Dependable Systems Lab wins Distinguished Paper Award at EDCC 2015
Everyone who owns a computer knows a thing or two about security software. One thing we have all learned is that security software can be cumbersome. On a system as complex, personalized and terrifically useful as a laptop, the benefits of running security software outweigh the costs.
Along with our laptops, we also encounter hundreds of small computer systems each day in, cars, hospital equipment, ventilation, traffic lights; computers are everywhere. These embedded systems, become more useful as they incorporate wireless communication and join the Internet of Things (IoT). A pacemaker can be upgraded without doing surgery once it includes wireless communication. Traffic patterns for an entire city can be altered for a special event from a central location if traffic control is part of IoT. But wireless communication comes with security risks and embedded systems cannot bear the memory costs that existing security software exact. The embedded system’s memory is just too small.
Embedded systems are designed for very specific tasks and have limited memory to keep manufacturing costs down. Many of their behaviors are critical and can’t tolerate any lag for security checks. For these reasons, security software in embedded systems needs to be able to run quickly while using very small amounts of memory. Smart meters or point of sale terminals are examples of embedded systems that are aggregated and centrally controlled. Aggregation makes embedded systems particularly intolerant to any false alarms from security software. One or two warnings a week on your laptop can easily be dealt with but in a system of thousands of smart meters, any false reporting would add up to a cacophony of false alarms that could bring down the whole system. As more wireless communication is incorporated into embedded systems, a very efficient way of securing them has to be found.
In ECE’s Dependable System’s Lab, engineers have developed a new way of structuring security software that vastly reduces the demands on memory. They have made these improvements by rethinking what is really needed to construct a working model of an embedded system.
All security software is based on some form of model of “healthy” behavior to expect from the computer it is monitoring. By comparing a model of expected behavior with the ongoing behavior of the system the security software can identify something suspicious. Existing security software models the system based on the order of system calls and the pattern of accessing data, monitoring system behavior against this model in real time. Using this type of model uses a lot of memory. Checking each behavior against the model is a bit like checking a street map that is the same size as the city it represents.
Farid Molazem, a graduate student with ECE, has found that you can monitor an embedded system with a much simpler model that still provides a picture of the behavior of the entire system. By monitoring just a few key system calls, Farid Molazem can represent the activity in a much more useful way. This is possible with embedded systems because they are relatively simple and so the correct behavior of the system is much easier to predict than it would be in a system as complex as a laptop.
The thinking behind this method can be illustrated using a bipartite graph. On one side are functions of the embedded system that are critical to security, communication with a server for example. On the other side of the graph are all of the behaviours that could be checked to make sure the computer is working in an expected and safe way. Farid Molazem has developed an algorithm that will maximize the number of crucial behaviours being monitored with the least number of system calls.
People preform this kind of optimization often in their daily lives without really thinking about it. ECE Professor Karthik Pattabiraman likens it to grocery shopping with limited room in your shopping basket. If you choose staples that can be used in a number of different dishes you maximize the number of recipes you can cook with a limited number of items.
There are many advantages to modeling the system this way. It will vastly reduce the amount of memory needed to monitor the system and the algorithm that Farid Molazem has developed does not generate any false alarms. Developers of embedded systems can choose the security parameters that are most crucial to the particular system so the security of a pacemaker can be defined differently than the security of a smart meter.
By demonstrating how the cost on memory can be reduced by an order of magnitude while producing no false positive reports, Farid Molazem and the Dependable Systems team at ECE received a Distinguished Paper Award at the European Dependable Computing Conference.
Find out more:
11TH European Dependable Computing Conference-Dependability in Practice
Flexible Intrusion Detection Systems for Memory-Constrained Embedded Systems