SecureCore: A Multicore-based Intrusion Detection Architecture for Real-Time Embedded Systems Man-Ki Yoon, Sibin Mohan, Jaesik Choi, Jung-Eun Kim, Lui.

Presentation transcript:

SecureCore: A Multicore-based Intrusion Detection Architecture for Real-Time Embedded Systems
Man-Ki Yoon, Sibin Mohan, Jaesik Choi, Jung-Eun Kim, Lui Sha
Dept. of Computer Science, UIUC; Information Trust Institute, UIUC; Lawrence Berkeley National Lab
Apr 9th, 2013

Rethinking Real-Time Embedded System Security
- Increased Capability
- More Networked
- Open, Standard Platform
- More Vulnerable to Security Attacks

SecureCore Architecture
- Intrusion Detection, not prevention
  - Most critical component: control application
  - System recovery upon detection
- Behavior monitoring
  - Predictable timing behaviors of real-time apps
  - Profile using statistical learning
- Multicore-based core-to-core monitoring
  - On-chip HW for processor state inspection
  - Hypervisor-based protection/isolation

Rest of the Talk
- System and Application Model
- Timing-based Intrusion Detection (Overview)
- SecureCore
  - Architecture Design
  - Timing-based Intrusion Detection (Detail)
- Implementation and Evaluation
- Limitations and Future Work

System and Application Model
Multicore-based Real-Time Control System
Figure labels: Physical plant; Controller; Sensor data; Actuation cmd; Time; SecureCore; MonitoredCore; SecureCore Architecture
Threat Model: Malicious code execution
- Embedded in the control code
- Activated after system initialization
- Irrelevant how it gained entry

Timing-Based Intrusion Detection
Idea: Deterministic timing of real-time applications
- Any malicious activity consumes finite time to execute
- Deviation from expected timing → Suspicious!
Figure labels: Block 1 to Block 6; Malicious Code; Observed; Legitimate

Timing-Based Intrusion Detection
Idea: Deterministic timing of real-time applications
- Any malicious activity consumes finite time to execute
- Deviation from expected timing → Suspicious!
Figure labels: Block 1 to Block 6
Execution time variations
- Control flow path
- Input values
- System effects (e.g., shared resource)
Statistical learning-based profiling/detection
- Profile probabilistic execution time model
- Estimate Prob(e*)
- Capture even legitimate variations

SecureCore Architecture
Figure labels: Plant; Complex Controller; Safety Ctrl.; Decision Module; Sensor Data; Actuation Command; Monitored Core; Secure Core; OS; Hypervisor; I/O Proxy; Inter-Core Communication; Timing Trace Module; Scratch Pad Memory; Secure Monitor
- Simplex Architecture [Sha, 2001]
  - For reliable & loss-less control
- Hypervisor
  - Memory space separation
  - Trust base
- I/O Proxy
  - Manages I/O to/from the plant
  - Prevent I/O data obfuscation
- Timing Trace Module (TTM)
  - Read processor states when a trace instruction is executed
- Scratch Pad Memory (SPM)
  - Stores a sequence of trace information
  - Only visible to the secure core
- Secure Monitor
  - Verify the legitimacy of an execution
  - Use timing profile

Timing-Based Intrusion Detection
Block-level monitoring
- Narrowing estimation domain
  - Less variation, better accuracy
- Block boundary: check point
  - Detect unexpected flow deviations
Figure labels: Block 1 to Block 6

How to Get Timing Profiles
Figure: Raw Traces → Trace Tree → Profiles (Statistical Learning); Block 1 to Block 6

Timing Trace Module
Figure labels: Trace Instructions; SPM Layout
- PID registration for preventing traces from being forged
- BA: Base Address (= PC of INST_REG_PID)
- Read Timestamp and Program Counter from the processor registers
- Addr_i = BA - PC_i (i.e., relative address from BA)

Raw Traces
Figure labels: Block 1 to Block 6; INST_TRACE at Addr 1 to Addr 7
Trace sequence:
(Addr 1, t1) (Addr 2, t2) (Addr 3, t3) (Addr 7, t4)
(Addr 1, t5) (Addr 2, t6) (Addr 4, t7) (Addr 6, t8) (Addr 7, t9)
(Addr 1, t10) (Addr 2, t11) (Addr 4, t12) (Addr 5, t13) (Addr 7, t14)
…

Trace Tree
Raw traces:
(Addr 1, t1) (Addr 2, t2) (Addr 3, t3) (Addr 7, t4)
(Addr 1, t5) (Addr 2, t6) (Addr 4, t7) (Addr 6, t8) (Addr 7, t9)
(Addr 1, t10) (Addr 2, t11) (Addr 4, t12) (Addr 5, t13) (Addr 7, t14)
…
Tree built from them (time differences collected between consecutive trace points; nodes in the figure are labelled Block 1 to Block 6):
Addr 1
  → Addr 2: t2-t1, t6-t5, t11-t10, …
    → Addr 3: t3-t2, …
      → Addr 7: t4-t3, …
    → Addr 4: t7-t6, t12-t11, …
      → Addr 6: t8-t7, …
        → Addr 7: t9-t8, …
      → Addr 5: t13-t12, …
        → Addr 7: t14-t13, …
Same execution block, but on different paths. Each has its own timing profile.
From a trace tree, we can get
- Execution time samples (each node)
- Legitimate execution flows
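The trace-tree construction described on this slide, as an added example (not code from the talk or from the SecureCore project). The names `Node`, `build_trace_tree`, `lookup` and `first_flow_deviation`, and the integer addresses and timestamps, are constructed for illustration.

```python
class Node:
    """One INST_TRACE check point, reached along one particular path."""
    def __init__(self, addr):
        self.addr = addr
        self.children = {}  # next check-point address -> Node
        self.samples = []   # time from the previous check point to this one

def build_trace_tree(runs):
    """runs: one list of (addr, timestamp) pairs per profiled execution."""
    root = Node(None)
    for run in runs:
        node, prev_t = root, None
        for addr, t in run:
            # The same address reached via a different prefix gets its own
            # node, so each path keeps a separate timing profile.
            node = node.children.setdefault(addr, Node(addr))
            if prev_t is not None:
                node.samples.append(t - prev_t)
            prev_t = t
    return root

def lookup(root, path):
    """Node reached by following path from the root, or None if never profiled."""
    node = root
    for addr in path:
        node = node.children.get(addr)
        if node is None:
            return None
    return node

def first_flow_deviation(root, run):
    """Index of the first trace entry that leaves every profiled path, else None."""
    node = root
    for i, (addr, _t) in enumerate(run):
        node = node.children.get(addr)
        if node is None:
            return i
    return None

# Constructed raw traces shaped like the slide's three runs
# (addresses 1..7 stand for Addr 1..Addr 7; timestamps are made up).
RUNS = [
    [(1, 0), (2, 100), (3, 250), (7, 300)],
    [(1, 1000), (2, 1110), (4, 1300), (6, 1500), (7, 1560)],
    [(1, 2000), (2, 2090), (4, 2290), (5, 2400), (7, 2455)],
]
TREE = build_trace_tree(RUNS)

if __name__ == "__main__":
    print("Addr1->Addr2 samples:", lookup(TREE, [1, 2]).samples)
    for path in ([1, 2, 3, 7], [1, 2, 4, 6, 7], [1, 2, 4, 5, 7]):
        print("Addr 7 via", path, "->", lookup(TREE, path).samples)
    # A run that jumps from Addr 2 straight to Addr 6 was never profiled.
    print("deviation at index:",
          first_flow_deviation(TREE, [(1, 0), (2, 100), (6, 200), (7, 260)]))
```
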

Timing Profile
What is a good estimation of execution times?
- Min & max, mean, …
  - Not representative
  - Cannot capture variations well
- Probabilistic timing model
  - Estimate the likelihoods of execution times!
- Probability distribution
  - Parametric vs. Non-parametric distribution
- Unknown shape

Execution Time Profile Using Kernel Density Estimation (KDE)
Non-parametric Probability Density Function Estimation
1. Given samples of execution times
2. Draw scaled distribution at each sample point
3. Sum them up
- Kernel & bandwidth affect shape and smoothness
- Gaussian kernel
Formula labels: Estimated pdf; Kernel function; Bandwidth (Smoothing constant)
Figure: Example (Figure is from CSCE 666 Pattern Analysis by Ricardo Gutierrez-Osuna at TAMU)

Intrusion Detection Using Timing Profiles
Figure: PDF of the Execution Time of an example block
- Highly likely
- Multiple peaks: different inputs or system effects
How much deviation should we consider malicious?
- Threshold test: Malicious / Legitimate
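The Gaussian-kernel KDE profile and threshold test from the two slides above, as an added example (not code from the talk, which used Matlab's 'ksdensity'). `BlockProfile`, `fp_budget`, the bandwidth values, the way the threshold is derived from the profiling samples, and the sample data are assumptions made for illustration; only the ~260,000-cycle block and the 440/1000-cycle malicious loops come from the talk's application model.

```python
import math

def gaussian_kde(samples, h):
    """pdf(e): a Gaussian of bandwidth h at every sample, summed and normalised."""
    norm = 1.0 / (len(samples) * h * math.sqrt(2.0 * math.pi))
    def pdf(e):
        return norm * sum(math.exp(-0.5 * ((e - s) / h) ** 2) for s in samples)
    return pdf

class BlockProfile:
    """Timing profile of one trace-tree node plus a density threshold."""
    def __init__(self, samples, h, fp_budget=0.05):
        self.pdf = gaussian_kde(samples, h)
        # Assumed threshold rule: the density below which roughly fp_budget
        # of the attack-free profiling runs themselves would fall.
        dens = sorted(self.pdf(s) for s in samples)
        self.threshold = dens[int(fp_budget * len(dens))]

    def is_suspicious(self, exec_time):
        return self.pdf(exec_time) < self.threshold

# Constructed attack-free samples in cycles: two peaks, as for a block whose
# time depends on input or cache state (259,500..260,500 and 262,500..263,500).
LEGIT = ([259_500 + 50 * j for j in range(21)]
         + [262_500 + 50 * j for j in range(21)])

def verdicts(h):
    """Classify a few constructed run-time observations with bandwidth h."""
    p = BlockProfile(LEGIT, h)
    return {
        "legit": p.is_suspicious(260_000),
        "fast_run_plus_440": p.is_suspicious(259_600 + 440),
        "slow_run_plus_440": p.is_suspicious(260_400 + 440),
        "plus_1000": p.is_suspicious(260_000 + 1000),
    }

if __name__ == "__main__":
    # Narrow bandwidth: the 1000-cycle loop lands in the low-density gap.
    # The 440-cycle loop is only caught when the legitimate run was slow.
    print("h=100 :", verdicts(100))
    # Oversmoothed bandwidth fills the gap between the peaks and hides both.
    print("h=3000:", verdicts(3000))
```

The `fast_run_plus_440` case stays inside the legitimate spread and is missed, which is the short-malicious-code limitation the talk reports.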

Summary of Timing-Based Intrusion Detection
Figure labels: Monitored Core; Secure Core; Complex Controller; Secure Monitor; Timing Trace Module; Scratch Pad Memory
[Profile] Trace tree over Addr 1 to Addr 7 (Block 1 to Block 6)
[Run-time Execution] Block 1 to Block 6
Trace: (Addr 1, t_i) (Addr 2, t_{i+1}) (Addr 4, t_{i+2}) (Addr 6, t_{i+3}) (Addr 7, t_{i+4})
Traverse and check

Implementation
Figure labels: CC; SC; DM; SM; IOP; LWE; Linux; TTM; SPM; Hypervisor; Monitored Core; Secure Core; Inverted Pendulum (IP) Dynamics; Simics (P4080); Host PC; Serial (tty); Pseudo Terminal (pts); Byte channel
- Freescale P4080 on Simics
  - Only two cores (Core 0 and 1)
  - Cache (L1 and L2) and bus models for system effects
  - ISA modification for trace instruction
- Inverted Pendulum Control
  - Controller and dynamics (cart position, rod’s angle)
  - Generated from Simulink IP model

Application Model
IP Control + FFT (EEMBC)
Figure labels: FFT Init; FFT Phase #1; FFT Phase #2; FFT Phase #3; IP Control; PathID = 1, 2; PathID = 0; 1 run if PathID = 0, 1; 2 runs if PathID = [not recovered]; meter
- Malicious code
  - Injected at the end of FFT Phase #3
  - Simple loop (some array copy)
  - 440, 720, 1000 cycles for 1, 3, 5 loops (FFT Phase #3: ~260,000 cycles)
  - Activated when the cart passes +0.7 m
  - Execute randomly thereafter
    - Loop execution
    - Sends old actuation cmd
- Timing Profile
  - ~10,000 runs (no malicious code activation)
  - ‘ksdensity’ (Matlab) for Gaussian KDE
- Total exec time: 850,000 ~ 1,200,000 cycles (~1 ms)
- Control period: 10 ms

Early Detection
Figure (plot panels): No attack; No protection; Simplex only; Our method; marker: Attack activated

Intrusion Detection Accuracy
Criteria: False prediction rates
- False positive: predict “malicious” when not
- False negative: fail to detect a real attack
Table labels: Predicted; Real; 1 loop; 3 loops; 5 loops; False positive rates; False negative rates
Table values, in extracted order: 1/1024 (0.10%); 7/1015 (0.69%); 827/1022 (81%); 574/1046 (55%); 130/1098 (12%); 578/1050 (55%); 117/1011 (12%); 0/1024 (0%)
Annotations: Detect well, More false alarms; Miss often, Fewer false alarms

Limitations and Future Work
Limitations
- Low detection accuracy for short malicious code → More deterministic execution
- Still high false positive → Long-term monitoring
Other future work
- Monitoring multiple applications on multiple cores
- Monitoring of other behavioral aspects (e.g., Memory, I/O)
- Multi-dimensional monitoring

Thank you