Much effort has been put into improving the predictability of real-time systems, especially in safety-critical environments, which provides designers with a rich set of methods and tools to attest safety in situations with no or a limited number of accidental faults. However, with increasing connectivity of real-time systems and a wide availability of increasingly sophisticated exploits, security and, in particular, the consequences of predictability on security become concerns of equal importance. Time-triggered scheduling with offline constructed tables provides determinism and simplifies timing inference, however, at the same time, time-triggered scheduling creates vulnerabilities by allowing attackers to target their attacks to specific, deterministically scheduled and possibly safety-critical tasks. In this paper, we analyze the severity of these vulnerabilities by assuming successful compromise of a subset of the tasks running in a real-time system and by investigating the attack potential that attackers gain from them. Moreover, we discuss two ways to mitigate direct attacks: slot-level online randomization of schedules, and offline schedule-diversification. We evaluate these mitigation strategies with a real-world case study to show their practicability for mitigating not only accidentally malicious behavior, but also malicious behavior triggered by attackers on purpose.
@InProceedings{kruger_et_al:LIPIcs.ECRTS.2018.22, author = {Kr\"{u}ger, Kristin and V\"{o}lp, Marcus and Fohler, Gerhard}, title = {{Vulnerability Analysis and Mitigation of Directed Timing Inference Based Attacks on Time-Triggered Systems}}, booktitle = {30th Euromicro Conference on Real-Time Systems (ECRTS 2018)}, pages = {22:1--22:17}, series = {Leibniz International Proceedings in Informatics (LIPIcs)}, ISBN = {978-3-95977-075-0}, ISSN = {1868-8969}, year = {2018}, volume = {106}, editor = {Altmeyer, Sebastian}, publisher = {Schloss Dagstuhl -- Leibniz-Zentrum f{\"u}r Informatik}, address = {Dagstuhl, Germany}, URL = {https://drops.dagstuhl.de/entities/document/10.4230/LIPIcs.ECRTS.2018.22}, URN = {urn:nbn:de:0030-drops-89811}, doi = {10.4230/LIPIcs.ECRTS.2018.22}, annote = {Keywords: real-time systems, time-triggered systems, security, vulnerability} }
Feedback for Dagstuhl Publishing