Integrating Hardware-Assisted Anomaly Detection in Safety-Critical Systems
In this talk, we present a generic method based on a separation kernel to integrate security mechanisms in Mixed-Criticality Systems (MCS). In particular, we present the integration of hardware-assisted control flow (CF) based security monitoring. We will share our experience working with ARM CoreSight tracing to implement Control Flow Integrity checking and runtime CF-based anomaly detection. We will introduce metrics to evaluate the trade-off between performance impact and security monitoring coverage and discuss our experimental results. We validate our approach on an industrial MCS platform with ARM CoreSight support, using a set of programs from the TACLeBench benchmark.
2 Dec - 16:30 - Session "Safety II"
In Mixed-Criticality Systems (MCS), low-critical applications (e.g. network connectivity, user interface) have a larger attack surface compared to high-critical applications. Even though an MCS isolates criticality domains of execution by design, a threat affecting a low-critical service can still alter the system behaviour, e.g. by degrading system availability or user experience. Such attacks on low-critical tasks can even introduce an entry point for propagating the attack further to high-critical tasks. Detecting such threats at runtime is therefore becoming a growing necessity for MCS security. Among the different threat classes, code-reuse attacks such as Return Oriented Programming (ROP) are prominent in embedded systems. Control Flow Integrity (CFI) monitoring is a proven security technique for detecting code-reuse attacks: CFI identifies deviations from the baseline Control Flow Graph (CFG) as malicious control-flow transitions.
For monitoring a program’s control flow, CFI approaches require instruction-level knowledge of the program, including the forward-edge and backward-edge branches of the CFG. For this, CFI implementations rely on source code or binary instrumentation in order to check the validity of control-flow transitions at runtime. In the context of safety-critical systems, especially in multi-supplier product development, these constraints prohibit a straightforward deployment of CFI. For safety-critical systems requiring certification, the system developer has to ensure freedom from interference and independence between components, to prevent fault propagation and to enable easy verification. For the deployment of CFI in safety-critical systems, this means that the resource usage (e.g. memory, CPU time) of CFI checking shall be deterministically upper-bounded at runtime. For industrial deployment, CFI shall also rely on commonly available hardware assistance features, such as CFI solutions based on Intel Processor Trace (PT) and ARM CoreSight. In this talk, we will present a separation kernel-based approach to integrate CFI monitoring in a safety-critical system with real-time constraints. Our solution leverages ARM CoreSight to transparently monitor control flow (CF) transfers and, using the CF traces, realizes both forward-edge and backward-edge CFI in software. Our approach reliably protects the control flow of the monitored application; however, it comes with a high performance overhead. The overhead depends on the execution path of the monitored program (the more CF transitions are executed, the higher the overhead).
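The following is an added example, not code from the talk or its authors, of how software CFI can be checked over a decoded branch trace: forward edges (calls, jumps) are validated against a baseline CFG, and backward edges (returns) against a shadow stack rebuilt from the observed calls. The `Branch` record, the `FORWARD_EDGES` CFG, all addresses and the call-site + 4 return convention are constructed assumptions for illustration, not the real CoreSight ETM packet format.

```python
from collections import namedtuple

# Constructed stand-in for a decoded branch record (not the real CoreSight
# ETM packet format): kind is "call", "jmp" or "ret"; src/dst are addresses.
Branch = namedtuple("Branch", "kind src dst")

# Constructed baseline CFG: permitted forward-edge transitions src -> {dst}.
FORWARD_EDGES = {
    0x1000: {0x2000},          # main calls f
    0x1010: {0x3000, 0x3100},  # indirect call site: g or h are valid targets
    0x2008: {0x2020},          # conditional branch inside f
}

def check_trace(trace, forward_edges=FORWARD_EDGES):
    """Return [(index, reason)] for every CFI violation found in the trace.

    Forward edges (call/jmp) must be in the baseline CFG. Backward edges
    (ret) must match a shadow stack built from the observed calls; the
    return address is call site + 4 (fixed 4-byte instructions assumed).
    """
    shadow, violations = [], []
    for i, b in enumerate(trace):
        if b.kind in ("call", "jmp"):
            if b.dst not in forward_edges.get(b.src, ()):
                violations.append((i, f"forward-edge {b.src:#x}->{b.dst:#x} not in CFG"))
            if b.kind == "call":
                shadow.append(b.src + 4)
        elif b.kind == "ret":
            expected = shadow.pop() if shadow else None
            if b.dst != expected:
                want = "empty shadow stack" if expected is None else hex(expected)
                violations.append((i, f"backward-edge {b.src:#x}->{b.dst:#x}, expected {want}"))
        else:
            violations.append((i, f"unknown branch kind {b.kind!r}"))
    return violations

# Constructed benign trace: main -> f -> branch -> return -> indirect call g -> return.
BENIGN = [Branch("call", 0x1000, 0x2000), Branch("jmp", 0x2008, 0x2020),
          Branch("ret", 0x2030, 0x1004), Branch("call", 0x1010, 0x3000),
          Branch("ret", 0x3010, 0x1014)]

# Constructed code-reuse trace: the return from f lands on an address that was
# never pushed (a gadget), and the indirect call then leaves the CFG entirely.
ROP = [Branch("call", 0x1000, 0x2000), Branch("jmp", 0x2008, 0x2020),
       Branch("ret", 0x2030, 0x4000), Branch("call", 0x1010, 0x4040)]

if __name__ == "__main__":
    print("benign:", check_trace(BENIGN))  # benign: []
    print("rop:", check_trace(ROP))        # two violations: index 2 (ret), index 3 (call)
```

Each branch record costs one CFG lookup or one shadow-stack operation, which is the per-transition cost that makes the overhead grow with the number of executed CF transitions.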
Therefore, in the second part of the talk, we extend the framework to deal with the performance overhead introduced by the first solution. The goal is to address the trade-off between CF monitoring coverage and performance overhead. First, we present a monitoring framework that controls the performance overhead of CF tracing by adapting the CF monitoring coverage at runtime. Our framework leverages a predictable periodic-server based approach together with a separation kernel framework for the safety-aware integration of hardware-assisted CF monitoring into an MCS. Then, we use this framework to deploy an anomaly detection service that monitors the full scope of the task’s execution, identifying anomalies from the observed inter-arrival times of CF monitoring instances. We validate our monitoring framework on an industrial MCS platform using a set of applications from the TACLeBench benchmark.
We conclude our talk by discussing alternative approaches to using hardware-assisted processor tracing for runtime threat detection, namely dealing with the high performance overhead and combining our framework with complementary security solutions, such as reaction upon threat detection and multi-stage detection using artificial intelligence.