System-call-related information such as occurrences, type, parameters, and return values provides well-established metrics for revealing intrusions in system software. Many Host Intrusion Detection Systems (HIDS) from research and industry analyze these data for continuous system monitoring at runtime. Despite a significant false alarm rate, this type of defense offers high detection precision for both known and zero-day attacks. Recent research focuses on HIDS deployment for desktop computers. Yet, the integration of such run-time monitoring solutions in mixed-criticality embedded systems has not been discussed. Because of the cohabitation of potentially vulnerable non-critical software with critical software, securing mixed-criticality systems is a non-trivial but essential issue. Thus, we propose a methodology to evaluate the impact of deploying system call instrumentation in such a context. We analyze the impact in a concrete use case with the PikeOS real-time hypervisor.
@InProceedings{kadar_et_al:OASIcs.CERTS.2019.2,
  author =	{Kadar, Marine and Tverdyshev, Sergey and Fohler, Gerhard},
  title =	{{System Calls Instrumentation for Intrusion Detection in Embedded Mixed-Criticality Systems}},
  booktitle =	{4th International Workshop on Security and Dependability of Critical Embedded Real-Time Systems (CERTS 2019)},
  pages =	{2:1--2:13},
  series =	{Open Access Series in Informatics (OASIcs)},
  ISBN =	{978-3-95977-119-1},
  ISSN =	{2190-6807},
  year =	{2019},
  volume =	{73},
  editor =	{Asplund, Mikael and Paulitsch, Michael},
  publisher =	{Schloss Dagstuhl -- Leibniz-Zentrum f{\"u}r Informatik},
  address =	{Dagstuhl, Germany},
  URL =		{https://drops.dagstuhl.de/entities/document/10.4230/OASIcs.CERTS.2019.2},
  URN =		{urn:nbn:de:0030-drops-108933},
  doi =		{10.4230/OASIcs.CERTS.2019.2},
  annote =	{Keywords: Instrumentation, Mixed-criticality, Real-Time, System Calls, Host Intrusion Detection Systems}
}