SchedGuard: Protecting against Schedule Leaks Using Linux Containers

TL;DR

SchedGuard is a Linux kernel framework that prevents schedule-based side-channel attacks in real-time systems by controlling task execution times, ensuring security without compromising real-time performance.

Contribution

Introduces SchedGuard, a novel Linux kernel-based framework that protects real-time tasks from schedule leaks using container-aware temporal restrictions.

Findings

SchedGuard effectively prevents schedule inference attacks.

Real-time tasks meet their timing requirements with SchedGuard.

The system is practical for real-world applications like radio-controlled platforms.

Abstract

Real-time systems have recently been shown to be vulnerable to timing inference attacks, mainly due to their predictable behavioral patterns. Existing solutions such as schedule randomization lack the ability to protect against such attacks, often limited by the system's real-time nature. This paper presents SchedGuard: a temporal protection framework for Linux-based hard real-time systems that protects against posterior scheduler side-channel attacks by preventing untrusted tasks from executing during specific time segments. SchedGuard is integrated into the Linux kernel using cgroups, making it amenable to use with container frameworks. We demonstrate the effectiveness of our system using a realistic radio-controlled rover platform and synthetically generated workloads. Not only is SchedGuard able to protect against the attacks mentioned above, but it also ensures that the real-time tasks/containers meet their temporal requirements.