SchedGuard: Protecting against Schedule Leaks Using Linux Containers
arXiv - CS - Operating Systems, Pub Date: 2021-04-09, DOI: arxiv-2104.04528
Jiyang Chen, Tomasz Kloda, Ayoosh Bansal, Rohan Tabish, Chien-Ying Chen, Bo Liu, Sibin Mohan, Marco Caccamo, Lui Sha

Real-time systems have recently been shown to be vulnerable to timing inference attacks, mainly due to their predictable behavioral patterns. Existing solutions such as schedule randomization lack the ability to protect against such attacks, often limited by the system's real-time nature. This paper presents SchedGuard: a temporal protection framework for Linux-based hard real-time systems that protects against posterior scheduler side-channel attacks by preventing untrusted tasks from executing during specific time segments. SchedGuard is integrated into the Linux kernel using cgroups, making it amenable to use with container frameworks. We demonstrate the effectiveness of our system using a realistic radio-controlled rover platform and synthetically generated workloads. Not only is SchedGuard able to protect against the attacks mentioned above, but it also ensures that the real-time tasks/containers meet their temporal requirements.

Updated: 2021-04-13