SLIDE 1

Kicking & Screaming (PowerPoint presentation)
Sibin Mohan, Dagstuhl 2016
Dept. of Computer Science, Information Trust Institute
sibin@illinois.edu, @sibinmohan

SLIDE 2

SLIDE 3

  • Physically isolated
  • Specialized protocols & hardware
  • Not connected to the internet
  • Limited capabilities
  • Finite (often severely constrained) resources

  • Attacks on Industrial Control Systems [Stuxnet!]
  • Hijacking of automotive systems
  • Vulnerabilities in implantable (and other) medical devices
  • Vulnerable avionics systems
  • Power grids & other utilities
  • ...

November 1, 2016 Sibin Mohan | Bringing Real-Time Systems into a Secure World

SLIDE 4

Limited Resources

  • Computational power, energy, cost

Timing Requirement

  • Safety, reliability, deadlines

System Upgrade

  • Verifiability

Note: similar constraints for attack as well as defense mechanisms

SLIDE 5
  • How to attack real-time systems… and stay undetected
  • How to defend against such attacks… and still meet real-time constraints

SLIDE 6

SLIDE 7
  • Able to intrude into the system undetected
  • Motivation: steal information about system operation/modes
  • Vendor-based system design

[Figure: vendor-based UAV (HIL) task set with tasks from two vendors: Network Manager, Mission Planner, Integrator to Base Station, Sensor Task, Control Laws, Actuator Task, Encoder (JPEG/MPEG), I/O from Camera, Encryption]

SLIDE 8
  • Constraints on the attacker
  • Attacker cannot use up too many resources
  • Will lead to other tasks missing deadlines → early detection

SLIDE 9
  • Attacker can only execute during slack/idle times
  • But then, attacker can only see the busy periods between idle slots
  • Useful to reconstruct the exact schedule from the busy periods
  • Periodic nature of [many] real-time systems
  • Fixed-priority scheduling algorithms

[Figure: the actual schedule with multiple tasks vs. what an intruder can see: busy periods separated by idle slots]

SLIDE 10

SCHEDULEAK

  • Attacker has access to some task parameters (e.g. periods, execution times)
  • Does not know when the system started execution
  • Intuition:
  • Results can be ambiguous, due to jitter, offsets, task parameters, etc.

[Figure: timeline of two tasks i and j with period(i) and period(j)]

Detailed analysis, algorithms, etc. in the paper

SLIDE 11
  • Reconstruct the complete schedule from busy periods
  • Question: how do we measure success?
  • Failure: unable to precisely estimate execution start time for each task
  • What if we are able to narrow it down to a “window”?

[Figure: two timelines with idle slots, captioned “Failure?”]

SLIDE 12
  • For each task in the task set, estimate the deviation from the “expected” result
  • Precision ratio: geometric mean of all such deviations

SLIDE 13

Implemented the attack (and analysis) on

  • Hardware platform → Xilinx Zedboard Zynq-7000
  • Simulation engine

Application scenario: vendor-based UAV model, FreeRTOS operating system

[Figure: vendor-based UAV (HIL) task set, same diagram as on slide 7]

SLIDE 14

[Figures: simulation engine; hardware platform]

Note: analysis can be done offline if needed

SLIDE 15

[Plots of precision ratio vs. CPU utilization]

Note: precision ratio is very high even in the presence of offsets! Mean precision ratio: 1; mean precision ratio: 0.9982 – 0.999

SLIDE 16

Assuming a distribution of execution times

Worst-case mean precision ratio: 0.90901

SLIDE 17
  • Ability to reconstruct schedules for real-time systems
  • Very precise
  • Can be used to launch other attacks…

SLIDE 18

SLIDE 19

Challenge: how do we protect against such attacks

  • And still maintain the safety of real-time systems?

Intuition: transform security requirements to real-time constraints. Three ways to achieve this:

1. Obfuscation of the schedule to prevent attacks such as ScheduLeak
2. Shared state cleanup to prevent attempts like coarse-grained cache timing attacks
3. Use predictable behavior to detect intrusions

SLIDE 20
  • Real-time systems are predictable-by-design
  • If attackers are able to reconstruct part* of the behavior
  • They can precisely predict future behavior

* For one hyperperiod

SLIDE 21

Solution: obfuscate the schedule

  • At each scheduling event → pick a random task to run
  • Not the highest priority task
  • Attackers can no longer predict behavior
  • Every hyperperiod is different!

Problems!!!

  • Tasks can miss their deadlines!
  • Priority inversions can result in serious situations
  • Safety of the system at risk

SLIDE 22
  • Allow priority inversions, but in a bounded fashion
  • Only when higher priority task(s) can still meet deadlines
  • Only for bounded amounts of time
  • Key step: keep finding worst-case maximum inversion times

[Figure: timeline of tasks H, M and L showing releases, deadlines, bounded priority inversions (Inv) and preemptions (Pre)]

SLIDE 23

At every scheduling decision point,

1. Pick a random job from ready queue
2. (if not highest priority task) Decrement V as execution proceeds
3. Continue until job completes or V is depleted

Any job in the ready queue is guaranteed to be schedulable. V values are replenished at each job’s release.

V → worst-case maximum inversion time

  task      p    e    V
  task 0    5    1    4
  task 1    8    2    3
  task 2   20    3    4
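
The three steps above simulated on the task set in the table, as an added example (not code from the talk or from the TaskShuffler project); task 0 is the highest priority and deadlines are taken equal to periods. How the budget is charged is my reading of step 2: while a lower-priority job runs, V is decremented for every higher-priority job waiting in the ready queue, and a lower-priority job may only be picked while all of those budgets are still positive. With every V set to 0 the same code degenerates to plain fixed-priority scheduling.

```python
import random
from functools import reduce
from math import gcd

# Task set from the slide: (period p, execution time e, inversion budget V).
# List order is the fixed-priority order (task 0 highest); deadline = period.
TASKS = [(5, 1, 4), (8, 2, 3), (20, 3, 4)]


def pick(ready, rng):
    """Step 1: pick a random job from the ready queue, restricted to jobs the
    budgets allow: ready is sorted by priority, and a job is a candidate only
    if every higher-priority ready job still has V > 0 (my reading of the
    slide; the highest-priority ready job is therefore always a candidate)."""
    cands = [j for k, j in enumerate(ready) if all(h["v"] > 0 for h in ready[:k])]
    return rng.choice(cands) if cands else None


def taskshuffler(tasks, seed=0, horizon=None):
    """Simulate the randomized scheduler in unit time slots over one hyperperiod.

    Returns (schedule, missed): schedule[t] is the task index that ran in
    slot t (None = idle); missed counts jobs unfinished at their deadline."""
    rng = random.Random(seed)
    horizon = horizon or reduce(lambda a, b: a * b // gcd(a, b), [p for p, _, _ in tasks])
    ready, running, schedule, missed = [], None, [], 0
    for t in range(horizon):
        released = False
        for i, (p, e, v) in enumerate(tasks):
            if t % p == 0:  # job release: V replenished with the task's budget
                ready.append({"task": i, "rem": e, "v": v, "dl": t + p})
                released = True
        ready.sort(key=lambda j: j["task"])
        # Decision points: nothing running, a release, or step 3's stop
        # condition (a waiting higher-priority job has used up its V).
        depleted = running is not None and any(
            j["v"] == 0 and j["task"] < running["task"] for j in ready)
        if running is None or released or depleted:
            running = pick(ready, rng)
        if running is None:
            schedule.append(None)
            continue
        schedule.append(running["task"])
        running["rem"] -= 1
        for j in ready:  # step 2: waiting higher-priority jobs pay for the inversion
            if j["task"] < running["task"]:
                j["v"] -= 1
        if running["rem"] == 0:  # job complete: next slot is a decision point
            ready.remove(running)
            running = None
        for j in list(ready):  # deadline check at the end of the slot
            if j["dl"] <= t + 1:
                missed += 1
                ready.remove(j)
                if j is running:
                    running = None
    return schedule, missed


def fixed_priority(tasks):
    """Same simulation with every V = 0: no inversions, plain fixed priority."""
    return taskshuffler([(p, e, 0) for p, e, _ in tasks])
```

For the budgets in the table, the simulated schedules differ from seed to seed yet meet every deadline over the 40-slot hyperperiod, which is what the offline V computation is meant to guarantee.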

SLIDE 24
  • ScheduLeak can still deconstruct results from such randomization
  • Idle times provide a separation that retains predictability

Improvements for increased randomization:

1. Treat idle time as an additional task with lowest priority
2. Allow early yield for tasks (i.e. not waiting till completion)

Apply randomized scheduling algorithm again [Figure: TaskShuffler engine]

SLIDE 25

[Figure: example schedules with no randomization; randomization only; randomization + idle scheduling; randomization + idle scheduling + early yield]

SLIDE 26
  • Calculated schedule entropy for simulated task sets

Randomization:

1. Medium utilization → most effective
2. Low utilization → too much idle time
3. High utilization → very few inversions

High entropy for most common situations → better protection

SLIDE 27
  • Need protection against mechanisms like cache timing attacks
  • L can potentially snoop on H’s cache state

Solution: cleanup of shared resources, e.g. a synthetic ‘cache flush task’ that executes at scheduling points; execute the synthetic cache flush task (CFT) between every two tasks

[Figure: schedule of tasks H and L with a CFT between them]

SLIDE 28

Since many systems already follow a vendor-based design: Vendor-oriented Security Model

  • Avoid leaking information from a ‘protected task’ of one vendor to any task of another vendor
  • Binary “noleak” relation between any two tasks τi and τj:

  noleak(τi, τj)    Action
  True              prevent information leakage from τi to τj
  False             no constraints imposed

  • No symmetry or transitivity properties on the “noleak” relation

Generalizes traditional Multi-Level Security (MLS) models, e.g. Bell-LaPadula

SLIDE 29

An inordinate number of CFTs

  • Can result in reduced schedulability
  • Tasks missing their deadlines
  • Need to be used with care

We analyze the system

  • Precise measure of the ‘cost of security’ → reduction in utilization
  • Minimize number of CFTs
  • Effects of preemption on number of CFTs
  • Even assign preemptivity to each task → optimally!
  • Making a task non-preemptive is better for the task itself & all lower priority tasks
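
The context-switch check behind slides 27 to 29 (and the FreeRTOS modification on slide 48), as an added example and not the talk's implementation: a CFT runs before a task only if some task that has executed since the last flush has a noleak obligation towards it. The vendor assignment, the 'protected' tasks, the switch order and the flush cost are constructed placeholders; tracking every task since the last flush rather than only the previous one is my reading of the relation having no transitivity.

```python
# Constructed vendor-based task set (placeholder names, not the UAV model's).
VENDOR = {"sensor": "vendor1", "control": "vendor1",
          "encoder": "vendor2", "network": "vendor2"}
PROTECTED = {"control", "encoder"}  # assumed 'protected task' of each vendor


def noleak(ti, tj):
    """Slide 28's binary relation: True = prevent information leakage from
    ti to tj. Vendor rule: a protected task must not leak to any task of
    another vendor. Neither symmetric nor transitive by construction."""
    return ti in PROTECTED and VENDOR[ti] != VENDOR[tj]


def insert_cfts(switches, relation=noleak):
    """Walk the context-switch order of one hyperperiod and decide at each
    switch whether a cache flush task (CFT) has to run first (the check the
    talk added to the FreeRTOS context switch, slide 48).

    'resident' holds every task that has run since the last flush: because
    the relation is not transitive, a task in between does not discharge
    the obligation, so the flush is owed to any of them. Returns the
    sequence with 'CFT' entries inserted."""
    resident, out = set(), []
    for nxt in switches:
        if any(relation(prev, nxt) for prev in resident):
            out.append("CFT")
            resident.clear()
        out.append(nxt)
        resident.add(nxt)
    return out


def naive_cft_count(switches):
    """Slide 27's baseline: a CFT between every two consecutive tasks."""
    return sum(1 for a, b in zip(switches, switches[1:]) if a != b)


def cost_of_security(num_cfts, cft_cost, hyperperiod):
    """Slide 29's 'cost of security' as lost utilization: CPU time spent
    flushing per hyperperiod (cft_cost and hyperperiod in the same unit)."""
    return num_cfts * cft_cost / hyperperiod


# Constructed context-switch order for one hyperperiod.
SWITCHES = ["control", "sensor", "network", "encoder", "network", "control"]

if __name__ == "__main__":
    seq = insert_cfts(SWITCHES)
    print(" -> ".join(seq))
    # constructed cost: each CFT takes 0.5 time units in a 40-unit hyperperiod
    print("CFTs:", seq.count("CFT"), "naive:", naive_cft_count(SWITCHES),
          "utilization lost:", cost_of_security(seq.count("CFT"), 0.5, 40))
```

In the constructed order the flush before the second "network" is owed to "control" two switches earlier, not to the "sensor" task that ran immediately before it.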

SLIDE 30

Results:

1. Drop in schedulability, especially for higher utilization
2. Much better than trivial bound
3. Can still schedule many tasks

Provides information to designers to account for such changes.

Reduced utilization but improved security against timing attacks! Costs known ahead of time.

SLIDE 31
  • Behavior-based intrusion detection in real-time systems
  • Use predictable nature of such systems to detect anomalies
  • Use redundancy in execution platform (multicore) for monitoring
  • Guarantee system safety in face of successful attacks

Potential symptoms of malware: abnormal memory accesses, control flow change, extra instructions, abnormal external I/O

SLIDE 32

[Figure: SecureCore architecture: a monitored core running OS(es) above a hypervisor, an on-chip monitoring hardware unit, and the SecureCore running the Secure Monitor]

On-chip Monitoring HW Unit

  • Observes the state of monitored cores, I/O activities, physical states, etc.
  • Invisible to all but SecureCore, non-intrusive

Secure Monitor

  • Software process that performs monitoring and detection using observed behavior

Hypervisor-based SecureCore Protection

  • Resource virtualization: memory space separation, I/O device consolidation
  • Additional HW-based protection (e.g., ARM TrustZone)

Able to keep system safe even if attacker has root access on main core

SLIDE 33
  • Methods to improve security of real-time systems
  • Reduces efficacy of side-channel attacks
  • Understanding constraints and costs of security in real-time systems

SLIDE 34
  • Designers can now better gauge the required resources for
  • improved security and
  • reduced drop in performance

→ Metrics (?)

  • Predictability → double-edged sword
  • Can aid attackers
  • Can also aid defensive methods
  • Isolation on the other hand
  • reduces attack surfaces
  • Also helps improve predictability?

SLIDE 35

  • Chien-Ying Chen, Amiremad Ghassami, Sibin Mohan, Negar Kiyavash, Rakesh B. Bobba and Rodolfo Pellizzoni: ScheduLeak: An Algorithm for Reconstructing Task Schedules in Fixed-Priority Hard Real-Time Systems. CERTS 2016. [To Appear]
  • Man-Ki Yoon, Sibin Mohan, Chien-Ying Chen, Lui Sha: TaskShuffler: A Schedule Randomization Protocol for Obfuscation against Timing Inference Attacks in Real-Time Systems. RTAS 2016.
  • Man-Ki Yoon, Sibin Mohan, Jaesik Choi, Jung-Eun Kim, Lui Sha: SecureCore: A multicore-based intrusion detection architecture for real-time embedded systems. IEEE Real-Time and Embedded Technology and Applications Symposium 2013.
  • Man-Ki Yoon, Lui Sha, Sibin Mohan, Jaesik Choi: Memory heat map: anomaly detection in real-time embedded systems using memory behavior. DAC 2015.
  • Man-Ki Yoon, Mihai Christodorescu, Lui Sha, Sibin Mohan: The DragonBeam Framework: Hardware-Protected Security Modules for In-Place Intrusion Detection. SYSTOR 2016.
  • Sibin Mohan, Man-Ki Yoon, Rodolfo Pellizzoni, Rakesh Bobba: Real-Time Systems Security through Scheduler Constraints. ECRTS 2014.
  • Rodolfo Pellizzoni, Neda Paryab, Man-Ki Yoon, Stanley Bak, Sibin Mohan, Rakesh Bobba: A generalized model for preventing information leakage in hard real-time systems. RTAS 2015.
  • Sibin Mohan, Man-Ki Yoon, Rodolfo Pellizzoni, Rakesh B. Bobba: Integrating security constraints into fixed priority real-time schedulers. Real-Time Systems 52(5).
  • Monowar Hasan, Sibin Mohan, Rakesh B. Bobba, Rodolfo Pellizzoni: Exploring Opportunistic Execution for Integrating Security into Legacy Hard Real-Time Systems. RTSS 2016 [To Appear]

SLIDE 36

SLIDE 37

SLIDE 38
  • No dynamically loaded code/function pointers/etc.
  • Periodic programs (“tasks”) that execute independent of each other
  • Bounded loops
  • Relatively simple operating systems
  • No virtual memory → often use flat memory models
  • Limited processing power/memory/network bandwidth/etc.
  • Attacker cannot use up too many resources
  • Will lead to other tasks missing deadlines → early detection

SLIDE 39

  • ScheduLeak is able to complete execution on the platform
  • Completely estimates the schedule of the UAV model (15 tasks)
  • Does not result in missed deadlines for any other task
  • Average precision ratio: 0.9977
  • Hardware measurement jitters cause the reduction (from 1.0)

Note: analysis can be done offline if needed

SLIDE 40
  • Timing attacks: “the attacker attempts to steal the information from the system by analyzing the time variation of a function”
  • Well known in security and system literature
  • Steal cryptographic keys, snooping in cloud computing, etc.
  • We apply it to real-time systems

[Figure: application and attacker sharing the cache]

1. Attacker fills the cache
2. Let application use cache
3. Attacker measures cache-miss and cache-hit ratio to gauge the cache usage

SLIDE 41
  • Can leak coarse-grained information that is critical
  • Consider UAV application that has a camera with two modes:
  • High resolution mode when observing targets of interest
  • Low resolution mode otherwise
  • Two modes → different amounts of cache usage!
  • Coupled with GPS information → locations of targets of interest!

SLIDE 42
  • Implementation on hardware board:
  • Xilinx Zedboard Zynq-7000
  • OS: Bare Metal & FreeRTOS
  • CPU Frequency: 666MHz
  • L2 Cache Size: 512KB
  • L2 Cache Line Size: 32 Bytes

[Figure: expected vs. measured cache behavior in low-res and high-res modes]

SLIDE 43
  • Assuming that a given task set is schedulable

[OFFLINE] Calculate worst-case maximum inversion time, V

  • For each task

  task      p    e
  task 0    5    1
  task 1    8    2
  task 2   20    3

  task      p    e    V
  task 0    5    1    4
  task 1    8    2    3
  task 2   20    3    4

SLIDE 44

Schedule table from the slide: 21 hyperperiods (HP 1 to HP 21) of 32 time slots each; each entry is the task (1, 2 or 3) occupying that slot:

  HP 1:  1 1 3 3 3 3 1 1 2 2 2 3 3 3 3 3 1 1 2 1 3 3 3 1 3 2 1 1 2 3 3 3
  HP 2:  1 1 2 2 3 3 3 1 2 1 3 3 3 1 1 3 2 2 2 1 3 3 3 1 3 1 1 3 3 3 3 3
  HP 3:  2 2 2 1 1 3 3 3 1 1 3 3 3 1 1 3 3 3 3 3 1 1 2 2 2 3 3 3 3 1 1 3
  HP 4:  1 1 2 2 3 3 2 3 3 1 1 3 3 1 1 3 3 3 3 3 2 2 1 1 2 3 3 3 1 1 3 3
  HP 5:  1 1 2 2 2 3 1 1 3 3 3 3 3 3 3 1 1 3 3 3 3 2 1 1 2 2 1 1 3 3 3 3
  HP 6:  3 3 3 1 1 3 2 1 1 2 2 3 1 1 3 3 3 3 3 3 2 2 2 1 1 3 3 3 3 1 1 3
  HP 7:  2 2 2 1 1 3 1 1 3 3 3 3 3 3 3 1 1 2 2 2 3 3 3 1 1 1 1 3 3 3 3 3
  HP 8:  3 3 3 1 1 3 2 2 2 1 1 3 3 3 3 1 1 3 3 3 2 2 2 1 1 3 3 3 1 1 3 3
  HP 9:  1 1 2 2 2 3 3 1 3 3 3 1 3 3 3 3 1 1 2 2 1 1 3 3 3 3 2 1 1 3 3 3
  HP 10: 3 3 3 1 1 3 2 2 1 1 2 3 3 3 3 1 1 3 3 3 2 2 1 1 2 3 3 3 1 1 3 3
  HP 11: 3 3 3 1 1 2 2 3 2 3 1 1 3 3 3 3 1 1 3 3 1 1 2 2 2 3 3 3 1 1 3 3
  HP 12: 1 1 2 2 3 3 3 3 2 3 1 1 3 3 3 1 1 3 3 1 2 2 2 1 3 3 3 3 3 1 1 3
  HP 13: 2 2 2 1 1 3 3 3 3 1 1 3 3 1 1 3 2 2 2 3 1 1 3 3 3 3 3 3 1 1 3 3
  HP 14: 3 3 3 1 1 2 2 1 1 2 3 3 3 1 1 3 3 3 3 3 1 1 2 2 2 3 3 3 1 1 3 3
  HP 15: 1 1 3 3 3 3 1 1 2 2 2 3 3 1 1 3 3 3 3 3 2 2 2 1 1 3 1 1 3 3 3 3
  HP 16: 1 1 2 2 2 3 1 1 3 3 3 3 3 1 1 3 3 3 3 2 3 2 1 1 2 1 1 3 3 3 3 3
  HP 17: 3 3 3 1 1 3 2 2 1 1 2 3 3 3 3 1 1 3 3 1 1 3 3 2 2 2 1 1 3 3 3 3
  HP 18: 2 2 2 1 1 3 1 1 3 3 3 3 3 3 3 1 1 2 2 1 1 2 3 3 3 3 3 3 3 1 1 3
  HP 19: 2 2 2 1 1 3 3 3 3 1 1 3 3 3 3 1 1 3 3 3 2 2 2 1 1 3 1 1 3 3 3 3
  HP 20: 3 3 3 1 1 2 2 2 1 1 3 3 3 3 3 1 1 3 3 3 3 1 1 2 2 1 1 2 3 3 3 3
  HP 21: 1 1 3 3 2 2 3 3 1 1 2 3 3 3 3 3 1 1 2 3 1 1 2 2 3 3 3 3 1 1 3 3

  • Measure of schedule randomness
  • Calculated by Shannon entropy
  • Hard to calculate because it is infeasible to enumerate all possible schedules

SLIDE 45

[Same schedule table as on slide 44]

  • Assume independence between slots
  • Slot entropy

SLIDE 46

[Same schedule table as on slide 44]

  • Upper-bounded schedule entropy
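
Slot entropy over the schedule table from slide 44, as an added example (not the talk's or TaskShuffler's analysis code): per slot, the Shannon entropy of the empirical distribution of which task occupied it across the 21 hyperperiods, summed over the 32 slots under the independence assumption to give the upper bound of slides 45 and 46. The rows are copied from the slide; the labels are treated as opaque, so the code also works for schedules with an explicit idle label.

```python
from collections import Counter
from math import log2

# The 21 observed hyperperiods from the slide (HP 1 .. HP 21), 32 slots each;
# each entry is the task (1, 2 or 3) that occupied that slot.
SLIDE_ROWS = """
1 1 3 3 3 3 1 1 2 2 2 3 3 3 3 3 1 1 2 1 3 3 3 1 3 2 1 1 2 3 3 3
1 1 2 2 3 3 3 1 2 1 3 3 3 1 1 3 2 2 2 1 3 3 3 1 3 1 1 3 3 3 3 3
2 2 2 1 1 3 3 3 1 1 3 3 3 1 1 3 3 3 3 3 1 1 2 2 2 3 3 3 3 1 1 3
1 1 2 2 3 3 2 3 3 1 1 3 3 1 1 3 3 3 3 3 2 2 1 1 2 3 3 3 1 1 3 3
1 1 2 2 2 3 1 1 3 3 3 3 3 3 3 1 1 3 3 3 3 2 1 1 2 2 1 1 3 3 3 3
3 3 3 1 1 3 2 1 1 2 2 3 1 1 3 3 3 3 3 3 2 2 2 1 1 3 3 3 3 1 1 3
2 2 2 1 1 3 1 1 3 3 3 3 3 3 3 1 1 2 2 2 3 3 3 1 1 1 1 3 3 3 3 3
3 3 3 1 1 3 2 2 2 1 1 3 3 3 3 1 1 3 3 3 2 2 2 1 1 3 3 3 1 1 3 3
1 1 2 2 2 3 3 1 3 3 3 1 3 3 3 3 1 1 2 2 1 1 3 3 3 3 2 1 1 3 3 3
3 3 3 1 1 3 2 2 1 1 2 3 3 3 3 1 1 3 3 3 2 2 1 1 2 3 3 3 1 1 3 3
3 3 3 1 1 2 2 3 2 3 1 1 3 3 3 3 1 1 3 3 1 1 2 2 2 3 3 3 1 1 3 3
1 1 2 2 3 3 3 3 2 3 1 1 3 3 3 1 1 3 3 1 2 2 2 1 3 3 3 3 3 1 1 3
2 2 2 1 1 3 3 3 3 1 1 3 3 1 1 3 2 2 2 3 1 1 3 3 3 3 3 3 1 1 3 3
3 3 3 1 1 2 2 1 1 2 3 3 3 1 1 3 3 3 3 3 1 1 2 2 2 3 3 3 1 1 3 3
1 1 3 3 3 3 1 1 2 2 2 3 3 1 1 3 3 3 3 3 2 2 2 1 1 3 1 1 3 3 3 3
1 1 2 2 2 3 1 1 3 3 3 3 3 1 1 3 3 3 3 2 3 2 1 1 2 1 1 3 3 3 3 3
3 3 3 1 1 3 2 2 1 1 2 3 3 3 3 1 1 3 3 1 1 3 3 2 2 2 1 1 3 3 3 3
2 2 2 1 1 3 1 1 3 3 3 3 3 3 3 1 1 2 2 1 1 2 3 3 3 3 3 3 3 1 1 3
2 2 2 1 1 3 3 3 3 1 1 3 3 3 3 1 1 3 3 3 2 2 2 1 1 3 1 1 3 3 3 3
3 3 3 1 1 2 2 2 1 1 3 3 3 3 3 1 1 3 3 3 3 1 1 2 2 1 1 2 3 3 3 3
1 1 3 3 2 2 3 3 1 1 2 3 3 3 3 3 1 1 2 3 1 1 2 2 3 3 3 3 1 1 3 3
"""


def parse_rows(text):
    """One hyperperiod per line -> list of lists of task labels."""
    return [line.split() for line in text.strip().splitlines()]


def slot_entropy(column):
    """Shannon entropy (bits) of the task occupying one slot, from its
    empirical distribution over the observed hyperperiods."""
    n = len(column)
    return -sum(c / n * log2(c / n) for c in Counter(column).values())


def schedule_entropy_bound(rows):
    """Slides 45/46: assume slots are independent, so the schedule entropy is
    at most the sum of the per-slot entropies (joint entropy is subadditive).
    Returns (total_bits, per_slot_bits)."""
    per_slot = [slot_entropy(col) for col in zip(*rows)]
    return sum(per_slot), per_slot


def max_entropy_bound(num_slots, num_labels):
    """Ceiling if every slot were uniform over all labels: slots * log2(labels)."""
    return num_slots * log2(num_labels)
```

The first slot, for instance, is occupied by task 1 in 9 of the 21 hyperperiods, by task 2 in 5 and by task 3 in 7, giving about 1.55 bits; a slot that always holds the same task contributes 0 bits, which is what an unrandomized schedule looks like under this measure.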

SLIDE 47

SLIDE 48
  • Hardware platform & synthetic task sets

Platform

  • Combination of actual UAV & hardware-in-the-loop (HIL) simulator
  • 3 degrees of freedom
  • HIL uses the vehicle’s dynamics to simulate changes in position & returns a GPS-like position
  • Execution platform → Xilinx FPGA using ARM Cortex A9 @ 667 MHz
  • CFT → use hardware functionality to flush cache contents
  • “no-leak” relation implemented in FreeRTOS kernel
  • Modified context-switch functionality to check if CFT is required

Synthetic task sets

  • 3000 task sets with varying utilization & no-leak relationships