SchedGuard: Protecting against schedule leaks using Linux containers

Jiyang Chen; Tomasz Kloda; Ayoosh Bansal; Rohan Tabish; Chien Ying Chen; Bo Liu; Sibin Mohan; Marco Caccamo; Lui Sha

doi:10.1109/RTAS52030.2021.00010

SchedGuard: Protecting against schedule leaks using Linux containers

Jiyang Chen, Tomasz Kloda, Ayoosh Bansal, Rohan Tabish, Chien Ying Chen, Bo Liu, Sibin Mohan, Marco Caccamo, Lui Sha

Chair of Cyber-Physical Systems in Production Engineering

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

8 Scopus citations

Abstract

Real-time systems have recently been shown to be vulnerable to timing inference attacks, mainly due to their predictable behavioral patterns. Existing solutions such as schedule randomization lack the ability to protect against such attacks, often limited by the system's real-time nature. This paper presents 'SchedGuard': a temporal protection framework for Linux-based hard real-time systems that protects against posterior scheduler side-channel attacks by preventing untrusted tasks from executing during specific time segments. SchedGuard is integrated into the Linux kernel using cgroups, making it amenable to use with container frameworks. We demonstrate the effectiveness of our system using a realistic radio-controlled rover platform and synthetically generated workloads. Not only is SchedGuard able to protect against the attacks mentioned above, but it also ensures that the real-time tasks/containers meet their temporal requirements.

Original language	English
Title of host publication	Proceedings - 2021 IEEE 27th Real-Time and Embedded Technology and Applications Symposium, RTAS 2021
Publisher	Institute of Electrical and Electronics Engineers Inc.
Pages	14-26
Number of pages	13
ISBN (Electronic)	9781665403863
DOIs	https://doi.org/10.1109/RTAS52030.2021.00010
State	Published - May 2021
Event	27th IEEE Real-Time and Embedded Technology and Applications Symposium, RTAS 2021 - Virtual, Online Duration: 18 May 2021 → 21 May 2021

Publication series

Name	Proceedings of the IEEE Real-Time and Embedded Technology and Applications Symposium, RTAS
Volume	2021-May
ISSN (Print)	1545-3421

Conference

Conference	27th IEEE Real-Time and Embedded Technology and Applications Symposium, RTAS 2021
City	Virtual, Online
Period	18/05/21 → 21/05/21

Keywords

CPS
Linux Containers
Real-Time
Response time analysis
Security

Access to Document

10.1109/RTAS52030.2021.00010

Cite this

Chen, J., Kloda, T., Bansal, A., Tabish, R., Chen, C. Y., Liu, B., Mohan, S., Caccamo, M., & Sha, L. (2021). SchedGuard: Protecting against schedule leaks using Linux containers. In Proceedings - 2021 IEEE 27th Real-Time and Embedded Technology and Applications Symposium, RTAS 2021 (pp. 14-26). Article 9470452 (Proceedings of the IEEE Real-Time and Embedded Technology and Applications Symposium, RTAS; Vol. 2021-May). Institute of Electrical and Electronics Engineers Inc.. https://doi.org/10.1109/RTAS52030.2021.00010

Chen, Jiyang ; Kloda, Tomasz ; Bansal, Ayoosh et al. / SchedGuard : Protecting against schedule leaks using Linux containers. Proceedings - 2021 IEEE 27th Real-Time and Embedded Technology and Applications Symposium, RTAS 2021. Institute of Electrical and Electronics Engineers Inc., 2021. pp. 14-26 (Proceedings of the IEEE Real-Time and Embedded Technology and Applications Symposium, RTAS).

@inproceedings{adeb45bd19304564ab75a8a9b7102e94,

title = "SchedGuard: Protecting against schedule leaks using Linux containers",

abstract = "Real-time systems have recently been shown to be vulnerable to timing inference attacks, mainly due to their predictable behavioral patterns. Existing solutions such as schedule randomization lack the ability to protect against such attacks, often limited by the system's real-time nature. This paper presents 'SchedGuard': a temporal protection framework for Linux-based hard real-time systems that protects against posterior scheduler side-channel attacks by preventing untrusted tasks from executing during specific time segments. SchedGuard is integrated into the Linux kernel using cgroups, making it amenable to use with container frameworks. We demonstrate the effectiveness of our system using a realistic radio-controlled rover platform and synthetically generated workloads. Not only is SchedGuard able to protect against the attacks mentioned above, but it also ensures that the real-time tasks/containers meet their temporal requirements.",

keywords = "CPS, Linux Containers, Real-Time, Response time analysis, Security",

author = "Jiyang Chen and Tomasz Kloda and Ayoosh Bansal and Rohan Tabish and Chen, {Chien Ying} and Bo Liu and Sibin Mohan and Marco Caccamo and Lui Sha",

note = "Publisher Copyright: {\textcopyright} 2021 IEEE.; 27th IEEE Real-Time and Embedded Technology and Applications Symposium, RTAS 2021 ; Conference date: 18-05-2021 Through 21-05-2021",

year = "2021",

month = may,

doi = "10.1109/RTAS52030.2021.00010",

language = "English",

series = "Proceedings of the IEEE Real-Time and Embedded Technology and Applications Symposium, RTAS",

publisher = "Institute of Electrical and Electronics Engineers Inc.",

pages = "14--26",

booktitle = "Proceedings - 2021 IEEE 27th Real-Time and Embedded Technology and Applications Symposium, RTAS 2021",

}

Chen, J, Kloda, T, Bansal, A, Tabish, R, Chen, CY, Liu, B, Mohan, S, Caccamo, M & Sha, L 2021, SchedGuard: Protecting against schedule leaks using Linux containers. in Proceedings - 2021 IEEE 27th Real-Time and Embedded Technology and Applications Symposium, RTAS 2021., 9470452, Proceedings of the IEEE Real-Time and Embedded Technology and Applications Symposium, RTAS, vol. 2021-May, Institute of Electrical and Electronics Engineers Inc., pp. 14-26, 27th IEEE Real-Time and Embedded Technology and Applications Symposium, RTAS 2021, Virtual, Online, 18/05/21. https://doi.org/10.1109/RTAS52030.2021.00010

SchedGuard: Protecting against schedule leaks using Linux containers. / Chen, Jiyang; Kloda, Tomasz; Bansal, Ayoosh et al.
Proceedings - 2021 IEEE 27th Real-Time and Embedded Technology and Applications Symposium, RTAS 2021. Institute of Electrical and Electronics Engineers Inc., 2021. p. 14-26 9470452 (Proceedings of the IEEE Real-Time and Embedded Technology and Applications Symposium, RTAS; Vol. 2021-May).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - SchedGuard

T2 - 27th IEEE Real-Time and Embedded Technology and Applications Symposium, RTAS 2021

AU - Chen, Jiyang

AU - Kloda, Tomasz

AU - Bansal, Ayoosh

AU - Tabish, Rohan

AU - Chen, Chien Ying

AU - Liu, Bo

AU - Mohan, Sibin

AU - Caccamo, Marco

AU - Sha, Lui

PY - 2021/5

Y1 - 2021/5

N2 - Real-time systems have recently been shown to be vulnerable to timing inference attacks, mainly due to their predictable behavioral patterns. Existing solutions such as schedule randomization lack the ability to protect against such attacks, often limited by the system's real-time nature. This paper presents 'SchedGuard': a temporal protection framework for Linux-based hard real-time systems that protects against posterior scheduler side-channel attacks by preventing untrusted tasks from executing during specific time segments. SchedGuard is integrated into the Linux kernel using cgroups, making it amenable to use with container frameworks. We demonstrate the effectiveness of our system using a realistic radio-controlled rover platform and synthetically generated workloads. Not only is SchedGuard able to protect against the attacks mentioned above, but it also ensures that the real-time tasks/containers meet their temporal requirements.

AB - Real-time systems have recently been shown to be vulnerable to timing inference attacks, mainly due to their predictable behavioral patterns. Existing solutions such as schedule randomization lack the ability to protect against such attacks, often limited by the system's real-time nature. This paper presents 'SchedGuard': a temporal protection framework for Linux-based hard real-time systems that protects against posterior scheduler side-channel attacks by preventing untrusted tasks from executing during specific time segments. SchedGuard is integrated into the Linux kernel using cgroups, making it amenable to use with container frameworks. We demonstrate the effectiveness of our system using a realistic radio-controlled rover platform and synthetically generated workloads. Not only is SchedGuard able to protect against the attacks mentioned above, but it also ensures that the real-time tasks/containers meet their temporal requirements.

KW - CPS

KW - Linux Containers

KW - Real-Time

KW - Response time analysis

KW - Security

UR - http://www.scopus.com/inward/record.url?scp=85113729007&partnerID=8YFLogxK

U2 - 10.1109/RTAS52030.2021.00010

DO - 10.1109/RTAS52030.2021.00010

M3 - Conference contribution

AN - SCOPUS:85113729007

T3 - Proceedings of the IEEE Real-Time and Embedded Technology and Applications Symposium, RTAS

SP - 14

EP - 26

BT - Proceedings - 2021 IEEE 27th Real-Time and Embedded Technology and Applications Symposium, RTAS 2021

PB - Institute of Electrical and Electronics Engineers Inc.

Y2 - 18 May 2021 through 21 May 2021

ER -

Chen J, Kloda T, Bansal A, Tabish R, Chen CY, Liu B et al. SchedGuard: Protecting against schedule leaks using Linux containers. In Proceedings - 2021 IEEE 27th Real-Time and Embedded Technology and Applications Symposium, RTAS 2021. Institute of Electrical and Electronics Engineers Inc. 2021. p. 14-26. 9470452. (Proceedings of the IEEE Real-Time and Embedded Technology and Applications Symposium, RTAS). doi: 10.1109/RTAS52030.2021.00010

SchedGuard: Protecting against schedule leaks using Linux containers

Abstract

Publication series

Conference

Keywords

Access to Document

Other files and links

Fingerprint

Cite this