- Introduction
- Use Cases
- Repository Structure
- Target Platform
- Setting up Chronos
- License
- Citation
- Contact
Chronos was developed as a lightweight kernel extension that brings endpoint detection and response (EDR) capabilities to real-time embedded systems. Chronos employs timing-based detection mechanisms to identify abnormal task behavior and enforces memory separation through the Memory Protection Unit (MPU) to isolate EDR and kernel code from untrusted application code. It dynamically adapts to system load, reducing the frequency of security checks during high utilization to maintain responsiveness, and increasing it during low utilization to enhance security coverage. To detect reconnaissance and tampering attempts, Chronos instruments OS kernel APIs, blocking unauthorized modifications to security-critical code and data structures. It also enforces return address integrity for FreeRTOS yield APIs by validating return addresses against a per-task whitelist. When a security event is detected, forensic data is transmitted to a remote server for real-time threat analysis. Chronos is implemented as an extension to FreeRTOS and evaluated on a system that simulates UAV operations. Performance was measured using the CoreMark benchmark. Under the most aggressive security policy configuration, Chronos incurred a runtime overhead of 0.86% and a 45.1% increase in code size.
For the details of Chronos, check the paper - coming soon
Chronos is intended for deployment in real-time embedded systems such as:
- UAV flight controllers
- Automotive braking and steering systems
- Industrial robotics and automation
halcogen/— HAL configuration project for the TI Hercules RM48L952ZWTT microcontroller.workspace/— Contains FreeRTOS-based example projects for performance evaluation, security testing, and UAV simulation.coremark_drone/— Measures performance overhead introduced by Chronos in a UAV workload environment.coremark_scale/— Demonstrates linear scaling of performance overhead as more tasks are added to the system.sec_eval/— Executes configurable security test cases to demonstrate detection and response guarantees.main/— Baseline UAV project serving as a template for deployment and extension.*/gen_edr_config.py- Script to configure security policy and generate the relevant EDR code and header files.
get_yield_ret_addr.py— Script for extracting YIELD API return addresses from compiled firmware to support return address validation.udp_serv/— Python-based server that receives and logs forensic metadata sent by Chronos during security events.ema_sma_spike_plot.py— Visualization script that compares the responsiveness of EMA vs. SMA in detecting execution time anomalies.
Chronos is currently designed for:
- FreeRTOS 10.2.0
- ARM Cortex-R (ARMv7-R) processors
- Systems with an MPU (tested on TI Hercules RM48L952ZWTT)
To get started with Chronos on the TI Hercules RM48L952ZWTT development board:
-
Download and install Code Composer Studio. Ensure support for the RM48 series and XDS100v2 JTAG is enabled during installation.
-
git clone https://github.com/dest-3/chronos.git -
Open CCS, go to File > Import > Code Composer Studio > CCS Projects, and select the
workspace/folder. Then select all example projects. -
Modify the JSON configuration in
gen_edr_config.pyin the selected project folder to configure the security configuration of Chronos. Then runpython3 gen_edr_config.pyto generate the assosciated code and header files. -
If enforcing return address validation for yield APIs:
- Add any relevant task code in
main.c. - Compile the firmware.
- Use
get_yield_ret_addr.pyto obtain the return addresses for each yield function in task bodies. For example, for tasks test1, test2, test3 that utilizevTaskDelayandvTaskDelayUntil, runpython3 get_yield_ret_addr.py firmware.out test1 test2 test3 -- vTaskDelay vTaskDelayUntil - Add addresses in the JSON config of
gen_edr_config.pyand runpython3 gen_edr_config.py. - Compile
- Add any relevant task code in
-
Run a DHCP on your host machine and connect the RM48 via Ethernet. Use the following DHCP server settings:
IP pool start address: 192.168.4.100 Size of Pool: 5 Lease (minutes): 2000 Router: 192.168.4.1 Mask: 255.255.255.0Ensure the server does not enforce pinging an addresses before IP assignment. Also ensure that the Ethernet switch on the RM48 is set to ON. For a quick and easy DHCP setup TFPD64 is recommended.
-
python3 udp_serv.py -
In CCS, build one of the projects (e.g., coremark_drone) and flash it to the board via USB JTAG by navigating to Run > Debug or Run > Load
MIT License. See LICENSE for details.
If you use Chronos in academic work, please cite as:
@phdthesis{
author={Antoniades,Michalis},
year={2025},
title={Chronos: Efficient Time-Based Detection and Response for Safety-Critical Real-Time Embedded Systems},
journal={ProQuest Dissertations and Theses},
pages={67},
note={Copyright - Database copyright ProQuest LLC; ProQuest does not claim copyright in the individual underlying works; Last updated - 2025-05-29},
abstract={This paper presents Chronos, a lightweight kernel extension that enhances real-time embedded systems with endpoint detection and response (EDR) capabilities. Chronos employs timing-based detection mechanisms to identify abnormal task behavior and enforces memory separation through the Memory Protection Unit (MPU) to isolate EDR and kernel code from untrusted application code. It dynamically adapts to system load, reducing the frequency of security checks during high utilization to maintain responsiveness, and increasing it during low utilization to enhance security coverage.To detect reconnaissance and tampering attempts, Chronos instruments OS kernel APIs, blocking unauthorized modifications to security-critical code and data structures. When a security event is detected, forensic data is transmitted to a remote server for real-time threat analysis.Chronos is implemented as an extension to FreeRTOS and evaluated on a system that simulates UAV operations. Performance was measured using the CoreMark benchmark. In the null policy configuration, Chronos incurred a runtime overhead of 0.25% and a 43.6% increase in code size. Under the most aggressive security policy, runtime overhead was 0.86% and code size increase was 45.1%. In both cases, 90% of the total code size increase was introduced by the networking library. These results demonstrate that Chronos is lightweight and suitable for resource-constrained real-time systems.},
keywords={Endpoint detection and response; Memory corruption; Real-time system; Safety-critical system; Memory Protection Unit; Computer engineering; Information technology; Computer science; Information science; 0489:Information Technology; 0723:Information science; 0464:Computer Engineering; 0984:Computer science},
isbn={9798314866436},
language={English},
url={https://www.proquest.com/dissertations-theses/chronos-efficient-time-based-detection-response/docview/3201334377/se-2},
}Michalis Antoniades - mantonia(at)andrew.cmu.edu