Partitioned Real-Time Scheduling for Preventing Information Leakage

Recent real-time systems have been gradually connected externally through the Internet. As each subsystem constituting a system has been developed from different vendors, the number of cases of security vulnerabilities in communication between subsystems has increased. In particular, real-time systems are vulnerable to timing inference attacks, such as cache-based side-channel attacks. Among the various methods for handling security problems of these systems, the flush task (FT) method is a simple and effective method to reduce the probability of information leakage by conditionally initializing the state of resources shared by tasks before a given scheduling. However, existing FT methods are for global scheduling only, and techniques for partitioned scheduling have not yet been studied. In this paper, we propose an FT-aware bin-packing (FT-bin-packing) algorithm that effectively allocates real-time tasks to identical multiprocessors to reduce the number of FTs invoked during the schedule of tasks in each processor. Based on the experimental results, we analyze the properties and performance of the FT-bin-packing algorithm. These results indicate that it can improve the performance of existing heuristic algorithms by up to 96.8% depending on the experimental setting.


I. INTRODUCTION
A system that is both functionally and temporally accurate is called a real-time system [1]. For example, an autonomous vehicle repeats three operations: recognition, judgment, and action. Currently, recognition is made using LiDAR, radar, camera, etc., judgment is made using an internal computing system, and action is performed using a motor [2]. These tasks are repeated with a cycle. If each task does not operate within a predefined time, called the deadline, it causes significant human and material damage. Complying with this deadline is called a real-time requirement, and meeting realtime requirements is a crucial concern in developing a realtime system. To satisfy real-time requirements in different fields, the real-time system community has been investigating how to allocate computing resources to real-time tasks and whether each task can complete execution within a deadline. The former method is called a real-time scheduling algorithm, and the latter one is called real-time analysis [3]- [5].
The associate editor coordinating the review of this manuscript and approving it for publication was Muhammad Ali Babar . A sporadic task model has been widely used as a basic model to represent the iterative execution of real-time systems. A sporadic real-time task is expressed in terms of its minimum arrival time (i.e., period), the worst-case execution time, and a deadline. A sporadic task is represented by an infinite sequence of task instances called jobs, with a time constraint of a minimum arrival time interval. Under the constraint of the minimum arrival time interval following the Liu and Layland model [1], two different jobs must be separated by at least one period. When a job arrives, a task must finish executing within its absolute deadline. Three paradigms are widely used for scheduling real-time tasks on multiprocessor platforms: partitioned, global, and semi-partitioned. A comprehensive survey of multiprocessor scheduling for real-time systems can be found in [6].
In this study, we consider partitioned scheduling wherein real-time tasks are assigned to identical processors and migration between processors is prohibited [7]. In addition, all tasks are executed with a fixed priority on the processor to which a task is assigned. Unlike global scheduling wherein migration between processors is allowed, partitioned scheduling has the following advantages. If one task overruns, it affects only the other tasks of the processor to which the task belongs. Because each task is executed only on a single processor, no penalty is applied in terms of migration. For example, if a task is preempted and executed in another processor, the task's state information and register values (called context) must be set again in the other processor. Hence, communication costs may be incurred, and additional costs, such as cache misses, are required. Partitioned scheduling is simpler in terms of communication than when each processor uses an independent ready queue and when multiple processors use a common queue. In addition, after tasks are assigned to a processor, an advantage is observed in that matured uniprocessor scheduling and analysis techniques can be used.
While many previous studies on real-time systems have focused on real-time requirements, recent studies have handled security issues that can only occur in real-time systems [10]- [12], [15], [16], [21]. This is because, compared to general-purpose systems, a traditional real-time system is recognized as being free from security attacks because it uses a specific network protocol in a limited space where the external connection is blocked. However, recent real-time systems have been gradually connected externally through the Internet. Further, as each subsystem constituting the system has been developed from a different vendor, the number of security vulnerabilities in the communication between subsystems has increased. Thus, information leakage problem has become critical in modern real-time systems because subsystems developed by different vendors share common computing resources. A security attacker can use sensitive information, such as a private key in these shared computing resources, and infers the location of sensitive information through security attacks, such as a side-channel attack.
Among the various methods used to address security problems of such a real-time system, the flush task (FT) method is a simple and effective method to reduce the probability of information leakage by conditionally initializing the state of resources shared by tasks before a given scheduling [13], [16], [21]. This security mechanism inevitably causes additional time overhead. Thus, the scheduling algorithm and schedulability analysis should be designed with this factor being considered. To address this issue, many studies have been conducted on global scheduling. For the first time, a scheduling incorporating the FT mechanism into a fixedpriority (FP) non-preemptive scheduling was proposed [21]. A real-time analysis technique that analyzes whether each task can finish execution within a deadline when tasks are scheduled via this scheduling has also been proposed. The key technique of this method is to find the upper-bound value of FTs that may exist in the interval of interest and to include this in the schedulability analysis. This method was extended to preemptive scheduling in the following work and extended to an exact analysis with a slightly higher computation overhead [15]. In addition, these methods are based on an assumption that computing resources are infinite [16]. In [8], a finite resource was assumed, and a resource-locking protocol considering the critical section problem was proposed. However, these techniques are used for global scheduling, and techniques for partitioned scheduling have not yet been studied. Because a number of real-time systems are implemented with partitioned scheduling, and it is important for these systems to consider their security in that security threats of real-time systems can cause tremendous human and economic loss.
In this study, we aim to develop a new scheduling framework that incorporates a security constraint into existing partitioned scheduling frameworks to address security vulnerabilities caused by the fixed scheduling pattern. Thus, we propose a flush-task-aware bin-packing (hereinafter called FT-bin-packing) algorithm that effectively allocates real-time tasks to identical multiprocessors to reduce the number of FTs invoked during the schedule of tasks in each processor. FT-bin-packing uses a new notion of the security relation graph that visualizes the security relation of real-time tasks associated with a noleak table [16]. Based on the security relation graph, the FT-bin-packing exploits a new task index (used for the task assignment algorithm) re-ordering method to reduce the number of FTs to the extent possible, known as security-relation-aware sorting (SR-SORT). Then, FT-bin-packing is incorporated into the existing bin-packing algorithms [7]. The main idea behind FT-bin-packing algorithm is to split the given tasks into multiple groups so that the number of FTs invoked during scheduling in each group can be reduced. To this ends, the given tasks need to be reordered (via SR-SORT) so that consecutive tasks have no security relation according to the associated noleak table. The security relation graph provides better information with nodes and edges associated with the tasks for the reordering than the noleak table. Then, FT-bin-packing algorithm effectively conducts task partitioning based on SR-SORT and the security relation graph. Thereafter, we apply the response time analysis (RTA) [17] that upper bounds the worst-case number of the FTs to guarantee schedulability of a given system. Based on the experimental results, we analyze the properties and performance of the FT-bin-packing algorithm. We found that it can improve the performance of existing heuristic algorithms by up to 96.8% depending on the experimental setting.
In summary, this paper makes the following contributions: • It proposes a new notion of a security relation graph that visualizes the security relation of the real-time tasks.
• It also proposes a new task-index re-ordering method called SR-SORT.
• A new flush-task-aware bin-packing algorithm, referred to as the FT-bin-packing algorithm, is proposed.
• Extensible experiments are conducted to analyze the properties and performance of the FT-bin-packing algorithm and demonstrate that it improves the performance of existing heuristic algorithms by up to 96.8%.

II. ADVERSARY AND SYSTEM MODEL
In this section, we first present our system model and then our adversary model including attackers' capabilities and their attack scenarios.

A. SYSTEM MODEL
We consider the Liu and Layland task model [1], [18] in which a set of tasks τ has n sporadic tasks τ 1 , · · · , τ n . Each task τ i (1 ≤ i ≤ n) has three parameters, the minimum inter-arrival time T i , relative deadline D i , and the worstcase execution time C i . This indicates that a task τ i invokes its instance(called job) infinitely, and each instance should complete its C i amount of execution before D i time units elapse as a real-time constraint. In addition, the release times of two consecutive jobs are at least T i apart. We consider a constrained deadline D i ≤ T i and assume that τ i is scheduled by a given partitioned, non-preemptive, work-conserving scheduling algorithm on identical multiprocessors. That is, each job cannot migrate from one core to another after it is allocated to a processor, each job cannot be preempted by any job after it starts its execution, and each processor is always kept busy provided that an unfinished ready job is available. We consider FP scheduling, which assigns priority to a task rather than a job. This indicates that all jobs released from a higher-priority task equally have higher priorities than those from a lower-priority task. We let lp(k) and hp(k) be a set of tasks whose priorities are lower and higher than τ k , respectively. Without loss of generality, we assume quantumbased scheduling, meaning that one value of each parameter indicates a single quantum. We also assume that a smaller index i of task τ i is a higher priority for FP scheduling. J i and J i,q denote an arbitrary job and the q-th job for task τ i , respectively. Let r i and f i be the release and finish times of a given job J i . Then, d i = r i +D i is the absolute deadline of J i , which means that J i should finish its execution before d i as a real-time constraint. Job J i is said to be schedulable when it satisfies the real-time constraint (i.e., f i ≤ d i ). Also,a task τ i is schedulable when every instance (i.e., job) is schedulable, and a task set τ is said to be schedulable when all tasks of τ are schedulable. Considering the interval between a release time r i and the finish time f i of every job of τ i , the response time R i of a task τ i is defined as the longest interval between them. By the definition of R i , if R i ≤ D i holds, then a task set τ is schedulable.
Based on the system model, we define our target problem as follows.
Definition 1 (Problem): Real-time and security constraints should be satisfied under a given partitioned, non-preemptive, work-conserving scheduling algorithm on identical multiprocessors.
Definition 2 (Real-Time Constraint): Every job instance J i of a task τ i should finish its execution before its deadline d i .
Definition 3 (Security Constraint): A timing penalty should be spent between two job executions to cleanse the state of shared resource if it is specified by noleak table.

B. ADVERSARY MODEL
We assume that attackers are aware of the exact parameters of the target task for their security attacks, similar to the general assumptions of existing studies [14], [21], [24]. This assumption stems from the fact that, because the most important functions of a real-time system operate periodically, their behavior can be inferred from long-term observations. In addition, attackers are familiar with the details of the system before performing the attack. An example of many timing inference attacks is a cache-based side-channel attack that exploits the fixed schedule of a real-time system [25], [26]. Under these circumstances, the cache set is associated with the main memory, and the attacker task τ A hijacked by the attacker runs in parallel with the victim task τ B . Here, the victim task continuously accesses sensitive information, such as the private key stored in the main memory, and while accessing, the corresponding information is stored in the associated cache. The attacker can repeat the following operation to infer the location of the private key.
τ A populates some (or all) cache sets with its own data before τ B performs its execution (called PRIME operation). After τ A yields (or completes) execution, it waits for a certain amount of time while τ B executes. Then, τ A conducts the PRIME operation again and measures how long it takes to load data for each cache set. If τ B accesses some cache set during its operation, the cache set is replaced with data from τ B . If so, τ A observes access times that are greater (due to cache misses) than the access times of other cache sets that cause cache hits. τ A iteratively collects this timing information and infers the location of the private key in main memory.
We aim to reduce the probability of success of such a timing inference attack by selectively initializing the state of a shared resource by referring to the noleak table associated with given real-time tasks. FT-bin-packing utilizing a new schedulability analysis called FT-RTA, partitions tasks into the given processors and then tasks in each processor are scheduled by any existing FP scheduler. Because such the partitioning and analysis are conducted offline in a algorithmic and mathematical way, FT-bin-packing does not cause an additional security vulnerability, other than that the FT scheduling can induce.

III. FT-BIN-PACKING ALGORITHM
In this section, we first introduce notions of the flush task and noleak models. Then, we propose a new task-partitioning algorithm that considers the security constraints.

A. FLUSH TASK WITH NOLEAK MODEL
Among several techniques to prevent information leakage in a real-time system using shared resources, the flush task technique has been widely studied due to the advantage of its simplicity in implementation. The high-level idea of the flush task technique is to initialize the state of the shared resource whenever there is a possibility of information leakage to prevent information from being observed by an attacker.
For instance, when one task finishes its work and successive tasks have a chance to see recently used information remaining in cache or DRAM, both cache and DRAM information can be initialized. An antenna controller software (ACSW) [19], [20] embedded in reconnaissance aerial vehicles can be an example to illustrate the notion of FT. ACSW periodically receives a micro command from a ground station, and the received commands are stored command queue. Then the command is also periodically retrieved to be used to perform the corresponding mission. Here, the information related to the command is very sensitive, and it should be protected from various security attacks. Therefore, the resource shared by relevant tasks should be conditionally flushed when it is necessary. The execution of such a flush task necessarily incurs a temporal overhead, and in a real-time system that considers the flush task, its scheduling algorithm and schedulability analysis must take this into account. Then, when several tasks are executed continuously by a given scheduler, the conditions under which the FT should be executed should be specified at the system design level. Security level and noleak models are the most widely used methods. As the latter is a more general model, this study considers the latter model. Table 1 presents an example of noleak relations associated with five tasks. In Table 1, ''T'' indicates that the information leakage from the task in the corresponding row to the task in the corresponding column should be prevented, and ''F'' indicates the opposite one. For example, an FT should be invoked between the end of τ 3 's execution and the start of τ 5 's execution, according to Table 1.

B. FT-BIN-PACKING ALGORITHM
As our proposed partitioning algorithm is derived from an existing bin-packing algorithm, we first recapitulate the existing algorithm. Then, we present our new heuristic partitioning algorithm that improves the performance of an existing algorithm by recognizing the security relation of given tasks.
The bin-packing algorithm attempts to solve the problem of packing multiple given objects into given bins [7]. In the most basic version, the size of each largest object was at most 1, and the size of each bin was 1. A bin can be filled until the sum of the size(or weight) of objects in the bin is 1 at the maximum. Objects cannot be split and must be allocated according to their size. Previous studies have already demonstrated that packing objects to given bins (called the bin-packing problem) is NP-complete. Therefore, many heuristic algorithms have been proposed to address this Algorithm 1 FT-FFD Algorithm 1: Input: a set τ = {τ 1 , . . . , τ n } of n tasks, a set P = {P 1 , . . . , P m } of processors 2: Each task index i of τ is newly assigned from 1 to n according to the descending order of U i . 3: τ = SR-SORT(τ ) 4: i ← 1; j ← 1 5: while i ≤ n do 6: while j ≤ m do 7: if FT-RTA(P j τ i ) = Success then 8: Step 5 10: else if j = m then 11: return Fail 12: end if 13: end while 14: end while 15: return Success problem. The first fit decreasing (FFD) algorithm is one of the simplest algorithms for addressing the bin-packing problem. In FFD, objects are first sorted based on size, and each bin has a certain order. Then, after checking whether the first to last bins can accommodate a given object, the object is packed in the first bin that can accept the object. In case of the problem of allocating real-time tasks into multiple processors, we exploit the bin-packing problem by changing the bins and objects to processors and tasks.
Algorithm 1 includes the FFD algorithm for the task allocation problem. Except for Line 3 from Algorithm 1, it is the same as FFD. FFD considers a set of tasks τ = {τ 1 , . . . , τ n }. Then, for a given task τ i (considered from τ 1 to τ n ), each processor from P 1 to P m is examined sequentially to verify whether τ i can be allocated to the considered processor without a deadline miss according to a given schedulability analysis (Lines 4-7). Meanwhile, Algorithm 1 uses the flush-task aware response-time analysis (FT-RTA), which is capable of upper bounding the number of FTs invoked during execution of task scheduling and incorporate it into the schedulability judgment. In the procedure, τ i is allocated to the first processor, wherein the included tasks (scheduled by the given scheduling algorithm) make any deadline miss according to the given schedulability analysis (Lines 8-9). If any task cannot be allocated to all processors, then the task set τ is deemed not schedulable by the given scheduling algorithm.
A number of other heuristic algorithms exist for task allocation, among which are the best fit decreasing (BFD) and worst fit decreasing (WFD). Similar to FFD, BFD and WFD sort tasks first, in order of highest utilization. When assigning each task to the processor, the considered task is first assigned to the processor with the smallest (i.e., BFD) or largest (i.e., WFD) available (i.e., not assigned to tasks) utilization in the processor, rather than considering the processors in Algorithm 2 SR-SORT Algorithm end if 8: while j ≤ n do 9: while k ≤ n do 10: if noleak(τ, τ j , τ k ) = F and τ k / ∈ τ temp then 11: τ temp = τ temp τ k 12: end if 15: end while 16: end while 17: end while 18: Each task index i of τ temp is newly assigned from 1 to n according to the inserted order. 19: return τ temp turn. Because the algorithms have a form similar to that of Algorithm 1, the explanation was not provided.
We present our proposed FT-bin-packing algorithm that utilizes a new notion of the security relation graph described in Figure 1. The underlying idea of FT-bin-packing is to re-assign the index of given tasks so that the noleak relation of any consecutive (in terms of task index) tasks is ''F'' by utilizing the security relation graph. This concept is based on the fact that the number of FTs invoked in the given interval is proportional to the number of jobs executed in the interval and their noleak relation considered at every iteration of FT-RTA; this is detailed in Section IV-B. The security relation graph for a given task set associated with the corresponding noleak table is constructed as follows: A pair of nodes (called from node from i and to node to i ) for each task τ i are created, and an directed edge is created from from i to to j if noleak relation from from i to to j is ''T''. Figure 1 presents a security relation graph associated with the noleak relation in Table 1. As shown in Figure 1, five from and to nodes are created, and an edge between from i to to j is created if the corresponding noleak relation is ''T''. Then, the FT-FFD (FT-bin-packing based on FFD) algorithm conducts a task assignment following the steps in Algorithm 1. Before FT-FFD executes steps of FFD (Lines 4-15), it re-orders (i.e., re-assigns) the task indexes of tasks by using the SR-SORT algorithm (Line 3) presented in Algorithm 2. The SR-SORT algorithm first sets i to 1 and τ temp to zero (Line 1). Then, it considers each task τ i sequentially (i.e., from i == 1 to i == n), and τ i moves to τ temp if it is not an element of τ temp (Lines 2-6). Thereafter, for a task τ j (after τ j = τ i is conducted in Line 3), each task τ k is considered (Lines 8-9), and then τ k moves to τ temp if noleak(τ, τ j , τ k ) = F (i.e., the noleak relation from τ j to τ k is ''F'') and τ k / ∈ τ temp hold (Lines [10][11][12][13][14]. Here, τ j becomes τ k if τ k moves to τ temp during the above iteration (Line 13). Each task index i of τ temp is newly assigned from 1 to n according to the inserted order after all iterations (Line 18), and then return τ temp (Line 19). τ temp will be used instead of τ (Line 3 in Algorithm 1), to conduct the remaining steps (i.e., Lines 4-15 in Algorithm 1) of the FT-FFD algorithm.

IV. SCHEDULABILITY ANALYSIS
As presented in the previous section, our proposed partitioning framework utilizes FT-RTA for the uniprocessor to judge the schedulability of the given tasks (in Line 7 of Algorithm 1). This section describes the procedure of FT-RTA, including the method for bounding the number of FT tasks invoked during job execution.

A. SCHEDULABILITY ANALYSIS
FT-RTA attempts to find the worst-case response time R k of a given task τ k associated with FTs and to verify whether it holds R k ≤ D k . If it holds, then every job of τ k is guaranteed to finish its execution without a deadline miss.
Unlike preemptive scheduling, it should consider so-called ''self-pushing phenomenon'' that occurs because execution of higher-priority jobs released during non-preemptive execution of a previous job of τ k are delayed, thereby inducing a higher interference to current job of of τ k . This implies that the worst-case response time of τ k cannot be derived by investigating only the first job in the critical instance [17], but multiple jobs should be examined until the execution of tasks with a priority higher than or equal to τ k 's priority is finished. FT-RTA exploits the existing schedulability analysis considering the self-pushing phenomenon proposed in [39], and then incorporates the method to upper-bound the number of FTs that can be invoked during the execution of involved jobs into the analysis.
To this ends, FT-RTA first computes level-k active period, defined as follows.
Definition 4 (Level-k Active Period [39]): A level-k active period is an interval [a, b) such that a processor is busy due to remaining execution of jobs of tasks whose priority is higher than or equal to τ k , and the processor is not in the situation in a and b.
Then, level-k active period can be derived by the following where B k is the maximum blocking time that can result from a lower-priority task calculated by and I i is the number of jobs calculated by and FT k (I (x−1) i |τ i ∈ hp(k), 1) is the maximum number of FTs invoked during the execution of a job of τ k in (x−1) k , which is detailed in the next section. Let k be the smallest value for which Then, R i is derived by calculating the response times of all jobs J k,q , with q ∈ [1, Q i ], where Q i is computed by Then, the start time s k,q of a generic job J k,q can be computed considering the blocking time B k , the execution times of (q−1) prior jobs of τ k , interference from higher-priority jobs, and the upper-bounded number of FTs invoked between their executions. The following derives s k,q when s where I (y−1) i is the number of jobs calculated by and FT k (I (y−1) i |τ i ∈ hp(k), q) is the maximum number of FTs invoked during the execution of q jobs of τ k in s (y−1) k,q Once s k,q is derived, the finish time f k,q for J k,q is directly calculated by f k,q = s k,q + C k .
Also, R k for τ k can be calculated by Finally, the given task set is sufficiently schedulable if  Table 2.

B. FT BOUNDS
In the previous section, as the underlying concept of FT-RTA, we examined how it judges the schedulability of τ k through iteration. As the last part of FT-RTA, we examine in this section how to upper-bound the number of flush tasks that can occur while the job of τ k finishes executing. Through some observations, we can replace this problem with the wellknown max-flow problem [9] and present a solution.
Recall that an FT is invoked between two tasks τ a and τ b , and the noleak relation from τ a to τ b is ''T''. This reasoning implies that the number of FTs invoked during the execution τ k in an interval is determined by the (i) the number of job invocations, (ii) execution sequence and (iii) noleak relations associated with the given noleak table. To address the problem considering (i), (ii), and (iii) simultaneously, we transform our problem to a well-known max-flow problem by exploiting a notion of the noleak graph. Noleak graph consists of (i) pairs of nodes and few edges (connected between nodes) associated with (ii) and (iii). The nodes and edges of noleak graph corresponding to FT k (I i ), respectively) are created. N 2. q (or a single) send node(s) (denoted by send k,1 , send k,2 , . . . , send k,q , respectively) and q (or a single) receive nodes (denoted by recv k,1 , recv k,2 , . . . , recv k,q , respectively) are created. Then, the followings specify the constraints of directed and FT edges of a noleak graph. E1. A directed edge from an arbitrary send node send a to an arbitrary send node recv b is created if noleak relation from τ a to τ b is ''T''. VOLUME 10, 2022 E2. A send node send a has at most one FT edge. E3. A receive node recv b has at most one FT edge. We now show that noleak graph corresponding to q)) constructed by the above rules can upper-bound the number of FTs invoked between a blocking job (whose execution is upper-bounded by B k ), I Proof: Assume that there is a valid job sequence under which λ FTs are invoked. We classify jobs in the valid job sequence into the three groups; the first job J f ∈ lp(k) if any, the last job J l , and middle jobs that are the remaining jobs except the first and last jobs. Note that J f does not exist if τ k is the lowest priority task. By N 1 and N 2, a send and a recv node of every job except J f in the valid job sequence are created.
We first consider the following four cases: i) An FT is invoked between J f and the first job J a of middle jobs if noleak relation from τ f to τ a is ''T''. Note that noleak graph does not consider the first job J f and its associated FT, there is no action in noleak graph.
ii) Then, a single FT is invoked between any consecutive two jobs, J a and J b , in middle jobs only when noleak relation from τ a to τ b is ''T''. By E1, a directed edge from send a to recv b is created for every J a that satisfies noleak relation from τ a to τ b is ''T''. By the mechanism of FT invocation, if an FT is invoked between J a and J b (i.e, J a , an FT, and J b are executed consecutively), then another FT is cannot be invoked between J a and J b . Such the constraint is realized by E2 and E3.
iii) For the last job J l , an FT is invoked between the last job J b of middle jobs and J l if noleak relation from τ b to τ l is ''T''. iv) We do not consider an FT after J l , but an FT edge from send l to a certain node recv a is created. This case can happen because noleak graph does not recognize the job sequence of middle and last jobs in a valid job sequence, and thus a send node send l is created.
For i), F does not increase even if an FT is invoked because noleak graph does not consider the first job J f and its associated FT. For ii), F increases by one whenever an FT is invoked. For iii), F also increases by one if an FT is invoked. For iv), F can increase even if an FT after J l is ignored. ii) and iii) occur always while i) and iv) occur selectively. Considering all cases, λ ≤ F + 1 holds; λ ≤ F + 1 happens ii), iii), and iv) occur while i) does not.
Therefore, the lemma hold.   Based on the construction rule and the associated constraints, FT k (L) derives the upper-bounded number of FTs in an interval of length L (as incorporated in Equations (1) and (5), respectively)) as described in Figure 2. Figure 2 presents an example of noleak graph corresponding to Table 2. The dotted lines in Figure 2 represent directed edges, and solid lines means FT edges. Also, a circle drawn with a solid line is a send node, and that with a dotted line is a receive node. Finally, the number in each circle is task index. Figure 2 implies that τ 1 , τ 2 , and τ 3 each invokes (at most) two jobs in an interval of length L. Under the constraints of directed and FT edges of the noleak graph, there can be at most four FT edges, which can be derived by any well-known solution for max-flow problem such as the Ford-Fulkerson algorithm [9].

C. TIME COMPLEXITY
Our proposed FT-bin-packing first re-orders the priorities of the given tasks according to SR-SORT, and then it assigns the tasks into processors based on the considered bin-packing algorithm (e.g., FT-FFD when it comes to the FFD algorithm) by utilizing FT-RTA in conjunction with a mechanism to upper-bound the number of FTs that can be invoked. As shown in Algorithm 2, the time complexity of SR-SORT is O (N 3 ) where N is the number of tasks as it is conducted with a triple loop operation. Then, our considered FT-FFD tests the schedulability via FT-RTA of tasks in a processor whenever a task is inserted to the processor, thereby resulting in O(N * M ) multiplying the time complexity of FT-RTA, where M is the number of processors. As shown in Section IV, FT-RTA first derives the level-k active period k for each τ k , each whose length can be the least comment multiple of all periods of tasks in the worst-case. Then, the response time of all jobs of τ k in k is derived. The response time of each job in k is calculated by adding C k , B k , execution times of its higher-priority jobs, and the upper-bounded number of FTs computed by FT k ().

V. EVALUATION
In this section, we evaluate the effectiveness of FT-binpacking under varying system parameters in our experimental environment. To this end, we randomly generate a number of task sets according to a well-known taskset generation method referred to as UUnifast-discard [22]. To generate a task set, UUnifast-discard basically has three input parameters: (i) the number of processors m (4 and 8), (ii) the number of tasks n (m + 1, 1.5m, 2m, 2.5m, 3m, 3.5m, and 4m) in each task set, and (iii) the task set utilization U (0.1m, 0.2m, 0.3m, 0.4m, 0.5m, and 0.6m) that is defined as τ i ∈τ C i /T i . For a given task utilization for τ i (denoted by u i ) assigned by UUnifast-discard with given choices for (i), (ii) and (iii), T i is randomly selected in [1,1000], C i is computed as u i · T i , and D i is set to T i . We also consider (iv) the flush cost C ft (4,8,12, · · · , 36, 40), defined as the time required to initiate the status of the shared resource. Next, each element of the n-by-n noleak table for each resource λ x ∈ λ is randomly set to either 0 or 1. For each combination of input parameters (i)-(iv), we generate 10,000 task sets, thereby resulting in 2 · 7 · 6 · 11 = 9, 240, 000 task sets in total. As a performance metric, we measure the number of task sets deemed schedulable by the proposed heuristic algorithm 1 utilizing FT-RTA.
As our proposed approach supports any FP scheduling with its corresponding schedulability analysis for each processor, we consider the rate-monotonic (RM) scheduling algorithm (with FT-RTA) because of it is one of the optimal one for uniprocessor platforms. We consider the following heuristic algorithms for the performance comparison.
• FF: The FFD algorithm described in 1, except for Line 3 of 1.
• WF: The WFD algorithm introduced in Section III-B, which is similar to FF.
• FT-WF: The SR-SORT algorithm (i.e., Algorithm 2) incorporated WFD algorithm; that is, SR-SORT is conducted before WFD is done.
• FT-FF+FF: The algorithm that returns ''Success'' if either FT-FF or FF successfully assigns all the tasks of the given task set to the given processors.
• FT-WF+WF: The algorithm that returns ''Success'' if either FT-WF or WF successfully assigns all the tasks of the given task set to the given processors. Note that we do not consider the BFD algorithm for this section because it exhibits a similar performance with the FFD algorithm under our experiment environment.

O2. A larger performance improvement is achieved when
our method is applied to WF rather than the case of FF in most cases (in Figures 3(a)-(f)). O3. The increasing values of U , n, and C ft lower the performance of all the considered algorithms (in Figures 3(a)-(b)). O4. Despite O3, it increases the ratio between the number of schedulable task sets under the FTseries and that of the existing heuristic algorithms, FF and WF in most cases (in Figures 3(c)-(d), and Figures 3(e) vs. (f)). Here, O1 demonstrates the effectiveness of our proposed method in assigning real-time tasks considering security constraints. As introduced in Section III-B, the underlying idea of FT-bin-packing is to re-assign the index of given tasks so that the noleak relation of any consecutive (in terms of task index) tasks is ''F'' by utilizing the security relation graph, and this idea is based on the fact that the number of FTs upperbounded by the method in Section IV-B is proportional to the As explained in Section III-B, WF assigns a given task to a processor with the largest remaining utilization among all the considered processors. This approach does not effectively use the full utilization of the processor because it results in larger fragmentation (i.e., available utilization) after a task is assigned. When the security constraint is considered, such a limitation is more pronounced, resulting in a larger performance gap between FF and WF, as shown in Figures 3(a)-(f).
We can observe in O2 that our proposed methods compensate for the limitation of WF by effectively reordering the tasks by considering the given noleak table.
Increasing the values of U , n, and C x ft lead to O2 for different reasons. As the U value (fixed n) increases, the utilization of each task in the task set increases, indicating that the C i value of each task generally increases. This implies that the interference received from high priority also increases naturally from the standpoint of τ k , which is the target of schedulability determination, and the value of R k increases with high probability. Second, the larger the value of n (using the fixed value U ), the fewer the number of schedulable task sets. This is because when estimating the maximum execution time of τ i ∈ hp(k) in the interval of k length, the schedulability test uses the upper-bound value based on the worst-case scenario, rather than the exact value. Therefore, as the number of tasks in the working set increases, the pessimistic calculation of interference becomes more pronounced. Finally, the increased value of C x ft definitely increases the worst-case response time of each operation when the upper bounded FT number is not changed, reducing the feasibility of just-in-time execution.
Although the increasing values of U , n, and C ft lower the performance of all the considered algorithms (as observed in O3), it increases the ratio between the number of schedulable task sets under the FT series and that of existing heuristic algorithms, as observed in O4. This implies that our proposed technique exhibits a high percentage of performance improvement for a set of tasks that are difficult to schedule. For example, 575 and 1132 task sets are schedulable for m = 4, U = 2.4, n = 5, and C ft = 40 under WF and FT-WF+WF, respectively, thereby resulting in 96.8% performance improvement.

VI. RELATED WORK
Owing to its low runtime overheads and simplicity in scheduling, partitioned scheduling has been widely used in multiprocessor real-time systems and extensively studied [27]- [32]. As optimal task partitioning is known to be NP-hard (even harder when it comes to the problem considering few resources), an integer linear programming (ILP) method for an optimal resource-aware task assignment was proposed although it is computationally intractable [27]. In [28], Baruah has studied the task partitioning problem on a heterogeneous multiprocessor platform and designed a polynomial heuristic algorithm to aim at near-minimizing makespan of task executions. In [29], a well-known semipartitioned method referred to as C = D scheduling was revised to be enabled for dynamic workloads consisting of reservation servers. The proposed method was improved to perform in linear time, and thus the computational complexity is dramatically reduced compared to the existing state-of-theart method. Data inconsistency in shared resources was also addressed by Al-Bayati et al. in [30] as they proposed a new resource-locking protocol called communication affinity and slack with retries (CASA) which outperforms the existing well-known two protocols, the multiprocessor priority ceiling protocol (MPCP) and the multiprocessor stack resource policy (MSRP). Additionally, partitioned scheduling problems in real-time distributed systems and associated load-balancing issues are addressed [31], [32].
Non-preemptive scheduling prevents running tasks from being preempted until the (running) task is completed, and it is suitable for systems where scheduling cost (eg, preemption or migration) is extremely high or preemption is inherently prohibited. Due to its advantages, there were a number of studies to develop non-preemptive scheduling for various real-time systems [33]- [36]. In [33] targeted controller area network (CAN) and proposed a revised response-time analysis by revealing the existing schedulability analysis's flaw in optimality. Nasri and Brandenburg proposed an exact sustainable schedulability test for the fixed-priority non-preemptive scheduling supporting both work-conserving and non-workconserving schedulers in [34]. They also proposed online scheduling policy based on the pre-constructed offline table by addressing the problem of non-preemptive scheduling periodic tasks on resource-constrained platform [35]. This work is motivated by a fact that the existing fully online scheduling methods provide the low performance in schedulability analysis, and the fully offline approach requires too much memory. In [36], parallel task models for partitioned and non-preemptive on multiprocessors are considered, and a new schedulability analysis for DAG (directed acyclic graphs) was proposed.
Recently, as security issues for real-time systems have emerged as a hot topic, many studies considering security in the real-time system field have been conducted. In [23], Volp et al. proposed a new FP real-time scheduler to reduce the probability of information leakage by investigating the time required for attackers to access shared sensitive data. They use idle tasks efficiently to prevent attackers from having sufficient time to access resources shared by real-time tasks. Yoon et al. [24] proposed a scheduling randomization protocol for tasks scheduled by the FP scheduler, which can reduce the possibility of timing inference attacks. In their proposed method, the priority inversion budget that one task can have is calculated for every scheduling decision, and a random task is executed, rather than the highest priority being scheduled by that amount. Then, such random scheduling returns to the original given FP scheduling without a task deadline miss when the given priority inversion budget becomes zero. The FT technique was first incorporated into the FP non-preemptive scheduler for the uniprocessor platform in [21]. The first study assumes that every task has its own security level, which forces FTs to be conditionally invoked, considering the different security levels of tasks. To ensure the schedulability of tasks under the assumption, the idea of transforming the problem of bounding the number of FTs that can occur while each task is running into a max-flow problem has been proposed. Pellizzoni et al. [15] extended this study to a more general model called the noleak model and proposed a new FT method applicable to preemptive scheduling. Baek et al. [16] incorporated the notion of FT into mixed-criticality systems in which tasks have different levels of criticality. In [37], a new security overhead model was proposed to quantify overheads of security tasks such as confidentiality, integrity, and authentication conducted in real-time systems, and a new EDF (earliest deadline first) scheduling considering the overheads was proposed. In [38], an EDF schedulability driven security optimization method for real-time systems was proposed. Unlike the existing approaches, we consider a problem of partitioned and non-preemptive scheduling, and propose a new heuristic bin-packing algorithm and schedulability analysis. Also, the existing studies considering FT mechanisms is limited to the uniprocessor platforms, while our work is applicable to multiprocessor platforms.

VII. CONCLUSION
In this paper, we proposed a new scheduling framework, called FT-bin-packing, that incorporates a security constraint into existing partitioned scheduling, such as FFD and WFD, to address security vulnerabilities caused by the fixed scheduling pattern of real-time systems. FT-bin-packing uses a new notion of the security relation graph and SR-SORT to visualize the security relation of real-time tasks associated with a noleak table and to reduce the number of FTs to the extent possible; then, the FT-bin-packing where FT-RTA is integrated into existing bin-packing algorithms. Based on the experimental results, we analyzed the properties and performance of the FT-bin-packing algorithm. These results indicate that the algorithm can improve the performance of existing heuristic algorithms by up to 96.8% depending on the experimental setting. In future work, we will attempt to incorporate another security mechanism, such as TaskSuffler [24], into identical multiprocessor platforms.