Chronos: Efficient Time-Based Detection and Response for Safety-Critical Real-Time Embedded Systems
This paper presents Chronos, a lightweight kernel extension that enhances real-time embedded systems with endpoint detection and response (EDR) capabilities. Chronos employs timing-based detection mechanisms to identify abnormal task behavior and enforces memory separation through the Memory Protection Unit (MPU) to isolate EDR and kernel code from untrusted application code. It dynamically adapts to system load, reducing the frequency of security checks during high utilization to maintain responsiveness, and increasing it during low utilization to enhance security coverage.
To detect reconnaissance and tampering attempts, Chronos instruments OS kernel APIs, blocking unauthorized modifications to security-critical code and data structures. When a security event is detected, forensic data is transmitted to a remote server for real-time threat analysis.
Chronos is implemented as an extension to FreeRTOS and evaluated on a system that simulates UAV operations. Performance was measured using the CoreMark benchmark. In the null policy configuration, Chronos incurred a runtime overhead of 0.25% and a 43.6% increase in code size. Under the most aggressive security policy, runtime overhead was 0.86% and code size increase was 45.1%. In both cases, 90% of the total code size increase was introduced by the networking library. These results demonstrate that Chronos is lightweight and suitable for resource-constrained real-time systems.
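As an added illustration (not code from the thesis or from Chronos), the following C sketch shows the two mechanisms the abstract names: per-task timing profiles checked for execution-budget overruns and release drift, and a security-check interval that grows with CPU utilization and shrinks when the system is idle. The tick units, the quarter-period drift tolerance and the 30%/80% utilization thresholds are assumptions chosen for the example.

```c
#include <stdbool.h>
#include <stdint.h>

#define MAX_TASKS    8
#define MIN_INTERVAL 100u   /* ticks between sweeps when mostly idle (assumed) */
#define MAX_INTERVAL 1000u  /* ticks between sweeps under heavy load (assumed) */

typedef struct {
    uint32_t period;        /* expected release period, in ticks */
    uint32_t budget;        /* execution-time budget per activation, in ticks */
    uint32_t last_release;  /* tick of the previous observed release */
    bool     seen;          /* false until the first activation is reported */
    uint32_t violations;    /* timing anomalies counted for this task */
} task_profile_t;

typedef struct {
    task_profile_t tasks[MAX_TASKS];
    uint32_t count;
    uint32_t check_interval; /* ticks between EDR sweeps; adapted to load */
} monitor_t;

void monitor_init(monitor_t *m) { m->count = 0; m->check_interval = MIN_INTERVAL; }

/* Register a task's expected timing profile; returns its id, or -1 if full. */
int monitor_register(monitor_t *m, uint32_t period, uint32_t budget) {
    if (m->count >= MAX_TASKS) return -1;
    task_profile_t *t = &m->tasks[m->count];
    t->period = period; t->budget = budget; t->last_release = 0;
    t->seen = false; t->violations = 0;
    return (int)m->count++;
}

/* Report one activation: flag a budget overrun or a release drifting > 1/4 period. */
bool monitor_report(monitor_t *m, int id, uint32_t release, uint32_t exec) {
    task_profile_t *t = &m->tasks[id];
    bool anomalous = exec > t->budget;
    if (t->seen) {
        uint32_t gap = release - t->last_release;
        uint32_t drift = gap > t->period ? gap - t->period : t->period - gap;
        if (drift > t->period / 4) anomalous = true;
    }
    t->seen = true; t->last_release = release;
    if (anomalous) t->violations++;
    return anomalous;
}

/* Adapt sweep interval to utilization (%): sparse when busy, dense when idle. */
uint32_t monitor_adapt(monitor_t *m, uint32_t util) {
    if (util >= 80)      m->check_interval = MAX_INTERVAL;
    else if (util <= 30) m->check_interval = MIN_INTERVAL;
    else m->check_interval = MIN_INTERVAL + (MAX_INTERVAL - MIN_INTERVAL) * (util - 30) / 50;
    return m->check_interval;
}
```

In a real deployment the profile table and the monitor itself would live in the MPU-protected region the abstract describes, so that application code cannot rewrite the budgets it is measured against.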
History
Date
- 2025-04-29
Degree Type
- Master's Thesis
Thesis Department
- Information Networking Institute
Degree Name
- Master of Science (MS)