Ming Zhang,Zonghua Gu,Hong Li,Nenggan Zheng

DOI: https://doi.org/10.1109/access.2018.2852805

IF: 3.9

2018-01-01

IEEE Access

Abstract:Safety-critical embedded systems in application domains, such as aerospace, automotive, and industrial automation, must satisfy dual requirements of fault-tolerance and real-time predictability. Control flow checking is an effective technique for improving embedded systems’ reliability by online monitoring and checking of software control flow to detect runtime deviations from the control flow graph. However, inserting instrumentation code in every basic block incurs significant execution time overhead, which may cause the program to violate its timing constraints. In this paper, we propose to selectively instrument a subset of code regions that are larger than basic blocks, called super-nodes, in order to make the program partially resilient to control flow errors while keeping the program worst-case execution time (WCET) below a given upper bound. WCET analysis is invoked to estimate the program WCET and to identify the corresponding worst-case execution path (WCEP). An ILP formulation is used to judiciously select a subset of super-nodes on the WCEP for instrumentation, so that the best fault detection coverage is achieved without violating the given WCET upper bound. The optimization is repeated for each identified WCEP until the program WCET satisfies the WCET upper bound. Experimental results demonstrate significant improvements of fault detection coverage compared with related work.

Wang Honghao,Wang Huiquan,Jin Zhonghe

DOI: https://doi.org/10.1016/j.cja.2015.04.010

2015-01-01

Abstract:Single event upset (SEU) effect, caused by highly energized particles in aerospace, threatens the reliability and security of small satellites composed of commercial-off-the-shelves (COTS). SEU-induced control flow errors (CFEs) may cause unpredictable behavior or crashes of COTS-based small satellites. This paper proposes a generic software-based control flow checking technique (CFC) and bipartite graph-based control flow checking (BGCFC). To simplify the types of illegal branches, it transforms the conventional control flow graph into the equivalent bipartite graph. It checks the legality of control flow at runtime by comparing a global signature with the expected value and introduces consecutive IDs and bitmaps to reduce the time and memory overhead. Theoretical analysis shows that BGCFC can detect all types of inter-node CFEs with constant time and memory overhead. Practical tests verify the result of theoretical analysis. Compared with previous techniques, BGCFC achieves the highest error detection rate, lower time and memory overhead; the composite result in evaluation factor shows that BGCFC is the most effective one among all these techniques. The results in both theory and practice verify the applicability of BGCFC for COTS-based small satellites.

Jihao Huang,Xuemin Chi,Zhitao Liu,Hongye Su

DOI: https://doi.org/10.1109/ccdc62350.2024.10588112

2024-01-01

Abstract:Recently, there has been increasing attention in robot research towards the whole-body collision avoidance. In this paper, we propose a safety-critical controller that utilizes time-varying control barrier functions (time varying CBFs) constructed by Robo-centric Euclidean Signed Distance Field (RC-ESDF) to achieve dynamic collision avoidance. The RC-ESDF is constructed in the robot body frame and solely relies on the robot's shape, eliminating the need for real-time updates to save computational resources. Additionally, we design two control Lyapunov functions (CLFs) to ensure that the robot can reach its destination. To enable real-time application, our safety-critical controller which incorporates CLFs and CBFs as constraints is formulated as a quadratic program (QP) optimization problem. We conducted numerical simulations on two different dynamics of an L-shaped robot to verify the effectiveness of our proposed approach.

Yang Mu,Wang Hao,Zheng Yangming,Jin Zhonghe

DOI: https://doi.org/10.1016/j.cja.2013.02.019

2013-01-01

Abstract:This paper proposes a generic high-performance and low-time-overhead software control flow checking solution, graph-tree-based control flow checking (GTCFC) for space-borne commercial-off-the-shelf (COTS) processors. A graph tree data structure with a topology similar to common trees is introduced to transform the control flow graphs of target programs. This together with design of IDs and signatures of its vertices and edges allows for an easy check of legality of actual branching during target program execution. As a result, the algorithm not only is capable of detecting all single and multiple branching errors with low latency and time overheads along with a linear-complexity space overhead, but also remains generic among arbitrary instruction sets and independent of any specific hardware. Tests of the algorithm using a COTS-processor-based on-board computer (OBC) of in-service ZDPS-1A pico-satellite products show that GTCFC can detect over 90% of the randomly injected and all-pattern-covering branching errors for different types of target programs, with performance and overheads consistent with the theoretical analysis; and beats well-established preeminent control flow checking algorithms in these dimensions. Furthermore, it is validated that GTCGC not only can be accommodated in pico-satellites conveniently with still sufficient system margins left, but also has the ability to minimize the risk of control flow errors being undetected in their space missions. Therefore, due to its effectiveness, efficiency, and compatibility, the GTCFC solution is ready for applications on COTS processors on pico-satellites in their real space missions.

Qingling Zhao,Zonghua Gu,Min Yao,Haibo Zeng

DOI: https://doi.org/10.1016/j.sysarc.2016.01.008

IF: 5.836

2016-01-01

Journal of Systems Architecture

Abstract:Today's safety-critical Cyber-Physical Systems (CPS) often need to integrate multiple diverse applications with varying levels of importance, or criticality. Mixed-Criticality Scheduling (MCS) has been proposed with the objectives of achieving certification at multiple criticality levels and efficient utilization of hardware resources. Current work on MCS typically assumes tasks at different criticality levels are independent and do not share any resources (data). We propose HLC-PCP (Highest-Locker Criticality, Priority-Ceiling Protocol), which extends the well-known Priority Ceiling Protocol (PCP) to be applicable to AMC (Adaptive Mixed Criticality), a variant of MCS. We present methods for worst-case blocking time computation with HLC-PCP, used for schedulability analysis of AMC with resource sharing, for both the dual-criticality model and the general multi-criticality model. (C) 2016 Elsevier B.V. All rights reserved.

Mustakimur Khandaker,Abu Naser,Wenqing Liu,Zhi Wang,Yajin Zhou,Yueqiang Cheng

DOI: https://doi.org/10.1109/eurosp.2019.00017

2019-01-01

Abstract:Low-level languages like C/C++ are widely used in various applications for their performance and flexibility. Unfortunately, these languages are prone to memory corruption vulnerabilities, leading to control-flow hijacking attacks. Control flow integrity (CFI) is a general principle to enforce run-time control flow of a program to a pre-computed control-flow graph (CFG). While the traditional context-insensitive CFI falls short in protecting critical control transfers, recent context-sensitive CFI research shows promising improvements but has various limitations. We present Control Flow Integrity with Look Back (CFI-LB), a call-site sensitive CFI in which a conventional source-target control transfer is strengthened by a look back into its call-sites (return addresses). CFI-LB features the adaptive call-site sensitivity in which each indirect call has its own level of sensitivity and the multi-scope CFG to improve the security even if a precise context-sensitive static CFG is not available, especially for large programs such as GCC and NGINX. One of the CFGs is constructed by our localized concolic execution, which significantly extends the dynamic CFG with very low false positives. In addition, CFI-LB is the first CFI system explicitly designed to protect its reference monitors from race conditions. We have built a prototype of CFI-LB. The evaluation with SPEC CPU2006 benchmarks and NGINX indicates that CFI-LB has a low-performance overhead (less than 5% on average for the full protection) while increasing the security.

Weiyi Wang,Lang Feng,Zhiguo Shi,Cheng Zhuo,Jiming Chen

DOI: https://doi.org/10.23919/date58400.2024.10546789

2024-01-01

Abstract:Internet of Things (IoT) devices face an escalating threat from code reuse attacks (CRAs) as they can reuse existing code for malicious purpose. Thus a practical cost-effective Control-Flow Integrity (CFI) mechanism for IoT devices is urgently needed. However, existing CFI solutions suffer from impractical-ities, including high performance overhead and a heavy reliance on offline perfect Control-Flow Graph (CFG) generation. To tackle these challenges, we propose a fine-grained dependable CFI scheme for IoT devices that real-time updates the CFG of devices. We evaluate the implementation on RISC-V architectures and the results show that our CFI scheme provides both backward- and forward-edge protection with almost no performance overhead in the case of fixed CFG, negligible power overhead, and low hardware overhead. Compared to the current hardware-assisted CFI designs, our design eliminates the dependence on the offline perfect CFG generation and performs real-time CFG updating for better practicality.

Gong Rui,Chen Wei,Liu Fang,Dai Kui,Wang Zhiying

DOI: https://doi.org/10.1145/1363686.1364048

2008-01-01

Abstract:Control flow checking is a commonly used method to promote the fault tolerance of embedded systems. Conventional control flow checking by software signatures (CFCSS) imposes large overheads on code size and performance. A control flow checking scheme based on 8051 architecture, the control flow checking and recovering by compiler signatures and hardware checking (CFCCH) is proposed in this paper. Compared to CFCSS, the CFCCH is preferred to be implemented on the 8051 architectures to efficiently reduce code size and program execution time while keep the same fault tolerant ability.

Tanmaya Mishra,Thidapat Chantem,Ryan Gerdes

DOI: https://doi.org/10.1145/3538275

2021-11-23

Abstract:Computing systems, including real-time embedded systems, are becoming increasingly connected to allow for more advanced and safer operation. Such embedded systems are resource-constrained, such as lower processing capabilities, as compared to general purpose computing systems like desktops or servers. However, allowing external interfaces to such embedded systems increases their exposure to attackers. With an increase in attacks against embedded systems ranging from home appliances to industrial control systems operating critical equipment that have hard real-time requirements, it is imperative that defense mechanisms be created that explicitly consider such resource and real-time constraints constraints. Control-flow integrity (CFI) is a family of defense mechanisms that prevent attackers from modifying the flow of execution. We survey CFI techniques, ranging from the basic to state-of-the-art, that are built for embedded systems and real-time embedded systems and find that there is a dearth, especially for real-time embedded systems, of CFI mechanisms. We then present open challenges to the community to help drive research in this domain.

Cryptography and Security

Feng Xia,Zhi Wang,Youxian Sun

DOI: https://doi.org/10.1109/cca.2004.1387220

2004-01-01

Abstract:Real-time distributed control systems (RDCSs) have an increasing importance in industrial process. The evolving standard IEC 61499 provides function block (FB) as a suitable metaphor for constructing RDCSs. However, the real-timeliness of such systems has not been well dealt with. From a real-time point of view, the FB model defined in IEC 61499 is extended with several timing characteristics. Task graph (TG) is employed to represent FB based RDCS. By exploiting the benefits of parallelism, pipeline scheduling, which can greatly shorten the control period, is utilized for real-time FBs. The problem of allocating FBs to parallel RDCSs subject to periodicity, time, precedence as well as resource constraints is examined. A heuristic algorithm is proposed to further decrease the minimum of control period while meeting these constraints, thus improving the quality of control (QoC). An illustrative example is presented, highlighting the advantages of the proposed method.

Feng Xia,Liping Liu,Youxian Sun

DOI: https://doi.org/10.1007/11548706_66

2005-01-01

Abstract:Today's embedded systems representatively feature computing resource constraints as well as workload uncertainty. This gives rise to the increasing demand of integrating control and scheduling in control applications that are built upon embedded systems. To address the impact of uncertain computing resource availability on quality of control (QoC), an intelligent control theoretic approach to feedback scheduling is proposed based on fuzzy logic control technology. The case with one single control task that competes for CPU resources with other non-control tasks is considered. The sampling period of the control task is dynamically adjusted. The goal is to provide runtime adaptation and flexible QoC management in the presence of CPU resource constraint and workload uncertainty. Preliminary simulation results argue that the fuzzy feedback scheduler is effective in managing QoC in real-time embedded control applications.

Yujie Wang,Cailani Lemieux Mack,Xi Tan,Ning Zhang,Ziming Zhao,Sanjoy Baruah,Bryan C. Ward

DOI: https://doi.org/10.1109/rtas61025.2024.00036

2023-01-01

Abstract:Real-time and embedded systems are predominantly written in C, a language that is notoriously not memory safe. This has led to widespread memory-corruption vulnerabilities in real-time embedded cyber-physical systems (CPS). This is concerning, as such devices are becoming increasingly networked with the Internet of Things (IoT) and other communication technologies (e.g., 5G), rendering them vulnerable to remote attacks. Attackers have demonstrated how memory-corruption vulnerabilities can be used to hijack program control flow to implement arbitrary attacker-controlled logic. One class of defenses that has been developed to prevent such attacks is called control-flow integrity (CFI), which applies checks at control-flow transitions to ensure the target is valid. Unfortunately, attackers have shown how to divert control flow to seemingly valid targets in an invalid and malicious sequence. This paper presents InsectACIDE, the first holistic CFI for embedded and real-time systems that does not require binary instrumentation and that is context sensitive, i.e., it checks that the sequence of control-flow transitions taken is valid, not just individual transitions, thereby detecting such attacks. InsectACIDE is implemented on an embedded Cortex-M processor using the TrustZone trusted execution environment, and holistic context-sensitive CFI is enforced for both applications and the kernel. InsectACIDE uses hardware debugging features on the Cortex-M processor and therefore does not require any kernel or application binary modification. Experimental results show that InsectACIDE incurs significantly less runtime overhead compared to the state-of-the-art holistic CFI solution. Real-time schedulability analysis is presented, along with a schedulability evaluation, to demonstrate the tradeoff between stronger protection and real-time schedulability.

Hamed Okhravi,T. Baron,Nicholas F. Brown,R. Walls,Bryan C. Ward,Craig A. Shue

DOI: https://doi.org/10.4230/LIPICS.ECRTS.2019.2

Abstract:Attacks on real-time embedded systems can endanger lives and critical infrastructure. Despite this, techniques for securing embedded systems software have not been widely studied. Many existing security techniques for general-purpose computers rely on assumptions that do not hold in the embedded case. This paper focuses on one such technique, control-flow integrity (CFI), that has been vetted as an effective countermeasure against control-flow hijacking attacks on general-purpose computing systems. Without the process isolation and fine-grained memory protections provided by a general-purpose computer with a rich operating system, CFI cannot provide any security guarantees. This work proposes RECFISH, a system for providing CFI guarantees on ARM Cortex-R devices running minimal real-time operating systems. We provide techniques for protecting runtime structures, isolating processes, and instrumenting compiled ARM binaries with CFI protection. We empirically evaluate RECFISH and its performance implications for real-time systems. Our results suggest RECFISH can be directly applied to binaries without compromising real-time performance; in a test of over six million realistic task systems running FreeRTOS, 85% were still schedulable after adding RECFISH.

Computer Science,Engineering

Feng Xia,Xingfa Shen,Liping Liu,Zhi Wang,Youxian Sun

DOI: https://doi.org/10.1007/11538356_47

2005-01-01

Abstract:The case where multiple control tasks share one embedded CPU is considered. For various reasons, both execution times of these tasks and CPU workload are uncertain and imprecise. To attack this issue, a fuzzy logic based feedback scheduling approach is suggested. The sampling periods of control tasks are periodically adjusted with respect to uncertain resource availability. A simple period rescaling algorithm is employed, and the available CPU resource is dynamically allocated in an intelligent fashion. Thanks to the inherent capacity of fuzzy logic to formalize control algorithms that can tolerate imprecision and uncertainty, the proposed approach provides runtime flexibility to quality of control (QoC) management. Preliminary simulations highlight the benefits of the fuzzy logic based feedback scheduler.

Feng Xia,Zhi Wang,Youxian Sun

DOI: https://doi.org/10.1109/ICSMC.2004.1401011

2004-01-01

Abstract:Control delay holds a significant impact on the quality of control (QoC) of a networked control system (NCS), degrading QoC and even causing system instability. With an objective of performance optimization through minimizing control delay, an event-driven approach to NCS design is proposed. The function block model defined in IEC61499 is extended and employed as the component for constructing event-driven NCS. Effective design principles integrating the scheduling methodology of pipelining are presented The NCS design for a DC servo system illustrates the proposed design principles. The impact of control period on QoC is visualized, and the optimal working range of control period is obtained. The QoC of NCS is measured by a general performance criterion. Simulation results for performance evaluation show that our approach leads to better QoC than the sequential system does.

Chao Zhang,Tao Wei,Zhaofeng Chen,Lei Duan,Laszlo Szekeres,Stephen McCamant,Dawn Song,Wei Zou

DOI: https://doi.org/10.1109/sp.2013.44

2013-01-01

Security and Privacy

Abstract:Control Flow Integrity (CFI) provides a strong protection against modern control-flow hijacking attacks. However, performance and compatibility issues limit its adoption. We propose a new practical and realistic protection method called CCFIR (Compact Control Flow Integrity and Randomization), which addresses the main barriers to CFI adoption. CCFIR collects all legal targets of indirect control-transfer instructions, puts them into a dedicated "Springboard section" in a random order, and then limits indirect transfers to flow only to them. Using the Springboard section for targets, CCFIR can validate a target more simply and faster than traditional CFI, and provide support for on-site target-randomization as well as better compatibility. Based on these approaches, CCFIR can stop control-flow hijacking attacks including ROP and return-into-libc. Results show that ROP gadgets are all eliminated. We observe that with the wide deployment of ASLR, Windows/x86 PE executables contain enough information in relocation tables which CCFIR can use to find all legal instructions and jump targets reliably, without source code or symbol information. We evaluate our prototype implementation on common web browsers and the SPEC CPU2000 suite: CCFIR protects large applications such as GCC and Firefox completely automatically, and has low performance overhead of about 3.6%/8.6% (average/max) using SPECint2000. Experiments on real-world exploits also show that CCFIR-hardened versions of IE6, Firefox 3.6 and other applications are protected effectively.

Wei-Dong Xu,Xiang-Gui Guo,Jian-Liang Wang,Huaicheng Yan,Zheng-Guang Wu

DOI: https://doi.org/10.1109/tits.2024.3431012

IF: 8.5

2024-01-01

IEEE Transactions on Intelligent Transportation Systems

Abstract:This paper proposes a fault-tolerant and intrusion-tolerant control strategy for a two-dimensional (2-D) planar vehicular platoon system subject to unknown limitless reversals in fault directions (ULRFDs) and stochastic false data injection attacks (FDIAs). An algorithm is also proposed to realize some actual traffic scenarios such as multi-lane vehicle merging and a single vehicle joining or exiting a platoon. In contrast to the existing results, under stochastic FDIAs, the considered fault directions can be unknown, time-varying, and limitless continuously transformed, as well as the fault frequency is not limited. A novel Nussbaum function with a bounded and adjustable amplitude is constructed using the idea of time-elongation (instead of amplitude-elongation) to attenuate the control input shocks caused by the amplitude-elongation Nussbaum function and to solve the ULRFD problem effectively. Furthermore, two Zeno-free event-triggered mechanisms (ETMs) respectively for velocity and angular velocity are constructed to reduce the communication cost on the controller-actuator channels. It is worth mentioning that a passive intrusion-tolerant method without introducing any additional learning parameter is adopted to solve stochastic FDIAs on the controller-actuator channels. This simplifies our controller structure and reduces the online computational load. Finally, simulation results validate the effectiveness and supremacy of the proposed control strategy and algorithm.

Antonio Joia Neto,Ivan de Oliveira Nunes

2023-03-07

Abstract:The wide adoption of IoT gadgets and Cyber-Physical Systems (CPS) makes embedded devices increasingly important. While some of these devices perform mission-critical tasks, they are usually implemented using Micro-Controller Units (MCUs) that lack security mechanisms on par with those available to general-purpose computers, making them more susceptible to remote exploits that could corrupt their software integrity. Motivated by this problem, prior work has proposed techniques to remotely assess the trustworthiness of embedded MCU software. Among them, Control Flow Attestation (CFA) enables remote detection of runtime abuses that illegally modify the program's control flow during execution. Despite these advances, current CFA methods share a fundamental limitation: they preclude interrupts during the execution of the software operation being attested. Simply put, existing CFA techniques are insecure unless interrupts are disabled on the MCU. On the other hand, we argue that the lack of interruptability can obscure CFA usefulness, as most embedded applications depend on interrupts to process asynchronous events in real-time. To address this limitation, we propose Interrupt-Safe Control Flow Attestation (ISC-FLAT): a CFA technique that is compatible with existing MCUs and enables interrupt handling without compromising the authenticity of CFA reports. Similar to other CFA techniques that do not require customized hardware modifications, ISC-FLAT leverages a Trusted Execution Environment (TEE) (in particular, our prototype is built on ARM TrustZone-M) to securely generate unforgeable CFA reports without precluding applications from processing interrupts. We implement a fully functional ISC-FLAT prototype on the ARM Cortex-M33 MCU and demonstrate that it incurs minimal runtime overhead when compared to existing TEE-based CFA methods that do not support interrupts.

Cryptography and Security

Yuan Li,Mingzhe Wang,Chao Zhang,Xingman Chen,Songtao Yang,Ying Liu

DOI: https://doi.org/10.1145/3372297.3417867

2020-01-01

Abstract:Control-flow integrity (CFI) is a promising technique to mitigate control-flow hijacking attacks. In the past decade, dozens of CFI mechanisms have been proposed by researchers. Despite the claims made by themselves, the security promises of these mechanisms have not been carefully evaluated, and thus are questionable. In this paper, we present a solution to measure the gap between the practical security and the claimed theoretical security. First, we propose CScan to precisely measure runtime feasible targets of indirect control transfer (ICT) instructions protected by CFI, by enumerating all potential code addresses and testing whether ICTs are allowed to jump to them. Second, we propose CBench as a sanity check for verifying CFI solutions? effectiveness against typical attacks, by exploiting a comprehensive set of vulnerable programs protected by CFI and verifying the recognized feasible targets. We evaluated 12 most recent open-source CFI mechanisms and discovered 10 flaws in most CFI mechanisms or implementations. For some CFIs, their security policies or protected ICT sets do not match what they claimed. Some CFIs even expand the attack surface (e.g. introducing unintended targets). To facilitate a deeper understanding of CFI, we summarize the flaws into 7 common pitfalls which cover the whole lifetime of CFI mechanisms and reveal issues that affect CFI mechanisms in practical security.

Jaekwon Lee,Seung Yeob Shin,Lionel Briand,Shiva Nejati

2023-08-11

Abstract:Weakly hard real-time systems can, to some degree, tolerate deadline misses, but their schedulability still needs to be analyzed to ensure their quality of service. Such analysis usually occurs at early design stages to provide implementation guidelines to engineers so that they can make better design decisions. Estimating worst-case execution times (WCET) is a key input to schedulability analysis. However, early on during system design, estimating WCET values is challenging and engineers usually determine them as plausible ranges based on their domain knowledge. Our approach aims at finding restricted, safe WCET sub-ranges given a set of ranges initially estimated by experts in the context of weakly hard real-time systems. To this end, we leverage (1) multi-objective search aiming at maximizing the violation of weakly hard constraints in order to find worst-case scheduling scenarios and (2) polynomial logistic regression to infer safe WCET ranges with a probabilistic interpretation. We evaluated our approach by applying it to an industrial system in the satellite domain and several realistic synthetic systems. The results indicate that our approach significantly outperforms a baseline relying on random search without learning, and estimates safe WCET ranges with a high degree of confidence in practical time (< 23h).

Software Engineering