Software Availability Protection in Cyber-Physical Systems

Ao Li, Jinwen Wang, and Ning Zhang, Washington University in St. Louis

Existing efforts in software protection have mostly focused on how to detect violations of confidentiality or integrity, with the goal of safeguarding information or ensuring the correctness of execution. Little has been done to study the handling of such violations, where the common practice is to crash the program. However, such strategies sacrifice availability, which is not acceptable in real-time safety-critical cyber-physical systems (CPSs), where untimely computation can have catastrophic physical-world consequences.

To bridge this gap, we present Gecko, an attack recovery approach that not only recovers execution from the attack in a timely manner but also disables exploited features to improve system availability. Realizing Gecko presents two technical challenges. To defend against repeated exploitation, Gecko utilizes compartmentalization for runtime attack input identification and introduces fail-safe shadow compartments to disable the exploited features while ensuring graceful degradation. To remove attack impacts in a timely manner, Gecko employs selective data reset through snapshot recovery. It further uses an I/O reference monitor to avoid peripheral re-configuration. We developed a prototype of Gecko and evaluated it on three CPS platforms: ArduPilot, Jackal UGV, and OpenManipulator. Gecko achieves recovery with 83.3% task deadline hits while incurring a runtime overhead of 8.28%.

Category: Short Presentation

BibTeX
@inproceedings {308046,
author = {Ao Li and Jinwen Wang and Ning Zhang},
title = {Software Availability Protection in {Cyber-Physical} Systems},
booktitle = {34th USENIX Security Symposium (USENIX Security 25)},
year = {2025},
isbn = {978-1-939133-52-6},
address = {Seattle, WA},
pages = {1807--1825},
url = {https://www.usenix.org/conference/usenixsecurity25/presentation/li-ao},
publisher = {USENIX Association},
month = aug
}