A Security-Aware, Real-Time Operating System

Problem Statement

Real-time embedded systems are pervasive, used in everything from aircraft autopilots to automotive electronics. The main challenge to detecting malware in these environments is that most approaches to malware detection change the timing behavior of the software being monitored, which may alter their behavior.

Our Solution: TrackOS

TrackOS is a real-time operating system (RTOS) that provides a new technique for detecting malware on real-time embedded systems. Instead of altering behavior of monitored software, TrackOS creates a separate task, which runs in the “slack time” of the real time system. Using static analysis of the unmodified binaries, this monitor task is able to determine what well-behaved tasks look like and to unobtrusively check that the critical tasks on the system are all well behaved. If any tasks appear to be hijacked, the monitor task can notify a policy manager, which can perform appropriate remediations.

We have prototyped TrackOS and applied its analysis to an autopilot software system. In our demo on a remote-controlled helicopter, the policy manager performs an “auto-land” operation.

How TrackOS Works

TrackOS combines three technologies for an embedded-system security:

  1. Static analysis: At compile time, we analyze a task’s executable to generate a call graph that is stored in non-volatile memory (program memory). We implement a lightweight static analysis that is able to analyze a 910KB binary and generate a call graph in just over 10 seconds on a modern laptop.
  2. Control-flow integrity (CFI): At runtime, a monitor task traverses the observed task’s control stack from the top of the stack, containing the most recent return addresses, to the bottom of the stack. The control stack is compared against the static call graph stored in memory. The overhead is completely controllable by the user using the RTOS’s scheduler, just like any other task.
  3. Program-data integrity: Our CFI approach is only valid as long as it is executing. An attacker that can reflash a microcontroller can simply overwrite TrackOS and any of its tasks. Consequently, we need a check that the program memory has not been modified. We implement a software-based attestation framework to provide evidence to this effect.

To our knowledge, this is the first integration of software-based program-data integrity with control-flow integrity. In September 2012, we filed a patent application.