Imagine a high-stakes orchestra where every musician (a computer task) must play their note at the exact same moment to keep the music (the physical system, like a car or a power grid) safe. In these "Real-Time Cyber-Physical Systems," timing is everything. If a musician is even a split-second late, the whole performance could crash, leading to disaster.

However, this strict, predictable rhythm has a dark side. Because the schedule is so rigid and predictable, a sneaky eavesdropper (an attacker) can listen to the rhythm, figure out exactly when the most important musicians (safety-critical tasks) are playing, and sneak in during the tiny gaps between notes to tamper with the music. This is called a Timing-Based Attack.

The Problem: The Predictable Rhythm

Think of the system's schedule like a train timetable. The "Safety-Critical Train" (the control task) leaves the station at 10:00, 10:10, 10:20, and so on.

The Attacker's Trick: A malicious "untrusted" train (a lower-priority task) knows exactly when the Safety-Critical Train arrives and leaves. The attacker waits for the Safety-Critical Train to drop off its cargo (data) and then immediately jumps in to swap the cargo with something fake before the next train arrives.
The Window: There is a specific "Attack Window" right after the Safety-Critical Train leaves. If the bad train can get there in time, it can sabotage the system.

The Old Solutions (and why they failed)

Previous attempts to stop this were like trying to hide the train schedule by:

Randomizing the schedule: Making the trains leave at random times. Problem: This confuses the system itself, causing delays that might make the car crash or the power grid fail.
Isolating the trains: Keeping the bad trains in a separate yard. Problem: This wastes space and resources, making the system inefficient.

The New Solution: SecureRT (The "Smart Delay" Framework)

The authors of this paper propose a new framework called SecureRT. Instead of random chaos or strict isolation, they use a calculated, "smart" delay.

Imagine the conductor (the scheduler) has a secret plan. When they suspect an attack, they don't cancel the train; they just tell the Safety-Critical Train to wait a specific, pre-calculated amount of time before leaving.

Here is how it works in three steps:

1. The Safety Check (Will the train still arrive on time?)

Before making any changes, the system calculates the maximum safe delay. It asks: "If we make the train wait 3 seconds, will it still reach its destination before the deadline?"

If the answer is yes, the delay is safe.
If the answer is no, the delay is too long and could cause a crash.
This ensures the system remains schedulable (safe and on time).

2. The Performance Check (Will the music still sound good?)

Even if the train arrives on time, waiting too long might make the music sound off-key. The system calculates how much the "control performance" (the quality of the music) will degrade if the train waits.

They set a limit: "The music can only get 5% worse."
They find the maximum admissible delay—the longest wait that keeps the music sounding good enough.

3. The Smart Shuffle (The Optimization)

Now, the system solves a complex puzzle. It looks at the "Attack Window" and the schedule of the "Bad Trains" (untrusted tasks).

It calculates a sequence of delays (e.g., wait 3 seconds, then wait 0 seconds, then wait 5 seconds) that shifts the Safety-Critical Train's arrival just enough so that the "Bad Trains" can no longer fit into the Attack Window.
It's like moving the train's departure time so that the bad guy is stuck at a red light right when the train is supposed to leave.

How It Works in Real Life

The system runs a "detector" (like a security guard) that watches for signs of tampering.

Normal Mode: The trains run on the standard, fast schedule.
Attack Detected: If the guard sees a suspicious pattern (the "Bad Train" trying to sneak in), the system instantly switches to SecureRT mode.
The Switch: It applies the pre-calculated "Smart Delays" to the Safety-Critical Train. The train leaves at slightly different times than usual, throwing off the attacker's timing.
The Result: The attacker can no longer predict when to strike. The "Bad Train" misses the window, the data stays safe, and the system continues to run smoothly without crashing.

The Bottom Line

The paper demonstrates that you don't have to choose between security and safety. By using a "Smart Delay" strategy, you can:

Confuse the attacker so they can't guess when to strike.
Keep the system safe by ensuring the delays never exceed the safety limits.
Keep the system performing well by ensuring the delays don't ruin the control quality.

In their experiments with a simulated car control system, they showed that while a standard system gets hacked and crashes, and a "random delay" system gets hacked and sounds bad, their SecureRT system successfully blocks the attack while keeping the car driving perfectly.

Technical Summary: Mitigating Timing-Based Attacks in Real-Time Cyber-Physical Systems

Problem Statement

Real-time Cyber-Physical Systems (CPS), such as those in automotive, avionics, and industrial IoT domains, rely on deterministic task execution to ensure safety and correctness. This determinism, often achieved through Preemptive Fixed-Priority (PFP) scheduling, inadvertently creates timing side-channels. Adversaries can exploit the predictable nature of these schedules to infer the execution patterns of safety-critical control tasks.

Specifically, the paper addresses Schedule-Based Attacks (SBAs). In these attacks, an adversary compromises a lower-priority, untrusted task to predict the arrival times of a high-priority "victim" control task. By calculating the Attack Effective Window (AEW)—the time interval following a victim task's execution where its data buffers are vulnerable—the attacker can launch False Data Injection (FDI) attacks. These attacks manipulate control inputs stored in shared I/O buffers, potentially degrading closed-loop control performance or causing system failure.

Existing defenses, such as schedule randomization or temporal isolation, often fail to account for the critical implications of such modifications on control performance and schedulability. Randomization can increase context switches and deadline misses, while noise injection (e.g., Laplace distribution) may violate the strict timing guarantees required by hard real-time safety-critical systems.

Methodology: The SecureRT Framework

The authors propose SecureRT, a framework that mitigates timing inference attacks by introducing bounded, structured job-level delays to victim control tasks. The approach is designed to minimize the temporal overlap between the victim's AEW and the execution of untrusted tasks without violating real-time guarantees or degrading control quality.

The framework operates through three sequential steps:

1. Design-Time Analysis

Schedulability Analysis (WCRT): The framework performs a conservative Worst-Case Response Time (WCRT) analysis to determine the peak job-level delay ( $\Delta^{peak}_v$ ). This is the maximum delay that can be applied to a victim task's job releases without causing the victim or any lower-priority tasks to miss their deadlines. The analysis accounts for "carry-in" interference from higher-priority tasks and the jitter introduced by delayed releases.
Control Performance Analysis: Recognizing that delays affect the physical plant's dynamics, the authors model the control task as a delay-aware Linear Quadratic Regulator (LQR) system. They synthesize a delay-aware controller and compute the maximum admissible delay ( $\Delta^{max}_i$ ). This is the largest delay that keeps the control cost ( $J$ ) below a predefined threshold ( $J_{Th}$ ) set by the system designer.
Optimization Formulation: An optimization problem is formulated to generate an optimal job-level delay sequence ( $\Delta_i$ $Δ_{i}$ ) for each control task. The objective is to minimize the total temporal overlap between the AEWs of victim tasks and the execution windows of all untrusted tasks over a hyperperiod.
- The overlap function is non-linear and piecewise. To solve this, the authors linearize the problem using Mixed-Integer Linear Programming (MILP). They introduce auxiliary continuous variables and binary decision variables (using the Big-M method) to transform the overlap calculation into linear constraints suitable for standard solvers (e.g., Gurobi).

2. Runtime Execution (PFP-d Scheduler)

The framework integrates a custom scheduler, PFP-d (Preemptive Fixed Priority with delay), with an online anomaly detector.

Anomaly Detection: Each control loop is equipped with a $\chi^2$ -based residue detector that monitors the difference between sensed and estimated outputs. If the statistic exceeds a threshold ($Th$), an attack is flagged.
Mitigation: Upon detecting an attack on a specific victim task, the scheduler switches from standard PFP to PFP-d. It retrieves the precomputed optimal delay sequence and applies the corresponding delay to the release time of the current and subsequent job instances of the victim task.
Reset: The mitigation remains active for a predefined duration ( $T_{RES}$ ), after which the system resets to nominal operation.

3. Complexity and Overhead

The runtime algorithm (Algorithm 1) operates with $O(1)$ complexity per time step. Since the optimal delay sequences are computed offline and stored, the runtime overhead is negligible, making the approach suitable for resource-constrained embedded platforms.

Key Contributions

Joint Optimization of Security and Control: Unlike prior works that focus solely on schedule obfuscation, SecureRT explicitly accounts for the impact of scheduling modifications on closed-loop control performance and schedulability.
Bounded Delay Derivation: The paper derives strict upper bounds for job-level delays ( $\Delta^{peak}$ and $\Delta^{max}$ ) that guarantee both system schedulability and control stability.
Optimal Delay Synthesis: A novel MILP formulation is presented to generate optimal, cyclic job-level delay sequences that minimize the attack surface (AEW overlap) while adhering to the derived bounds.
SecureRT Framework: The integration of an online $\chi^2$ detector with a customized PFP-d scheduler provides a practical, lightweight defense mechanism against posterior SBAs.

Experimental Results

The authors evaluated SecureRT using a realistic automotive case study (Cruise Control, ESP, and Trajectory Tracking controllers) implemented on a Raspberry Pi 4 with a patched Linux kernel (PREEMPT_RT) to ensure hard real-time behavior.

Case Studies: Four scenarios were compared:
1. Baseline (PFP, No Attack): System operates normally.
2. Attack (PFP, No Delay): An attacker successfully performs FDI, causing significant deviation in plant state and a steady increase in control cost.
3. Random Delays (State-of-the-art): Applying random delays (Laplace distribution) reduced predictability but failed to consistently prevent FDI, leading to performance degradation and cost increases.
4. SecureRT (PFP-d): The optimal delay sequence successfully minimized the overlap between the victim's AEW and the attacker's execution. The system maintained stable plant tracking, and the control cost remained close to the nominal value despite the ongoing attack.
Quantitative Improvement: In the automotive case study, the optimal delay sequence reduced the overlap duration available for FDI attacks by 60% (from 45ms to 18ms).
General Schedulability: Extensive synthetic experiments across various utilization ranges and task counts (5, 10, and 20 tasks) demonstrated that SecureRT maintains high schedulability, particularly when victim tasks are high-priority and system utilization is low to moderate.

Significance and Claims

The paper claims that SecureRT offers a significant advancement over existing mitigation strategies by bridging the gap between cybersecurity and control theory. Its primary significance lies in the ability to secure real-time control workloads against timing inference attacks without compromising the deterministic guarantees or the physical performance of the system.

The authors emphasize that their approach is not merely a theoretical exercise but a deployable solution for resource-constrained environments. By using bounded, structured delays rather than unbounded randomization, SecureRT ensures that safety-critical systems can operate within predefined performance limits while significantly reducing the attack surface. The work concludes by noting that future extensions will aim to apply this framework to multi-core systems and dynamic-priority schedulers (like EDF).

Mitigating Timing-Based Attacks in Real-Time Cyber-Physical Systems