skip to main content

Title: Network Scheduling for Secure Cyber-Physical Systems
Existing design techniques for providing security guarantees against network-based attacks in cyber-physical systems (CPS) are based on continuous use of standard cryptographic tools to ensure data integrity. This creates an apparent conflict with common resource limitations in these systems, given that, for instance, lengthy message authentication codes (MAC) introduce significant overheads. We present a framework to ensure both timing guarantees for real-time network messages and Quality-of-Control (QoC) in the presence of network-based attacks. We exploit physical properties of controlled systems to relax constant integrity enforcement requirements, and show how the problem of feasibility testing of intermittently authenticated real-time messages can be cast as a mixed integer linear programming problem. Besides scheduling a set of real-time messages with predefined authentication rates obtained from QoC requirements, we show how to optimally increase the overall system QoC while ensuring that all real-time messages are schedulable. Finally, we introduce an efficient runtime bandwidth allocation method, based on opportunistic scheduling, in order to improve QoC. We evaluate our framework on a standard benchmark designed for CAN bus, and show how an infeasible message set with strong security guarantees can be scheduled if dynamics of controlled systems are taken into account along with real-time requirements.
Authors:
; ;
Award ID(s):
1652544 1505701
Publication Date:
NSF-PAR ID:
10056951
Journal Name:
2017 IEEE Real-Time Systems Symposium (RTSS)
Page Range or eLocation-ID:
45 to 55
Sponsoring Org:
National Science Foundation
More Like this
  1. Defense mechanisms against network-level attacks are commonly based on the use of cryptographic techniques, such as lengthy message authentication codes (MAC) that provide data integrity guarantees. However, such mechanisms require significant resources (both computational and network bandwidth), which prevents their continuous use in resource-constrained cyber-physical systems (CPS). Recently, it was shown how physical properties of controlled systems can be exploited to relax these stringent requirements for systems where sensor measurements and actuator commands are transmitted over a potentially compromised network; specifically, that merely intermittent use of data authentication (i.e., at occasional time points during system execution), can still provide strongmore »Quality-of-Control (QoC) guarantees even in the presence of false-data injection attacks, such as Man-in-the-Middle (MitM) attacks. Consequently, in this work, we focus on integrating security into existing resource-constrained CPS, in order to protect against MitM attacks on a system where a set of control tasks communicates over a real-time network with system sensors and actuators. We introduce a design-time methodology that incorporates requirements for QoC in the presence of attacks into end-to-end timing constraints for real-time control transactions, which include data acquisition and authentication, real-time network messages, and control tasks. This allows us to formulate a mixed integer linear programming-based method for direct synthesis of schedulable tasks and message parameters (i.e., deadlines and offsets) that do not violate timing requirements for the already deployed controllers, while adding a sufficient level of protection against network-based attacks; specifically, the synthesis method also provides suitable intermittent authentication policies that ensure the desired QoC levels under attack. To additionally reduce the security-related bandwidth overhead, we propose the use of cumulative message authentication at time instances when the integrity of messages from subsets of sensors should be ensured. Furthermore, we introduce a method for the opportunistic use of the remaining resources to further improve the overall QoC guarantees while ensuring system (i.e., task and message) schedulability. Finally, we demonstrate applicability and scalability of our methodology on synthetic automotive systems as well as a real-world automotive case-study.« less
  2. We consider the problem of network-based attacks, such as Man-in-the-Middle attacks, on standard state estimators. To ensure graceful control degradation in the presence of attacks, existing results impose very strict integrity requirements on the number of noncompromised sensors. We study the effects of sporadic data integrity enforcement, such as message authentication, on control performance under stealthy attacks. We show that even with sporadic data integrity guarantees, the attacker cannot introduce an unbounded state estimation error while remaining stealthy. We present a design-time framework to derive safe integrity enforcement policies, and illustrate its use; we show that with even 20% ofmore »authenticated messages we can ensure satisfiable state estimation errors under attacks.« less
  3. Growth of the Internet-of-things has led to complex system-on-chips (SoCs) being used in the edge devices in IoT applications. The increased complexity is demanding designers to consider several critical factors, such as dynamic requirement changes, long application life, mass production, and tight time-to-market deadlines. These requirements lead to more complex security concerns. SoC manufacturers outsource some of the intellectual property cores integrated on the SoC to untrusted third-party vendors. The untrusted intellectual properties can contain malicious implants, which can launch attacks using the resources provided by the on-chip interconnection network, commonly known as the network-on-chip (NoC). Existing efforts on securingmore »NoC have considered lightweight encryption, authentication, and other attack detection mechanisms such as denial-of-service and buffer overflows. Unfortunately, these approaches focus on designing statically optimized security solutions. As a result, they are not suitable for many IoT systems with long application life and dynamic requirement changes. There is a critical need to design reconfigurable security architectures that can be dynamically tuned based on changing requirements. In this article, we propose a tier-based reconfigurable security architecture that can adapt to different use-case scenarios. We explore how to design an efficient reconfigurable architecture that can support three popular NoC security mechanisms (encryption, authentication, and denial-of-service attack detection and localization) and implement suitable dynamic reconfiguration techniques. We evaluate our proposed framework by running standard benchmarks enabling different tiers of security and provide a comprehensive analysis of how different levels of security can affect application performance, energy efficiency, and area overhead.« less
  4. Noninterference is a popular semantic security condition because it offers strong end-to-end guarantees, it is inherently compositional, and it can be enforced using a simple security type system. Unfortunately, it is too restrictive for real systems. Mechanisms for downgrading information are needed to capture real-world security requirements, but downgrading eliminates the strong compositional security guarantees of noninterference. We introduce _nonmalleable information flow_, a new formal security condition that generalizes noninterference to permit controlled downgrading of both confidentiality and integrity. While previous work on robust declassification prevents adversaries from exploiting the downgrading of confidentiality, our key insight is _transparent endorsement_, amore »mechanism for downgrading integrity while defending against adversarial exploitation. Robust declassification appeared to break the duality of confidentiality and integrity by making confidentiality depend on integrity, but transparent endorsement makes integrity depend on confidentiality, restoring this duality. We show how to extend a security-typed programming language with transparent endorsement and prove that this static type system enforces nonmalleable information flow, a new security property that subsumes robust declassification and transparent endorsement. Finally, we describe an implementation of this type system in the context of Flame, a flow-limited authorization plugin for the Glasgow Haskell Compiler.« less
  5. The resource-constrained nature of the Internet of Things (IoT) edges, poses a challenge in designing a secure and high-performance communication for this family of devices. Although side-channel resistant ciphers (either block or stream) could guarantee the security of the communication, the energy intensive nature of these ciphers makes them undesirable for lightweight IoT solutions. In this paper, we introduce ExTru, an encrypted communication protocol based on stream ciphers that adds a configurable switching & toggling network (CSTN) to not only boost the performance of the communication in these devices, it also consumes far less energy than the conventional side-channel resistantmore »ciphers. Although the overall structure of the proposed scheme is leaky against physical attacks, we introduce a dynamic encryption mechanism that removes this vulnerability. We demonstrate how each communicated message in the proposed scheme reduces the level of trust. Accordingly, since a specific number of messages, N, could break the communication and extract the key, by using the dynamic encryption mechanism, ExTru can re-initiate the level of trust periodically after T messages where T <; N, to protect the communication against side-channel and scan-based attacks (e.g. SAT attack). Furthermore, we demonstrate that by properly configuring the value of T, ExTru not only increases the strength of security from per “device” to per “message”, it also significantly improves energy saving as well as throughput vs. an architecture that only uses a conventional side-channel resistant block/stream cipher.« less