Welcome and Setting the Scene (9:30 - 10:30)

Antonio Casimiro, Rodolfo Pellizzoni, Paulo Esteves-Veríssimo, Marcus Völp

Having brought together researchers from security, dependability, distributed systems and real-time systems in this first workshop on the Security and Dependability of Critical Embedded Real-Time Systems (CERTS 2016), we, the organizing team, would like to share with you our thoughts and ideas about the present and future of this workshop, both scientifically and organisationally. We will share and discuss with you our view on how to prepare real-time and cyber-physical systems to survive faults and attacks and how we envision safety can be guaranteed while under attack, both by casual hackers and when facing advanced and persistent threats by highly educated and well-equipped adversaries. On the organisational side, we would like to discuss with you future workshop locations as well as publishing strategies for this and future events.

Session 1: Learning how to survive (11:00 - 12:00)

embSFI: An Approach for Software Fault Isolation in Embedded Systems

Andreas Ruhland, Christian Prehofer and Oliver Horst

Software Fault Isolation (SFI) is a technique to sandbox software components based on transformations and checks at the assembly code level. In this way, software components can only access memory within specific fault domains. This paper presents embSFI, which applies selected SFI techniques to embedded systems in order to increase dependability and security, complementing or replacing a memory management unit. Our approach is designed to use SFI techniques which can be validated efficiently, even on embedded devices. Furthermore, we show that the performance overhead is low, although it depends on the scenario.
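The core SFI mechanism the abstract refers to, address masking inserted before every store so that a component cannot write outside its fault domain, as an added illustration in C. This is a generic SFI sketch written for this page, not embSFI's code; the 4 KiB domain size, the two-domain arena, the sentinel and the buggy component with the wrong loop bound are all constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Each fault domain is a 4 KiB, 4 KiB-aligned region (constructed choice), so a
   domain's base address has its low 12 bits clear and any in-domain address is
   base | offset. */
#define DOMAIN_SIZE  4096u
#define OFFSET_MASK  (DOMAIN_SIZE - 1u)
#define SENTINEL     0x5A5A5A5Au
#define FILL         0xDEADBEEFu

/* Two adjacent domains carved from one aligned arena (constructed for the demo). */
static _Alignas(4096) uint8_t arena[2 * DOMAIN_SIZE];

uintptr_t domain_base(unsigned dom) { return (uintptr_t)arena + dom * DOMAIN_SIZE; }

/* SFI-guarded 32-bit store. An SFI rewriter would emit the equivalent of these
   two instructions (AND, OR) before every store in the sandboxed component: keep
   only the in-domain offset, clear the low two bits so a 4-byte store cannot
   straddle the end of the domain, then OR in the domain base. An out-of-domain
   address is forced back into the domain instead of trapping, so the check is
   branch-free and needs no MMU. */
void sfi_store32(unsigned dom, uintptr_t addr, uint32_t v) {
    uintptr_t masked = (addr & OFFSET_MASK & ~(uintptr_t)3u) | domain_base(dom);
    memcpy((void *)masked, &v, sizeof v);
}

/* Plain store, as the component would do without instrumentation. */
void raw_store32(uintptr_t addr, uint32_t v) { memcpy((void *)addr, &v, sizeof v); }

/* The sandboxed "component": fills a 16-word buffer at the end of its domain,
   but its loop bound is wrong (64 instead of 16), a constructed buffer overflow. */
static void buggy_fill(unsigned dom, int guarded) {
    uintptr_t buf = domain_base(dom) + DOMAIN_SIZE - 16u * 4u;
    for (unsigned i = 0; i < 64; i++) {
        uintptr_t a = buf + i * 4u;
        if (guarded) sfi_store32(dom, a, FILL);
        else         raw_store32(a, FILL);
    }
}

/* Read the 32-bit word at byte offset off inside domain dom. */
uint32_t domain_word(unsigned dom, unsigned off) {
    uint32_t w;
    memcpy(&w, arena + dom * DOMAIN_SIZE + off, sizeof w);
    return w;
}

/* Run the buggy component in domain 0 with a sentinel at the start of domain 1
   and return the sentinel afterwards: SENTINEL means the neighbour survived,
   FILL means the overflow escaped the fault domain. */
uint32_t run_component(int guarded) {
    memset(arena, 0, sizeof arena);
    uint32_t s = SENTINEL;
    memcpy(arena + DOMAIN_SIZE, &s, sizeof s);
    buggy_fill(0, guarded);
    return domain_word(1, 0);
}

int main(void) {
    printf("unguarded: neighbour word = 0x%08x\n", run_component(0));
    uint32_t guarded = run_component(1);
    printf("guarded:   neighbour word = 0x%08x, domain 0 word 0 = 0x%08x\n",
           guarded, domain_word(0, 0));
    return 0;
}
```

Without the mask, the 48 excess stores land in domain 1 and overwrite the sentinel; with it, they wrap to offsets 0..188 of domain 0, so the fault stays inside the domain that caused it (the component's own data is still corrupted, which is the containment guarantee SFI gives, not correctness). The "validated efficiently" property in the abstract corresponds to a verifier that only has to confirm that every store is immediately preceded by this mask sequence and that no control transfer can land between the mask and the store; a full SFI scheme also has to constrain indirect jumps and the stack pointer in the same way.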

CAML: Machine Learning-based Predictable, System-Level Anomaly Detection

Jiguo Song, Gerald Fry, Curt Wu and Gabriel Parmer

Security challenges are increasing in distributed cyber-physical systems (CPSs), which integrate computation and physical processes. System security is complicated by both the temporal and safety constraints of CPSs. In this paper, we investigate the potential for using system-level anomaly detection in a component-based RTOS to detect system compromises and aberrant behavior. We investigate a machine learning-based anomaly detection framework, CAML, which monitors for and identifies cyber attacks in system-level services within bounded time. We leverage past work in system fault recovery to predictably recover the system to an uncompromised state. We also evaluate the effectiveness of CAML in an avionics simulator-based CPS environment with injected cyber attacks. Our results and analysis indicate that CAML has promise to effectively enhance CPS robustness by securing the underlying RTOS against system-level cyber attacks with only small performance degradation.

Enforcing Safety and Security Through Non-Intrusive Runtime Verification

Inês Gouveia and José Rufino

The recent extensive development in Cyber-Physical Systems (CPSs) has led to the emergence of new concerns regarding timeliness, safety and security properties. For decades, numerous vulnerabilities have put systems and applications at risk, and CPSs are no exception. Noteworthy recurring issues are, for example, Buffer Overflows (BOs). We intend to deal with some types of BOs, other accidental faults and intended attacks by means of Non-Intrusive Runtime Verification (NIRV), to be accomplished through the design of a black-box observer and monitoring entity. Security hazards can be tackled at different levels or granularities depending on how detailed our knowledge of the inner workings of the system and of the applications running on it is. We introduce solutions to detect and handle explicit attacks and accidental faults, focusing on the case of no understanding at all of the analyzed environment's specificities, but also discussing scenarios where program mechanics and engineering are completely known.

Open Issues in Security and Dependability of Critical Embedded Real-Time Systems (13:30 - 14:00)

Session 2: Secure and dependable vehicles (14:00 - 15:00)

MERgE: Technology Advancement for Cohesion of Concerns in System Engineering

Charles Robinson, Jérôme Pequery and Sam Michiels

MERgE is a project that has been funded by ITEA, under their "Engineering Support" roadmap, to advance technology for multi-concern interactions in system engineering. The applicability and benefits of the work have focused particularly on Safety and Security. These system properties are usually treated and certified separately; however, increasing complexity urgently requires the ability to track such global qualities through the product lifecycle and to consider their relationships. Driving factors here include legacy management, cost reduction, increasingly open systems and the need for resilience. This is a project paper, providing an overview and industrial return of the technology developed to better address these challenges. The work has been applied to the Radio Communication, Automotive, Space and Industrial Control domains. The collaborative work has considered co-engineering, multi-viewpoint technology, expert systems, variant architectures, process enactment & recovery and operational system assessment, all developed on a platform with domain tailoring capabilities.

Towards Comprehensive Threat Modeling for Vehicles 

Mohammad Hamad, Marcus Nolte and Vassilis Prevelakis

Over the past few years, significant developments have been introduced within the vehicular domain. The modern vehicle has become a network of dozens of embedded systems which collaborate. While these improvements have increased the functionality of vehicle systems, they have introduced new potential risks. Threat modeling has gained a central role in identifying the threats that affect different subsystems inside the vehicle. In most cases, threat modeling has been applied either to one subsystem or from a specific perspective, such as the external threat surfaces only. In this work, we revisit the existing threat modeling efforts in the vehicular domain. We reassemble them and extract their main characteristics to build a comprehensive threat model. This general model can be used to identify the different threats against the vehicular domain. Furthermore, reusable attack trees can be derived from this general model.

Towards a Fail-Operational Intrusion Detection System for In-Vehicle Networks 

Clinton Young, Joseph Zambreno and Gedare Bloom

The landscape of automotive in-vehicle networks is changing, driven by the vast options for infotainment features and progress toward fully autonomous vehicles. However, the security of automotive networks is lagging behind feature-driven technologies, and new vulnerabilities are constantly being discovered. In this paper, we introduce a road map towards a security solution for in-vehicle networks that can detect anomalous and failed states of the network and adaptively respond in real time to maintain a fail-operational system.

Session 3: Be secure, but not too late (15:30 - 16:50)

ScheduLeak: An Algorithm for Reconstructing Task Schedules in Fixed-Priority Hard Real-Time Systems

Chien-Ying Chen, Amiremad Ghassami, Sibin Mohan, Negar Kiyavash, Rakesh B. Bobba and Rodolfo Pellizzoni

In real-time embedded systems, failures due to the lack of security can cause serious damage to the system or even injury to humans. Until recently, security was an afterthought in the design of such systems. Even less understood are attack mechanisms that can successfully target real-time systems. In this paper we present a novel attack model and algorithm to extract the exact schedules of real-time systems that are built using fixed-priority scheduling algorithms.

ReSecure: A Restart-Based Security Protocol for Tightly Actuated Hard Real-Time Systems

Fardin Abdi, Monowar Hasan, Sibin Mohan, Disha Agarwal and Marco Caccamo

In this paper we present ReSecure, a framework that uses the concept of system restart to secure hard real-time systems (RTS). ReSecure is used to improve the security of RTS without violating safety or temporal constraints. We also show how system designers can customize (or even optimize) system parameters to achieve the best trade-offs between security and control system performance. We demonstrate our concepts using a prototype on an ARM-based embedded platform as well as a three-degree-of-freedom (3 DOF) helicopter system.

Timing Analysis of Secure Communication between Resource Managers in DREAMS

Gautam Gala, Thomas Koller, Daniel Gracia Pérez, Gerhard Fohler and Christoph Ruland

The European FP7 project DREAMS provides services for system-wide adaptability of mixed-criticality applications consuming several resources by means of a global resource manager (GRM) in combination with several local resource managers (LRMs). The GRM has an abstract system-wide view and makes global decisions, while the LRMs control individual resources in isolation. The LRMs regularly communicate with the GRM in order to deal with unpredictable environment situations, resource fluctuations and the occurrence of faults. Since resource management communication deals with critical system information, it is a promising target for an attacker. This poses an increased risk of malicious attacks on the system. Therefore, security mechanisms have been implemented to ensure adequate protection of the system's resource management. A security library and a communication library have been developed as a proof of concept. This paper analyses the overhead incurred by resource management communication for secure information exchange. Furthermore, the analysis covers different security algorithms, i.e., two cipher algorithms and two modes of operation.

A Server Model to Integrate Security Tasks into Fixed-Priority Real-Time Systems

Monowar Hasan, Sibin Mohan, Rakesh Bobba and Rodolfo Pellizzoni

Modern embedded real-time systems (RTS) are facing more security threats than in the past. In this paper, we develop a unified framework using the concept of a server and propose a metric to integrate security tasks into RTS, which will allow system designers to improve the security posture without affecting the temporal constraints of the existing real-time tasks. We demonstrate our framework using a proof-of-concept implementation on an ARM-based embedded platform and a real-time Linux OS.
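A concrete way to check the "without affecting temporal constraints" requirement when a server for security tasks is added to a fixed-priority task set, as an added example in C. This is standard response-time analysis (Joseph and Pandya) with a periodic server treated as one more task, written for this page; it is not the paper's framework or its metric. The control task set and the server's budget and period are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_TASKS 16

/* A periodic task: WCET C and period T (implicit deadline D = T).
   Priority is the array index: 0 is the highest. */
typedef struct { const char *name; uint32_t C, T; } task_t;

/* Constructed sample control task set (not from the paper); utilisation 0.6875. */
const task_t control_tasks[] = {
    { "sensor",  1, 4  },
    { "control", 2, 8  },
    { "actuate", 3, 16 },
};
const size_t n_control = sizeof control_tasks / sizeof control_tasks[0];

/* Worst-case response time of task i under fixed-priority preemptive scheduling:
   R_i = C_i + sum over higher-priority j of ceil(R_i / T_j) * C_j, iterated to a
   fixpoint. Returns 0 if the iteration exceeds the deadline (task i misses it). */
uint32_t response_time(const task_t *ts, size_t i) {
    uint32_t r = ts[i].C;
    for (;;) {
        uint32_t next = ts[i].C;
        for (size_t j = 0; j < i; j++)
            next += ((r + ts[j].T - 1) / ts[j].T) * ts[j].C;   /* ceil(r / T_j) * C_j */
        if (next > ts[i].T) return 0;
        if (next == r) return r;
        r = next;
    }
}

/* 1 if every task in the set meets its deadline, 0 otherwise. */
int schedulable(const task_t *ts, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (response_time(ts, i) == 0) return 0;
    return 1;
}

/* Copy the original set into out with a server (budget Q every P) inserted at
   priority slot k; returns the new size n + 1. */
static size_t with_server(const task_t *orig, size_t n, size_t k,
                          uint32_t Q, uint32_t P, task_t *out) {
    size_t o = 0;
    for (size_t i = 0; i <= n; i++) {
        if (i == k) out[o++] = (task_t){ "sec-server", Q, P };
        if (i < n)  out[o++] = orig[i];
    }
    return o;
}

/* Lowest priority (largest slot index) at which the server meets its own
   deadline while every original task still meets its deadline, i.e. the least
   intrusive placement; -1 if no slot works. */
int lowest_feasible_server_priority(const task_t *orig, size_t n, uint32_t Q, uint32_t P) {
    task_t set[MAX_TASKS];
    if (n + 1 > MAX_TASKS) return -1;
    for (size_t k = n + 1; k-- > 0;) {
        size_t m = with_server(orig, n, k, Q, P, set);
        if (schedulable(set, m)) return (int)k;
    }
    return -1;
}

int main(void) {
    for (size_t i = 0; i < n_control; i++)
        printf("%-8s R = %u (T = %u)\n", control_tasks[i].name,
               response_time(control_tasks, i), control_tasks[i].T);
    printf("server Q=2 P=8: lowest feasible slot = %d\n",
           lowest_feasible_server_priority(control_tasks, n_control, 2, 8));
    printf("server Q=4 P=8: lowest feasible slot = %d\n",
           lowest_feasible_server_priority(control_tasks, n_control, 4, 8));
    return 0;
}
```

For the sample set the server with budget 2 every 8 cannot run at the lowest priority (its own response time reaches 9 > 8), but one slot higher it fits and the "actuate" task's response time grows from 7 to 15, still within its period of 16; a budget of 4 every 8 pushes total utilisation past 1 and no slot works. The search from the bottom up is the practitioner's question in the abstract's terms: how much security-task capacity can be added, and where, before an existing real-time task's constraint is violated.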