Paper: Time-Based Intrusion Detection in Cyber-Physical Systems
Authors: Christopher Zimmer, Balasubramanya Bhat, Frank Mueller
North Carolina State University
University of Illinois at Urbana Champaign
Problem: Cyber-physical systems are common in critical infrastructure. Such systems are exposed to time-based intrusion attacks. A time-based intrusion attack happens when an attacker executes an unauthorized instruction in a system with real-time constraints, which can compromise the entire system. Also, if a deadline is missed, the entire system can perform incorrectly. This paper provides a detection mechanism for time-based intrusion attacks.
Solution Approach: Detection is based on the values obtained from worst-case execution time (WCET) analysis: the actual timing metrics are compared against the worst-case analysis results. The authors use a WCET tool chain that determines the WCET value of the application. These tools provide timing data at multiple levels and enable analysis of the data over a more focused range.
The compiler generates an assembly file of the application, which is sent to the control-flow analyzer. Static cache analysis is also performed, and the results of both are given to the timing analyzer. The timing analyzer derives the BCET and WCET.
Novelty: The authors enhance the tool chain so that it supplies timing values for a series of small ranges within the same simulation. This provides tighter bounds, which in turn help determine whether a security breach has occurred.
Apart from the tool chain, the design also includes application-level instrumentation known as Timed Return Path Security (TRPS), which uses communication through the system clock to perform sanity checks within the code. This mechanism is used to detect code injection attacks (buffer overflow attacks).
TRPS: It creates multiple sanity checks at critical points. Critical points can be points where the program counter is transferred to an undesignated area through a pointer. The sanity checks obtain the clock information just above and after the return address. The difference between the two timestamps is calculated, and this delta value is compared against a predetermined worst-case execution bound for return paths.
If the delta value is greater than the worst-case execution bound, the system may have been compromised. However, we cannot be sure that the entire system has been compromised. Hence, TRPS helps in detecting attacks that don't result in a deadline miss.
Analysis: The TRPS cycle overheads for the WCET benchmarks (SRT, LMS, ADPCM and FFT) are analyzed. The sensitivity results of TRPS for the various benchmarks and their respective functions are calculated. Timing analysis reports the WCET in cycles and the number of slack cycles that go undetected for the return sequence. This slack is the difference between the WCET and the actual execution time. The actual execution time is observed from SimpleScalar simulation. The WCET bound is extremely tight, and hence the window of vulnerability is restricted to a sensitivity of 9-39 cycles. This limits the amount of code that may be injected without being detected.
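The TRPS delta check and the slack window described above, as an added example that is not code from the paper. A simulated cycle counter stands in for the system clock, and all names (trps_guard, guarded_return, undetected_window) and cycle counts are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the system clock: a simulated cycle counter keeps
   the example deterministic. A real target would read a hardware timer. */
static uint64_t sim_cycles;
static uint64_t read_clock(void) { return sim_cycles; }
static void burn(uint64_t n) { sim_cycles += n; }  /* model n executed cycles */

typedef enum { TRPS_OK = 0, TRPS_VIOLATION = 1 } trps_result;

/* One checkpoint pair guarding a return path (hypothetical layout). */
typedef struct {
    uint64_t wcet_bound;  /* predetermined WCET of the return path, in cycles */
    uint64_t t_start;     /* timestamp taken before the return */
} trps_guard;

static void trps_arm(trps_guard *g) { g->t_start = read_clock(); }

/* Taken after the return: a delta above the bound means the path ran longer
   than any legitimate execution could have. */
static trps_result trps_check(const trps_guard *g) {
    uint64_t delta = read_clock() - g->t_start;
    return delta > g->wcet_bound ? TRPS_VIOLATION : TRPS_OK;
}

/* Model one guarded return: `actual` cycles of legitimate work plus `extra`
   cycles of unexpected code executed on the return path. */
trps_result guarded_return(uint64_t wcet, uint64_t actual, uint64_t extra) {
    trps_guard g = { .wcet_bound = wcet, .t_start = 0 };
    trps_arm(&g);
    burn(actual + extra);
    return trps_check(&g);
}

/* Slack = WCET - actual execution time: extra cycles that pass unnoticed. */
uint64_t undetected_window(uint64_t wcet, uint64_t actual) {
    return wcet > actual ? wcet - actual : 0;
}

int main(void) {
    /* Constructed numbers: WCET 120 cycles, observed 100, so slack is 20. */
    printf("slack=%llu\n", (unsigned long long)undetected_window(120, 100));
    printf("clean=%d in_slack=%d over_bound=%d\n",
           (int)guarded_return(120, 100, 0), (int)guarded_return(120, 100, 20),
           (int)guarded_return(120, 100, 21));
    return 0;
}
```

The tighter the WCET bound is to the actual execution time, the smaller the value returned by undetected_window, which is why the analysis reports sensitivity in cycles.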