This work focuses on eliminating timing side channels in real-time, safety-critical cyber-physical network protocols such as the Controller Area Network (CAN). Automotive Electronic Control Units (ECUs) make predictable scheduling decisions based on task-level response-time estimation. Such determinism exposes timing information about task executions and therefore about the corresponding message transmissions on the network buses that connect the ECUs and actuators. With proper analysis, such timing side channels can be used to launch several schedule-based attacks that can lead to eventual denial-of-service or man-in-the-middle-type attacks. To eliminate this determinism, we propose a novel schedule obfuscation strategy that skips certain control task executions and their related data transmissions, combined with random shifting of the victim task instance. While doing so, our strategy also accounts for the performance of the control task by bounding the number of control execution skips. We analytically demonstrate how the attack success probability (ASP) is reduced under this attack-aware skipping and randomization. We also demonstrate the efficacy and real-time applicability of our attack-aware schedule obfuscation strategy, Hide-n-Seek, by applying it to synthesized automotive task sets in a real-time Hardware-in-the-Loop (HIL) setup.
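To make the effect of skipping and random shifting concrete, here is an added Python simulation (not from the paper, and only a simplified model of Hide-n-Seek) of a single periodic control task whose frame transmission slot an attacker predicts from the deterministic response-time estimate. The period, response time, shift window and skip budget are assumed parameters chosen for illustration.

```python
import random

def baseline_schedule(n, period, response):
    """Deterministic schedule: instance j always transmits at j*period + response."""
    return [j * period + response for j in range(n)]

def obfuscated_schedule(n, period, response, shift_window, max_skips, window_len, rng):
    """Simplified Hide-n-Seek model (assumed, not the paper's exact algorithm):
    each executed instance gets a random shift in [0, shift_window), and at most
    max_skips instances in every window_len consecutive instances are skipped
    (recorded as None: no execution, no frame on the bus)."""
    assert response + shift_window <= period, "shift must stay inside the period"
    tx, skips = [], 0
    for j in range(n):
        if j % window_len == 0:
            skips = 0                      # new skip-budget window
        if skips < max_skips and rng.random() < 0.5:
            skips += 1                     # bounded skip keeps control performance acceptable
            tx.append(None)
            continue
        tx.append(j * period + response + rng.randrange(shift_window))
    return tx

def attack_success_probability(schedule, period, response):
    """Attacker model: predict the deterministic slot j*period + response; a hit is a
    frame actually transmitted in exactly that slot. ASP = hits / instances."""
    hits = sum(1 for j, t in enumerate(schedule) if t == j * period + response)
    return hits / len(schedule)

def max_skips_per_window(schedule, window_len):
    """Verify the skip bound: largest number of skipped instances in any window."""
    return max(schedule[i:i + window_len].count(None)
               for i in range(0, len(schedule), window_len))

def demo(n=10_000, period=10, response=3, shift_window=4, max_skips=1, window_len=4, seed=1):
    """Return (baseline ASP, obfuscated ASP, worst-case skips per window)."""
    rng = random.Random(seed)
    base = baseline_schedule(n, period, response)
    obf = obfuscated_schedule(n, period, response, shift_window, max_skips, window_len, rng)
    return (attack_success_probability(base, period, response),
            attack_success_probability(obf, period, response),
            max_skips_per_window(obf, window_len))

if __name__ == "__main__":
    base_asp, obf_asp, worst = demo()
    print(f"baseline ASP={base_asp:.2f}  obfuscated ASP={obf_asp:.2f}  max skips/window={worst}")
```

With a shift window of 4 slots the expected ASP of the obfuscated schedule is about 1/4 of the non-skipped fraction, while the skip budget guarantees no more than one skipped instance in any four consecutive ones.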