
Since the second issue of 2020, the “Foreword” column has been launched in the journal “Microcontrollers and Embedded System Applications”, inviting an industry expert each issue to share their views on embedded technology related to current hot topics, benefiting embedded technology practitioners and enthusiasts. The article published today is the foreword for the 12th issue of 2020!

Analysis of Risks and Security Assurance in Real-Time Embedded Systems
Xie Guoqi
School of Information Science and Engineering, Hunan University
Real-time embedded systems are an important branch of embedded systems, characterized by high timing accuracy, predictable timing behavior, and stringent deadlines. They are widely used in safety-critical fields such as automobiles. Meanwhile, the number of fatalities caused by road traffic accidents has been rising year by year, with an average of 1 person dying on the road every 24 seconds. Numerous safety incidents indicate that, under the growing complexity of systems and the rapid development of connectivity, real-time embedded systems still have design flaws and security risks. The following elaborates further using automobiles as an example.
(1) Complexity. The automotive field has long adopted model-based development, whose automatic code generation is highly agile and easily meets the demand for diversified, customized, and intelligent system functions. However, this has also made systems increasingly complex. A complete automotive software system can now reach several GB in size, yet automatic code generation represents complex logic with low accuracy, and the interactions between modules are prone to failure.
(2) Connectivity. Connected cars provide convenience but also introduce information security problems. An attacker can infiltrate the vehicle and take control of its driving behavior, ultimately causing a functional safety accident. A single disclosed information security vulnerability can force an automaker to recall millions of vehicles of the same model. Complexity and connectivity intertwine real-time performance, functional safety, and information security, increasing both the variety of security risks and how well they are concealed. Risk analysis and security assurance are effective means of ensuring that such systems operate safely.
a. Risk Analysis. Risk analysis of real-time embedded systems falls into three categories: real-time analysis for deadline (delay) violations, hazard analysis for functional safety failures, and threat analysis for information security attacks. Real-time analysis is the primary form of risk analysis and should focus on the core critical components. Take the automotive gateway as an example: it is the hub for cross-domain data exchange within the vehicle and has become the delay bottleneck of in-vehicle communication, yet current commercial automotive gateways have no established delay bounds. Hazard analysis should not be limited to failures of individual components but should focus on failures arising from the logical interactions between components. Threat analysis can use techniques such as intrusion detection based on deep learning models to address the shortage of attack samples during the testing phase.
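To make concrete what "determining a delay bound" means for a shared in-vehicle bus, the following is an added example written for this column, not code from the author or the journal. It applies the standard fixed-priority response-time analysis for a non-preemptive bus such as CAN (the iterative formula for the queuing delay, followed by a deadline check) to a constructed set of four messages whose identifiers, transmission times, periods, and deadlines are assumed values, and then composes per-bus bounds into an end-to-end bound for a signal relayed through a gateway with an assumed forwarding latency.

```python
"""Worst-case response-time analysis for a fixed-priority, non-preemptive
bus (CAN-style), deriving a delay bound per message and checking it against
the deadline.  Added illustration with constructed parameters; not the
author's or the journal's code."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed: a 500 kbit/s bus, so one bit time is 2 microseconds.
TAU_BIT_US = 2


@dataclass(frozen=True)
class Message:
    name: str
    can_id: int        # lower identifier wins arbitration = higher priority
    c_us: int          # worst-case transmission time of one frame
    period_us: int     # minimum inter-arrival time T
    deadline_us: int   # relative deadline D


@dataclass(frozen=True)
class Result:
    bound_us: Optional[int]   # worst-case response time R, None if no bound found
    meets_deadline: bool


def _ceil_div(a: int, b: int) -> int:
    return -(-a // b)


def blocking_time(msg: Message, msgs: List[Message]) -> int:
    """Non-preemptive blocking B: a lower-priority frame may already be on
    the bus when msg becomes ready, so the worst case is the longest one."""
    return max((m.c_us for m in msgs if m.can_id > msg.can_id), default=0)


def worst_case_response_time(msg: Message, msgs: List[Message]) -> Result:
    """Fixed-point iteration on the queuing delay w:
         w = B + sum over higher-priority j of ceil((w + tau_bit) / T_j) * C_j
       then R = w + C.  The sequence of w values is non-decreasing, so it
       either converges or exceeds the period; the latter means this
       single-instance analysis no longer applies (a busy-period analysis
       would be needed), and no bound is reported."""
    hp = [m for m in msgs if m.can_id < msg.can_id]
    b = blocking_time(msg, msgs)
    w = b
    while True:
        w_next = b + sum(_ceil_div(w + TAU_BIT_US, m.period_us) * m.c_us for m in hp)
        if w_next > msg.period_us:
            return Result(None, False)
        if w_next == w:
            r = w + msg.c_us
            return Result(r, r <= msg.deadline_us)
        w = w_next


def analyse(msgs: List[Message]) -> Dict[str, Result]:
    """Bound every message on one bus and flag deadline misses."""
    return {m.name: worst_case_response_time(m, msgs) for m in msgs}


def end_to_end_bound(hop_bounds: List[Optional[int]], gateway_latency_us: int) -> Optional[int]:
    """Bound for a signal relayed across several buses by a gateway: the sum
    of per-bus response-time bounds plus one gateway forwarding latency per
    hop crossed.  Assumes store-and-forward relaying with no extra buffering."""
    if any(b is None for b in hop_bounds):
        return None
    return sum(hop_bounds) + gateway_latency_us * (len(hop_bounds) - 1)


# Constructed message set (all values assumed, microseconds).
MESSAGES = [
    Message("engine_speed",   0x100, 200, 1000, 1000),
    Message("brake_pressure", 0x120, 200, 2000, 2000),
    Message("door_status",    0x300, 200, 4000, 4000),
    Message("steering_angle", 0x310, 250, 4000,  800),   # tight deadline
]

if __name__ == "__main__":
    for name, res in analyse(MESSAGES).items():
        status = "ok" if res.meets_deadline else "DEADLINE MISS / no bound"
        print(f"{name:15s} R = {res.bound_us} us  {status}")
    # A signal crossing two buses via a gateway with an assumed 500 us latency.
    print("end-to-end:", end_to_end_bound([450, 650], 500), "us")
```

The lowest-priority message in this set misses its deadline even though the bus is lightly loaded, because it inherits the queuing delay of every higher-priority frame; this is the kind of result a real-time analysis of a gateway must expose before the message set is frozen, and it also shows why the end-to-end bound through a gateway is only as good as the weakest per-hop bound.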
b. Security Assurance. Security assurance for real-time embedded systems includes functional safety assurance and information security assurance. For functional safety assurance, real-time performance should become one of the core attributes of functional safety, and a rapid functional safety verification and confirmation process should be established alongside reliability during the early design phase. At the same time, considering the resource constraints and cost sensitivity of real-time embedded systems, resources and costs can be optimized under the premise of ensuring functional safety. Real-time performance is a prerequisite for achieving information security assurance, and traditional techniques such as authentication, authorization, encryption, decryption, and code obfuscation can still be used to ensure the integrity, confidentiality, and availability of information security.
As complexity and connectivity continue to develop, the challenges faced by real-time embedded systems will become increasingly severe. For example, time synchronization becomes more difficult, and hazard analysis and threat analysis require cooperation, while functional safety and information security influence and intertwine with each other. From the perspective of combining science and engineering, effective methods to address these challenges can be found.