TrackOS™ Security-Assurance for Real-Time Operating Systems
Real-time embedded systems are pervasive, used in everything from aircraft autopilots to automotive electronics, and they are increasingly subject to cyber attack. Most embedded systems were not designed with defense-in-depth strategies; instead, developers relied on the system's segregation from other IT systems and networks. These systems are now being connected to networks in increasing numbers, exposing them to threats they were not designed to counter.
One of the most pervasive threats to network-connected systems is malware, and unfortunately most embedded systems have no defenses against it. The main challenge in detecting and protecting against malware in these environments is that most malware-detection approaches change the timing behavior of the software being monitored. In real-time systems, timing behavior is mission critical, so such approaches are unworkable at best and catastrophic at worst.
Our Solution: TrackOS
TrackOS is a technology designed to work with a real-time operating system (RTOS), providing a new technique for detecting malware on real-time embedded systems. Instead of altering the behavior of the monitored software, TrackOS runs as a separate task in the “slack time” of the real-time system. Using offline static analysis of the unmodified embedded-system binaries, TrackOS determines what well-behaved tasks look like. At runtime, TrackOS unobtrusively checks that the critical tasks on the system are behaving as expected. If any task appears to have been hijacked, TrackOS notifies a policy manager, which can perform the appropriate remediation.
Though TrackOS was designed under a U.S. Federal Government grant for a program concerned with the country's most critical systems, and was originally developed on autopilot software, it is appropriate for any real-time embedded system.
The original TrackOS implementation was demonstrated on remote-controlled helicopters. In that implementation the policy manager performs an “auto-land” operation when malware is detected. Other implementations may use different fail-safe behaviors.
How TrackOS Works
TrackOS combines three technologies that together secure embedded systems:
- Static Analysis: Runs offline analysis of the executables to generate call graphs, which are stored in non-volatile memory (program memory). This can be done quickly and without access to the source code of the embedded system being protected.
- Control-Flow Integrity (CFI): At runtime, TrackOS traverses the monitored executable's control stack from the top of the stack, which holds the most recent return addresses, to the bottom. The control stack is compared against the static call graph stored in memory: each return address must correspond to a call site in the graph, and the sequence of frames must form a path through it, so a stack that the call graph cannot produce indicates a hijacked task. TrackOS's overhead is fully controllable through the RTOS's scheduler, just like any other task's.
- Program-Data Integrity: TrackOS includes a software-based attestation framework that provides evidence that TrackOS itself has not been tampered with, since the CFI check is only meaningful as long as the checker is running unmodified.
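The following is an added illustration of the static-analysis and CFI steps described above. It is example code written for this page, not TrackOS's own implementation: the function address ranges, the call-graph edges (standing in for the output of offline static analysis) and the captured stack snapshots are all constructed, and the stack is represented as an already-extracted array of return addresses rather than being walked through a live task's frames.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Code ranges of the protected task's functions, as static analysis would
 * recover them from the binary.  All names and addresses are constructed. */
typedef struct { const char *name; uint32_t start, end; } func_t;

enum { F_TASK_MAIN, F_READ_SENSORS, F_PID_UPDATE, F_WRITE_ACTUATORS, F_DIAG_DUMP, F_COUNT };

static const func_t funcs[F_COUNT] = {
    { "task_main",       0x1000, 0x10FF },
    { "read_sensors",    0x1100, 0x11FF },
    { "pid_update",      0x1200, 0x12FF },
    { "write_actuators", 0x1300, 0x13FF },
    { "diag_dump",       0x1400, 0x14FF },   /* in the image, never called by this task */
};

/* Call-graph edges keyed by return address: the address of the instruction
 * after each call, the function containing it, and the function it calls. */
typedef struct { uint32_t ret_addr; int caller; int callee; } edge_t;

static const edge_t edges[] = {
    { 0x1010, F_TASK_MAIN,  F_READ_SENSORS    },
    { 0x1020, F_TASK_MAIN,  F_PID_UPDATE      },
    { 0x1030, F_TASK_MAIN,  F_WRITE_ACTUATORS },
    { 0x1210, F_PID_UPDATE, F_READ_SENSORS    },   /* pid_update re-samples sensors */
};

typedef enum {
    CFI_OK = 0,
    CFI_PC_UNKNOWN,     /* preempted PC lies outside every known function */
    CFI_BAD_RETURN,     /* return address is not a call site at all (e.g. a ROP gadget) */
    CFI_EDGE_MISMATCH,  /* a real call site, but it does not call the frame above it */
    CFI_BAD_ROOT        /* the oldest frame does not belong to the task's entry function */
} cfi_result_t;

static int func_containing(uint32_t addr)
{
    for (int i = 0; i < F_COUNT; i++)
        if (addr >= funcs[i].start && addr <= funcs[i].end)
            return i;
    return -1;
}

static const edge_t *find_edge(uint32_t ret_addr)
{
    for (size_t i = 0; i < sizeof edges / sizeof edges[0]; i++)
        if (edges[i].ret_addr == ret_addr)
            return &edges[i];
    return NULL;
}

/* Validate a captured control stack against the call graph.
 * frames[0] is the top of the stack (most recent return address), frames[n-1]
 * the bottom; pc is where the task was preempted.  Walking top to bottom, each
 * return address must be a call site whose callee is the function the
 * next-newer frame belongs to, and the chain must end in task_entry.
 * On failure, *bad_frame (if non-NULL) receives the first offending frame. */
cfi_result_t cfi_check_stack(uint32_t pc, const uint32_t *frames, size_t n,
                             int task_entry, size_t *bad_frame)
{
    int expected_callee = func_containing(pc);
    if (expected_callee < 0) { if (bad_frame) *bad_frame = 0; return CFI_PC_UNKNOWN; }

    for (size_t i = 0; i < n; i++) {
        const edge_t *e = find_edge(frames[i]);
        if (e == NULL)                    { if (bad_frame) *bad_frame = i; return CFI_BAD_RETURN; }
        if (e->callee != expected_callee) { if (bad_frame) *bad_frame = i; return CFI_EDGE_MISMATCH; }
        expected_callee = e->caller;      /* the frame below must have called this caller */
    }
    if (expected_callee != task_entry) { if (bad_frame) *bad_frame = n; return CFI_BAD_ROOT; }
    return CFI_OK;
}

int main(void)
{
    /* Constructed stack snapshots, top of stack first. */
    const uint32_t benign[]    = { 0x1210, 0x1020 };  /* read_sensors <- pid_update <- task_main */
    const uint32_t rop[]       = { 0x1450, 0x1020 };  /* top return address points into diag_dump */
    const uint32_t reordered[] = { 0x1210, 0x1020 };  /* valid sites, but task is in write_actuators */
    size_t bad;
    cfi_result_t r;

    r = cfi_check_stack(0x1150, benign, 2, F_TASK_MAIN, &bad);
    printf("benign:    result %d\n", r);
    r = cfi_check_stack(0x1150, rop, 2, F_TASK_MAIN, &bad);
    printf("rop:       result %d at frame %zu\n", r, bad);
    r = cfi_check_stack(0x1350, reordered, 2, F_TASK_MAIN, &bad);
    printf("reordered: result %d at frame %zu\n", r, bad);
    return 0;
}
```

Two points a practitioner would want to keep in mind when adapting this: first, a real checker must walk the target ABI's frames (frame-pointer chains or unwind tables) to extract the return addresses the example takes as input; second, because the check runs as a slack-time task it only validates the stack as it exists at each inspection point, so the interval between inspections is the detection latency, which is why the page pairs the scheduler-controlled checker with attestation of the checker itself.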
To our knowledge, this is the first integration of software-based program-data integrity with control-flow integrity. TrackOS is patent pending.