Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

SecureCore RTAS2013

1,271 views

Published on

Published in: Technology, Business
  • If you are looking for customer-oriented academic and research paper writing service try ⇒⇒⇒ WRITE-MY-PAPER.net ⇐⇐⇐ liked them A LOTTT Really nice solutions for the last-day papers
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here
  • My friend sent me a link to to tis site. This awesome company. They wrote my entire research paper for me, and it turned out brilliantly. I highly recommend this service to anyone in my shoes. ⇒ www.HelpWriting.net ⇐.
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here

SecureCore RTAS2013

  1. 1. SecureCore: A Multicore-based Intrusion Detection Architecture for Real-Time Embedded Systems Man-Ki Yoon, Sibin Mohan, Jaesik Choi, Jung-Eun Kim, Lui Sha Dept. of Computer Science, UIUC Information Trust Institute, UIUC Lawrence Berkeley National Lab Apr 9th, 2013
  2. 2. Rethinking Real-Time Embedded System Security SecureCore: A Multicore-based Intrusion Detection Architecture for Real-Time Embedded Systems 2 Increased Capability More Networked Open, Standard Platform More Vulnerable to Security Attacks
  3. 3. SecureCore: A Multicore-based Intrusion Detection Architecture for Real-Time Embedded Systems 3 SecureCore Architecture Intrusion Detection, not prevention •Most critical component: control application •System recovery upon detection Behavior monitoring •Predictable timing behaviors of real-time apps •Profile using statistical learning Multicore-based core-to-core monitoring •On-chip HW for processor state inspection •Hypervisor-based protection/isolation
  4. 4. Rest of the Talk • System and Application Model • Timing-based Intrusion Detection (Overview) • SecureCore – Architecture Design – Timing-based Intrusion Detection (Detail) • Implementation and Evaluation • Limitations and Future Work SecureCore: A Multicore-based Intrusion Detection Architecture for Real-Time Embedded Systems 4
  5. 5. • Multicore-based Real-Time Control System System and Application Model SecureCore: A Multicore-based Intrusion Detection Architecture for Real-Time Embedded Systems 5 Physical plant Time Controller Sensor data Sensor data Actuation cmd Actuation cmd SecureCore MonitoredCore SecureCore Architecture
  6. 6. • Multicore-based Real-Time Control System System and Application Model SecureCore: A Multicore-based Intrusion Detection Architecture for Real-Time Embedded Systems 6 Physical plant Time Controller Sensor data Sensor data Actuation cmd Actuation cmd Threat Model: Malicious code execution • Embedded in the control code • Activated after system initialization • Irrelevant how it gained entry SecureCore MonitoredCore SecureCore Architecture
  7. 7. Timing-Based Intrusion Detection • Idea: Deterministic timing of real-time applications – Any malicious activity consumes finite time to execute – Deviation from expected timing → Suspicious! SecureCore: A Multicore-based Intrusion Detection Architecture for Real-Time Embedded Systems 7 Block 1 Block 2 Block 3 Block 4 Block 5 Block 6 𝒆 𝟏 𝒆 𝟐 𝒆 𝟑 𝒆 𝟒 𝒆 𝟓 𝒆 𝟔 Malicious Code 𝑒3 ∗ ≠ 𝑒3 Observed Legitimate
  8. 8. Timing-Based Intrusion Detection • Idea: Deterministic timing of real-time applications – Any malicious activity consumes finite time to execute – Deviation from expected timing → Suspicious! SecureCore: A Multicore-based Intrusion Detection Architecture for Real-Time Embedded Systems 8 Block 1 Block 2 Block 3 Block 4 Block 5 Block 6 𝑒6|𝑝𝑎𝑡ℎ1 = 3𝑚𝑠 𝑒6|𝑝𝑎𝑡ℎ2 = 7𝑚𝑠 𝑒6|𝑝𝑎𝑡ℎ3 = 5𝑚𝑠 𝑒6|𝑝𝑎𝑡ℎ2, 𝑖𝑛𝑝𝑢𝑡 𝑋 = 7 𝑚𝑠 𝑒6|𝑝𝑎𝑡ℎ2, 𝑖𝑛𝑝𝑢𝑡 𝑌 = 9 𝑚𝑠 𝑒6|𝑝𝑎𝑡ℎ2, 𝑖𝑛𝑝𝑢𝑡 𝑋 =? 𝑚𝑠 Execution time variations Control flow path Input values System effects (e.g., shared resource) 𝒆 𝟏 𝒆 𝟐 𝒆 𝟑 𝒆 𝟒 𝒆 𝟓 𝒆 𝟔
  9. 9. Timing-Based Intrusion Detection • Idea: Deterministic timing of real-time applications – Any malicious activity consumes finite time to execute – Deviation from expected timing → Suspicious! SecureCore: A Multicore-based Intrusion Detection Architecture for Real-Time Embedded Systems 9 Block 1 Block 2 Block 3 Block 4 Block 5 Block 6 𝑒1 𝑒2 𝑒3 𝑒4 𝑒5 𝑒6 𝑒6|𝑝𝑎𝑡ℎ1 = 3𝑚𝑠 𝑒6|𝑝𝑎𝑡ℎ2 = 7𝑚𝑠 𝑒6|𝑝𝑎𝑡ℎ3 = 5𝑚𝑠 𝑒6|𝑝𝑎𝑡ℎ2, 𝑖𝑛𝑝𝑢𝑡 𝑋 = 3 𝑚𝑠 𝑒6|𝑝𝑎𝑡ℎ2, 𝑖𝑛𝑝𝑢𝑡 𝑌 = 2 𝑚𝑠 𝑒6|𝑝𝑎𝑡ℎ2, 𝑖𝑛𝑝𝑢𝑡 𝑋 =? 𝑚𝑠 Execution time variations Control flow path Input values System effects (e.g., shared resource) • Profile probabilistic execution time model • Estimate Prob(e*) • Capture even legitimate variations Statistical learning-based profiling/detection 0.0000 0.0002 0.0004 0.0006 0.0008 0.0010 0.0012 0.0014 0.0016 0.0018 0.0020 272000 274000 276000 278000 280000 282000 Prob.Density Execution Time
  10. 10. Outline • System and Application Models • Timing-based Intrusion Detection (Overview) • SecureCore – Architecture Design – Timing-based Intrusion Detection (Detail) • Implementation and Evaluation • Limitations and Future Work SecureCore: A Multicore-based Intrusion Detection Architecture for Real-Time Embedded Systems 10
  11. 11. SecureCore Architecture SecureCore: A Multicore-based Intrusion Detection Architecture for Real-Time Embedded Systems 11 Plant Complex Controller Safety Ctrl. Decision Module Sensor Data Actuation Command Monitored Core Secure Core OS OS Hypervisor I/O Proxy Inter-Core Communication Timing Trace Module Scratch Pad Memory Secure Monitor
  12. 12. Timing-Based Intrusion Detection • Block-level monitoring – Narrowing estimation domain • Less variation, better accuracy – Block boundary: check point • Detect unexpected flow deviations SecureCore: A Multicore-based Intrusion Detection Architecture for Real-Time Embedded Systems 12 Block 1 Block 2 Block 3 Block 4 Block 5 Block 6
  13. 13. How to Get Timing Profiles SecureCore: A Multicore-based Intrusion Detection Architecture for Real-Time Embedded Systems 13 Raw Traces Trace Tree Profiles Block 1 Block 2 Block 3 Block 4 Block 5 Block 6 Block 6 Block 6 Block 1 Block 2 Block 3 Block 4 Block 5 Block 6 Block 6 Block 6 0.0000 0.0005 0.0010 0.0015 0.0020 272000 274000 276000 278000 280000 282000 Statistical Learning
  14. 14. Timing Trace Module SecureCore: A Multicore-based Intrusion Detection Architecture for Real-Time Embedded Systems 14 rlwimi 0,0,0,0,1 rlwimi 0,0,0,0,2 rlwimi 0,0,0,0,3 rlwimi 0,0,0,0,4 INST_REG_PID INST_ENABLE_TRACE INST_DISABLE_TRACE INST_TRACE foo() { INST_TRACE; Do_something(); INST_TRACE; Do_something(); INST_TRACE; } main() { INST_REG_PID; … INST_ENABLE_TRACE; … foo(); ... INST_DISABLE_TRACE; } Trace Instructions Timestamp i+2 PID BA AddrHead Timestamp i Addr i Timestamp i+1 Addr i+1 Addr i+2 ... ... AddrTail 0x000 Timestamp j Addr j Timestamp j+1 Addr j+10x010 0xFF0 4 Bytes 0x8a0 0x8b0 0x8c0 SPM Layout - PID registration for preventing traces from being forged - BA: Base Address ( = PC of INST_REG_PID)
  15. 15. Timing Trace Module SecureCore: A Multicore-based Intrusion Detection Architecture for Real-Time Embedded Systems 15 rlwimi 0,0,0,0,1 rlwimi 0,0,0,0,2 rlwimi 0,0,0,0,3 rlwimi 0,0,0,0,4 INST_REG_PID INST_ENABLE_TRACE INST_DISABLE_TRACE INST_TRACE foo() { INST_TRACE; Do_something(); INST_TRACE; Do_something(); INST_TRACE; } main() { INST_REG_PID; … INST_ENABLE_TRACE; … foo(); ... INST_DISABLE_TRACE; } Trace Instructions Timestamp i+2 PID BA AddrHead Timestamp i Addr i Timestamp i+1 Addr i+1 Addr i+2 ... ... AddrTail 0x000 Timestamp j Addr j Timestamp j+1 Addr j+10x010 0xFF0 4 Bytes 0x8a0 0x8b0 0x8c0 SPM Layout - Read Timestamp and Program Counter from the processor registers - Addri = BA – PCi (i.e., relative address from BA)
  16. 16. Raw Traces SecureCore: A Multicore-based Intrusion Detection Architecture for Real-Time Embedded Systems 16 Block 1 Block 2 Block 3 Block 4 Block 5 Block 6 INST_TRACE INST_TRACE INST_TRACE INST_TRACE INST_TRACE INST_TRACE INST_TRACE Addr1 Addr2 Addr3 Addr4 Addr6 Addr5 Addr7 (Addr1, t5) (Addr2, t6) (Addr4, t7) (Addr6, t8) (Addr7, t9) (Addr1, t10) (Addr2, t11) (Addr4, t12) (Addr5, t13) (Addr7, t14) … (Addr1, t1) (Addr3, t3) (Addr7, t4) (Addr2, t2)
  17. 17. Trace Tree SecureCore: A Multicore-based Intrusion Detection Architecture for Real-Time Embedded Systems 17 (Addr1, t5) (Addr2, t6) (Addr4, t7) (Addr6, t8) (Addr7, t9) (Addr1, t10) (Addr2, t11) (Addr4, t12) (Addr5, t13) (Addr7, t14) … (Addr1, t1) (Addr3, t3) (Addr7, t4) (Addr2, t2) Addr1 Addr3 Addr2 Addr7 Block1 Block2Block6 Addr4 Addr5 Addr7 Block6Block4 Addr2 Addr6 Addr7 Addr4 Block6 Block3 Block5 t2-t1 t3- t2 t4- t3 t6-t5 t11-t10 t7-t6 t12-t11 t13-t12 t9-t8 t8-t7 t14-t13 …… … … … ……
  18. 18. Trace Tree SecureCore: A Multicore-based Intrusion Detection Architecture for Real-Time Embedded Systems 18 (Addr1, t5) (Addr2, t6) (Addr4, t7) (Addr6, t8) (Addr7, t9) (Addr1, t10) (Addr2, t11) (Addr4, t12) (Addr5, t13) (Addr7, t14) … (Addr1, t1) (Addr3, t3) (Addr7, t4) (Addr2, t2) Addr1 Addr3 Addr2 Addr7 Block1 Block2Block6 Addr4 Addr5 Addr7 Block6Block4 Addr2 Addr6 Addr7 Addr4 Block6 Block3 Block5 t2-t1 t3- t2 t4- t3 t6-t5 t11-t10 t7-t6 t12-t11 t13-t12 t9-t8 t8-t7 t14-t13 …… … … … …… Same execution block, but on different paths. Each has its own timing profile From a trace tree, we can get • Execution time samples (each node) • Legitimate execution flows
  19. 19. Timing Profile • What is a good estimation of execution times? – Min & max, mean, … • Not representative • Cannot capture variations well – Probabilistic timing model • Estimate the likelihoods of execution times! – Probability distribution • Parametric vs. Non-parametric distribution – Unknown shape SecureCore: A Multicore-based Intrusion Detection Architecture for Real-Time Embedded Systems 19
  20. 20. (FigureisfromCSCE666PatternAnalysisbyRicardoGutierrez-OsunaatTAMU) Example Execution Time Profile Using Kernel Density Estimation (KDE) • Non-parametric Probability Density Function Estimation SecureCore: A Multicore-based Intrusion Detection Architecture for Real-Time Embedded Systems 20 1 2 3 1. Given samples of execution times 2. Draw scaled distribution at each sample point 3. Sum them up - Kernel & bandwidth affect shape and smoothness - Gaussian kernel Estimated pdf Kernel function Bandwidth (Smoothing constant)
  21. 21. Intrusion Detection Using Timing Profiles SecureCore: A Multicore-based Intrusion Detection Architecture for Real-Time Embedded Systems 21 0.0000 0.0002 0.0004 0.0006 0.0008 0.0010 0.0012 0.0014 0.0016 0.0018 0.0020 272000 273000 274000 275000 276000 277000 278000 279000 280000 281000 282000 Prob.Density Execution Time PDF of the Execution Time of an example block Highly likely Multiple peaks: different inputs or system effects How much deviation should we consider malicious? Threshold test Prob(𝑒∗ ) < 𝜽 Prob(𝑒∗ ) ≥ 𝜽 Malicious Legitimate •E.g., 𝜃 = 0.01 or 0.05 •At least 𝜃 of measurements were close to 𝑒∗
  22. 22. Summary of Timing-Based Intrusion Detection SecureCore: A Multicore-based Intrusion Detection Architecture for Real-Time Embedded Systems 22 Complex Controller Secure Monitor Monitored Core Secure Core Timing Trace Module Scratch Pad Memory Addr1 Addr3 Addr2 Addr7 Block1 Block2Block6 Addr4 Addr5 Addr7 Block6Block4 Addr2 Addr6 Addr7 Addr4 Block6 Block3 Block5 [Profile] Block 1 Block 2 Block 3 Block 4 Block 5 Block 6 [Run-time Execution] (Addr1, ti) (Addr2, ti+1) (Addr4, ti+2) (Addr6, ti+3) (Addr7, ti+4) Trace Traverse and check
  23. 23. Outline • System and Application Models • Timing-based Intrusion Detection (Overview) • SecureCore – Architecture Design – Timing-based Intrusion Detection (Detail) • Implementation and Evaluation • Limitations and Future Work SecureCore: A Multicore-based Intrusion Detection Architecture for Real-Time Embedded Systems 23
  24. 24. Implementation SecureCore: A Multicore-based Intrusion Detection Architecture for Real-Time Embedded Systems 24 CC SC DM SM Monitored Core Secure Core IOP LWE Linux 2.6.34 TTM SPM Hypervisor Inverted Pendulum (IP) Dynamics Simics (P4080) Host PC Serial (tty) Pseudo Terminal (pts)Byte channel Freescale P4080 on Simics • Only two cores (Core 0 and 1) • Cache (L1 and L2) and bus models for system effects • ISA modification for trace instruction
  25. 25. Implementation SecureCore: A Multicore-based Intrusion Detection Architecture for Real-Time Embedded Systems 25 CC SC DM SM Monitored Core Secure Core IOP LWE Linux 2.6.34 TTM SPM Hypervisor Inverted Pendulum (IP) Dynamics Simics (P4080) Host PC Serial (tty) Pseudo Terminal (pts)Byte channel Inverted Pendulum Control • Controller and dynamics (cart position, rod’s angle) • Generated from Simulink IP model
  26. 26. Application Model • IP Control + FFT (EEMBC) SecureCore: A Multicore-based Intrusion Detection Architecture for Real-Time Embedded Systems 26 FFT Init FFT Phase #1 FFT Phase #2 FFT Phase #3 IP Control PathID = 1, 2 PathID = 0 1 run if PathID = 0, 1 2 runs if PathID = 2 0 + 1 meter Malicious code • Injected at the end of FFT Phase #3 • Simple loop (some array copy) • 440, 720, 1000 cycles for 1,3,5 loops • (FFT Phase#3: ~260,000 cycles) • Activated when the cart passes +0.7 m • Execute randomly thereafter • Loop execution • Sends old actuation cmd Timing Profile • ~10,000 runs (no malicious code activation) • ‘ksdensity’ (Matlab) for Gaussian KDE • Total exec time: 850,000 ~ 1,200,000 cycles (~1ms) • Control period: 10 ms
  27. 27. Early Detection SecureCore: A Multicore-based Intrusion Detection Architecture for Real-Time Embedded Systems 27 0 5 10 15 20 25 30 0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1 1.1 1.2 Time (sec) Cartposition(meter) No attack 𝜽: 𝟎. 𝟎𝟏 (1%) Loop count: 3 ( ~ 720 cycles) 0 5 10 15 20 25 30 0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1 1.1 1.2 Time (sec) Cartposition(meter) No attack No protection Attack activated 0 5 10 15 20 25 30 0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1 1.1 1.2 Time (sec) Cartposition(meter) No attack No protection Simplex only Attack activated 0 5 10 15 20 25 30 0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1 1.1 1.2 Time (sec) Cartposition(meter) No attack No protection Simplex only Our methodAttack activated
  28. 28. Intrusion Detection Accuracy SecureCore: A Multicore-based Intrusion Detection Architecture for Real-Time Embedded Systems 28 • Criteria: False prediction rates – False positive: predict “malicious” when not – False negative: fail to detect a real attack PredictedReal 1/1024 (0.10%) 7/1015 (0.69%) 1 loop 3 loops 5 loops 827/1022 (81%) 574/1046 (55%) 130/1098 (12%) 578/1050 (55%) 117/1011 (12%) 0/1024 (0%) False positive rates False negative rates Trade off: Low 𝜽? High 𝜽? Detect well More false alarms Miss often Fewer false alarms 272000 274000 276000 278000 280000 282000 Probability Execution Time Low 𝜽 High 𝜽
  29. 29. Limitations and Future Work • Limitations – Low detection accuracy for short malicious code → More deterministic execution – Still high false positive → Long-term monitoring • Other future work – Monitoring multiple applications on multiple cores – Monitoring of other behavioral aspects (e.g., Memory, I/O) – Multi-dimensional monitoring SecureCore: A Multicore-based Intrusion Detection Architecture for Real-Time Embedded Systems 29
  30. 30. Thank you SecureCore: A Multicore-based Intrusion Detection Architecture for Real-Time Embedded Systems 30

×