and Applications Symposium (RTAS), pages 90-102, April 2019. ISSN: 1545-3421. URL:
  4. Ronny Chevalier, Maugan Villatel, David Plaquin, and Guillaume Hiet. Co-processor-based behavior monitoring: Application to the detection of attacks against the system management mode. In Proceedings of the 33rd Annual Computer Security Applications Conference, Orlando, FL, USA, December 4-8, 2017, pages 399-411, 2017. URL:
  5. Cobham Gaisler. Compiler toolchain for the leon processor. Last accessed: 2020/01/22. URL:
  6. Christoph Cullmann and Florian Martin. Data-Flow Based Detection of Loop Bounds. In Christine Rochange, editor, 7th International Workshop on Worst-Case Execution Time Analysis (WCET'07), volume 6 of OpenAccess Series in Informatics (OASIcs), Dagstuhl, Germany, 2007. Schloss Dagstuhl-Leibniz-Zentrum fuer Informatik. URL:
  7. N. Falliere, L. O. Murchu, and E. Chien. W32. stuxnet dossier. White paper, Symantec Corp., Security Response, 5:6, 2011. Google Scholar
  8. Joachim Fellmuth, Thomas Göthel, and Sabine Glesner. Instruction caches in static WCET analysis of artificially diversified software. In 30th Euromicro Conference on Real-Time Systems, ECRTS 2018, July 3-6, 2018, Barcelona, Spain, pages 21:1-21:23, 2018. URL:
  9. Jan Gustafsson, Adam Betts, Andreas Ermedahl, and Björn Lisper. The mälardalen wcet benchmarks - past, present and future. In Proceedings of the 10th International Workshop on Worst-Case Execution Time Analysis, July 2010. URL:
  10. Richard Johnson, David Pearson, and Keshav Pingali. The program structure tree: Computing control regions in linear time. SIGPLAN Not., 29(6):171-185, June 1994. URL:
  11. Kristin Krüger, Marcus Völp, and Gerhard Fohler. Vulnerability analysis and mitigation of directed timing inference based attacks on time-triggered systems. In 30th Euromicro Conference on Real-Time Systems, ECRTS 2018, July 3-6, 2018, Barcelona, Spain, pages 22:1-22:17, 2018. URL:
  12. Tingting Lu and Junfeng Wang. Data-flow bending: On the effectiveness of data-flow integrity. Computers & Security, 84:365-375, July 2019. URL:
  13. A. Mahmood and E.J. McCluskey. Concurrent error detection using watchdog processors - a survey. IEEE Transactions on Computers, 37(2):160-174, February 1988. URL:
  14. Charlie Miller and Chris Valasek. Remote exploitation of an unaltered passenger vehicle. Black Hat USA, 2015. Google Scholar
  15. Sen Nie, Ling Liu, and Yuefeng Du. Free-fall: hacking tesla from wireless to can bus. Briefing, Black Hat USA, pages 1-16, 2017. Google Scholar
  16. C. Pilato, K. Wu, S. Garg, R. Karri, and F. Regazzoni. Tainthls: High-level synthesis for dynamic information flow tracking. IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems, pages 1-1, 2018. URL:
  17. Louis-Noël Pouchet and Tomofumi Yuki. PolyBench/C. URL:
  18. Hovav Shacham, Matthew Page, Ben Pfaff, Eu-Jin Goh, Nagendra Modadugu, and Dan Boneh. On the effectiveness of address-space randomization. In Proceedings of the 11th ACM Conference on Computer and Communications Security, CCS '04, pages 298-307, New York, NY, USA, 2004. ACM. URL:
  19. Peter Silberman and Richard Johnson. A comparison of buffer overflow prevention implementations and weaknesses. IDEFENSE, August, 2004. Google Scholar
  20. C. Song, H. Moon, M. Alam, I. Yun, B. Lee, T. Kim, W. Lee, and Y. Paek. Hdfi: Hardware-assisted data-flow isolation. In 2016 IEEE Symposium on Security and Privacy (SP), pages 1-17, May 2016. URL:
  21. Laszlo Szekeres, Mathias Payer, Tao Wei, and Dawn Song. Sok: Eternal war in memory. In 2013 IEEE Symposium on Security and Privacy, SP 2013, Berkeley, CA, USA, May 19-22, 2013, pages 48-62, 2013. URL:
  22. N. Timmers, A. Spruyt, and M. Witteman. Controlling PC on ARM using fault injection. In 2016 Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC), pages 25-35, August 2016. URL:
  23. Robert J. Walls, Nicholas F. Brown, Thomas Le Baron, Craig A. Shue, Hamed Okhravi, and Bryan C. Ward. Control-flow integrity for real-time embedded systems. In 31st Euromicro Conference on Real-Time Systems, ECRTS 2019, July 9-12, 2019, Stuttgart, Germany., pages 2:1-2:24, 2019. URL:
  24. Reinhard Wilhelm, Jakob Engblom, Andreas Ermedahl, Niklas Holsti, Stephan Thesing, David B. Whalley, Guillem Bernat, Christian Ferdinand, Reinhold Heckmann, Tulika Mitra, Frank Mueller, Isabelle Puaut, Peter P. Puschner, Jan Staschulat, and Per Stenström. The worst-case execution-time problem - overview of methods and survey of tools. ACM Trans. Embedded Comput. Syst., 7(3):36:1-36:53, 2008. URL:
  25. Julian Wolf, Bernhard Fechner, Sascha Uhrig, and Theo Ungerer. Fine-grained timing and control flow error checking for hard real-time task execution. In 7th IEEE International Symposium on Industrial Embedded Systems (SIES'12), pages 257-266, June 2012. ISSN: 2150-3117. URL:
  26. Man-Ki Yoon, Sibin Mohan, Jaesik Choi, Mihai Christodorescu, and Lui Sha. Learning execution contexts from system call distribution for anomaly detection in smart embedded system. In Proceedings of the Second International Conference on Internet-of-Things Design and Implementation, IoTDI 2017, Pittsburgh, PA, USA, April 18-21, 2017, pages 191-196, 2017. URL:
  27. Christopher Zimmer, Balasubramanya Bhat, Frank Mueller, and Sibin Mohan. Time-based intrusion detection in cyber-physical systems. In ACM/IEEE 1st International Conference on Cyber-Physical Systems, ICCPS '10, Stockholm, Sweden, April 12-15, 2010, pages 109-118, 2010. URL: