A Task Parameter Inference Framework for Real-Time Embedded Systems

While recent studies addressed security attacks in real-time embedded systems, most of them assumed prior knowledge of parameters of periodic tasks, which is not realistic under many environments. In this paper, we address how to infer task parameters, from restricted information obtained by simple system monitoring. To this end, we first develop static properties that are independent of inference results and therefore applied only once in the beginning. We further develop dynamic properties each of which can tighten inference results by feeding an update of the inference results obtained by other properties. Our simulation results demonstrate that the proposed inference framework infers task parameters for RM (Rate Monotonic) with reasonable tightness; the ratio of exactly inferred task periods is 95.3% and 65.6%, respectively with low and high task set use. The results also discover that the inference performance varies with the monitoring interval length and the task set use.


Introduction
Real-Time Embedded Systems (RTES) have been deployed in time-critical environments, often involving control tasks each of which invokes a series of jobs with periodic releases, which has been widely studied in the industrial informatics community [1][2][3][4][5][6]. While traditional RTES have been little exposed to security attacks due to isolation from the external world and use of specialized hardware/protocol, increased connectivity yields new security attacks on RTES. Therefore, recent studies have addressed vulnerability issues by incorporating security mechanisms into RTES, without compromising timing constraints [7][8][9]; for example, a study in [8] has proposed a schedule randomization protocol against timing inference attacks such as side-channel or covert-channel attacks [10][11][12][13][14][15]. Also, targeting Electronic Control Units (ECU), some studies have developed a new denial-of-service attack [16] and a new intrusion detection system [17].
The attacks presented by those existing studies (from both defensive and offensive aspects) assume that the adversary knows important information of task parameters such as task period and actual/worst-case execution time; for example, the attacks in [8,9] and those in [16,17] assume knowledge of all task parameters and some task parameters including task priority ordering, respectively. Since information of task parameters is not necessarily open to the public, we need (i) to know whether it is feasible to infer task parameters from restricted information obtained by simple system monitoring and (ii) to develop a systematic way how to infer, both of which have not been fully addressed in existing studies. As shown in Figure 1, it is very challenging to infer task parameters, from information of the task index of currently-executing jobs (Section 2 will discuss how to obtain the information by simple system monitoring). In this paper, we propose a framework to infer task parameters, only from information about the task index of currently-executing jobs, and we apply the framework to RM (Rate Monotonic) [18]; once developed, the framework makes it possible to predict future job release and execution patterns of a given RTES so as to facilitate security attacks. To this end, we develop two types of properties that can narrow down (a) the feasible range of each task period and (b) the feasible group of each task's execution chunks that belong to the same job. First, we design static properties that are independent of inference results, which are therefore applied only once in the beginning. Second, we propose dynamic properties, each of which can yield tighter inference for (a) and (b) by feeding an update of the inference results obtained by other properties. Since all the properties to be developed in this paper do not assume any prior knowledge of job release times, task/job priority ordering, and distribution of actual execution times (many studies for security issues in RTES implicitly assume that the actual execution time is static [8,9,11,19]), the proposed framework successfully operates with various environments.
Our simulation results for the proposed inference framework make the following implications. First, the proposed framework infers task parameters for RM with reasonable tightness; the ratio of exactly inferred task periods is 95.3% and 65.6%, respectively with low and high task set use. Second, the inference performance gets improved, as the system use decreases or the monitoring interval length increases.
In summary, this paper makes the following contributions: • Introduction of a task parameter inference problem for given restricted information, • Development of useful properties that narrow down (a) and (b), • Demonstration of reasonably tight inference of task parameters for RM, and • Identification of factors that affect inference performance: the monitoring interval length and the system use.
The remainder of this paper is structured as follows. Section 2 explains the system and adversary model. Section 3 presents the overall structure of the inference framework. Sections 4 and 5 propose static and dynamic properties, respectively. Section 6 evaluates the effectiveness of the proposed framework, and finally, Section 9 concludes the paper.

System and Adversary Model
System model. We target a real-time embedded system which deploys a uniprocessor, and the system has a set of periodic real-time tasks. Each task τ i ∈ τ is modeled by the period (T i ) and the worst-case execution time (C i ); τ i invokes a series of jobs, each separated from its predecessor by exactly T i time units (in this paper, we assume quantum-based time; without loss of generality, let one time unit be the quantum length, and therefore all task/job parameters are non-zero natural numbers). We do not assume any relationship between jobs belonging to different tasks; therefore, individual tasks do not necessarily invoke their jobs in a synchronous manner. Different from recent studies for security issues in real-time systems [8,9,11], the actual execution time of each job of τ i (denoted by A i (J) for job J) is not necessarily equal to C i ; instead, 1 ≤ A i (J) ≤ C i holds.
We target one of the most popular preemptive real-time scheduling algorithms: RM, which gives a higher priority to a job whose invoking task's period is shorter. Each task has a unique task index, but it does not necessarily imply the task priority. We assume that the target system normally operates without any deadline miss for all jobs.
Adversary model. The main objective of the adversary is to infer task parameters C i and T i for every task τ i ∈ τ, which potentially yields various security attacks such as side-channel attacks [10][11][12][13] or covert-channel attacks [15]. We consider that the adversary monitors the target system during the monitoring interval (denoted by MI) and obtains very restricted information-the task index of currently-executing jobs, which is feasible for many environments such as ECU connected with control area network [16,17]. Please note that the task index information does not necessarily imply that we should know the task indexes used in the system; instead, we only need to distinguish every task from other tasks, which is feasible using various techniques such as [20]. For example, an attacker can number tasks in Figure 1 after s/he differentiates all tasks.
Notations. We can formally express the monitoring interval (MI) as follows. From knowledge of the task index of currently-executing jobs, we naturally track which task was executed and whether CPU was idle or busy in each time quantum. We define the busy (likewise idle) interval as an interval in which a series of jobs are consecutively executed without idling CPU (likewise no job is executed). We can express MI as a union of busy and idle intervals in which different types of intervals alternate (for the ease of presentation, we assume that MI starts with an idle interval), meaning that where BI x (likewise II x ) denote the xth busy (likewise idle) interval, as shown in Figure 1. We also define a subinterval as an interval between the time instant when a job of a task starts or resumes its execution and that when it stops its execution by the scheduler; therefore, each job in its subinterval continuously runs without being interrupted by any other job or idle interval. Let SI a x denote the ath subinterval in BI x . By definition, a full or partial execution of a single job is performed in each subinterval, and it is not allowed to execute more than one job in each subinterval. As MI is decomposed into II x and BI x , BI x can be decomposed into SI 1 x ∪ SI 2 x ∪ ..., as shown in Figure 1. In this paper, let N BI denote the number of busy intervals in MI, and N SI x denote the number of subintervals in BI x . Also, let τ(SI a x ) denote the task executed in SI a x . Finally, let t start (Interval) and t end (Interval) denote the start and end time of Interval; for example, t start (MI), t start (BI x ), and t start (SI a x ) denote the start time of MI, BI x , and SI a x , respectively.

Inference Framework Overview
The proposed framework aims at inferring task parameters (T i , C i ) for every task executed in the monitoring interval MI, so as to facilitate other security attacks. Once we investigate MI, we can arrange the following information: Info 1 . A set of tasks executed in MI (denoted by τ), and Info 2 . t start (BI x ) and t end (BI x ) for every 1 ≤ x ≤ N BI , and t start (SI a x ), t end (SI a x ) and τ(SI a x ) for every pair of 1 ≤ x ≤ N BI and 1 ≤ a ≤ N SI x .
Based on Info 1 and Info 2 , the framework develops properties regarding task periods and subinterval groups for job separation. While it is straightforward to require the former, the need/role of the latter will be explained now. The hth subinterval group of τ k (denoted by SG h (τ k )) is defined as a group of subintervals in each of which the potentially same job of τ k is executed. What we meant by "the potentially same job" is as follows. If two subintervals SI a x and SI b y satisfying τ(SI a x ) = τ(SI b y ) = τ k belong to different subinterval groups, then it means that a job of τ k executed in SI a x is different from that in SI b y . Otherwise, a job of τ k executed in SI a x can be either different from or the same as that in SI b y . Whenever we find new evidence that different jobs of a task are executed in subintervals belonging to the same subinterval group, we split the subinterval group into two.
Once we gather sufficiently specific information of subinterval groups and then combine it to task period information, we finally know not only T i , but also statistics for A i (J), allowing the prediction of C i . To this end, we maintain the following information regarding task periods and subinterval groups: , and t + release J latest (SG h (τ k )) for every pair of τ k ∈ τ and possible h, Here, T − i and T + i denote the lower and upper bounds of T i , respectively. t release (J), t − release (J), and t + release (J) also denote the release time of a job J, its lower bound, and its upper bound. J earliest (SG h (τ k )) and J latest (SG h (τ k )) denote a job with the earliest and latest release time among jobs executed in subintervals in SG h (τ k ). Therefore, Info 4 includes information regarding the feasible range of release times of jobs with the earliest and latest release times, and will be used for deriving Info 3 in the later sections.
Then, the proposed inference framework's objective can be expressed by obtaining Info 3 and Info 4 as tightly as possible, and the framework operates with the following steps.
Step 1 . Obtain Info 1 and Info 2 from MI.
Step 2 . Set the default values to Info 3 and Info 4 .
Step 3 . Apply static properties for Info 3 and Info 4 .
Step 4 . Apply dynamic properties for Info 3 and Info 4 .
Step 5 . If there is any change of Info 3 and Info 4 in Step 4 , go to Step 4 ; otherwise, stop the inference framework. In Step 2 , we set T − i and T + i to 1 and MAX T (sufficiently large value) for every τ i ∈ τ, respectively. Also, we assign only one unified subinterval group SG uni (τ k ) for every τ k ∈ τ, and set t − release (J earliest (SG h (τ k )) and t − release (J latest (SG h (τ k )) to t start (MI), and t + release (J earliest (SG h (τ k )) and t + release (J latest (SG h (τ k )) to t end (MI); the unified subinterval group will be split by properties to be presented in later sections.
When it comes to Step 3 , static properties to be developed in Section 4, rely on Info 1 and Info 2 only. Hence, the properties are not affected by any change of Info 3 and Info 4 , implying that we apply the properties only once in the beginning. In Step 4 , dynamic properties to be developed in Section 5, utilize some of Info 3 and Info 4 , and have potential to further narrow down Info 3 and Info 4 , from an update of Info 3 and Info 4 by other properties. Therefore, we repeatedly apply the properties whenever there is an update of Info 3 and Info 4 .
Once we apply our inference framework with Step 1 to Step 5 , we are able to not only infer each task period, but also differentiate different jobs belonging to the same task, which implies that we know the execution time of each job. Therefore, for the remainder of the paper, we focus on inferring each task period.

Task Inference by Static Properties
In this section, we aim at inferring Info 3 and Info 4 , and derive static properties that are independent of Info 3 and Info 4 .
The first static property determines the range of the release times of the earliest and latest jobs in a subinterval group as follows.
Subinterval Group Property 1. We can split the unified subinterval group SG uni (τ k ) into several groups each of which includes subintervals belonging to the same busy interval. After splitting, the following inequalities hold for a subinterval group SG h (τ k ) which includes subintervals In short, the release time of a job with the earliest release time among jobs executed in subintervals in SG h (τ k ) is between the start time of the busy interval and the start time of the earliest subinterval in SG h (τ k ). Also, the release time of a job with the latest release time among jobs executed in subintervals in SG h (τ k ) is between the start time of the busy interval and the start time of the latest subinterval in SG h (τ k ).
In addition, if b 1 = 1 (i.e., SI b 1 x is the earliest subinterval in its busy interval BI x ), then we can find an exact value of the release time of the earliest job in SG h (τ k ) as follows: Proof. Since no job is released and executed in an idle interval, the release time of any job in a busy interval cannot be earlier than the starting time of the busy interval, implying the first inequalities in Equations (1) and (2). The second inequalities in Equations (1) and (2) hold as follows. Since there exists a job which starts its execution at t start (SI b 1 x ), a job with the earliest release time in SG h (τ k ) cannot be released later than t start (SI b 1 x ). Similarly, since the latest subinterval in which τ k is executed starts at t start (SI b m x ), a job with the latest release time in SG h (τ k ) cannot be released later than t start (SI b m x ). Equation (3) immediately holds because no job is released and executed in an idle interval. Now, we present useful properties that narrow down the range of every task period, starting from the property indicating the period of a task is at least as much as the length of a subinterval in which the task is executed.
Task Period Property 1. The following inequality holds for SI a x satisfying τ(SI a x ) = τ k , for every pair of The inequality means that the period of τ k is at least the difference between the start and end time of each subinterval for τ k .
Proof. The length of SI a x is no longer than A k (J) for every job J of τ k , and A k (J) ≤ C k ≤ T k holds. Therefore, the property holds.
Based on the observation that any job cannot be released within an idle interval, we derive the following property.
Task Period Property 2. The following inequality holds for BI x for every 1 ≤ x ≤ N BI − 1: The inequality means that the period of τ k is at least half of the difference between the start time of the next busy interval and the end time of the current busy interval. (5) is wrong. Then, there exists at least one job released in

Proof. Suppose that Equation
, and the job's deadline is no later than t start (BI x+1 ), meaning that the idle interval [t end (BI x ), t start (BI x+1 )) subsumes the interval between the job's release and deadline, which implies no execution of the job. This contradicts the supposition.
Analyzing the job release/execution patterns, we can derive the following property regarding each task period. Task Period Property 3. Suppose that there are at most n − 2 subintervals satisfying τ(SI a x ) = τ k within a continuous interval of length n · L, where n is a natural number not smaller than 2. Then, the following inequality holds: Proof. Suppose that Equation (6) is wrong; we will show the contradiction. If we focus on an interval of length n · L, the interval contains at least n − 1 jobs whose release times and deadlines are within the interval. Since each job has at least one unit of execution, there should be at least n − 1 subintervals. This contradicts the supposition.
Please note that we can apply a binary search to find the largest L in Task Period Property 3. This is because if we find a continuous interval of length n · L satisfying the property, we also find that of length n · L (if L < L).
We also note that it may be time-consuming to test all feasible intervals of given length n · L within MI. To alleviate computation cost, we may select some of candidate intervals, e.g., [t start (MI), t start (MI) + n · L), [t start (MI) + n · L, t start (MI) + 2 · n · L), [t start (MI) + 2 · n · L, t start (MI) + 3 · n · L) and so on. Likewise, we may also limit the number of trials for n.

Example 1.
We explain how static properties work using an example in Figure 1. In the example, the monitoring interval MI is [0, 90), and there are 5 tasks: τ 0 , τ 1 , τ 2 , τ 3 and τ 4 . Due to the space limit, we explain how the framework narrows down the range of T 2 of τ 2 . After applying Task Period Property 1, we know T 2 ≥ 2.
Since the length of the longest idle interval is 3, Task Period Property 2 also yields T 2 > 1.5. If we focus on [13,19), there is no execution of τ 2 , deriving T 2 > 3 from Task Period Property 3. Considering the quantum length equal to 1, we conclude T 2 ≥ 4. The feasible range of T i for all tasks are shown in Table 1.

Task Inference by Dynamic Properties
Different from static properties, dynamic properties utilize Info 3 and Info 4 ; we can feed an update of Info 3 and Info 4 by a dynamic property back to other dynamic properties, potentially improving inference performance by collaboration of different dynamic properties.
We first narrow down the range of the release time of the earliest and latest jobs in a subinterval group as follows.
Subinterval Group Property 2. Suppose that there are two consecutive subinterval groups of τ k : x , SI a 2 x , ..., SI a n x where a 1 < a 2 < ... < a n , and (ii) , and x ≤ y. Then, we can determine the range of the release times of the earliest and latest jobs in SG h (τ k ) as follows (here, the term "two consecutive subinterval groups" SG h−1 (τ k ) and SG h (τ k ) implies that there is no subinterval group which is later than SG h−1 (τ k ) and earlier than SG h (τ k )).
t end (SI a n x ) ≤ t release J latest (SG h (τ k )) ≤ t start (SI b m y ).
The structure of the above inequalities are similar to that of Subinterval Group Property 1.
Proof. Suppose that t release J earliest (SG h (τ k )) is earlier than t end (SI a n x ). Then, it contradicts the definition of a subinterval group-different jobs should be executed in subintervals in different groups. Therefore, the first inequalities in Equations (7) and (8) hold. We already prove the second inequalities in Equations (7) and (8) in Subinterval Group Property 1.
Subinterval Group Property 2 is effective for the situation where all subintervals in two consecutive subinterval groups belong to the same busy interval. Whenever a subinterval is split by some properties to be presented later, the property yields a tighter value of t − release J earliest (SG h (τ k )) and t − release J latest (SG h (τ k )) than Subinterval Group Property 1. This is because, t end (SI a n x ) in Equations (7) and (8) is no earlier than t start (BI x ) in Equations (1) and (2), if SG h−1 (τ k ) and SG h (τ k ) belong to the same busy interval.
Using the above subinterval group property, we can determine the range of each task period as follows.
Task Period Property 4. Suppose that there are two consecutive subinterval groups of τ k : (i) SG h−1 (τ k ) consisting of subintervals SI a 1 x , SI a 2 x , ..., SI a n x where a 1 < a 2 < ... < a n , and (ii) , and x ≤ y. Then, we can determine the range of τ k 's period as follows.
The first inequality means, the period of τ k is at least the difference between the lower-bound of the release time of a job with the earliest release time among jobs executed in subintervals in SG h (τ k ) and the upper-bound of the release time of a job with the latest release time among jobs executed in subintervals in SG h (τ k ). The second inequality means, the period of τ k is at most the difference between the upper-bound of the release time of a job with the earliest release time among jobs executed in subintervals in SG h (τ k ) and the lower-bound of the release time of a job with the latest release time among jobs executed in subintervals in SG h (τ k ).
Proof. Since subintervals in different subinterval groups belong to different jobs, J latest (SG h−1 (τ k )) and J earliest (SG h (τ k )) belong to different jobs. Therefore, T k cannot be smaller than the length between the latest release time of J latest (SG h−1 (τ k )) and the earliest release time of J earliest (SG h (τ k )), implying Equation (9). Similarly, T k cannot be larger than the length between the earliest release time of J latest (SG h−1 (τ k )) and the latest release time of J earliest (SG h (τ k )), implying Equation (10).
Task Period Property 4 can upper-bound and lower-bound each task period, based on the information of the release time of the earliest and latest jobs in each subinterval group, which can be obtained by Subinterval Group Property 2.
The following property also narrows down the range of each task period.
Task Period Property 5. Suppose that τ(SI a x ) = τ(SI b y ) = τ k , where either (x < y) or (x = y and a < b) holds, and t start (SI a x ) and t start (SI b y ) are release times of jobs of τ k . Then, the following equality holds.
where n is a natural number.
Proof. Since t start (SI a x ) and t start (SI b y ) are release times of jobs of τ k , the number of jobs whose release times are within [t start (SI a x ), t start (SI b y )) can be a natural number. This proves the property.
This property, once incorporated with Equation (3) in Subinterval Group Property 1 and other properties to be developed later, is powerful because the property discretizes the possible candidates of each task period.  [51, 53). Similarly, T + i = 35 − 25 = 10 is derived from a subinterval group of τ 2 consisting of [27, 29) (whose busy interval starts at t = 25), and another subinterval group of τ 2 consisting of [35, 37) . We summarize the task period inference results for every task in τ in Table 2. If we find a pair of tasks satisfying T + i < T − j (implying T i < T j ) through Task Period Properties 1-4 presented so far, we additionally know the priority ordering of the tasks under RM. Once we use such task priority ordering information, we are able to not only split a subinterval group, but also narrow down the range of the release time of the earliest job in the split subinterval group, recorded in the following property.

Subinterval Group Property 3. Suppose that SI a x and SI
x satisfying τ(SI b x ) = τ k and a < b < c. Then, the following two properties hold. Case 1. If there exists SI b x satisfying a < b < c, τ(SI b x ) = τ j , and T k < T j , then SI c x should be the earliest subinterval of a subinterval group of τ k (denoted by SG h (τ k )) and the following inequality holds: Case 2. If there exists SI b x satisfying a < b < c, τ(SI b x ) = τ j , and T k > T j , then SI b x should be the earliest subinterval of a subinterval group of τ j (denoted by SG g (τ j )) and the following inequality holds: The structure of the above inequalities are similar to that of Subinterval Group Property 1.
Proof. Now we prove Case 1. From T k < T j and τ(SI a x ) = τ(SI c x ) = τ k = τ(SI b x ) = τ j , we know that the job priority executed in SI a x is the same as that in SI c x , which is higher than that in SI b x . Therefore, jobs executed in SI a x and SI c x are different, implying that SI c x should be the earliest subinterval of a subinterval group of τ k . Since the job priority executed in SI c x is higher than that in SI b x , a job executed in SI c x cannot be released earlier than t end (SI b x ). We can prove Case 2 using the same proof technique.
Considering a special case of Subinterval Group Property 3, we can derive an exact release time of the earliest job in a subinterval group, which is useful for Task Period Property 5.
Subinterval Group Property 4. If Case 1 of Subinterval Group Property 3 holds with b = c − 1, then we can find an exact value of a parameter of SG h (τ k ) as follows: x ). (15) Proof. The property immediately holds if we apply Subinterval Group Property 3 with b = c − 1 and b = a + 1.
Now, we explain how all the dynamic properties collaborate with each other. Dependency relationship between dynamic properties. Once Subinterval Group Property 3 separates a subinterval group, both separated groups' parameters (i.e., the range of the release time of the earliest and latest jobs in each group) are determined by Equations (12) and (13) of the property itself and Equations (7) and (8) in Subinterval Group Property 2. This subinterval group separation may allow Task Period Property 4 to further narrow down the range of the task period. This update for the task period may also result in new priority ordering information by finding T + i < T − j relationship, which in turn, yields potential subinterval group separation chance by Subinterval Group Properties 3 and 4 again.
Similarly, once Subinterval Group Property 4 finds an exact release time of a job, Task Period Property 5 has a chance to narrow down the range of a task period, which may find additional T + i < T − j relationship. This, in turn, may yield an update by Subinterval Group Properties 3 and 4 again.

Example 3.
We also continue applying all properties presented so far, to the previous example in Figure 1.
Since Table 2 shows that τ 2 has the shortest period, implying the highest priority. Therefore, Subinterval Group Property 4 provides several exact release time information for τ 2 , which are t = 11 and 51. Together with another release time t = 35 from Subinterval Group Property 1, Task Period Property 5 yields T 2 = 8. Finally, Table 3 presents the final results for task period inference. Now, we know exact task periods of all tasks except τ 3 . However, we know that τ 3 has the lowest priority, and therefore it does not affect any schedule of other tasks. We therefore trace all execution times of all tasks except τ 3 . Then, it is possible to know future release times of jobs of all tasks except τ 3 , and to predict their execution times, based on the distribution of observed actual execution times.

Evaluation
In this section, we evaluate inference performance of the proposed framework for RM. We first describe simulation environments, and then discuss the factors that affect the inference performance.
We consider the following two inputs for task set generation: (a) system use groups (represented by [i]) for i = 0.1, 0.2, · · · , 1.0, each of which represents the system use ∑ τ j ∈τ C j /T j in [i-0.1,i), and (b) the distribution of ratio between C i and T i for five bimodal and five exponential distributions in [21]. For each combination of (a) and (b), we randomly generate 100 task sets based on the task set generation technique in [21,22], yielding 10,000 task sets in total. Here, T i is uniformly selected in [1,1000], and C i is chosen in [1, T i ] based on the distribution in (b); also, we do not include task sets unschedulable by RM through response time analysis [23]. Once T i and C i of each task in a task set is determined, we generate a series of periodic jobs from each task starting from t = 0. In addition, for each task set, we test ten options of the monitoring interval L MI : 1000, 2000, ..., 9000, and 10,000 time units.
We measure the number of feasible choices of each task period inferred by the proposed inference framework. For example, if the framework reveals that the period of the target task is one of 12, 13, 14 and 15, then the number of feasible choices of the task period is four; therefore, if the number of feasible choices for a task is exactly one, it means that the framework succeeds to find the exact value of the task period. We set MAX T to 1000, implying that there are 1000 feasible choices of each task period before we apply the proposed inference framework.
In Figure 2a, we visualize the ratio of exactly inferred task periods (i.e., the ratio of tasks which have a single feasible choice), over increasing L MI with the system use group [0.2]. The x-axis exhibits the monitoring interval L MI (from 1000 to 10,000), and the y-axis represents two values: the number of feasible choices (from 1 to 64) and the ratio of exactly inferred task periods (from 0% to 100%). For example, with L MI = 10,000, the number of feasible choices is 2.72 and the ratio of exactly inferred task periods is 95.3%. This means, with the monitoring interval of 10,000 time units, the number of candidates of the exact period of each task is two or three on average, and we can find the exact period for 95.3% tasks (while cannot find that for 4.7% tasks). In Figure 2b, we visualize the number of feasible choices over increasing the system use. The x-axis means the system zse (from [0.1] to [1.0]), and the y-axis represents the number of feasible choices when L MI is 1000 and 10,000, respectively.  The ratio of exactly inferred task periods increases as the monitoring interval length increases, as shown in Figure 2a. The ratio reaches 90.6% with L MI = 3000, and increases to 95.3% with L MI = 10,000. The results demonstrate that the proposed inference framework successfully finds the exact task period for most tasks with the system use group [0.2]. Focusing on Figure 2b, even under high system use [0.7] which is close to the RM use bound, the ratio is 65.6% with L MI = 10,000. This implies that the proposed inference framework operates effectively even with high system use.
We next derive a guideline to determine the proper length of the monitoring interval L MI . As shown in Figure 2a, as L MI linearly increases, the average number of feasible choices of each task period exponentially decreases with the system use group [0.2]. In particular, the number nearly converges after L MI = 10,000 (2.81, 2.75 and 2.72 for L MI = 8000, 9000 and 10,000, respectively), implying that an interval of 8000 time units is a sufficiently large length of the monitoring interval. Based on a pair of the average number of feasible choices and the ratio of exactly inferred task periods (e.g., 2.27 and 95.3%, respectively), we conclude that the proposed framework does not effectively narrow down the number of feasible choices for a limited number of tasks (e.g., 4.7%) while it successfully reveals the exact period for most tasks (e.g., 95.3%).
We then present the inference performance of RM with ten system use groups from [0.1] to [1.0] and two monitoring interval length L MI 1000 and 10,000. As seen in Figure 2b, the proposed framework shows high accuracy for lower system use, but it decreases as the system use increases, which holds for both L MI = 1000 and 10,000. This is because high system use entails fewer idle intervals; since many properties in the proposed framework use the characteristics of idle intervals, such conditions yield fewer clues to narrow down the number of feasible choices of each task period.
In summary, the simulation results discover the following. First, the proposed framework infers task parameters with reasonable tightness for RM. Second, the inference performance increases, as the system use decreases or the length of the monitoring interval increases. One may argue that the proposed framework exhibits excellent performance with low task set use (e.g., 95.3% ratio of exactly inferred task periods with the system use group [0.2]), but unfavorable performance with high task set use (e.g., 65.6% ratio of exactly inferred task periods with the system use group [0.7]). After revealing several task periods, we may try other techniques (to be developed) to infer the unrevealed task periods. Therefore, it is important to reveal some task periods, even though the other task periods are not identified. It remains open how to incorporate other properties to improve the ratio with high system use and how to automatically adapt the monitoring interval for given target ratio.

Towards Other Scheduling Algorithms
We would like to emphasize that the proposed framework can be applied to any other scheduling algorithm because all properties except Subinterval Group Properties 3 and 4 are applicable to any work-conserving scheduling algorithm. To improve the inference performance for the target (work-conserving) scheduling algorithm, it is preferable to develop algorithm-specific properties as this paper developed Subinterval Group Properties 3 and 4 for RM. In this section, we develop algorithm-specific properties for another popular scheduling algorithm EDF (Earliest Deadline First) [18]. Since T i < T j does not imply the task priority ordering under EDF, it is challenging to develop EDF-specific properties. Now, we first present a property similar to one of RM-specific properties (i.e., Subinterval Group Properties 3 and 4). We then present how to apply our inference framework with the property, and finally we show the inference performance for EDF.
For EDF, we propose the following property.
Subinterval Group Property 5. Suppose that SI a x and SI c x (where a < c) satisfy (i) τ(SI a x ) = τ(SI c x ) = τ k , and (ii) there is no subinterval SI b x satisfying τ(SI b x ) = τ k and a < b < c. Then, the following two properties hold. Case 1. If there exists SI b x satisfying a < b < c, τ(SI b x ) = τ j , and T k < T j , then SI c x should be the earliest subinterval of a subinterval group of τ k . Case 2. If there exists SI b x satisfying a < b < c, τ(SI b x ) = τ j , and T k > T j , then SI b x should be the earliest subinterval of a subinterval group of τ j .
Proof. Now we prove Case 1. From T k < T j and τ(SI a x ) = τ(SI c x ) = τ k = τ(SI b x ) = τ j , we consider two cases depending on relationship between absolute deadlines of SI a x and SI b x . If the absolute deadline of a job executed in SI a x is earlier, SI a x and SI c x should be the latest and earliest subintervals within different subinterval groups of τ k . Otherwise, considering T k < T j , the release time of the job executed in SI b x should be earlier than that in SI a x . Then, due to job priorities depending on absolute deadlines, SI a x cannot be placed earlier than SI b x , which contradicts a < b. Therefore, Case 1 holds. We can prove Case 2 using the same proof technique.
Please note that the above property, although simpler than Subinterval Group Property 3 for RM, is derived using characteristics of EDF, and therefore the proof is different from RM. Different from Subinterval Group Property 3, the first inequalities in Equations (12) and (13) do not hold under EDF. This is because, while RM guarantees that the priority of a job executed in SI b x is higher than that in SI c x in Case 1, the same cannot hold under EDF due to job-level (rather than task-level) priority assignment. Because of the same reason, Subinterval Group Property 4 cannot hold under EDF. Then, we can apply our inference framework proposed in Section 3 (i.e., Step 1 to Step 5 ) to EDF, by applying Subinterval Group Property 5 as dynamic properties in Step 4 instead of Subinterval Group Properties 3 and 4 for RM. Figure 3 demonstrates the inference performance of EDF, which corresponds to Figure 2b, where task set generation and all other settings are the same as the ones described in Section 6.  As shown in Figure 3 (and Figure 2b), the inference performance of EDF exhibits similar trend to that of RM. However, RM is easier to infer task parameters than EDF, especially with high system use. For example, in system use group [1.0] and L MI of 1000, the average number of feasible choices of each task period inferred under RM is smaller than that under EDF (308/247 = 1.25). Similar to RM, our inference framework for EDF effectively finds the exact period when the system use is low and exhibits reasonable inference performance when the system use is high.
In summary, we show how to develop algorithm-specific properties of EDF, and demonstrate that our proposed inference framework for EDF also operates effectively . Please note that it deserves another full paper to develop algorithm-specific properties of other complex scheduling algorithms.

Related Work
As real-time systems become connected to infrastructure, security issues in real-time systems have attracted attention; therefore, several recent studies tried to address security issues of real-time systems-how to attack and defend security vulnerability for periodic real-time tasks, which is the basic real-time task model. We may classify such studies into two categories: (i) adding additional security protection mechanisms without changing the prioritization policy, and (ii) randomizing schedules by changing the prioritization. For both categories, the main difficulty is how to achieve timing guarantees in the presence of additional/new mechanisms, which is the primary goal of real-time systems.
The papers belonging to the first category add a mechanism of flushing information remaining in computing resources, or integrate additional (periodic) security tasks [9,19,[24][25][26]. Mohan et al. [19] focused on fixed priority scheduling (such as RM) on a uniprocessor platform, and proposed how to modify the original scheduling algorithm to accommodate the flushing mechanism, which prevents other tasks from eavesdropping information in computing resources owned by critical tasks. Based on [19], Pellizzoni et al. [9] explored tradeoffs between security requirements (achieved by the flushing mechanism) and real-time guarantees. Then, the studies for the flushing mechanism were extended towards considering preemption overheads [26] and mixed-criticality systems [25]. On the other hand, Hasan et al. [24] developed how to integrate additional (periodic) security tasks without compromising timing guarantees.
The papers in the second category [7,8] are different from those in the first one in that they tried to avoid security attacks by randomizing schedules, meaning the prioritization change. TaskShuffler [8] proposed how to randomize schedules under fixed priority scheduling (such as RM). To this end, the paper introduces the worst-case maximum inversion budget for each task, and arbitrarily delays high-priority tasks' execution within their budget; the delay within the budget guarantees not to compromise timing guarantees of high-priority tasks. Similar to TaskShuffler [8], Kruger et al. proposed another schedule randomization technique without compromising timing guarantees.
This paper is different from the papers in the two categories as follows. Most (if not all) security attacks that the existing papers for the periodic task model aim at avoiding are based on knowledge of task parameters such as the task period, the worst-case execution time and the task release time. However, the information of task parameters is not necessarily open to the public. Therefore, different from general-purpose systems, the initial point of security attacks for real-time systems is to know task parameters, and this paper satisfies the following curiosities. First, is it possible to infer task parameters? Second, if possible, how can we infer task parameters? Since this paper successfully answered the two questions, it can be followed to conduct research that infers the task parameters more effectively and avoids the task parameter inference techniques revealed by this paper and following papers, which is a main contribution of this paper.

Conclusions and Discussion
In this paper, we developed a framework that infers task parameters from restricted information. Despite difficulties due to lack of knowledge of job release times, task/job priority ordering, and distribution of actual execution times, we showed that the framework can effectively narrow down the feasible range of task parameters. To this end, we developed static properties that can be used for any work-conserving scheduling algorithm; we then developed dynamic properties tailored to RM. Finally, we showed how to apply the inference framework to other scheduling algorithms, e.g., EDF. As long as we develop algorithm-specific properties, we can use the proposed inference framework effectively for the corresponding algorithm.
In the future, we would like to extend this paper in two directions. First, we need to consider more general task and resource models than the periodic task model and a uniprocessor platform. As of now, some properties can be used for the sporadic task model, but others cannot. We need to tailor the properties by considering sporadic releases. When it comes to resource models, we may consider more general resources than uniprocessors such as the periodic resource model and a multiprocessor platform; the technique developed for a uniprocessor platform in this paper can be a basis for those resources. Second, we would like to extend this framework to other scheduling algorithms and improve the tightness of inference results, by developing new properties tailored to other target scheduling algorithms. As we explained in Section 7, it deserves another full paper to address the second direction for each target scheduling algorithm.