Timeliness and Security in Real-Time Data Services - PowerPoint PPT Presentation

Euromicro'97 – PowerPoint PPT presentation

Slides: 57
Provided by: Sang93

1
Timeliness and Security in Real-Time Data
Services
  • Sang Hyuk Son
  • Department of Computer Science
  • University of Virginia
  • Charlottesville, Virginia 22903
  • son_at_cs.virginia.edu

2
Outline
  • Introduction to real-time systems
  • Trends in real-time system applications
  • Key research issues
  • Real-time and secure data services
  • QoS management
  • Flexible security
  • Summary

3
Real-Time Systems
  • A system whose basic specification and design
    correctness arguments must include its ability to
    meet its timing constraints.
  • Its correctness depends not only on the logical
    correctness, but also on the timeliness of its
    actions.

4
[Diagram labels: Real World, Input, Real-Time System, Output]
  • Input
  • current state (view) update
  • tasks to be performed by real-time systems
  • Output
  • actions to change real world situation
  • information to be retrieved to support
    decision-making

5
Real-Time Systems
  • Real-time systems
  • timeliness and predictability
  • typically embedded in a large complex system
  • dependability (reliability) is crucial
  • explicit timing constraints (soft, firm, hard)
  • A large number of applications
  • aerospace and defense systems, nuclear systems,
    robotics, process control, agile manufacturing,
    stock exchange, network and traffic management,
    multimedia computing, and medical systems
  • Rapid growth in research and development
  • workshops, symposia, journals
  • standards (POSIX, RT-SQL, RT-CORBA, RT-Java, etc)

6
Time Constraints
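[Figure: two plots of value v(t) against time t, each starting at v0; one marks a deadline d, the other marks deadlines d1 and d2]
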
7
Trends in Real-Time Systems Applications
  • Soft real-time requirements rather than hard ones
  • much wider applications
  • relates well with the notion of QoS
  • soft is harder to deal with than hard ones
  • Operate in unpredictable environments
  • WCET too pessimistic or high variance in
    execution time
  • unbounded arrival rate: overload unavoidable
  • Need to support multi-dimensional requirements
  • real-time, power, size, cost, security, and
    fault-tolerance
  • conflicting resource requirements and system
    architecture
  • Embedded and component-based

8
Example Application
[Figure annotations: arrival rate? resource requirement? delay? congested? Resources? Service delay? Throughput? Differentiation? User population? Processing power?]
  • Performance-critical applications in
    unpredictable environments
  • open systems on the Internet: e-business servers,
    web hosting
  • data-driven systems: real-time databases, smart
    spaces

9
Sensor Networks Swarm Computing
Resource management, team formation, real-time,
mobility, power, security
Smart Dust
Heterogeneous Sensors/Actuators/processors
  • battlefield awareness
  • earthquake response
  • tracking movements of animals
  • smart paint
  • MEMS in human bloodstream

10
Smart Spaces
  • Pervasive
  • Global connectivity

[Figure labels: Smart School, Smart Classroom, Smart City, Smart Factory]

11
Key Research Issues
  • How to support aggregated properties (control
    them)
  • theory and practice of feedback control
  • middleware architecture for large-scale
    distributed systems
  • How to manage real-time data
  • timeliness and data freshness
  • flexible security
  • How to support multidimensional requirements
  • system composition via components
  • reflection-based approaches

12
Data Services for Real-Time Systems
  • Critical in real-time systems
  • real-time computing needs to access data
  • real-world applications involve time constrained
    access to data that may have temporal property
  • traditional real-time systems manage data in
    application-dependent structures
  • as systems evolve, more complex applications
    require efficient access to more data
  • Function of real-time data services
  • gathering data from the environment, processing
    it in the context of information acquired in the
    past, for providing timely and temporally
    consistent responses

13
Real-Time Data Services Examples
  • They are used to monitor and control real-world
    activities
  • Networking and telecommunication systems
  • routers and network management systems
  • switching systems
  • Control systems
  • automatic tracking and object positioning
  • Real-time streaming from sensors and video
    servers
  • E-commerce
  • Web-based data services

14
Something to Remember ...
  • Real-time ≠ FAST
  • Real-time ≠ nanosecs or μsecs
  • Real-time means explicit or implicit time
    constraints
  • A high-performance database which is simply fast
    without the capability of specifying and
    enforcing time constraints is not appropriate
    for real-time applications

15
Time Constraints on Data
  • Where do they come from?
  • state of the world as perceived by the
    controlling system must be consistent with the
    actual state
  • Requirements
  • timely monitoring of the environment
  • timely processing of sensed information
  • timely derivation of needed data
  • Temporal consistency of data
  • absolute consistency: freshness of data between
    actual state and its representation
  • relative consistency: correlation among data
    accessed by a transaction

16
Static Data and Temporal Data
  • Static data
  • data in a typical database
  • values not becoming obsolete as time passes
  • logical consistency is the key consideration
  • Temporal data
  • arrive from continuously changing environment
  • represent the state at the time of sensing
  • has observed time and validity interval
  • users of temporal data need to see temporally
    coherent views of the data (state of the world)
  • When must the data be temporally valid?
  • ideally, at all times
  • in practice, only when they are used by
    transactions

17
An Example
  • Data object is specified by
  • (value, absolute validity interval, time-stamp)
  • Interested in temperature and pressure
  • with relative validity interval of 5
  • Let current time = 100
  • temperature = (347, 10, 95) and pressure = (50,
    20, 98)
  • -- temporally consistent
  • temperature = (347, 10, 98) and pressure = (50,
    20, 91)
  • -- temporally inconsistent
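
The two verdicts on this slide can be checked mechanically. The following Python is an added example, not code from the presentation or from BeeHive; it assumes the usual reading of the two notions (absolute: now - time-stamp <= absolute validity interval; relative: every pair of time-stamps differs by at most the relative validity interval), and the third read set is constructed.

```python
from dataclasses import dataclass
from itertools import combinations

@dataclass(frozen=True)
class TemporalObject:
    name: str
    value: float
    avi: int         # absolute validity interval
    timestamp: int   # time at which the value was sensed

def absolutely_consistent(obj, now):
    """Fresh: the sample is no older than its absolute validity interval."""
    return now - obj.timestamp <= obj.avi

def violations(read_set, now, rvi):
    """Return the reasons a transaction's read set is temporally inconsistent."""
    reasons = []
    for obj in read_set:
        if not absolutely_consistent(obj, now):
            reasons.append(
                f"{obj.name}: stale, age {now - obj.timestamp} > avi {obj.avi}")
    for a, b in combinations(read_set, 2):
        skew = abs(a.timestamp - b.timestamp)
        if skew > rvi:
            reasons.append(f"{a.name}/{b.name}: skew {skew} > rvi {rvi}")
    return reasons

def temporally_consistent(read_set, now, rvi):
    return not violations(read_set, now, rvi)

# The two read sets from the slide (current time 100, relative validity interval 5).
SLIDE_CASE_1 = [TemporalObject("temperature", 347, 10, 95),
                TemporalObject("pressure", 50, 20, 98)]
SLIDE_CASE_2 = [TemporalObject("temperature", 347, 10, 98),
                TemporalObject("pressure", 50, 20, 91)]
# Constructed third case: samples close to each other, but one has aged out.
STALE_CASE = [TemporalObject("temperature", 347, 10, 85),
              TemporalObject("pressure", 50, 20, 88)]

if __name__ == "__main__":
    for case in (SLIDE_CASE_1, SLIDE_CASE_2, STALE_CASE):
        print(temporally_consistent(case, now=100, rvi=5),
              violations(case, now=100, rvi=5))
```

The second read set fails only on relative consistency: both samples are individually fresh, but they were sensed 7 time units apart.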

18
BeeHive Project
  • Global real-time database system
  • object-based with added object semantics
  • support in RT, FT, QoS, and Security
  • different types of data: video, audio, images and
    text
  • sensors and actuators
  • Novel component technology
  • data deadline, forced delay, conditional priority
    inheritance
  • real-time logging and recovery
  • flexible security
  • QoS management based on feedback control
  • Cogency Monitor

19
Current Research Activities in BeeHive
[Diagram labels: BeeHive Front End Java, Simulation, Cogency Monitor, Basic BeeHive Storage Manager, Expand DB, Database, Security, RTDB Internals, Admission Control, QoS Control]

20
QoS Management in RT Data Services
  • Motivation
  • increasing demands for real-time data services
  • web-based information services
  • sensor networks
  • decision support systems
  • temporary overload and service degradation
    inevitable
  • Service quality: QoS parameters
  • timeliness
  • data freshness
  • behavior in transient state

21
Objectives and Approaches
  • Soft guarantees for timeliness and data freshness
  • Approaches
  • feedback control
  • controller design and parameter tuning
  • admission control
  • adaptive update policy
  • conflict between timeliness and freshness
  • dynamic balancing between updates and
    transactions
  • differentiated services
  • absolute/relative miss ratios

22
Performance Metrics
  • Transaction types
  • sensor updates
  • periodic updates to reflect the current status
  • application transactions
  • Major performance metrics
  • data freshness
  • deadline miss ratio
  • behavior in transient state: overshoot and
    settling time

23
RTDB Services
[Diagram labels: Update Streams S1, S2, Sn; Deadline, Freshness; Base (Sensor) Data Set; Adm Ctrl; User Transactions; Derived Data Set; Static Data Set; qRTDB; Scheduling/CC]

24
Data Freshness
Database
Database Freshness: Set of continuous data
Perceived Freshness: Set of continuous data
accessed by timely transactions

25
Timeliness Specification
[Figure: miss ratio against time, marking the reference, overshoot, settling time, steady state error, transient state and steady state]

26
QMF Architecture
27
Feedback Control Architecture
[Diagram labels: Submitted Transactions, Updates, Admission Controller, Accepted Transactions, EDF Scheduler, RTDB, Completed Transactions, MR(t), FR(t), MRs, FRs, PID Controller, ΔU, QoS Manager (Actuator), FCS]

28
Real-Time Secure Data Management
  • Characteristics
  • transactions with timing constraints
  • data with temporal properties
  • distributed multimedia data
  • mixture of sensitive and unclassified data
  • Requirements
  • timeliness and predictability
  • temporal consistency
  • synchronization of multimedia data
  • security enforcement
  • high performance

29
Real-Time Secure Data Management
  • Issues
  • integrate support of different types of
    requirements
  • predictability yet flexible execution
  • conflicts between real-time and security
  • storage, retrieval, and synchronization of
    distributed data
  • real-time management of resources
  • high performance yet fault-tolerant
  • trade-offs
  • scalability of solutions

30
Security and Real-Time
  • For timeliness, no priority inversion in
    real-time applications
  • tasks with earlier deadline or higher criticality
    have higher priority for better service
  • In secure systems, no security violation is
    allowed
  • Incompatible under the binary notion of absolute
    security
  • priority inversion vs security violation
  • Higher security services require more resources

31
Example of the Problem
[Diagram: T1 (high priority, high security) and T2 (low priority, low security) both access the same Resource]
  • Both require lock on the resource
  • How to resolve this conflict?
  • if lock is given to T1, security violation
  • if lock is given to T2, priority inversion

32
Requirement for Real-Time Secure DBS
  • Supporting both requirements of real-time and
    security for real-time databases
  • How to provide acceptably high security
    while remaining available and providing timely
    services?

33
Research Issues
  • Flexible security vs absolute security
  • paradigm for flexible security services
  • identifying correct metrics for security level
  • Adaptive security policies
  • Mechanisms to enforce required level of security
    and trading-off with other requirements
  • access control, authentication, encryption, ..
  • time-cognizant protocols, data deadlines, ...
  • replication, primary-backup, ...
  • Specification to express desired system behavior
  • verification of consistency/completeness of
    specification

34
Flexible Security Services
  • Flexible vs absolute (binary) security
  • traditional notion of security is binary: secure
    or not
  • problem of binary notion of security: difficult
    to provide acceptable level of security to
    satisfy other conflicting requirements
  • research issue: quantitative flexible security
    levels
  • One approach
  • represent in terms of % of potential security
    violations
  • problem: not precise --- percentage alone reveals
    nothing about implications on system security
  • e.g., 1% violation may leak most sensitive data
    out

35
Flexible Security for Access Control
  • Possible approaches to provide flexible security
  • control potential violations between certain
    security levels
  • even if it allows potential security violations,
    it does not completely compromise the security of
    the system
  • use different algorithms in an adaptive manner
  • A possible configuration

[Figure: four configurations, labelled A, B, C and D, each drawn over the levels Top secret, Secret, Confidential and Unclassified]

36
Flexible Security Policies (5 levels)
  • Completely secure: no violations allowed
  • Secure levels 2, 3 & 4: high 3 levels kept
    completely secure
  • Secure levels 3 & 4: high 2 levels kept
    completely secure
  • Split security: violations allowed between top 2
    levels, and among low 3 levels
  • Secure level 4: highest level kept completely
    secure
  • No security: violations can occur between any
    levels
  • Gradual security: control the number of violations
    between each level

37
Performance Study
  • Significant improvement in real-time performance
    as more potential covert channels are allowed
  • completely secure (6.5) vs no security (3.3)
    for 500 data items
  • completely secure (5) vs no security (1) for 1000
    data items
  • Trade-off capacities of security policies are
    strictly ordered
  • from completely secure through multiple secure
    levels to no security

38
Simulation Results
39
Flexible Security in BeeHive System
  • Four available security levels on users/objects
    or communications
  • computation costs increase with level of
    security
  • Client negotiated range of security levels for
    transaction communications
  • Dynamic level changes as a function of real-time
    load

40
Security Manager Services
  • Multi-level authentication and confidentiality
    encryption
  • Client authorization and session control
  • Session key generation and management
  • Transaction management
  • Dynamic security level control for transaction
    communications and synchronization

41
Security Manager Environment
[Diagram labels: Security Manager; Client Table (client security level key); Session Table (session keys status); Mapper/ Admission Control; Scheduler; TransData; Beehive threads n-1 and n; flows labelled transaction handoff, session transaction requests, transaction object session data, transaction results, object read write]

42
Impact of Difference in Message Size
43
Adaptive vs. Non-Adaptive
44
Level Switching (100 adaptive client)
[Figure: plot of security level, axis values 0 to 3]

45
Discussions
  • Good performance gains achievable in soft
    real-time system during overload conditions
  • Reasonable performance with small message sizes
    with I/O overhead
  • Flexibility using adaptive security policies is
    effective and useful in practical systems

46
Improved Security using RT Semantics
  • Exploiting real-time properties for improved
    security
  • timely detection of security violation is
    essential
  • critical in real-time secure applications
  • Example: intrusion detection using time signature
  • temporal data need to be refreshed/updated
    periodically
  • refresh rate can be chosen between some min and
    max rate
  • typically a single rate is chosen and fixed,
    while new rate within the min-max window can be
    reassigned after some interval for improved
    security
  • time semantics should be unknown to intruder

47
Intrusion Detection using RT Semantics
  • Idea of embedding security rules into data
    objects
  • Rules are used to specify constraints
  • define correct states of data objects and
    inter-object relationships
  • actions to be taken on certain events
  • violation of security constraints can be detected
    (ECA rule)
  • update request on a sensitive temporal data
    object (event)
  • triggers a rule to check right update time using
    periodic update rate (condition)
  • reports suspicious update request (action)

48
Normal and Suspicious Activities
  • Establishing normal behavior is necessary to
    detect intrusion
  • Ability to distinguish normal from suspicious
    depends on the range of fluctuations of normal
    behavior
  • Key parameter is acceptable tolerance in
    deviation from normal
  • false alarms (false positives) increase with low
    tolerance
  • missed detections (false negatives) increase with
    high tolerance
  • Issue: identify time semantics that are
    effective even with varying system workload (and
    which ones are not effective)
  • certain artificial time semantics can be
    associated with sensitive data for intrusion
    detection purpose (e.g., both time and duration
    of access)
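
The ECA rule and the tolerance trade-off from the three preceding slides, as an added Python example that is not from the presentation or the cited paper. The TimeSignature class, the one-update-per-slot check, the period and window values and the labelled trace are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class TimeSignature:
    """Secret update schedule of one sensitive temporal data object."""
    base: int          # time at which the current period took effect
    period: int        # current update period, unknown to outsiders
    min_period: int    # allowed refresh window
    max_period: int
    tolerance: int     # accepted deviation from a scheduled instant
    seen_slots: set = field(default_factory=set)

    def reassign(self, now, new_period):
        """Move to a new period inside the [min, max] window."""
        if not self.min_period <= new_period <= self.max_period:
            raise ValueError("period outside the allowed refresh window")
        self.base, self.period, self.seen_slots = now, new_period, set()

    def check_update(self, t):
        """ECA rule. Event: update request at time t. Condition: t does not
        match the schedule. Action: return a reason (None means accepted)."""
        slot = round((t - self.base) / self.period)
        if slot < 1:
            return "before first scheduled update"
        deviation = abs(t - (self.base + slot * self.period))
        if deviation > self.tolerance:
            return f"off-schedule by {deviation}"
        if slot in self.seen_slots:
            return f"second update in slot {slot}"
        self.seen_slots.add(slot)
        return None

# Constructed trace of (time, is_intrusion). The legitimate sensor updates
# every 10 time units with load-dependent jitter, and its update for the
# slot at time 70 never arrived.
TRACE = [(10, False), (21, False), (29, False), (34, True), (43, False),
         (50, False), (60, False), (68, True)]

def evaluate(tolerance, trace=TRACE):
    """Replay the trace; return (false positives, false negatives)."""
    sig = TimeSignature(base=0, period=10, min_period=5, max_period=20,
                        tolerance=tolerance)
    fp = fn = 0
    for t, is_intrusion in trace:
        flagged = sig.check_update(t) is not None
        fp += int(flagged and not is_intrusion)
        fn += int(is_intrusion and not flagged)
    return fp, fn

if __name__ == "__main__":
    for tol in range(5):
        print(f"tolerance={tol}: (false positives, false negatives) = {evaluate(tol)}")
```

On this trace a tolerance of 1 separates normal jitter from the injected updates except for one legitimate update delayed by 3; widening the tolerance to accept that update lets an injected one into the empty slot.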

49
Reflection Methodology
  • Identify the reflective information (semantics)
  • Retain the information to be accessible for
    analysis
  • Perform security checks and analysis
  • Retain the information at runtime (flexibility)
  • Expose the information to the security management
    code

50
Reflection - Example
[Diagram: "PCB - not reflective" (registers, ptr to stack, priority) beside "PCB Reflective" (registers, ptr to stack, priority, deadline, security info, time semantics); annotation: "What it takes to execute!"]

51
Reflection in Real-Time Systems
  • Enhances visibility of information between levels
    (off-line to on-line)
  • semantic information (real-time, FT, security ..)
  • individual module and system-wide policies

Simple Examples
[Diagram labels: tasks 1, 2, 3 vs FT 3 exec.; Node 1, Node 2, Node 3; T1 P1, T2 P2, T3 P3; captions: "System does not know they are related", "Lost information"]

52
Data Services in Sensor Networks
  • Recent advances in low-cost low-power devices
  • large scale sensor networks (ad hoc mobile
    networks)
  • each node consists of sensors/actuators/processors
  • Key issues in data services
  • how to collect and disseminate real-time data
  • QoS management under resource constraints
  • how to conserve energy while satisfying
    application requirements
  • real-time constraints and security requirements

53
Summary
  • Most current real-time systems technology is
    based on
  • predictable operating environments, known
    workload, WCET, wired networks, highly reliable
    nodes, no other conflicting requirements (e.g.,
    power, security, FT, ..)
  • Trends
  • soft RT, unpredictable environments,
    multidimensional requirements, QoS, security,
    embedded and wireless, simple and unreliable
    nodes, aggregate behavior control, power
    management, ...
  • New set of solutions needed
  • QoS in real-time data services
  • real-time secure data services: reflective
    approach
  • data services in sensor networks

54
Recent Papers
  • V. Lee, K. Lam, S. H. Son, and E. Chan, "On the
    Transaction Processing with Partial Validation
    and Timestamps Ordering in Mobile Broadcast
    Environments," IEEE Transactions on Computers,
    vol. 51, no. 10, Oct. 2002.
  • C. Park, S. Park, and S. H. Son, "Multi-version
    Locking Protocol with Freezing for Secure
    Real-Time Database Systems," IEEE Transactions
    on Knowledge and Data Engineering, vol. 14, no.
    5, pp 1141-1154, Sept/Oct 2002.
  • A. Datta and S. H. Son, "A Study of Concurrency
    Control in Real-Time Active Database Systems,"
    IEEE Transactions on Knowledge and Data
    Engineering, vol. 14, no. 3, pp 465-484, June
    2002.
  • S. H. Son, R. Mukkamala, and R. David,
    "Integrating Security and Real-Time Requirements
    using Covert Channel Capacity," IEEE
    Transactions on Knowledge and Data Engineering,
    vol. 12, no. 6, pp 865-879, Dec. 2000.

55
Recent Papers (contd)
  • Lee, V., Stankovic, J., and Son, S.H., "Intrusion
    Detection in Real-Time Databases using Time
    Signatures," IEEE Real-Time Technology and
    Applications Symposium, Washington, DC, June
    2000.
  • Son, S.H., Zimmermann, R., and Hansson, J., "An
    Adaptable Security Manager for Real-Time
    Transactions," Euromicro Conference on Real-Time
    Systems, Stockholm, Sweden, June 2000.
  • A. Datta, S. H. Son, and V. Kumar, "Is a Bird in
    Hand Worth More than Two in the Bush?
    Limitations of Priority Cognizance in Conflict
    Resolution for Firm Real Time Database Systems,"
    IEEE Transactions on Computers, vol. 49, no. 5,
    pp 482-502, May 2000.
  • S. H. Son, "Issues and Approaches to Supporting
    Timeliness and Security in Real-Time Database
    Systems," Journal of Systems Architecture, vol.
    46, no. 4, pp 397-410, Feb. 2000.
  • Son, S.H., Chaney, C., and Thomlinson, N., "Partial
    Security Policies to Support Timeliness in Secure
    Real-Time Databases," IEEE Symposium on Security
    and Privacy, Oakland, California, May 1998.

56
Recent Papers (contd)
  • J. Stankovic, S. H. Son, and J. Hansson,
    "Misconceptions About Real-Time Databases," IEEE
    Computer, June 1999.
  • J. Stankovic and S. H. Son, "An Architecture and
    Object Model for Distributed Object-Oriented
    Real-Time Databases," Journal on Computer Systems
    Science and Engineering, 14(4), July 1999.
  • J. Stankovic, S. H. Son, and C. Nguyen, "The
    Cogency Monitor: An External Interface
    Architecture for a Distributed Object-Oriented
    Real-Time Database System," IEEE Real-Time
    Technology and Applications Symposium, Denver,
    Colorado, June 1998.
  • S. H. Son, R. David, and C. Chaney, "Design and
    Analysis of an Adaptive Policy for Secure
    Real-Time Locking Protocol," Journal of
    Information Sciences, vol. 99, no. 1-2, pp
    101-135, June 1997.
  • K. Kang, S. H. Son, and J. Stankovic, "STAR:
    Secure Real-Time Transaction Processing with
    Timeliness Guarantees," 23rd IEEE Real-Time
    Systems Symposium (RTSS'02), Austin, TX, Dec.
    2002.

57
A Proof
  • Wondering why not many PhDs among the rich?
  • 1. Knowledge is Power: Knowledge = Power
  • 2. Time is Money: Time = Money
  • 3. Power is the rate at which work is done:
    Power = Work / Time
  • 4. Substituting Knowledge and Money for Power and
    Time: Knowledge = Work / Money
  • 5. Solving for Money: Money = Work / Knowledge
  • Money approaches infinity as Knowledge approaches
    zero, regardless of the Work done.
  • Proven: The less you know, the more you make.
  • Quod Erat Demonstrandum