Mixed-Trust Computing: Safe and Secure Real-Time Systems

IF 2 Q3 COMPUTER SCIENCE, INTERDISCIPLINARY APPLICATIONS
Dionisio de Niz, Bjorn Andersson, Mark H. Klein, J. Lehoczky, Amit Vasudevan, Hyoseung Kim, Gabriel Moreno
{"title":"Mixed-Trust Computing: Safe and Secure Real-Time Systems","authors":"Dionisio de Niz, Bjorn Andersson, Mark H. Klein, J. Lehoczky, Amit Vasudevan, Hyoseung Kim, Gabriel Moreno","doi":"10.1145/3635162","DOIUrl":null,"url":null,"abstract":"Verifying complex Cyber-Physical Systems (CPS) is increasingly important given the push to deploy safety-critical autonomous features. Unfortunately, traditional verification methods do not scale to the complexity of these systems and do not provide systematic methods to protect verified properties when not all the components can be verified. To address these challenges, this article proposes a real-time mixed-trust computing framework that combines verification and protection. The framework introduces a new task model, where an application task can have both an untrusted and a trusted part. The untrusted part allows complex computations supported by a full OS with a real-time scheduler running in a VM hosted by a trusted hypervisor. The trusted part is executed by another scheduler within the hypervisor and is thus protected from the untrusted part. If the untrusted part fails to finish by a specific time, the trusted part is activated to preserve safety (e.g., prevent a crash) including its timing guarantees. This framework is the first allowing the use of untrusted components for CPS critical functions while preserving logical and timing guarantees, even in the presence of malicious attackers. We present the framework its schedulability analysis and the coordination protocol between the trusted and untrusted parts. Our implementation on a Raspberry Pi 3 is also discussed along with experiments showing the behavior of the system under failures of untrusted components, and a drone application to demonstrate its practicality.","PeriodicalId":7055,"journal":{"name":"ACM Transactions on Cyber-Physical Systems","volume":"113 42","pages":""},"PeriodicalIF":2.0000,"publicationDate":"2023-12-02","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"ACM Transactions on Cyber-Physical Systems","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/3635162","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q3","JCRName":"COMPUTER SCIENCE, INTERDISCIPLINARY APPLICATIONS","Score":null,"Total":0}
引用次数: 0

Abstract

Verifying complex Cyber-Physical Systems (CPS) is increasingly important given the push to deploy safety-critical autonomous features. Unfortunately, traditional verification methods do not scale to the complexity of these systems and do not provide systematic methods to protect verified properties when not all the components can be verified. To address these challenges, this article proposes a real-time mixed-trust computing framework that combines verification and protection. The framework introduces a new task model, where an application task can have both an untrusted and a trusted part. The untrusted part allows complex computations supported by a full OS with a real-time scheduler running in a VM hosted by a trusted hypervisor. The trusted part is executed by another scheduler within the hypervisor and is thus protected from the untrusted part. If the untrusted part fails to finish by a specific time, the trusted part is activated to preserve safety (e.g., prevent a crash) including its timing guarantees. This framework is the first allowing the use of untrusted components for CPS critical functions while preserving logical and timing guarantees, even in the presence of malicious attackers. We present the framework its schedulability analysis and the coordination protocol between the trusted and untrusted parts. Our implementation on a Raspberry Pi 3 is also discussed along with experiments showing the behavior of the system under failures of untrusted components, and a drone application to demonstrate its practicality.
混合信任计算:安全可靠的实时系统
考虑到部署安全关键自主功能的推动,验证复杂的网络物理系统(CPS)变得越来越重要。不幸的是,传统的验证方法不能扩展到这些系统的复杂性,并且在并非所有组件都可以验证时,不能提供系统的方法来保护已验证的属性。为了应对这些挑战,本文提出了一种结合验证和保护的实时混合信任计算框架。该框架引入了一个新的任务模型,其中应用程序任务可以同时具有不受信任的部分和受信任的部分。不受信任的部分允许由完整的操作系统支持的复杂计算,并在由受信任的管理程序托管的VM中运行实时调度器。受信任的部分由管理程序中的另一个调度器执行,因此不受不受信任部分的影响。如果不可信部分未能在特定时间内完成,则激活可信部分以保持安全性(例如,防止崩溃),包括其时间保证。该框架是第一个允许将不受信任的组件用于CPS关键功能,同时保留逻辑和定时保证的框架,即使在存在恶意攻击者的情况下也是如此。给出了该框架的可调度性分析和可信部分与不可信部分之间的协调协议。我们在树莓派3上的实现也与实验一起讨论,显示了系统在不可信组件故障下的行为,以及无人机应用程序来展示其实用性。
本文章由计算机程序翻译,如有差异,请以英文原文为准。
求助全文
约1分钟内获得全文 求助全文
来源期刊
ACM Transactions on Cyber-Physical Systems
ACM Transactions on Cyber-Physical Systems COMPUTER SCIENCE, INTERDISCIPLINARY APPLICATIONS-
CiteScore
5.70
自引率
4.30%
发文量
40
×
引用
GB/T 7714-2015
复制
MLA
复制
APA
复制
导出至
BibTeX EndNote RefMan NoteFirst NoteExpress
×
提示
您的信息不完整,为了账户安全,请先补充。
现在去补充
×
提示
您因"违规操作"
具体请查看互助需知
我知道了
×
提示
确定
请完成安全验证×
copy
已复制链接
快去分享给好友吧!
我知道了
右上角分享
点击右上角分享
0
联系我们:info@booksci.cn Book学术提供免费学术资源搜索服务,方便国内外学者检索中英文文献。致力于提供最便捷和优质的服务体验。 Copyright © 2023 布克学术 All rights reserved.
京ICP备2023020795号-1
ghs 京公网安备 11010802042870号
Book学术文献互助
Book学术文献互助群
群 号:481959085
Book学术官方微信