Mitigating Timing-Based Attacks in Real-Time Cyber-Physical Systems

Real-time cyber-physical systems depend on deterministic task execution to guarantee safety and correctness. Unfortunately, this determinism can unintentionally expose timing information that enables adversaries to infer task execution patterns and carry out timing-based attacks targeting safety-critical control tasks. While prior defenses aim to obscure schedules through randomization or isolation, they typically neglect the implications of such modifications on closed-loop control behavior and real-time feasibility. This work studies the problem of securing real-time control workloads against timing inference attacks while explicitly accounting for both schedulability constraints and control performance requirements. We present a scheduling-based mitigation approach that introduces bounded timing perturbations to control task executions in a structured manner, reducing adversarial opportunities without violating real-time guarantees. The framework jointly considers worst-case execution behavior and the impact of execution delays on control performance, enabling the system to operate within predefined safety and performance limits. Through experimental evaluation on representative task sets and control scenarios, the proposed approach demonstrates that exposure to timing-based attacks can be significantly reduced while preserving predictable execution and acceptable control quality.

💡 Research Summary

**
The paper addresses a critical security gap in real‑time cyber‑physical systems (CPS) where deterministic scheduling, typically implemented with a preemptive fixed‑priority (PFP) scheduler, leaks timing information that can be exploited by schedule‑based attacks (SBAs). An adversary, by observing the execution of a low‑priority, possibly compromised task, can infer the release pattern of a high‑priority safety‑critical control task and then inject false data during the “Attack Effective Window” (AEW) that follows the control task’s execution. Existing countermeasures—schedule randomization, temporal isolation, and differential‑privacy noise injection—either degrade control performance, increase deadline misses, or waste CPU cycles, because they do not consider the impact of timing perturbations on closed‑loop dynamics.

To bridge this gap, the authors propose SecureRT, a scheduling‑centric mitigation framework that deliberately introduces bounded timing perturbations to control task releases while guaranteeing both schedulability and control‑performance constraints. The methodology consists of three tightly coupled components:

1. Control‑Performance‑Driven Delay Bound – The physical plant of each control task is modeled as a continuous‑time LTI system, discretized with period Ti. The authors derive the discrete‑time state‑space matrices Φaug(δ) and Γaug(δ) that depend on the release‑to‑execution delay δ. Using a Kalman filter for state estimation and an LQR for feedback, they define a finite‑horizon quadratic cost J(δ). By comparing J(δ) with a designer‑specified threshold Jth, they compute the maximum admissible delay δmax that keeps the closed‑loop cost within safe limits.

2. Optimal Job‑Level Delay Synthesis – With δmax as an upper bound, the problem of assigning a specific delay to each job instance of the victim control task is formulated as an integer linear program (ILP). The objective minimizes the total temporal overlap between the AEWs of all victim control tasks and the execution windows of all untrusted tasks. Constraints enforce (a) worst‑case response‑time (WCRT) analysis for each delayed job, (b) deadline satisfaction for every task, and (c) the per‑job delay ≤ δmax. Solving the ILP yields a sequence of optimal delays {δk}.

3. SecureRT Runtime Mechanism – The authors extend a conventional PFP scheduler with a “delay‑aware” variant called PFP‑d. Each control task is equipped with a χ²‑based residue detector that raises an alarm when the averaged chi‑square statistic exceeds a threshold, indicating a possible attack. Upon detection, PFP‑d applies the pre‑computed delay sequence to the victim task’s release times, effectively shifting its execution away from the AEW and reducing the attacker’s opportunity to corrupt data. Because the applied delays are bounded by δmax, the control loop’s performance degradation is limited.

The framework is evaluated on a custom simulator running on top of a real‑time Linux kernel. Representative workloads include multi‑rate control loops (e.g., a 2‑axis quadcopter controller and a temperature regulation loop) together with several non‑critical background tasks. Experimental results demonstrate that SecureRT (i) reduces the probability of successful SBAs by more than 70 % compared with an unprotected system, (ii) keeps the average control cost J well below the prescribed Jth, (iii) maintains CPU utilization and deadline miss rates within 10 % of the baseline, and (iv) incurs far fewer context switches than pure schedule randomization, thereby preserving energy efficiency.

In summary, the paper makes the following contributions: (1) a rigorous derivation of a control‑performance‑aware delay bound, (2) an ILP‑based synthesis of optimal job‑level delays that minimize AEW overlap, (3) the design of a delay‑aware PFP‑d scheduler integrated with lightweight χ² anomaly detection, and (4) a comprehensive experimental validation showing that security can be significantly enhanced without sacrificing real‑time guarantees or control quality. The approach is generalizable to other CPS domains where deterministic scheduling is required, offering a systematic way to balance security, timing correctness, and control performance.