Real-time vs Non-real-time System Security

TL;DR

Real-time systems (think car engine control, medical devices) and non-real-time systems (like web servers, email clients) have different security needs. Real-time systems are much more sensitive to timing attacks and require stricter controls on resource access and code execution because a delay can cause physical harm or system failure. Non-real-time systems focus more on data confidentiality and integrity.

Understanding the Differences

Let’s break down why these differences exist, and how to protect both types of systems.

1. What are Real-Time & Non-Real-Time Systems?

  • Real-time Systems: These need to respond to events within a guaranteed timeframe. Missing that deadline can be catastrophic. Examples include:
    • Industrial control systems (ICS)
    • Automotive engine management
    • Medical life support equipment
    • Flight control systems
  • Non-Real-Time Systems: These don’t have strict timing requirements. A slight delay is usually acceptable. Examples include:
    • Web servers
    • Email clients
    • Office productivity software

2. Key Vulnerability Differences

  1. Timing Attacks: Real-time systems are far more vulnerable to these. An attacker could deliberately cause delays or interrupt processes to disrupt critical functions.
    • Example: A delay in a brake control system could prevent braking, causing an accident.
  2. Resource Exhaustion: Both are susceptible, but the impact is greater on real-time systems. Even small resource shortages can lead to failures.
    • Example: A denial of service attack that fills a real-time system’s memory could halt critical operations.
  3. Code Integrity: Critical for both, but real-time systems often have stricter requirements for verifying code hasn’t been tampered with.
    • Example: Modified firmware in a pacemaker could deliver incorrect electrical impulses.
  4. Data Confidentiality & Integrity: More of a focus in non-real-time systems, protecting sensitive information like passwords and financial data.
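
One way to detect the induced delays described under Timing Attacks and Resource Exhaustion above is a deadline supervisor that latches a fail-safe state after repeated deadline misses. This is an added example, not code from the original article; the type and function names, the free-running 32-bit microsecond counter, and the thresholds are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example: all names and thresholds are assumptions, not a real RTOS API. */
typedef enum { SUP_OK, SUP_DEGRADED, SUP_FAILSAFE } sup_state_t;

typedef struct {
    uint32_t deadline_us;  /* hard deadline for one job of the task */
    uint32_t budget_us;    /* expected worst-case execution time */
    uint8_t  max_misses;   /* consecutive deadline misses before fail-safe */
    uint8_t  misses;       /* current run of consecutive misses */
    uint32_t overruns;     /* jobs over budget but still on time (early warning) */
    sup_state_t state;
} supervisor_t;

void sup_init(supervisor_t *s, uint32_t deadline_us, uint32_t budget_us,
              uint8_t max_misses) {
    *s = (supervisor_t){ .deadline_us = deadline_us, .budget_us = budget_us,
                         .max_misses = max_misses, .state = SUP_OK };
}

/* Call when a job finishes. Timestamps come from a free-running 32-bit
   microsecond counter; unsigned subtraction stays correct across wrap. */
sup_state_t sup_job_done(supervisor_t *s, uint32_t release_us, uint32_t done_us) {
    uint32_t elapsed = done_us - release_us;
    if (s->state == SUP_FAILSAFE)
        return s->state;              /* latched: only sup_init() clears it */
    if (elapsed > s->deadline_us) {
        s->misses++;
        s->state = (s->misses >= s->max_misses) ? SUP_FAILSAFE : SUP_DEGRADED;
    } else {
        if (elapsed > s->budget_us)
            s->overruns++;            /* on time, but slower than expected */
        s->misses = 0;
        s->state = SUP_OK;
    }
    return s->state;
}

int main(void) {
    /* Constructed trace: {release, completion} timestamps in microseconds. */
    const uint32_t jobs[][2] = { {0, 400}, {1000, 1700}, {2000, 3200},
                                 {3000, 4300}, {4000, 5500}, {5000, 5300} };
    supervisor_t s;
    sup_init(&s, 1000, 600, 3);
    for (size_t i = 0; i < sizeof jobs / sizeof jobs[0]; i++)
        printf("job %zu -> state %d\n", i, (int)sup_job_done(&s, jobs[i][0], jobs[i][1]));
    return 0;
}
```

The `overruns` counter is worth logging even while the state is `SUP_OK`: a rising count of slow but on-time jobs is an early sign of resource pressure before any deadline is missed.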

3. Security Measures for Real-Time Systems

  1. Secure Boot: Ensures only trusted code runs on the system.
    • This often involves cryptographic verification of firmware before execution.
  2. Real-time Operating System (RTOS) Security: Use an RTOS designed with security in mind, and configure it properly.
    • Many RTOSes have features like memory protection units (MPUs) to isolate processes.
  3. Least Privilege Principle: Grant only the necessary permissions to each process.
  4. Network Segmentation: Isolate real-time networks from other, less secure networks.
    • Use firewalls and intrusion detection systems (IDS).
  5. Code Auditing & Static Analysis: Regularly review code for vulnerabilities.
  6. Hardware Security Modules (HSMs): Protect cryptographic keys used for secure boot and communication.
    • Example command to check HSM status (the name below is a placeholder; the actual command depends on the vendor's tooling):
      show_hsm_status

4. Security Measures for Non-Real-Time Systems

  1. Regular Patching: Keep software up to date with the latest security fixes.
    • Automated patching systems are highly recommended.
  2. Strong Authentication & Authorization: Use strong passwords, multi-factor authentication (MFA), and role-based access control (RBAC).
  3. Web Application Firewalls (WAFs): Protect web applications from common attacks like SQL injection and cross-site scripting (XSS).
    • Example: Configure a WAF rule to block requests containing suspicious keywords.
  4. Intrusion Detection & Prevention Systems (IDS/IPS): Monitor network traffic for malicious activity.
    • Use tools like Snort or Suricata.
  5. Data Encryption: Protect sensitive data both in transit and at rest.

5. Common Mistakes to Avoid

  • Treating all systems the same: Real-time and non-real-time systems require different approaches.
  • Ignoring supply chain security: Ensure components from third-party vendors are trustworthy.
  • Lack of monitoring & logging: You can’t protect what you don’t see.