System Calls Instrumentation for Intrusion Detection in Embedded Mixed-Criticality Systems

Authors Marine Kadar, Sergey Tverdyshev, Gerhard Fohler

Thumbnail PDF


  • Filesize: 436 kB
  • 13 pages

Document Identifiers

Author Details

Marine Kadar
  • SYSGO GmbH, Klein-Winternheim, Germany
Sergey Tverdyshev
  • SYSGO GmbH, Klein-Winternheim, Germany
Gerhard Fohler
  • Technische Universität Kaiserslautern, Germany


The authors would like to thank the anonymous reviewers of the paper at CERTS and internal reviewers at SYSGO for their valuable feedback.

Cite AsGet BibTex

Marine Kadar, Sergey Tverdyshev, and Gerhard Fohler. System Calls Instrumentation for Intrusion Detection in Embedded Mixed-Criticality Systems. In 4th International Workshop on Security and Dependability of Critical Embedded Real-Time Systems (CERTS 2019). Open Access Series in Informatics (OASIcs), Volume 73, pp. 2:1-2:13, Schloss Dagstuhl – Leibniz-Zentrum für Informatik (2019)


System call relative information such as occurrences, type, parameters, and return values are well established metrics to reveal intrusions in a system software. Many Host Intrusion Detection Systems (HIDS) from research and industry analyze these data for continuous system monitoring at runtime. Despite a significant false alarm rate, this type of defense offers high detection precision for both known and zero-day attacks. Recent research focuses on HIDS deployment for desktop computers. Yet, the integration of such run-time monitoring solution in mixed-criticality embedded systems has not been discussed. Because of the cohabitation of potentially vulnerable non-critical software with critical software, securing mixed-criticality systems is a non trivial but essential issue. Thus, we propose a methodology to evaluate the impact of deploying system call instrumentation in such context. We analyze the impact in a concrete use-case with PikeOS real-time hypervisor.

Subject Classification

ACM Subject Classification
  • Security and privacy → Embedded systems security
  • Security and privacy → Intrusion detection systems
  • Instrumentation
  • Mixed-criticality
  • Real-Time
  • System Calls
  • Host Intrusion Detection Systems


  • Access Statistics
  • Total Accesses (updated on a weekly basis)
    PDF Downloads


  1. Muhamed Fauzi Bin Abbas, Sai Praveen Kadiyala, Alok Prakash, Thambipillai Srikanthan, and Yan Lin Aung. Hardware Performance Counters Based Runtime Anomaly Detection Using SVM. In TRON Symposium (TRONSHOW), 2017. Google Scholar
  2. Jim Alves-Foss, W. Scott Harrison, Paul Oman, and Carol Taylor. The MILS Architecture for High-Assurance Embedded Systems. In International Journal of Embedded Systems, 2005. Google Scholar
  3. ARM. CoreSight Technical Introduction, 2013. White Paper: ARM-EPM-039795. Google Scholar
  4. Gideon Creech and Jiankun Hu. Generation of a New IDS Test Dataset: Time to Retire the KDD Collection. In IEEE Wireless Communications and Networking Conference, 2013. Google Scholar
  5. M. T. Elgraini, N. Assem, and T. Rachidi. Host intrusion detection for long stealthy system call sequences. In Colloquium in Information Science and Technology, 2012. Google Scholar
  6. David Fiser and William Gamazo Sanchez. Detecting Attacks that Exploit Meltdown and Spectre with Performance Counters., 2018. [Jun. 05, 2019].
  7. SYSGO GmbH. ElinOS Embedded Linux Webpage. [Jun. 05, 2019].
  8. SYSGO GmbH. PikeOS Hypervisor Webpage. [Jun. 05, 2019].
  9. W. Haider, J. Hu, , and M. Xie. Towards reliable data feature retrieval and decision engine in host-based anomaly detection systems. In IEEE 10th Conference on Industrial Electronics and Applications (ICIEA), 2015. Google Scholar
  10. Mohamed Hassan. Heterogeneous MPSoCs for Mixed CriticalitySystems: Challenges and Opportunities. In IEEE Design and Test Magazine, 2017. Google Scholar
  11. Jiankun Hu. AFDA-LD dataset Webpage., 2013. [Jun. 05, 2019].
  12. Paul Kocher, Jann Horn, Anders Fogh, Daniel Genkin, Daniel Gruss, Werner Haas, Mike Hamburg, Moritz Lipp, Stefan Mangard, Thomas Prescher, Michael Schwarz, and Yuval Yarom. Spectre Attacks: Exploiting Speculative Execution. In 40th IEEE Symposium on Security and Privacy (S&P'19), 2019. Google Scholar
  13. Koucham, T. Rachidi, and N. Assem. Host intrusion detection using system call argument-based clustering combined with Bayesian classification. In SAI Intelligent Systems Conference (IntelliSys), 2015. Google Scholar
  14. M. Laureano, C. Maziero, and E. Jamhour. Intrusion detection in virtual machine environments. In 30th Euromicro Conference, 2004. Google Scholar
  15. Moritz Lipp, Michael Schwarz, Daniel Gruss, Thomas Prescher, Werner Haas, A. Fogh, Jann Horn, Stefan Mangard, Paul Kocher, Daniel Genkin, Yuval Yarom, and Mike Hamburg. Meltdown: Reading Kernel Memory from User Space. In 27th USENIX Security Symposium (USENIX Security 18), 2018. Google Scholar
  16. F. Maggi, M. Matteucci, and S. Zanero. Detecting Intrusions through System Call Sequence and Argument Analysis. In IEEE Transactions on Dependable and Secure Computing, 2010. Google Scholar
  17. Lee Pike, Pat Hickey, Trevor Elliott, Eric Mertens, and Aaron Tomb. TrackOS: A Security-Aware Real-Time Operating System. In International Conference on Runtime Verification, 2017. Google Scholar
  18. The LLVM Foundation. The LLVM compiler infrastructure. [Jun. 05, 2019].
  19. University of California. KDD Cup 1999 Data Webpage., 1999.
  20. C. Warrender, S. Forrest, and B. Pearlmutter. Detecting intrusions using system calls: alternative data models. In IEEE Symposium on Security and Privacy, 1999. Google Scholar
Questions / Remarks / Feedback

Feedback for Dagstuhl Publishing

Thanks for your feedback!

Feedback submitted

Could not send message

Please try again later or send an E-mail