SchedGuard: Protecting against Schedule Leaks Using Linux Containers
This addresses security vulnerabilities in real-time systems for applications like embedded and IoT devices, though it builds incrementally on existing container-based protection methods.
The paper tackles the vulnerability of real-time systems to timing inference attacks by introducing SchedGuard, a temporal protection framework for Linux-based hard real-time systems that prevents untrusted tasks from executing during specific time segments, and demonstrates its effectiveness on a radio-controlled rover platform while ensuring real-time requirements are met.
Real-time systems have recently been shown to be vulnerable to timing inference attacks, mainly due to their predictable behavioral patterns. Existing solutions such as schedule randomization lack the ability to protect against such attacks, often limited by the system's real-time nature. This paper presents SchedGuard: a temporal protection framework for Linux-based hard real-time systems that protects against posterior scheduler side-channel attacks by preventing untrusted tasks from executing during specific time segments. SchedGuard is integrated into the Linux kernel using cgroups, making it amenable to use with container frameworks. We demonstrate the effectiveness of our system using a realistic radio-controlled rover platform and synthetically generated workloads. Not only is SchedGuard able to protect against the attacks mentioned above, but it also ensures that the real-time tasks/containers meet their temporal requirements.