Safety-Aware Integration of Hardware-Assisted Program Tracing in Mixed-Criticality Systems for Security Monitoring

2021 
In Mixed-Criticality Systems (MCS), low-critical applications have a larger attack surface than high-critical applications. Even though MCS isolate criticality domains of execution by design, a threat affecting a low-critical service can alter the execution of a high-critical task, e.g., by degrading system availability or user experience. Such an attack on low-critical tasks can even introduce an entry point for propagating the attack further to high-critical tasks. In this context, detecting such threats in applications at runtime is a major issue for MCS security. Control-Flow Integrity (CFI) monitoring is a common security technique for runtime threat detection in program execution: using a predefined policy, it identifies unauthorized control-flow (CF) transitions as malicious activity. Recent research has introduced the use of hardware-assisted CF tracing for CFI monitoring in industrial real-time systems, since such an implementation does not require instrumentation of the monitored program. However, CF tracing brings a high performance overhead for monitoring, which depends on the monitored program's execution path (the more CF transitions executed, the higher the overhead). On the one hand, to integrate the security service in an MCS, we must consider the worst-case monitoring overhead. On the other hand, this assumption is highly pessimistic for a practical deployment. We propose a first safety-aware method to integrate hardware-assisted CF-based security monitoring with ARM CoreSight into an MCS, and metrics to evaluate the trade-off between performance impact and security monitoring coverage. Our security framework combines predictable CF-transition-level monitoring with trace collection that can be used for CFI checking, together with an anomaly detection service to monitor the full program execution. We validate our approach on an industrial MCS platform with ARM CoreSight support, using a set of programs from the TACLeBench benchmark.
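As an added illustration (not code from the paper or its framework), the following Python models the bounded-overhead CFI check the abstract describes: a policy of allowed CF transitions, a per-period budget on how many traced transitions the monitor verifies, and the coverage metric that results. The addresses, the policy, both traces and the `budget` parameter are constructed for this example.

```python
from dataclasses import dataclass, field

# Constructed CFI policy: the (source, destination) control-flow transitions a
# static analysis of the monitored program would allow. Addresses are made up.
ALLOWED_EDGES = {
    (0x1000, 0x1040), (0x1040, 0x1000), (0x1040, 0x2000),
    (0x2000, 0x2010), (0x2010, 0x1044),
}

# Constructed traces standing in for decoded hardware trace records: one benign
# run, and one in which a transition leaves the allowed set, which is what the
# CFI check must flag.
BENIGN_TRACE = [
    (0x1000, 0x1040), (0x1040, 0x1000), (0x1000, 0x1040),
    (0x1040, 0x2000), (0x2000, 0x2010), (0x2010, 0x1044),
]
TAMPERED_TRACE = BENIGN_TRACE[:4] + [(0x2000, 0x3000)]


@dataclass
class MonitorResult:
    checked: int                  # transitions verified against the policy
    total: int                    # transitions present in the trace
    violations: list = field(default_factory=list)  # (index, src, dst)

    @property
    def coverage(self) -> float:
        """Fraction of executed transitions the bounded monitor verified."""
        return self.checked / self.total if self.total else 1.0


def cfi_check(trace, budget):
    """Verify at most `budget` transitions of `trace` against ALLOWED_EDGES.

    `budget` (hypothetical parameter) models the worst-case number of
    transitions the monitor is scheduled to decode within its time allocation.
    Transitions beyond it are collected but not verified; the coverage metric
    quantifies what the bounded monitor left unchecked.
    """
    result = MonitorResult(checked=0, total=len(trace))
    for i, (src, dst) in enumerate(trace):
        if result.checked >= budget:
            break
        result.checked += 1
        if (src, dst) not in ALLOWED_EDGES:
            result.violations.append((i, src, dst))
    return result
```

Running `cfi_check(TAMPERED_TRACE, 3)` shows the trade-off directly: with a budget below the trace length the unauthorized transition at index 4 goes unverified and coverage drops to 0.6, while an unbounded budget flags it.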