Enforcing Full-Stack Memory-Safety in Cyber-Physical Systems

• Published in: Engineering Secure Software and Systems Vol. 10953; pp. 9 - 26
• Main Authors: Chekole, Eyasu Getahun, Chattopadhyay, Sudipta, Ochoa, Martín, Huaqun, Guo
• Format: Book Chapter
• Language: English
• Published: Switzerland Springer International Publishing AG 2018; Springer International Publishing
• Series: Lecture Notes in Computer Science
• ISBN: 3319944959; 9783319944951
• ISSN: 0302-9743; 1611-3349
• DOI: 10.1007/978-3-319-94496-8_2

Memory-safety attacks are one of the most critical threats against Cyber-Physical Systems (CPS). As opposed to mainstream systems, CPS often impose stringent timing constraints. Given such timing constraints, how can we protect CPS from memory-safety attacks? In this paper, we propose a full-stack memory-safety attack detection method to address this challenge. We also quantify the notion of tolerability of memory-safety overheads (MSO) in terms of the expected real-time constraints of a typical CPS. We implemented and evaluated our proposed solution on a real-world Secure Water Treatment (SWaT) testbed. Concretely, we show that our proposed solution incurs a memory-safety overhead of 419.91 µs, which is tolerable for the real-time constraints imposed by the SWaT system. Additionally, We also discuss how different parameters of a typical CPS will impact the execution time of the CPS computational logic and memory safety overhead.