RT-DFI: Optimizing Data-Flow Integrity for Real-Time Systems

Authors Nicolas Bellec , Guillaume Hiet , Simon Rokicki , Frederic Tronel , Isabelle Puaut

Thumbnail PDF


  • Filesize: 0.93 MB
  • 24 pages

Document Identifiers

Author Details

Nicolas Bellec
  • Univ Rennes, Inria, CNRS, IRISA, France
Guillaume Hiet
  • CentraleSupélec, Inria, Univ Rennes, CNRS, IRISA, France
Simon Rokicki
  • Univ Rennes, Inria, CNRS, IRISA, France
Frederic Tronel
  • CentraleSupélec, Inria, Univ Rennes, CNRS, IRISA, France
Isabelle Puaut
  • Univ Rennes, Inria, CNRS, IRISA, France


We want to warmly thank AbsInt for providing the aiT WCET estimator.

Cite AsGet BibTex

Nicolas Bellec, Guillaume Hiet, Simon Rokicki, Frederic Tronel, and Isabelle Puaut. RT-DFI: Optimizing Data-Flow Integrity for Real-Time Systems. In 34th Euromicro Conference on Real-Time Systems (ECRTS 2022). Leibniz International Proceedings in Informatics (LIPIcs), Volume 231, pp. 18:1-18:24, Schloss Dagstuhl – Leibniz-Zentrum für Informatik (2022)


The emergence of Real-Time Systems with increased connections to their environment has led to a greater demand in security for these systems. Memory corruption attacks, which modify the memory to trigger unexpected executions, are a significant threat against applications written in low-level languages. Data-Flow Integrity (DFI) is a protection that verifies that only a trusted source has written any loaded data. The overhead of such a security mechanism remains a major issue that limits its adoption. This article presents RT-DFI, a new approach that optimizes Data-Flow Integrity to reduce its overhead on the Worst-Case Execution Time. We model the number and order of the checks and use an Integer Linear Programming solver to optimize the protection on the Worst-Case Execution Path. Our approach protects the program against many memory-corruption attacks, including Return-Oriented Programming and Data-Only attacks. Moreover, our experimental results show that our optimization reduces the overhead by 7% on average compared to a state-of-the-art implementation.

Subject Classification

ACM Subject Classification
  • Software and its engineering → Real-time systems software
  • Security and privacy → Software and application security
  • Real-time system
  • Software security
  • Data-flow integrity
  • Worst-case execution time


  • Access Statistics
  • Total Accesses (updated on a weekly basis)
    PDF Downloads


  1. Fardin Abdi Taghi Abad, Joel van der Woude, Yi Lu, Stanley Bak, Marco Caccamo, Lui Sha, Renato Mancuso, and Sibin Mohan. On-chip control flow integrity check for real time embedded systems. In 1st IEEE International Conference on Cyber-Physical Systems, Networks, and Applications, CPSNA 2013, Taipei, Taiwan, August 19-20, 2013, pages 26-31. IEEE Computer Society, 2013. URL: https://doi.org/10.1109/CPSNA.2013.6614242.
  2. Martín Abadi, Mihai Budiu, Úlfar Erlingsson, and Jay Ligatti. Control-flow Integrity. In Proceedings of the 12th ACM Conference on Computer and Communications Security, CCS '05, pages 340-353, New York, NY, USA, 2005. ACM. event-place: Alexandria, VA, USA. URL: https://doi.org/10.1145/1102120.1102165.
  3. anonymous. Morris worm, November 2021. Page Version ID: 1053313243. URL: https://en.wikipedia.org/w/index.php?title=Morris_worm&oldid=1053313243.
  4. Nicolas Bellec, Simon Rokicki, and Isabelle Puaut. Attack detection through monitoring of timing deviations in embedded real-time systems. In Marcus Völp, editor, 32nd Euromicro Conference on Real-Time Systems, ECRTS 2020, July 7-10, 2020, Virtual Conference, volume 165 of LIPIcs, pages 8:1-8:22. Schloss Dagstuhl - Leibniz-Zentrum für Informatik, 2020. URL: https://doi.org/10.4230/LIPIcs.ECRTS.2020.8.
  5. Christian Bliek1ú, Pierre Bonami, and Andrea Lodi. Solving mixed-integer quadratic programming problems with ibm-cplex: a progress report. In Proceedings of the twenty-sixth RAMP symposium, pages 16-17, 2014. Google Scholar
  6. Cyril Bresch, David Hély, Stéphanie Chollet, and Ioannis Parissis. TrustFlow: A Trusted Memory Support for Data Flow Integrity. In 2019 IEEE Computer Society Annual Symposium on VLSI (ISVLSI), pages 308-313, July 2019. ISSN: 2159-3469. URL: https://doi.org/10.1109/ISVLSI.2019.00063.
  7. Nathan Burow, Ryan Burrow, Roger Khazan, Howard E. Shrobe, and Bryan C. Ward. Moving target defense considerations in real-time safety- and mission-critical systems. In Hamed Okhravi and Cliff Wang, editors, Proceedings of the 7th ACM Workshop on Moving Target Defense, MTD@CCS 2020, Virtual Event, USA, November 9, 2020, pages 81-89. ACM, 2020. URL: https://doi.org/10.1145/3411496.3421224.
  8. Nicholas Carlini, Antonio Barresi, Mathias Payer, David A. Wagner, and Thomas R. Gross. Control-flow bending: On the effectiveness of control-flow integrity. In Jaeyeon Jung and Thorsten Holz, editors, 24th USENIX Security Symposium, USENIX Security 15, Washington, D.C., USA, August 12-14, 2015, pages 161-176. USENIX Association, 2015. URL: https://www.usenix.org/conference/usenixsecurity15/technical-sessions/presentation/carlini.
  9. Nicholas Carlini and David Wagner. Rop is still dangerous: Breaking modern defenses. In 23rd USENIX Security Symposium (USENIX Security 14), pages 385-399, 2014. Google Scholar
  10. Miguel Castro, Manuel Costa, and Tim Harris. Securing Software by Enforcing Data-flow Integrity. In Proceedings of the 7th Symposium on Operating Systems Design and Implementation, OSDI '06, pages 147-160, Berkeley, CA, USA, 2006. USENIX Association. event-place: Seattle, Washington. URL: http://dl.acm.org/citation.cfm?id=1298455.1298470.
  11. Chien-Ying Chen, Sibin Mohan, Rodolfo Pellizzoni, Rakesh B. Bobba, and Negar Kiyavash. A novel side-channel in real-time schedulers. In Björn B. Brandenburg, editor, 25th IEEE Real-Time and Embedded Technology and Applications Symposium, RTAS 2019, Montreal, QC, Canada, April 16-18, 2019, pages 90-102. IEEE, 2019. URL: https://doi.org/10.1109/RTAS.2019.00016.
  12. Jiyang Chen, Tomasz Kloda, Ayoosh Bansal, Rohan Tabish, Chien-Ying Chen, Bo Liu, Sibin Mohan, Marco Caccamo, and Lui Sha. Schedguard: Protecting against schedule leaks using linux containers. In 27th IEEE Real-Time and Embedded Technology and Applications Symposium, RTAS 2021, Nashville, TN, USA, May 18-21, 2021, pages 14-26. IEEE, 2021. URL: https://doi.org/10.1109/RTAS52030.2021.00010.
  13. Shuo Chen, Jun Xu, Emre Can Sezer, Prachi Gauriar, and Ravishankar K Iyer. Non-control-data attacks are realistic threats. In USENIX Security Symposium, volume 5, 2005. Google Scholar
  14. George Dantzig, Ray Fulkerson, and Selmer Johnson. Solution of a large-scale traveling-salesman problem. Journal of the operations research society of America, 2(4):393-410, 1954. Google Scholar
  15. Irene Díez-Franco and Igor Santos. Data Is Flowing in the Wind: A Review of Data-Flow Integrity Methods to Overcome Non-Control-Data Attacks. In Manuel Graña, José Manuel López-Guede, Oier Etxaniz, Álvaro Herrero, Héctor Quintián, and Emilio Corchado, editors, International Joint Conference SOCO’16-CISIS’16-ICEUTE’16, Advances in Intelligent Systems and Computing, pages 536-544, Cham, 2017. Springer International Publishing. URL: https://doi.org/10.1007/978-3-319-47364-2_52.
  16. Isaac Evans, Fan Long, Ulziibayar Otgonbaatar, Howard Shrobe, Martin Rinard, Hamed Okhravi, and Stelios Sidiroglou-Douskos. Control Jujutsu: On the Weaknesses of Fine-Grained Control Flow Integrity. In Proceedings of the 22Nd ACM SIGSAC Conference on Computer and Communications Security, CCS '15, pages 901-913, New York, NY, USA, 2015. ACM. event-place: Denver, Colorado, USA. URL: https://doi.org/10.1145/2810103.2813646.
  17. Heiko Falk, Sebastian Altmeyer, Peter Hellinckx, Björn Lisper, Wolfgang Puffitsch, Christine Rochange, Martin Schoeberl, Rasmus Bo Sørensen, Peter Wägemann, and Simon Wegener. TACLeBench: A benchmark collection to support worst-case execution time research. In Martin Schoeberl, editor, 16th International Workshop on Worst-Case Execution Time Analysis (WCET 2016), volume 55 of OpenAccess Series in Informatics (OASIcs), pages 2:1-2:10, Dagstuhl, Germany, 2016. Schloss Dagstuhl-Leibniz-Zentrum für Informatik. Google Scholar
  18. N. Falliere, L. O. Murchu, and E. Chien. W32. stuxnet dossier. Whitepaper, Symantec Corp., Security Response, 5:6, 2011. Google Scholar
  19. Joachim Fellmuth, Paula Herber, Tobias F. Pfeffer, and Sabine Glesner. Securing real-time cyber-physical systems using wcet-aware artificial diversity. In 15th IEEE Intl Conf on Dependable, Autonomic and Secure Computing, 15th Intl Conf on Pervasive Intelligence and Computing, 3rd Intl Conf on Big Data Intelligence and Computing and Cyber Science and Technology Congress, DASC/PiCom/DataCom/CyberSciTech 2017, Orlando, FL, USA, November 6-10, 2017, pages 454-461. IEEE Computer Society, 2017. URL: https://doi.org/10.1109/DASC-PICom-DataCom-CyberSciTec.2017.88.
  20. Lang Feng, Jiayi Huang, Jeff Huang, and Jiang Hu. Toward Taming the Overhead Monster for Data-Flow Integrity. arXiv:2102.10031 [cs], February 2021. arXiv: 2102.10031. URL: http://arxiv.org/abs/2102.10031.
  21. Christian Ferdinand and Reinhold Heckmann. ait: Worst-case execution time prediction by static program analysis. In Building the Information Society, pages 377-383. Springer, 2004. Google Scholar
  22. Igor Griva, Stephen G Nash, and Ariela Sofer. Linear and nonlinear optimization, volume 108. Siam, 2009. Google Scholar
  23. Monowar Hasan, Sibin Mohan, Rodolfo Pellizzoni, and Rakesh B. Bobba. A design-space exploration for allocating security tasks in multicore real-time systems. CoRR, abs/1711.04808, 2017. URL: http://arxiv.org/abs/1711.04808.
  24. Marine Kadar, Gerhard Fohler, Don Kuzhiyelil, and Philipp Gorski. Safety-aware integration of hardware-assisted program tracing in mixed-criticality systems for security monitoring. In 27th IEEE Real-Time and Embedded Technology and Applications Symposium, RTAS 2021, Nashville, TN, USA, May 18-21, 2021, pages 292-305. IEEE, 2021. URL: https://doi.org/10.1109/RTAS52030.2021.00031.
  25. Kristin Krüger, Gerhard Fohler, Marcus Völp, and Paulo Jorge Esteves Veríssimo. Improving security for time-triggered real-time systems with task replication. In 24th IEEE International Conference on Embedded and Real-Time Computing Systems and Applications, RTCSA 2018, Hakodate, Japan, August 28-31, 2018, pages 232-233. IEEE Computer Society, 2018. URL: https://doi.org/10.1109/RTCSA.2018.00036.
  26. Kristin Krüger, Marcus Völp, and Gerhard Fohler. Vulnerability analysis and mitigation of directed timing inference based attacks on time-triggered systems. In Sebastian Altmeyer, editor, 30th Euromicro Conference on Real-Time Systems, ECRTS 2018, July 3-6, 2018, Barcelona, Spain, volume 106 of LIPIcs, pages 22:1-22:17. Schloss Dagstuhl - Leibniz-Zentrum für Informatik, 2018. URL: https://doi.org/10.4230/LIPIcs.ECRTS.2018.22.
  27. Jaeheon Kwak and Jinkyu Lee. Covert timing channel design for uniprocessor real-time systems. In Jong Hyuk Park, Hong Shen, Yunsick Sung, and Hui Tian, editors, Parallel and Distributed Computing, Applications and Technologies, 19th International Conference, PDCAT 2018, Jeju Island, South Korea, August 20-22, 2018, Revised Selected Papers, volume 931 of Communications in Computer and Information Science, pages 159-168. Springer, 2018. URL: https://doi.org/10.1007/978-981-13-5907-1_17.
  28. Chris Lattner and Vikram Adve. Llvm: A compilation framework for lifelong program analysis & transformation. In International Symposium on Code Generation and Optimization, 2004. CGO 2004., pages 75-86. IEEE, 2004. Google Scholar
  29. Tong Liu, Gang Shi, Liwei Chen, Fei Zhang, Yaxuan Yang, and Jihu Zhang. TMDFI: Tagged Memory Assisted for Fine-Grained Data-Flow Integrity Towards Embedded Systems Against Software Exploitation. In 2018 17th IEEE International Conference On Trust, Security And Privacy In Computing And Communications/ 12th IEEE International Conference On Big Data Science And Engineering (TrustCom/BigDataSE), pages 545-550, August 2018. ISSN: 2324-9013. URL: https://doi.org/10.1109/TrustCom/BigDataSE.2018.00083.
  30. Tingting Lu and Junfeng Wang. Data-flow bending: On the effectiveness of data-flow integrity. Computers & Security, 84:365-375, July 2019. URL: https://doi.org/10.1016/j.cose.2019.04.002.
  31. Charlie Miller and Chris Valasek. Remote exploitation of an unaltered passenger vehicle. Black Hat USA, 2015. Google Scholar
  32. Tanmaya Mishra, Thidapat Chantem, and Ryan M. Gerdes. Survey of control-flow integrity techniques for embedded and real-time embedded systems. CoRR, abs/2111.11390, 2021. URL: http://arxiv.org/abs/2111.11390.
  33. Mitra Nasri, Thidapat Chantem, Gedare Bloom, and Ryan M. Gerdes. On the pitfalls and vulnerabilities of schedule randomization against schedule-based attacks. In Björn B. Brandenburg, editor, 25th IEEE Real-Time and Embedded Technology and Applications Symposium, RTAS 2019, Montreal, QC, Canada, April 16-18, 2019, pages 103-116. IEEE, 2019. URL: https://doi.org/10.1109/RTAS.2019.00017.
  34. Philipp Dominik Schubert, Ben Hermann, and Eric Bodden. Phasar: An inter-procedural static analysis framework for C/C++. In TACAS (2), pages 393-410, 2019. Google Scholar
  35. Hovav Shacham, Matthew Page, Ben Pfaff, Eu-Jin Goh, Nagendra Modadugu, and Dan Boneh. On the effectiveness of address-space randomization. In Proceedings of the 11th ACM conference on Computer and communications security, CCS '04, pages 298-307, New York, NY, USA, October 2004. Association for Computing Machinery. URL: https://doi.org/10.1145/1030083.1030124.
  36. Chengyu Song, Hyungon Moon, Monjur Alam, Insu Yun, Byoungyoung Lee, Taesoo Kim, Wenke Lee, and Yunheung Paek. HDFI: Hardware-Assisted Data-Flow Isolation. In 2016 IEEE Symposium on Security and Privacy (SP), pages 1-17, May 2016. ISSN: 2375-1207. URL: https://doi.org/10.1109/SP.2016.9.
  37. Victor van der Veen, Dennis Andriesse, Manolis Stamatogiannakis, Xi Chen, Herbert Bos, and Cristiano Giuffrdia. The Dynamics of Innocent Flesh on the Bone: Code Reuse Ten Years Later. In Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, CCS '17, pages 1675-1689, New York, NY, USA, 2017. ACM. event-place: Dallas, Texas, USA. URL: https://doi.org/10.1145/3133956.3134026.
  38. Marcus Völp, Claude-Joachim Hamann, and Hermann Härtig. Avoiding timing channels in fixed-priority schedulers. In Masayuki Abe and Virgil D. Gligor, editors, Proceedings of the 2008 ACM Symposium on Information, Computer and Communications Security, ASIACCS 2008, Tokyo, Japan, March 18-20, 2008, pages 44-55. ACM, 2008. URL: https://doi.org/10.1145/1368310.1368320.
  39. Nils Vreman, Richard Pates, Kristin Krüger, Gerhard Fohler, and Martina Maggio. Minimizing side-channel attack vulnerability via schedule randomization. In 58th IEEE Conference on Decision and Control, CDC 2019, Nice, France, December 11-13, 2019, pages 2928-2933. IEEE, 2019. URL: https://doi.org/10.1109/CDC40024.2019.9030144.
  40. Robert J. Walls, Nicholas F. Brown, Thomas Le Baron, Craig A. Shue, Hamed Okhravi, and Bryan C. Ward. Control-Flow Integrity for Real-Time Embedded Systems. In Sophie Quinton, editor, 31st Euromicro Conference on Real-Time Systems (ECRTS 2019), volume 133 of Leibniz International Proceedings in Informatics (LIPIcs), pages 2:1-2:24, Dagstuhl, Germany, 2019. Schloss Dagstuhl–Leibniz-Zentrum fuer Informatik. URL: https://doi.org/10.4230/LIPIcs.ECRTS.2019.2.
  41. Julian Wolf, Bernhard Fechner, Sascha Uhrig, and Theo Ungerer. Fine-grained timing and control flow error checking for hard real-time task execution. In 7th IEEE International Symposium on Industrial Embedded Systems, SIES 2012, Karlsruhe, Germany, June 20-22, 2012, pages 257-266. IEEE, 2012. URL: https://doi.org/10.1109/SIES.2012.6356592.
  42. Man-Ki Yoon, Sibin Mohan, Chien-Ying Chen, and Lui Sha. Taskshuffler: A schedule randomization protocol for obfuscation against timing inference attacks in real-time systems. In 2016 IEEE Real-Time and Embedded Technology and Applications Symposium (RTAS), Vienna, Austria, April 11-14, 2016, pages 111-122. IEEE Computer Society, 2016. URL: https://doi.org/10.1109/RTAS.2016.7461362.
Questions / Remarks / Feedback

Feedback for Dagstuhl Publishing

Thanks for your feedback!

Feedback submitted

Could not send message

Please try again later or send an E-mail