Purdue University Graduate School
Browse

File(s) under embargo

5

month(s)

14

day(s)

until file(s) become available

Anomaly Detection in Hard Real-Time Embedded Systems

thesis
posted on 2024-09-30, 12:25 authored by Boakye DankwaBoakye Dankwa

Lessons learned in protecting desktop computers, servers, and cloud systems from cyberattacks have not translated to embedded systems easily. Yet, embedded systems impact our lives in many ways and are subject to similar risks. In particular, real-time embedded systems are computer systems controlling critical physical processes in industrial controllers, avionics, engine control systems, etc. Attacks have been reported on real-time embedded systems, some with devastating outcomes on the physical processes. Detecting intrusions in real-time is a prerequisite to an effective response to ensure resilience to damaging attacks. In anomaly detection methods, researchers typically model expected program behavior and detect deviations. This approach has the advantage of detecting zero-day attacks compared to signature-based intrusion detection methods; however, existing anomaly detection approaches suffer high false-positive rates and incur significant performance overhead caused by code instrumentation, making them impractical for hard real-time embedded systems, which must meet strict temporal constraints.

This thesis presents a hardware-assisted anomaly detection approach that uses an automaton to model valid control-flow transfers in hard real-time systems without code instrumentation. The approach relies on existing hardware mechanisms to capture and export runtime control-flow data for runtime verification without the need for code instrumentation, thereby preserving the temporal properties of the target program. We implement a prototype of the mechanism on the Xilinx Zynq Ultrascale+ platform and empirically demonstrate precise detection of control-flow hijacking attacks with negligible (0.18%) performance overhead without false alarms using a real-time variant of the well-known RIPE benchmark we developed for this work. We further empirically demonstrate via schedulability analysis that protecting a real-time program with the proposed anomaly detection mechanism preserves the program’s temporal constraints.

History

Degree Type

  • Doctor of Philosophy

Department

  • Computer Science

Campus location

  • West Lafayette

Advisor/Supervisor/Committee Chair

Eugene Spafford

Additional Committee Member 2

Dongyan Xu

Additional Committee Member 3

Christina Garman

Additional Committee Member 4

Abraham Clements