Scheduling Randomization Protocol to Improve Schedule Entropy for Multiprocessor Real-Time Systems

Abstract

Because most tasks on real-time systems are conducted periodically, its execution pattern is highly predictable. While such a property of real-time systems allows developing the strong schedulability analysis tools providing high analytical capability, it also leads that security attackers could analyze the predictable execution patterns of real-time systems and use them as attack surfaces. Among the few approaches to foil such a timing-inference security attack, TaskShuffler as a schedule randomization protocol received considerable attention owing to its simplicity and applicability. However, the existing TaskShuffler is only applicable to uniprocessor platforms, where the task execution pattern is quite simple to analyze when compared to multiprocessor platforms. In this study, we propose a new schedule randomization protocol for real-time systems on symmetry multiprocessor platforms where all processors are composed of the same architecture, which extends the existing TaskShuffler initially designed for uniprocessor platforms.

1. Introduction

The primary concerns in designing safe critical real-time systems are to develop a methodology to effectively allocate limited computing resources (e.g., memory and CPU (central processing unit)) to multiple real-time tasks (e.g., motor control and sensing), and to derive a mathematical analysis mechanism. This mechanism would ensure every operation conducted by real-time tasks are completed within predefined time units (called deadlines) to satisfy real-time requirements [1]. The former and latter, which are respectively referred to as real-time scheduling algorithms and schedulability analysis, have been extensively studied over the past several decades in the field of real-time systems [2,3,4].

Unlike conventional research, which mostly focuses on the timing guarantees under various computing environments with different operational constraints, recent studies have focused on the security aspect because the modern real-time systems are exposed to unknown security attacks. For instance, modern real-time systems are increasingly being connected to unsecured networks such as the Internet, which allows the sophisticated adversaries to launch security attacks on UAVs (unmanned aerial vehicles) [5], industrial control systems [6], and automobiles [7,8].

Predictability, which is a key property of real-time systems, facilitates the development of several effective schedulability analysis mechanisms, but causes an increase in the success ratio of security attacks because of easy timing inferences [9,10,11]. Because most of the real-time tasks are conducted periodically, the execution patterns can be highly predictable, and most of the strong schedulability analysis mechanisms such as deadline analysis (DA) [12] and response-time analysis (RTA) [13] exploit such a property to judge whether each real-time operation can be completed within the deadline on the target environment. Such a seemingly advantageous property plays a double-edged sword because the security attackers can analyze the predictable execution patterns of real-time systems and use them as attack surfaces. For example, recent studies have shown that an adversary can launch cache-based side-channel attacks by collecting information about important tasks or set up new covert channels [9,14]. The success ratio of such attacks is quite high because the periodic execution of real-time tasks results in repeated (based on the hyper-period of all real-time tasks on the system) scheduling patterns. After observing the real-time task schedules on the target systems, the adversary can predict future schedules of the system.

The main challenge in preventing such timing inference-based security attacks on real-time systems is making the initially predictable schedule unpredictable, while simultaneously satisfying the real-time constraint. Among the few proposed mechanisms that have been used to address the problem of the uniprocessor system, TaskShuffler (a schedule randomization protocol) has received considerable attention owing to its simplicity and applicability [15]. TaskShuffler exploits the notion of priority inversion budget, defined as the time interval between the finishing time of worst-case operation and deadline, of each task. Priority inversion budget value of each task implies that the task can complete its execution even if the other tasks execute for the amount of worst-case inversion budget instead of the task. Utilizing the calculated priority inversion budget value of each task, the TaskShuffler effectively selects random tasks at each schedule point and dynamically manages the value to induce uncertainty and satisfy the real-time constraint simultaneously.

As multiprocessor platforms have been increasingly adopted modern real-time systems to conduct highly resource-consuming tasks, the state-of-the-art techniques need to be tailored for multiprocessor platforms. For example, the latest embedded platforms developed for autonomous driving car consist of multiple CPUs to execute heavy-load tasks such as multiple sensing and image processing (e.g., NVIDIA Drive AGX Pegasus with 8-core “Carmel" CPUs based on ARM architecture) [16]. However, the existing TaskShuffler is only applicable to uniprocessor platforms, where the task execution pattern is quite simple to analyze when compared to multiprocessor platforms.

In this study, we propose a new schedule randomization protocol for real-time systems on symmetry multiprocessor platforms where all processors are composed of the same architecture, which extends the existing TaskShuffler initially designed for uniprocessor platforms. To develop a schedule randomization protocol for multiprocessor platforms, we need to address the following issues:

(i)

How to define the problem of improving the security (i.e., uncertainty of schedules) of real-time systems and satisfying the schedulability simultaneously on multiprocessor platforms, differentiating it from the uniprocessor case (Section 2),

(ii)

How to calculate the priority inversion budget value for each task on multiprocessors (Section 4.1),

(iii)

How to utilize the calculated priority inversion budget values in randomized schedules effectively, to improve uncertainty (Section 4.2), and

(iv)

How to satisfy the real-time requirement after applying the proposed schedule randomization protocol (Section 4.2).

To address point (i), we first recapitulate the underlying idea and purpose of the existing TaskShuffler designed for the uniprocessor case. Then, we define the problem for the multiprocessor case, which is addressed in this study. To address point (ii), we investigate each task’s surplus computing power allowed for lower-priority tasks without missing its corresponding deadline. To address point (iii), such lower-bound computing power is effectively utilized by the new schedule randomization protocol proposed in this study. In addition, we demonstrate that if the task set is schedulable with the fixed-priority (FP) preemptive scheduling, then it is schedulable with the proposed schedule randomization protocol; this addresses point (iv). Using experimental simulations, we then discuss various factors affecting the uncertainty of new schedules.

2. Problem Definition

TaskShuffler assumes that the attacker knows task sets’ parameters as well as scheduling policy of the target system [15]. The attacker aims at gleaning sensitive data such as the victim task’s private key in shared resources such as DRAM (dynamic random access memory). Figure 1 briefly presents a scenario where the attacker launches a cache side-channel attack exploiting the scheduling pattern of real-time systems. The attacker first hijacks a task $tas{k}_A$ consecutively executing with a victim task $tas{k}_V$; it assumes that $tas{k}_A$ is relatively easy to hijack compared to $tas{k}_V$ because $tas{k}_A$ is not related to the security operation. Then, the attacker fills all cache sets with $tas{k}_A$’s data before $tas{k}_V$ executes. Thereafter, $tas{k}_V$ operates a cryptographic operation with a private key. Here, all cache sets were already filled with $tas{k}_A$’ data, and thus some cache sets are replaced by $tas{k}_V$’ data. Later, $tas{k}_A$ reads cache sets and measures the latencies. Some cache sets used by $tas{k}_V$ result in slow latencies because of cache misses for $tas{k}_A$. The attacker collects such timing information and reasons the location of the private key in the shared memory.

To make such an attack scenario feasible, the attacker should monitor the execution pattern of the target system for a long time to catch the proper timing to launch the attack. Because the same execution pattern of real-time systems is (mostly) repeated, the success ratio of the attack would increase. Figure 2 presents the scheduling pattern of $\tau =\{{\tau }_0(T_0=5,C_0=1,D_0=5),{\tau }_1(8,2,8),{\tau }_2(20,3,20)\}$ scheduled by a fixed-priority scheduling (${\tau }_0$ and ${\tau }_2$ have the highest and lowest priorities, respectively) without (Figure 2a) and with (Figure 2b) TaskShuffler on a uniprocessor platform. It shows which task executes in 200 time slots, and the number in each rectangle presents the task index executed at the time slot. As shown in Figure 2a, the scheduling pattern is repeated every 40 time units because the least common multiple of periods of tasks in $\tau$ is 40. On the other hand, the scheduling pattern is obfuscated by TaskShuffler (most importantly) without schedulability loss (Figure 2b). That is, every task both in Figure 2a,b completes its execution without any deadline miss. It implies that TaskShuffler could improve potential durability against timing-inference attacks by obfuscating the scheduling pattern of real-time systems without schedulability loss.

In this study, we aim to develop a new schedule randomization protocol for multiprocessor platforms by extending the existing TaskShuffler initially designed for uniprocessor platforms. To achieve this, we first recapitulate the underlying idea and purpose of the existing TaskShuffler designed for the uniprocessor case. Then, we define the problem for the multiprocessor case, which is addressed in this study.

The key property of real-time systems is that most of the tasks operate repetitively at periodic intervals. This indicates that the same scheduling pattern for a certain period of time (e.g., one hyper-period of all tasks) can be exhibited in the next period. Although such property aids in developing better-performing analysis techniques that can easily judge the schedulability of real-time systems, an adversary can launch timing-inference attacks by collecting information about important tasks or set up new covert channels.

The TaskShuffler compensates for such shortcoming of real-time systems by reducing the predictability of schedules for real-time tasks. Therefore, even if an observer can record the exact schedule for a certain time period, the same will not be exhibited in the next period under the TaskShuffler. The underlying idea of the existing TaskShuffler is to pick up a random task from the ready queue, unlike most of the real-time systems where the highest priority task is selected for scheduling. Such counterintuitive mechanisms lead to the priority inversion problem and deadline misses, placing system safety at risk. To solve this problem, the TaskShuffler only allows limited priority inversion for each task. That is, it restricts the use of priority inversion so that every task meets the original real-time constraint (i.e., meeting deadlines). To this end, it calculates the lower-bound amount of priority inversion that each task can tolerate, using the TaskShuffler protocol. When the priority inversion limit is reached during execution, the lower-priority task stops running, and the highest priority task is selected to be scheduled.

Then, the TaskShuffler achieves the following goal G.

G.

Suppose that a task set $\tau$ is scheduled by a given FP scheduling algorithm S, and its schedulability is guaranteed by a given schedulability analysis A. Then, $\tau$’s schedulability is still guaranteed by a given schedulability analysis $A^{\prime }$ when it is scheduled by the FP algorithm $S^{\prime }$ incorporating the TaskShuffler protocol of uniprocessors.

Let $\lambda \left(S\right)$ be the set of schedulable task sets scheduled by FP scheduling, and $\lambda \left(A\right)$ be the set of task sets each of whose schedulability is guaranteed by a given schedulability analysis supporting FP scheduling. In addition, $\lambda {\left(S\right)}^{\prime }$ denotes the set of schedulable task sets scheduled by FP scheduling incorporating TaskShuffler, and $\lambda \left(A^{\prime }\right)$ is the set of task sets each of whose schedulability is guaranteed by a given schedulability analysis supporting FP scheduling incorporating TaskShuffler. Figure 3a shows the regions of task sets covered by $\lambda \left(S\right)$, $\lambda \left(A\right)$, $\lambda \left(S^{\prime }\right)$, and $\lambda \left(A^{\prime }\right)$ for uniprocessor platforms. $\lambda \left(S\right)=\lambda \left(A\right)$ in Figure 3a indicates a well-known fact that every schedulable task set $\tau \in \lambda \left(S\right)$’s schedulability is guaranteed by the given exact schedulability analysis (e.g., RTA supporting FP scheduling) [13]. Then, the TaskShuffler targets task sets belonging to $\lambda \left(A\right)$ ($=\lambda \left(S\right)$) and applies the TaskShuffler protocol; note that task sets out of $\lambda \left(A\right)$ has nothing to do with the goal G. It utilizes a specialized schedulability analysis $A^{\prime }$ to support the FP scheduling $S^{\prime }$ incorporating the TaskShuffler protocol. When $A^{\prime }$ is conducted for each task ${\tau }_i\in \tau$, the lower-bound amount of priority inversion for each task is calculated, and the TaskShuffler exploits it without compromising the schedulability of task sets $\tau \in \lambda \left(A\right)$. Therefore, it achieves $\lambda \left(S\right)=\lambda \left(A\right)=\lambda \left(A^{\prime }\right)=\lambda \left(S^{\prime }\right)$ as shown in Figure 3a.

For multiprocessor platforms, there is no exact schedulability analysis for our system model [17], which provides $\lambda \left(S\right)\ne \lambda \left(A\right)$ as shown in Figure 3b. Therefore, we target $\left(\lambda \right(A)⊊\lambda (S\left)\right)$ in which tasks’ schedulabiliy are guaranteed by the DA schedulability analysis and aim at achieving the goal G on multiprocessors.

3. System Model

We consider a task set $\tau$ the Liu and Layland task (and system) model (considered as the de-fecto standard in the field of real-time scheduling theory) in which every task ${\tau }_k\in \tau$ is scheduled by global, preemptive and work-conserving FP real-time scheduling algorithm on m identical multiprocessors [1]. A scheduling algorithm is called global, preemptive and work-conserving if a task migrates from one processor to another, a lower-priority task is preempted by a higher-priority one, and the processor is never idle when there are jobs to be executed, respectively. In FP scheduling, the priority is assigned to each task such that all jobs invoked by the same task have the same priority. The Liu and Layland model assumes that tasks are independent, no synchronization is needed, and resources (except processors or cores) are always available. According to the task model, we assume that all processors share the common cache and main memory. A task ${\tau }_k$ periodically invokes a job $J_k$ in every $T_k$ time units, and each job is supposed to execute for at most $C_k$ time units (also known as the worst-case execution time (WCET) ) to declare its completion. Every job invoked by ${\tau }_k$ should complete its execution in $D_k$ time units as a real-time constraint. j-th job invoked by a task ${\tau }_k$ is denoted by $J_k^j$, and it is invoked at the release time $r_k^j$ and should finish its execution within the absolute deadline $d_k^j=r_k^j+D_k$. We use the notation $J_k$ when it indicates an arbitrary job of a task ${\tau }_k$. A job $J_k$ is said to be schedulable when it finishes its execution before its absolute deadline $d_k^j$. Further, a task ${\tau }_k$ is said to be schedulable when all jobs invoked by ${\tau }_k$ are schedulable, and a task set $\tau$ is said to be schedulable when all tasks ${\tau }_k\in \tau$ are schedulable. $lp\left({\tau }_k\right)$ and $hp\left({\tau }_k\right)$ represent the set of tasks whose priorities are lower than that of ${\tau }_k$ and that whose priorities are higher than that of ${\tau }_k$, respectively. We consider online scheduling algorithms and offline schedulability analysis (in online scheduling algorithms and offline schedulability analysis, the priorities of pending or executing jobs (i.e., scheduled by the given scheduling algorithm) are determined after the system starts, while the schedulability of the given task set is judged before the system starts.)

4. Schedule Randomization Protocol for Multiprocessors

The key idea of our schedule randomization protocol is to select random jobs from the ready queue rather than the originally prioritized ones that are supposed to be selected by a given algorithm. This operation inevitably causes priority inversions for some tasks, which can induce an additional execution delay when compared to the existing schedule. This can result in a deadline miss in the worst case, even if the task is deemed schedulable by a given schedulability analysis. To avoid such situations, we should employ bounded priority inversions (calculated by the schedule randomization protocol) so that every task completes its execution before its corresponding deadline.

In this section, we first calculate the upper bound of allowed priority inversions for each task (in the first subsection), and then present how to effectively utilize such calculated priority inversions budget values in a schedule randomization protocol for multiprocessors.

4.1. Priority Inversion Budget Calculation

As an offline step of our schedule randomization protocol for multiprocessors, the maximum number of time units that are allowed for jobs of tasks in $lp\left({\tau }_k\right)$ to execute when a job of the task ${\tau }_k$ waits for another job to complete should be calculated (we use a subscript ‘k’ if the notation is related to a task whose schedulability will be judged. We use a subscript ‘i’ if the notation is related to higher priority tasks of ${\tau }_k$.). We refer such time units as the priority inversion budget, $V_k$, which will be utilized in the online step of randomization protocol. We define the worst-case inversion budget as follows.

Definition 1.

(Priority inversion budget $V_k$) The priority inversion budget $V_k$ of a task ${\tau }_k$ is defined as the maximum amount of time units in [$r_k$, $d_k$) that is allowed for jobs of tasks in $lp\left({\tau }_k\right)$ to execute while a job $J_k$ of a task ${\tau }_k$ waits on multiprocessors, which ensures schedulability of ${\tau }_k$.

Thus, $V_k$ can be lower-bound by calculating the allowable limit for delay in execution of $J_k$ caused by lower-priority jobs in $[r_k,d_k)$ without missing deadlines. To achieve this, we exploit the underlying mechanism of a well-known schedulability analysis called DA, which uses two notions of interference defined as follows.

Definition 2.

(Worst-case interference $I_k$ on ${\tau }_k$) The worst-case interference $I_k$ on a task ${\tau }_k$ in an interval $[r_k,d_k)$ on multiprocessors is defined as the maximum cumulative length of all the intervals in which $J_k$ is ready to execute but cannot be scheduled because of higher-priority jobs.

Definition 3.

(Worst-case interference $I_{k\leftarrow i}$ of ${\tau }_i$ on ${\tau }_k$) The worst-case interference $I_{k\leftarrow i}$ of a task ${\tau }_i$ on a task ${\tau }_k$ in an interval $[r_k,d_k)$ on multiprocessors is defined as the maximum cumulative length of all the intervals in which $J_k$ is ready to execute but cannot be executed on any processor when the job $J_i$ of the task ${\tau }_i$ is executing.

Using the definition of $I_k$, $V_k$ is calculated as follows.

$$\begin{array}{c}\hfill V_k=D_k-(C_k+I_k).\end{array}$$

(1)

For a job $J_k$ to interfere at a time unit in [$r_k$, $d_k$), there are m jobs at the time unit. By the definition of $I_{k\leftarrow i}$, $I_k$ is calculated as follows.

$$\begin{array}{c}\hfill I_k=\frac{{\sum }_{{\tau }_i\in hp\left({\tau }_k\right)}{I}_{k\leftarrow i}}{m}.\end{array}$$

(2)

To upper bound $I_{k\leftarrow i}$, we use the concept of workload of a task ${\tau }_i$ in an interval of length ℓ, which is defined as the maximum amount of time units required for all jobs released from ${\tau }_i$ in the interval of length ℓ. As shown in Figure 4, the left-most job (called the carry-in job) of ${\tau }_i$ starts its execution at t (i.e., the beginning of the interval) and finishes it at $t+\ell$. That is, it executes for $C_i$ without any delay. Thereafter, the following jobs are released and executed without any delay. By calculating the number of jobs executing for $C_i$ and the other jobs executing for a part of $C_i$, the workload of ${\tau }_i$ in an interval of length ℓ (i.e., $I_{k\leftarrow i}$) is calculated by [18].

$$\begin{array}{c}\hfill I_{k\leftarrow i}=⌈\frac{D_k+D_i-C_i}{T_i}⌉C_i+min\left(C_i,D_k-⌈\frac{D_k+D_i-C_i}{T_i}⌉T_i\right).\end{array}$$

(3)

Figure 5 illustrates the underlying idea of DA with an example in which the target task ${\tau }_k$’s schedulability is judged considering its four higher priority tasks ${\tau }_i\in hp\left({\tau }_k\right)$ on $m=3$. In the interval $[r_k^j,d_k^j)$, there is only one job $J_k^j$ of ${\tau }_k$, and there is no deadline miss if $J_k^j$’s execution is not hindered by more than $D_k-C_k+1$. As seen in Figure 5, $I_{k\leftarrow i}$ can be larger than $D_k-C_k+1$, and some portion of that inevitably executes in parallel with $J_k^j$ since we assume that each job cannot execution in parallel on more than one processor. Thus, DA limits the amount of $I_{k\leftarrow i}$ to $D_k-C_k+1$, which refines Equation (2) as follows.

$$\begin{array}{c}\hfill I_k=\frac{{\sum }_{{\tau }_i\in hp\left({\tau }_k\right)}min\left(I_{k\leftarrow i},D_k-C_k+1\right)}{m}.\end{array}$$

(4)

Theorem 1.

Suppose that ${\tau }_k\in \tau$ scheduled by a given fixed-priority scheduling algorithm is deemed schedulable by DA, and tasks in $lp\left({\tau }_k\right)$ do not delay ${\tau }_k$ more than $V_k$. Then, ${\tau }_k$ is still schedulable with the randomization protocol.

Proof. 

By the definition ${\tau }_k$ is schedulable if every job $J_k^j$ released by ${\tau }_k$ at $r_k^j$ can finish its execution within $D_k$. From Equation (1), we have

$$\begin{array}{c}\hfill C_k+I_k+V_k=D_k.\end{array}$$

(5)

The worst-case execution for $J_k^j$ is upper bounded by $C_k$, and the time in which $J_k^j$ is hindered by higher-priority jobs is upper bounded by $I_k$ according to Equation (4). Therefore, if the tasks in $lp\left({\tau }_k\right)$ do not delay ${\tau }_k$ for more than $V_k$, then every job $J_k^j$ of ${\tau }_k$ can finish its execution within $D_k$. □

4.2. Schedule Randomization Protocol

Based on the mechanism to calculate the priority inversion budget of each task ${\tau }_i$ explained in the previous section, we illustrate how the new schedule randomization protocol for multiprocessors operates in this section. Let $Q_r=(J_{\left(1\right)},J_{\left(2\right)},\cdots ,J_{\left(\right|Q_r\left|\right)})$ be the ready queue in which active jobs are sorted in decreasing order of priority. It implies that $J_{\left(1\right)}$ and $J_{\left(\right|Q_r\left|\right)}$ are the highest- and lowest-priority jobs in $Q_r$, respectively. We assume that TaskSuffler operates only when $Q_r$ is greater than m because all active jobs will be selected for schedule, otherwise.

The TaskSuffler for multiprocessor conducts Algorithm 1 for $Q_r>m$ at every scheduling decision. It first adds $J_{\left(1\right)}$ to the candidate list, $L_c$ (Line 1). If its remaining inversion budget $v_{\left(1\right)}$ is equal to zero, then it returns $J_{\left(1\right)}$ and $(m-1)$ highest-priority jobs in $Q_r$ (Lines 2–4). Otherwise, with letting $J_{\left(i\right)}$ be the job in the current iteration, it iterates the following for $J_{\left(2\right)}$ through $J_{\left(\right|Q_r\left|\right)}$ (Lines 5–11). If the remaining inversion budget $v_{\left(i\right)}$ of $J_{\left(i\right)}$ is larger than zero, it adds $J_{\left(i\right)}$ to the candidate list $L_c$ and considers the next job (Lines 6–7). Otherwise, it adds $J_{\left(i\right)}$ to the candidate list $L_c$ and stops the iteration (Lines 8–9). Then, if $|L_c|$ is smaller than or equal to m, it returns all jobs in $L_c$ and $(m-|L_c\left|\right)$ highest-priority jobs in $Q_r$. Otherwise, it returns randomly selected m jobs in $|L_c|$. After Algorithm 1 is conducted, the selected m jobs execute until the next scheduling decision.

Algorithm 1 TaskSuffler for multiprocessors.

1: $L_c\leftarrow J_{\left(1\right)}$ 2: if$v_{\left(1\right)}\le 0$then 3:       return $J_{\left(1\right)}$ and ($m-1$) highest-priority jobs in $Q_r$ 4: end if 5: for each $J_{\left(i\right)}\in Q_r$ for i from 2 to $|Q_r|$ do 6:       if $v_{\left(i\right)}>0$ then 7:           add $J_{\left(i\right)}$ to $L_c$ 8:       else 9:           add $J_{\left(i\right)}$ to $L_c$ and goto Step 12 10:      end if 11: end for 12: if$|L_c|\le m$then 13:       return all jobs in $L_c$ and ($m-L_c$) highest-priority jobs in $Q_r$ 14: else 15:       return randomly selected m jobs in $L_c$ 16: end if

Let ${\tau }_b$ denote the task of the lowest-priority job among selected jobs, and ${\tau }^u$ denote the set of tasks that were not selected. The next schedule decision is made at

$$\begin{array}{c}\hfill t^{\prime }=t+min\left(v_i\right|{\tau }_i\in (hp\left({\tau }_b\right)\cap {\tau }^u)),\end{array}$$

(6)

unless a new job arrives or any of the selected jobs finishes its execution before $t^{\prime }$. Thus, the remaining inversion budget of every released job belonging to a task ${\tau }_i\in (hp\left({\tau }_b\right)\cap {\tau }^u)$ is deducted by one at each time unit until the next schedule decision will be made, a new job arrives, or any of the selected jobs finishes its execution before $t^{\prime }$. The remaining priority inversion budget $v_i$ of each job $J_i$ is set to $V_i$ when $J_i$ is released.

Theorem 2.

Suppose that ${\tau }_k\in \tau$ scheduled by a given fixed-priority scheduling algorithm is deemed schedulable by DA schedulability analysis, then it is still schedulable under the schedule randomization protocol.

Proof. 

By Theorem 1, ${\tau }_k$ is schedulable if its execution is not hindered for more than $V_k$ by lower-priority tasks. ${\tau }_k$’s execution is interfered by lower-priority tasks only when ${\tau }_k$’s priority is lower than that of ${\tau }_b$, and the amount of interference from lower-priority tasks cannot be larger than $V_k$ since the next scheduling decision is made before $v_k$ becomes zero owing to Equation (6). □

To implement TaskShuffler to the existing scheduler, the system should be capable for tracking tasks’ remaining execution times and priority inversion budgets. Such monitoring ability is already commonly available on many real-time systems, whose aim is to guarantee that they do not exceed their execution allowances [19,20]. Utilizing such the ability, TaskShuffler may impose additional scheduling decisions according to the policy of TaskShuffler, compared to the vanilla scheduling algorithms (e.g., rate monotonic). It naturally increases scheduling costs such as preemption (or context switching) and migration costs. The system designers should consider how much such scheduling costs will happen for their target systems when TaskShuffler is considered to improve the schedule entropy without schedulability loss.

4.3. Schedule Entropy for Multiprocessors

Because our goal is to improve the uncertainty in scheduling to foil the fixed schedule pattern of real-time scheduling, we need to evaluate the improvement in the uncertainty of our proposed schedule randomization protocol. To overcome this issue, we use the concept of schedule entropy initially designed for a uniprocessor [21,22,23]. The underlying idea of schedule entropy is to measure randomness (or unpredictability) of schedule at each time unit, called slot entropy, and derive the summation of all slot entropies over a hyper-period L (defined as the least common multiple of $T_i$ of all tasks ${\tau }_i\in \tau$). The slot entropy $H_{\tau }\left(t\right)$ at a time slot t for a task set $\tau$ is calculated as follows.

$$\begin{array}{c}\hfill H_{\tau }\left(t\right)=-\sum _{{\tau }_i\in \tau }Pr({\tau }_i,t)lo{g}_{2}Pr({\tau }_i,t),\end{array}$$

(7)

where $Pr({\tau }_i,t)$ is the probability mass function of a task ${\tau }_i$ appearing at time t. $Pr({\tau }_i,t)$ is obtained empirically by observing multiple hyper-periods [15]. Then, the schedule entropy $H_{\tau }$ is calculated by the summation of all slot entropies over a hyper-period L as follows.

$$\begin{array}{c}\hfill H_{\tau }=\sum _{t=0}^{L-1}{H}_{\tau }\left(S_t\right).\end{array}$$

(8)

According to the considered task model, we assume that all processors share the common cache and main memory. Then, it also implies that which processor is assigned to a task ${\tau }_i$ does not affect the level of scheduling entropy. That is, the level of scheduling entropy is influenced by whether ${\tau }_i$ is scheduled or not in a time slot. Such the assumption is the limitation of our study, and thus it should be considered as potential future work.

5. Evaluation

In this section, we evaluate the performance of our schedule randomization protocol with randomly generated synthetic task sets to understand the effect of our approach on various factors more fully.

We randomly generated even task sets from nine system utilization groups, $[0.01+0.1·i,0.09+0.1·i]$ for $i=0,\cdots ,8$, that is, 100 instances per group. The system utilization of a task set is defined as the sum of the utilizations of all tasks (${\sum }_{{\tau }_i\in \tau }(C_i/T_i)$) in the task sets. We considered three different numbers of processors $m=2,4$ and 8. Each system utilization group has five sub-groups, each of which has a fixed number of tasks; for $m=2,4$ and 8, the number of tasks for five sub-groups are {$5,7,9,11,13$}, {$6,9,12,15,18$} and {$7,11,15,19,23$}. Each task period $T_i$ was randomly selected from {20, 40, 80, 160, 320, 640, 1280, 2560}, and each WCET $C_i$ was selected from $min([1,50],T_i)$. A total of 100 task sets were generated for each sub-group, and thus $7·3·5·100=10,500$ task sets were generated in total. As our goal is to improve the uncertainty of the schedule without compromising schedulability, we only selected the task sets whose schedulability is guaranteed by DA schedulability. We used rate-monotonic (RM) scheduling as our base scheduling algorithm in which our proposed schedule randomization was applied. To obtain the converged schedule entropy of each task set, we conducted a simulation for 10,000 hyper-periods of the task set as it ensures less than 0.01% (recommended to obtain the converged schedule entropy [15]) of difference in schedule entropy between those from 9999 and 10,000 hyper-periods.

Figure 6 shows the plot of average schedule entropy of each sub-group’s task sets (i.e., 100 task sets for each sub-group) over varying system utilization groups for $m=2,4$ and 8 (Due to limited space on x-axis, $[0.01+0.1·i,0.09+0.1·i]$ for $i=0,\cdots ,8$ is represented as [0.0, 0.1], [0.1, 0.2], ⋯, [0.7, 0.8], [0.8, 0.9].). As shown in Figure 6a, the schedule entropy of a task set is high on average when it consists of a large number of tasks (System utilization group [0.8, 0.9] exhibits an exceptional result because of heavy utilization of its task set, which result that most of the task sets exhibit zero schedule entropy). This is because a higher number of tasks with our schedule randomization protocol possibly provides larger options for tasks to be randomly selected in every time slot. For example, the schedule entropy $H_{\tau }\left(t\right)$ at a time slot t of a task set $\tau$ having two tasks ${\tau }_i\in \tau$ each of whose $Pr({\tau }_i,t)$ is 1/2 is 1, while $H_{\tau }\left(t\right)$ is 2 if $\tau$ has four tasks ${\tau }_i\in \tau$ each of whose $Pr({\tau }_i,t)$ is 1/4. This implies that a larger number of tasks for each task set can improve schedule entropy. In addition, Figure 6a demonstrates that task sets included in the groups whose system utilization is low or high (e.g., [0.0, 0.1], [0.1, 0.2], [0.7, 0.8] or [0.8, 0.9]) result in relatively low average schedule entropy while the others (e.g., [0.2, 0.3]–[0.6, 0.7]) results in high average schedule entropy. Because the task sets with low system utilization have less WCET, no process operates (i.e., processors are idling) in most of the time slots. When it comes to high utilization, most of the tasks have low $V_i$ values; therefore, the chances of tasks to be randomly selected are quite low. Therefore, a low schedule entropy results in both cases.

From Figure 6a–c, we can observe that the average schedule entropy of task sets decreases as the number of processors m increases. This is mainly due to the underlying pessimism of the DA schedulability analysis in calculating $I_k$ in Equation (4). As Figure 5 implies, the DA schedulability analysis assumes that the execution corresponding to $I_{k\leftarrow i}$ is performed as much as possible in the interval [$r_k^j$, $r_k^j+D_k-C_k+1$) to upper bound $I_k$. However, this does not happen in most cases since two jobs released consecutively from the same task may execute at intervals from each other, which implies that the amount of execution contributing to $I_k$ is overestimated under the DA schedulability analysis. Such pessimism of the DA schedulability analysis increases for a larger value of m. As our schedule randomization protocol is based on the DA schedulability analysis to derive $V_i$, task sets with a lower value of $V_i$ (from a larger value of m) results in a lower average schedule entropy.

While Figure 6 presents the average schedule entropy over varying system utilization groups,

Table 1. m = 2.

	5 Tasks	7 Tasks	9 Tasks	11 Tasks	13 Tasks
[0.0, 0.1]	434.2	612.9	727.2	801.1	967.8
[0.1, 0.2]	597.0	853.8	1357.3	1575.6	1599.9
[0.2, 0.3]	930.4	1269.4	1811.5	1901.7	2166.2
[0.3, 0.4]	1166.0	2008.1	2082.4	2280.5	2784.5
[0.4, 0.5]	2049.6	2038.7	2152.4	2112.5	2659.2
[0.5, 0.6]	1626.3	1754.0	2221.2	2211.9	2674.5
[0.6, 0.7]	1659.7	1084.8	1583.9	2372.3	2529.1
[0.7, 0.8]	981.1	1978.5	1802.6	2280.7	1915.0
[0.8, 0.9]	1332.2	2229.9	2043.6	2183.4	1952.1

,

Table 2. m = 4.

	6 Tasks	9 Tasks	12 Tasks	15 Tasks	18 Tasks
[0.0, 0.1]	257.3	695.5	845.2	1147.1	1321.0
[0.1, 0.2]	377.6	977.1	1441.6	1556.8	1602.6
[0.2, 0.3]	669.6	1023.0	1584.3	2196.7	1712.7
[0.3, 0.4]	409.5	997.6	1416.2	1752.8	1875.8
[0.4, 0.5]	428.2	652.6	1567.5	1327.4	1462.2
[0.5, 0.6]	480.8	416.3	430.4	735.3	1184.2
[0.6, 0.7]	-	401.7	67.4	-	1208.2

and

Table 3. m = 8.

	7 Tasks	11 Tasks	15 Tasks	19 Tasks	23 Tasks
[0.0, 0.1]	144.9	583.9	861.4	878.6	1014.1
[0.1, 0.2]	126.8	357.6	789.5	811.4	1196.0
[0.2, 0.3]	45.3	-	343.3	470.8	728.3
[0.3, 0.4]	-	-	-	643.5	-

show the maximum schedule entropy obtained from each setting. As the minimum schedule entropy of every setting is zero, Table 1, Table 2 and Table 3 also represent the range of schedule entropy that can be obtained from each setting. “-” in the tables represents a value lower than 0.1, and we exclude rows of the tables if all values corresponding to the row are “-”. The trends shown in Figure 6a–c also appear in Table 1, Table 2 and Table 3, but the maximum schedule entropy of task sets in the high system utilization group are relatively high compared to the average schedule entropy of those task sets. This indicates that a very low number of task sets in the high system utilization group shows exceptionally high schedule entropy from a certain task parameter setting following the considered task set generation method, and the other task sets are with zero schedule entropies.

One may wonder whether much additional scheduling overhead is required to apply our schedule randomization protocol into the existing scheduling algorithm. Note that the schedule decision on preemptive scheduling algorithm (basically considered in our paper) without the schedule randomization protocol is made only when a job finishes its execution or a new job is released. In addition, an additional schedule decision stemming from the schedule randomization protocol is made when $v_i$ (i.e., the remaining priority inversion budget value of $V_i$) of a job becomes zero. Figure 7 shows the ratio between the number of schedule decisions made by naive RM and that made by RM with the schedule randomization protocol. As shown in Figure 7, for task sets with high system utilization or for larger m shows less schedule decision ratio. With high system utilization or larger m, each task has a lower priority inversion budget as aforementioned, and the schedule randomization protocol works rarely with such settings. Overall, a high schedule decision ratio implies a larger scheduling overhead, and thus the system designers should carefully consider the trade-off between scheduling overhead and the degree of security they want to achieve for their target system.

6. Related Work

The problem of information leakage for real-time systems has been addressed in several studies. Mohan et al. considered real-time tasks with different security levels and focused on information leakage on shared computing resources (e.g., RAM and cache). They proposed a mechanism for FP scheduling to flush the status of shared resources conditionally, which reduces the chances of an attacker from obtaining sensitive information of the resources [24]. Because they incorporated a security mechanism into the existing FP scheduling, an additional timing overhead was inevitably required. Therefore, they proposed a new sufficient schedulability analysis to accommodate that fact. In [25], an exact schedulability was proposed to improve the analytical capability. In addition, this work was extended to mixed-criticality systems in [26]

The aforementioned studies addressed the issues only for non-preemptive scheduling; therefore, Pellizzoni et al. extended this work to preemptive scheduling [27]. They extended it to a more general task model, and proposed an optimal priority assignment method that determines the task preemptibility.

Another approach to improve the security of real-time systems is to randomize the schedules without compromising schedulability. TaskShuffler addressed in this study was proposed by Yoon et al. for a preemptive FP scheduling algorithm [15]. The goal of TaskShuffler is to improve uncertainty in schedule and reduce the success ratio of timing inference attacks simultaneously. Kr¨uger et al. proposed an online schedule randomization protocol for time-triggered systems [28]. While the aforementioned two approaches are applicable to uniprocessor platforms, we focus on multiprocessor platforms.

7. Conclusions

In this study, we aimed to develop a new scheduling randomization protocol for symmetry multiprocessors to improve the security and conserve schedulability of real-time systems simultaneously, by extending the existing TaskShuffler initially designed for uniprocessors. To this end, we first define the problem of improving the security of real-time systems and satisfying the schedulability simultaneously on multiprocessor platforms, differentiating it from the uniprocessor case. Then, we employed DA schedulability to derive priority inversion budget values for each task, and proposed an algorithm to effectively utilize the calculated priority inversion budget values in randomized schedules to improve uncertainty. Based on the simulation results, we investigated the effect of our approach on various factors. Non-preemptive [29] or partitioned [2] scheduling will be considered in our future work.

As our study adopts a fundamental task model (of the Liu and Lyland) assuming no consideration of task dependency, resource consideration and scheduling costs (e.g., migration or preemption cost), it cannot be directly applied to actual real-time systems without relieving the assumptions. We also leave it as our promising future work.