Runtime Mitigation of Packet Drop Attacks in Fault-tolerant
  Networks-on-Chip by Prasad, N et al.
1Runtime Mitigation of Packet Drop Aacks in Fault-tolerant
Networks-on-Chip
N. PRASAD, NAVONIL CHATTERJEE, SANTANU CHATTOPADHYAY, and INDRAJIT
CHAKRABARTI, Indian Institute of Technology Kharagpur
Fault-tolerant routing (FTR) in Networks-on-Chip (NoCs) has become a common practice to sustain the
performance of multi-core systems with an increasing number of faults on a chip. On the other hand, usage of
third-party intellectual property blocks has made security a primary concern in modern day designs. is
article presents a mechanism to mitigate a denial-of-service aack, namely packet drop aack, which may
arise due to the hardware Trojans (HTs) in NoCs that adopt FTR algorithms. HTs, associated with external kill
switches, are conditionally triggered to enable the aack scenario. Security modules, such as authentication
unit, buer shuer, and control unit, have been proposed to thwart the aack in runtime and restore secure
packet ow in the NoC. ese units work together as a shield to safeguard the packets from proceeding towards
the output ports with faulty links. Synthesis results show that the proposed secure FT router, when compared
with a baseline FT router, has area and power overheads of at most 4.04% and 0.90%, respectively. Performance
evaluation shows that SeFaR has acceptable overheads in the execution time, energy consumption, average
packet latency, and power-latency product metrics when compared with a baseline FT router while running
real benchmarks, as well as synthetic trac. Further, a possible design of a comprehensive secure router has
been presented with a view to addressing and mitigating multiple aacks that can arise in the NoC routers.
Additional Key Words and Phrases: Packet drop aack, hardware Trojans, link faults, Network-on-Chip,
security
ACM Reference format:
N. Prasad, Navonil Chaerjee, Santanu Chaopadhyay, and Indrajit Chakrabarti. 2016. Runtime Mitigation of
Packet Drop Aacks in Fault-tolerant Networks-on-Chip. 1, 1, Article 1 (January 2016), 23 pages.
DOI: 10.1145/nnnnnnn.nnnnnnn
1 INTRODUCTION
Network-on-Chip (NoC) has emerged as a promising and scalable medium for interconnecting
various cores in a multi-core system [21]. However, with aggressive technology scaling, as well
as an increase in the transistor density, multi-core systems are subjected to faults that may occur
either during the manufacturing time or runtime. NoCs, being part of such multi-core systems,
are also susceptible to these faults. Several fault-tolerant techniques have been developed over the
years to overcome the consequences that may arise due to the occurrence of faults in NoCs [26, 31].
As mentioned in [26], the adopted fault-tolerant techniques dier with dierent layers of the
NoC-based multi-core system, such as transport, network, and data-link. Further, in the network
layer, which consists of components such as routers and links, fault-tolerant mechanisms are
realized through spatial and temporal redundancy techniques. ese techniques include redundant
modules inside the routers, as well as fault-tolerant routing algorithms in the NoC.
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee
provided that copies are not made or distributed for prot or commercial advantage and that copies bear this notice and
the full citation on the rst page. Copyrights for components of this work owned by others than ACM must be honored.
Abstracting with credit is permied. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires
prior specic permission and/or a fee. Request permissions from permissions@acm.org.
© 2016 ACM. XXXX-XXXX/2016/1-ART1 $15.00
DOI: 10.1145/nnnnnnn.nnnnnnn
, Vol. 1, No. 1, Article 1. Publication date: January 2016.
ar
X
iv
:1
90
8.
00
28
9v
1 
 [c
s.A
R]
  1
 A
ug
 20
19
1:2 N. Prasad, Navonil Chaerjee, Santanu Chaopadhyay, and Indrajit Chakrabarti
On the other hand, with the ever-increasing complexity of multi-core systems to process diverse
tasks, the role of third-party intellectual property (3PIP) cores is increasingly becoming prominent
in such systems. With so many 3PIP cores at hand during the system integration, there exists a
barrier of security and trust among the 3PIP vendors that tempts the adversaries to adopt unfair
means to disrupt the functionality of the other 3PIP cores. One way of achieving such an unsought
disruption is through the insertion of hardware Trojans (HTs) into the chip, by an untrusted foundry
or design house that include untrusted people, design tools, or components. Consequences of such
an uninvited insertion of the HTs include the undesired functional behavior of an integrated circuit
(IC) and provision of covert channels or backdoor that can leak sensitive information [5]. ough
several detection techniques, to detect HTs, have been proposed in the literature [4], they may not
be advantageous for all kinds of HTs present on a chip. us, the proactive security measures at
the hardware level are increasingly being considered, which can improve the detection capability,
as well as mitigate the consequences that arise due to the HTs.
As the NoC forms the backbone of the interconnection architecture of a multi-core system, there
is an immense need in securing its hardware resources, as well as to secure the packet ow in it.
Hardware security in NoCs has been a vibrant research area for over a decade [13, 16]. Traditionally,
research in secure NoCs has focused on the areas like secure memory access, memory protection,
and secure packet ow, in NoC-based multi-core systems [14, 19, 27]. Of late, research in several
aacks on NoC hardware, such as aacks due to HTs on routers [3, 7, 15, 17, 25] and links [8, 9], as
well as timing side-channel aacks [29], are being investigated. All the works mentioned in the
literature assume that the NoC is a fault-free one. Security aware design of FTNoCs has not been
explored to date. With the introduction of faults, many possibilities arise for the adversaries to
take advantage of such scenarios to raise new aacks in the NoC. is article proposes one such
aack called packet drop aack in the context of FTNoCs and presents a mitigation mechanism to
thwart such aacks eectively.
Packet drop aack is similar to a well-known denial-of-service (DoS) aack in a network router,
namely blackhole aack, where the router, instead of relaying the packets to proper output ports,
discards them [2, 30]. Similar aack scenario can be achieved in NoCs with faulty links, where
a router with faulty links, instead of sending packets to ports with healthy links, forwards the
packets to ports with faulty links. is scenario is same as dropping the packets by a router, as
it is unable to relay them to the next router. Since this case would arise in NoCs in the presence
of faulty links, existing mitigation mechanisms for packet drop aacks in the case of wireless or
mobile networks may not be advantageous for NoCs. Existing methods to mitigate the packet drop
aack in wireless ad hoc and mobile networks, such as routing recovery, time-based threshold,
and Bayesian detection, cost a lot concerning area and energy consumption when considered for
NoC routers [12, 30]. us, to mitigate the packet drop aacks in FTNoCs, we endow the routers
with security modules, such as authentication unit (AU), buer shuer (BS), and control unit
(CU). e proposed logic-based mitigation mechanism is advantageous when compared to the
above-mentioned mechanisms while considering the hardware and timing overheads into account.
e main contributions of the present article are as follows. A mechanism to raise packet drop
aacks in the context of fault-tolerant NoCs has been presented. In the current study, we assume
that fault-tolerant routing is the fault-tolerant method adopted in the NoC. A possible threat model,
as well as design of hardware Trojan that has the potential to raise the packet drop aacks, has
been proposed. A secure fault-tolerant NoC router, referred to as SeFaR, has been presented to
thwart the packet drop aacks at runtime. Experimental analysis for establishing the impact of
the proposed aack, as well as for analyzing the performance of the system in the presence of the
, Vol. 1, No. 1, Article 1. Publication date: January 2016.
Runtime Mitigation of Packet Drop Aacks in Fault-tolerant NoCs 1:3
proposed secure router, has been presented. A possible design of a comprehensive secure router
has been presented, which can mitigate multiple aacks that can arise in the NoC routers.
e rest of the article is organized as follows. Section 2 discusses the related work. Section 4
presents motivation behind the packet drop aack, proposes the threat model, and discusses its
relevance. Section 3 briey describes the architecture of the baseline fault-tolerant router. Section
5 describes the security modules including the authentication unit, buer shuer, and the control
unit. Section 6 presents the performance analysis of the mitigation mechanisms. Section 7 presents
the architecture of a comprehensive secure router, which can mitigate multiple aack scenarios
that arise within the NoC routers. Section 8 concludes the article.
2 RELATEDWORK
is Section articles out the related work that has been carried out in the areas of fault-tolerant
routing, as well as hardware aacks on the NoC architecture, particularly within routers and links.
2.1 Fault-tolerant Routing in NoCs
Several fault-tolerant techniques have been extensively reviewed in [31], which also include fault-
tolerant routing algorithms for the NoCs. Majority of the fault-tolerant routing strategies consider
distributed routing, whereas very few strategies consider source routing. Next, we review few
other fault-tolerant routing algorithms for the NoCs that have been proposed recently.
Liu et al. [20] have proposed two novel adaptive routing algorithms, namely coarse and ne-
grained look-ahead routing algorithms, to enhance the fault-tolerant capabilities of 2D mesh/torus
NoC system. ese strategies use fault ag codes from the neighboring nodes to obtain the status
or conditions of real-time trac in a NoC region, then calculate the path weights and choose the
route to forward the packets. Chen et al. [11] have proposed a Path-Diversity-Aware Fault-Tolerant
Routing (PDA-FTR) algorithm, which simultaneously considers path diversity information and
buer information. is strategy achieves fault-resilient packet delivery and trac balancing in
the NoC.
Xie et al. [32] have presented a Preferable Mad-y (PMad-y) turn model and Low-cost Adaptive
and Fault-tolerant Routing (LAFR) method that use one and two virtual channels along the X and Y
dimensions for 2D mesh NoC. Applying PMad-y rules and using the link status of neighbor routers
within 2-hops, LAFR can tolerate multiple faulty links and routers in more complicated faulty
situations and impose the reliability of network without losing the performance of the network.
Zhao et al. [33] have proposed a path-counter method, which labels every node that is helpless to
make up for a fault-tolerant minimal path with low time complexity. is strategy can support
arbitrary fault distribution, check the existence of fault-tolerant minimal paths, and not sacrice
any available fault-tolerant minimal paths.
ough the FT routing algorithms mentioned above adopt dierent techniques in successfully
transmiing the packets to their destinations if there exists a path, a common metric used in many
of these routing algorithms is the knowledge of the status of the links at dierent capacities in the
NoC. Another feature of these routing algorithms is that despite with an increase in the number of
faulty links in the NoC, the throughput degradation, as well as the increase in the average packet
latency, is kept limited to a considerable value.
2.2 HT Aacks on NoCs
Fig. 1 shows the locations considered in inserting HTs as well as employing security units (encircled
numbers) in NoC-based systems. e following survey primarily considers the aacks on NoC
hardware due to HTs.
, Vol. 1, No. 1, Article 1. Publication date: January 2016.
1:4 N. Prasad, Navonil Chaerjee, Santanu Chaopadhyay, and Indrajit Chakrabarti
Source
Core Router Link Router
Receiver NI
Receiver 
Core
Input Buffer/
FIFO
Route 
Computation 
Unit
VC Allocator + 
Switch 
Allocator
Crossbar
Output Buffer/
FIFO
Source NI
8
1
2
3
4 4* 5
5*
6
7
9* 9
10
Locations 
of HTs:
2
Locations of 
Security Units:
4
Biswas et al., 
Proposed
9 Boraten and Kodi6 Frey and Yu
1 Frey and Yu 3 6
Frey and Yu
Ancajas et al., Frey and Yu,
Prasad et al.,
JayashankaraShridevi et al.
8 Ancajas et al.,Proposed
Biswas et al., 10 9* Biswas et al.Boraten and Kodi,
Boraten and Kodi2
Boraten and Kodi,
Prasad et al.,
Proposed
5*
7 5 Prasad et al.,
Jayashankara
Shridevi et al.
Fig. 1. Locations considered in inserting HTs as well as employing security units in NoC based systems.
Ancajas et al. [3] have demonstrated a range of security aacks, which include information
leaking aacks, that could arise in a compromised NoC (C-NoC) that has an accomplice soware
component. A series of techniques have been proposed to counter the demonstrated aacks by
hardening security on systems with a C-NoC, which consists of data scrambling, packet certication,
and node obfuscation. e aack scenario and security measures addressed mainly concentrate
on data duplication. No control over the packet ow has been enforced. Biswas et al. [7] have
investigated a new aack scenario, namely router aack, targeted towards routing tables in routers.
ese aacks include unauthorized access aack and misrouting aack. e authors have proposed
several monitoring-based countermeasures to thwart these aacks. However, this article does not
consider aacks on logic-based route computation units.
Boraten and Kodi [9] have proposed a packet validation technique, namely packet-security (P-
Sec), merged with two robust error detection schemes, to protect C-NoCs from fault injection
side-channel aacks and covert HT communication. P-Sec is a security measure incorporated at
NI, which primarily deals with packet encryption and decryption. However, the technique has
no control over aacks that arise within a router. ey [8] have also proposed a target-activated
sequential payload (TASP) HT model that injects faults into the packets, by inspecting them. e
faults injected by the HT trigger the error correction code schemes employed for re-transmiing the
packets unnecessarily, which could create network congestion and even deadlocks. To circumvent
these threats, the authors have proposed a heuristic threat detection model to classify faults and to
discover the HTs within compromised links. In addition to this model, several switch-to-switch link
obfuscation methods have been proposed to utilize the compromised links instead of rerouting the
packets. ough the work covers transient and permanent fault scenarios associated with links in
detecting HTs within links, no measure has been considered for threats that arise within a router.
Frey and Yu [15] have proposed a collaborative dynamic permutation and it integrity check
method to mitigate the consequences caused by the HTs located in the NoC routers. ough the
mentioned security hardening mechanism eciently thwarts the specic role of the HTs, it has
no impact on aacks arising in the locations of a router, other than buers. Prasad et al. [25]
have proposed a DoS aack, namely illegal packet request aack (IPRA), and have addressed the
measures to mitigate the same. e IPRAs are raised by the HTs located within routers, which are
triggered when a core aached to the router goes idle. A security unit has been proposed to detect
these aacks and mitigate the consequent loss by guiding the control units of the corresponding
buers to either isolate or mask the aacked buers at runtime. ough the work considers the
, Vol. 1, No. 1, Article 1. Publication date: January 2016.
Runtime Mitigation of Packet Drop Aacks in Fault-tolerant NoCs 1:5
location of the HTs inside routers, the NoC is assumed as a fault-free one. JayashankaraShridevi et
al. [17] have proposed a runtime latency auditor to counter the threat posed by a rogue NoC (rNoC)
that can selectively disrupt the perceived availability of on-chip resources. e proposed mechanism
to thwart the bandwidth denial aack enables an MPSoC integrator to monitor the trustworthiness
of the deployed NoC throughout the chip lifetime. However, the presented mechanism does not
consider the HT aacks arising in the control module of a router, such as a routing unit. A summary
of the HT mitigation mechanisms in NoC considered so far has been mentioned in Table 1.
Table 1. Comparison of HT Mitigation Mechanisms in NoCs
Work
Trojan
Location
in NoC
Aack(s) Considered Fault-tolerantRouter
Protection Mechanism
Location
Ancajas et al. [3] Router Information leaking No Network Interface
Biswas et al. [7] Router Unauthorized access,mis-routing No NoC
Boraten and Kodi [9] Link Fault injection side-channels,covert HT communication No Network Interface
Frey and Yu [15] Router Packet corruption No NoC/Router
Prasad et al. [25] Router Illegal packet requests No NoC/Router
JayashankaraShridevi et al. [17] Router Bandwidth denial No SoC Firmware
Boraten and Kodi [8] Link fault injection side channels Yes NoC/Router
Present Work Router Packet drop Yes NoC/Router
Many of the works mentioned above take into account aacks on NoC within routers and links,
assuming that the NoC is fault free. However, in the presence of faults, mainly permanent link
faults, there is vast scope for aackers to aack routers, while taking advantage of the knowledge
of faulty links. Several strategies exist in the literature that subsume the operation of NoC in the
presence of faulty links [26, 31]. Although identication of faulty links has been considered in
[8], no security mechanism has been proposed thus far for aacks arising within the routers that
are adjacent to the faulty links. One of such aacks may well be created with the motivation
of forwarding packets towards the output ports associated with the faulty links. is work has
addressed one such aack situation and has proposed a secure router to circumvent those aacks.
3 BASELINE SYSTEMMODEL
is section describes the baseline system model by detailing the architectural and functional
properties of the NoC-based MPSoC, which has been considered for the present study.
An MPSoC in the present study is a tile-based system, where each tile consists of a processing
element (PE) or core, a set of level-one private instruction and data caches, a memory controller,
and a router along with the network interface. A shared level-two cache has also been considered
to be present in the system. e communication infrastructure that interconnects all the tiles in
the system has been realized using a two-dimensional mesh NoC. Traditional input-queue based
buered routers have been considered, which adopt round-robin arbitration mechanism for switch
allocation and logic-based fault-tolerant distributing routing units. An application in the MPSoC
has been assumed to be mapped onto multiple cores using the mapping algorithm mentioned in
[28]. e nature of the applications considered is generic. Also, the kind of the MPSoC can be either
homogeneous or heterogeneous. e communication between the cores is deemed to happen via
the NoC, through network interface units and routers in the network.
Fig. 2a shows a baseline FT router microarchitecture, which consists of a link status analyzer
(LSA) with each routing unit (RU), for forwarding packets to fault-free output ports, in the presence
, Vol. 1, No. 1, Article 1. Publication date: January 2016.
1:6 N. Prasad, Navonil Chaerjee, Santanu Chaopadhyay, and Indrajit Chakrabarti
of faulty links. e remaining inputs and outputs of the router are as follows. I1, . . ., I5 and O1, . . .,
O5 are the data input and output (IO) ports. Credits (C), which record the occupancy of buers of
adjacent routers, deal with buer and virtual channel management, and status signals (SS) record
the health of the links associated with the ports of the router. All routers in the NoC are assumed
to have ve-stage pipeline: input buer and route computation, virtual channel allocation, switch
allocation, switch traversal, and link traversal. Regarding the fault-tolerant routing algorithm, we
assume that the routing algorithm maintains the status of all the links that are associated with the
current router. A current router, concerning a packet, is dened as the router in which the packet
currently resides.
Input 
Buffer 
(IB5)
Input 
Buffer 
(IB4)
Input 
Buffer 
(IB3)
Input 
Buffer 
(IB2)
Input 
Buffer 
(IB1)
RU
LSA
RU
LSA
RU
LSA
RU
LSA
RU
LSA
H
Cross-
bar 
(XB)
Switch Allocator (SA)
VC Allocator (VA)
C
SS
I1
I2
I3
I4
I5
O1
O2
O3
O4
O5
VCn VCu
(a)
0 1 2 3
4 5 6 7
8 9 10 11
12 13 14 15
Active link Faulty link
(b)
Fig. 2. (a) Microarchitecture of a fault-tolerant NoC router with a hardware Trojan. (b) A 4×4 NoC with
faulty links.
e routing algorithm considered in the baseline fault-tolerant router is similar to the one
mentioned in [20], where each router maintains a register, named as LSR, in which the status of
the links connected to the router is stored. In the current analysis, the state of those links, which
are up to two hops away from the current router, has been considered.
4 MOTIVATION AND THREAT RELEVANCE
is section presents the motivation for considering the packet drop aack and describes the threat
relevance in the context of NoCs with faulty links.
4.1 Motivation and Aack Scenario
Analysis of works surveyed in [26, 31], as well as the ones mentioned in Section 2.1, shows that the
measures taken to forward packets in a NoC with faulty links are mostly enforced either at the RU
or input buers. However, the intended inclusion of HTs makes even these units vulnerable from
the security perspective. us, any aack within the FT router created aer the RC pipeline stage
goes undiscovered. is drawback motivates the aacker to choose an appropriate aack point to
disrupt the functionality of the NoC endowed with FT routers.
Consider a 4×4 mesh based two-dimensional NoC as shown in Fig. 2b. e links in black are
healthy links, and those in red are faulty. Faults associated with the links are considered to be
permanent faults. e mechanism given in [8] for identifying permanent faults can be applied here
as well to detect the faults. Further, the current study considers that the NoC has not been divided
into secure and non-secure zones. Consider routers nine and ten in Fig. 2b. e link connecting
from router nine to router ten is a faulty one. Once this link becomes faulty, router nine informs its
neighbors regarding the faulty link and sends the updated link status information to them. Consider
a case where a packet needs to travel from router 8 to router 11, via routers 9 and 10. Had the link
, Vol. 1, No. 1, Article 1. Publication date: January 2016.
Runtime Mitigation of Packet Drop Aacks in Fault-tolerant NoCs 1:7
that connects from router 9 to router 10 been healthy, the packet would have traveled through
router 9. Since the link is faulty in this case, router 8 will now have the updated link status and the
packet from router 8 to router 11 will nd another path for its traversal, for instance through the
routers 8, 4, 5, 6, 10, and 11. is path avoids router 9 in the network. Consider another scenario
where another packet needs to travel from router 8 to router 5, with the path through the routers 8,
9, and 5, being the primary path and the path through the routers 8, 4, and 5, being a secondary
path. ough router 8 knows the information of the faulty link at the east output port of router
9, it would still send the packet to router 5 through router 9, as the path connecting routers 8, 9,
and 5, does not have any faulty link. us, this path does not avoid router 9. Assume now that
there is an HT present in router nine at the routing unit associated with its le input port, with
a motivation to drop the packets that arrive at this port, by forwarding them to the east output
port, which has the faulty link. ough the packets from router 8 to router 10 or router 11 avoid
router 9, those other packets, which have to take a turn at router 8, such as the ones from router 8
to router 5, are dropped at router 9, because of the presence of the HT in router 9.
Aack situations as mentioned above, though not common, can be easily created in NoCs, since
most of the FTR also consider network congestion information to route the packets in the network
[24] adaptively. Further, though there exist techniques, such as packet retransmission, to reduce
the loss of packets in traditional FT NoCs, they will not be successful in a scenario as mentioned
above. e reason for such techniques for not being successful is because even if the packets are
retransmied, they would still follow the same path, which makes them inevitable from geing
lost again. is kind of packet dropping can be done by manipulating the port select signals of
the XB, which come from the RU. Had there not been any aack in the scenario mentioned above,
and with the link associated with the east port of router nine is faulty, the RU associated with the
le input port of router 9 would have adapted its routing algorithm such that no packet would go
towards its east output port. Owing to the FT operation of a router, if an aack is created aer the
RU, it is always possible to forward the packets to the east output port, which has the faulty link.
is kind of misrouting and its subsequent packet dropping process ends up in data loss and can be
disruptive if deployed in critical systems.
4.2 Threat Model
An aacker in the current study can be either a rogue employee who knows a part of the design, a
computer-aided design (CAD) tool, an untrusted foundry, or any combination of the above [5, 15].
e aacker can infect HTs into the design only during the design time. Once the chip is fabricated,
the aacker cannot further modify the functionality of the design. Fig. 2a shows an aack point of
the proposed aack in a router, which is marked as H.
An aacker can infect the system in one of the following ways. A rogue employee of the design
house can leak the design information to the foundry, which can replace the correct masks with the
ones infected with the HTs [15]. Otherwise, a CAD tool can hide particular details of the design
from the designer while generating the layout of the design. Similarly, an untrusted foundry may
reverse engineer the obtained masks to infect the HTs. However, for the present study, we assume
that the addition of the security modules to the design is done at the last phase of the design, similar
to [8].
Similar to all HTs, the proposed HT is assumed to go undetected either during the design
verication phase or the chip testing phase. An HT in the proposed design remains dormant in a
router until one of the links associated with the output ports of the router becomes faulty. Once a
link associated with an infected router becomes faulty, the HT wakes up and waits until the trigger
condition is met to raise the packet drop aack. Once the HT is triggered, it starts to divert the
, Vol. 1, No. 1, Article 1. Publication date: January 2016.
1:8 N. Prasad, Navonil Chaerjee, Santanu Chaopadhyay, and Indrajit Chakrabarti
packets in the router to the output ports with faulty links, which is the threat in the case of a packet
drop aack. However, unlike in packet drop aacks of other networks, where multiple malicious
nodes cooperate, we assume that the aack scope of the proposed HTs is limited to those routers
in which they are injected.
An infected router in the proposed design is a baseline fault-tolerant router with an HT. However,
a dierence between an infected and a non-infected router is that a non-infected router always tries
to divert the packets towards the output ports that do not have faulty links. Whereas, an infected
router is a router that always tries to divert the packets at an input port towards the output ports
that have faulty links.
Since an aacker does not have provision to modify the design once fabricated, placement of
HTs in the NoC is essential to increase the chance of triggering the HTs, as well as making the
aack a signicant one. In the present design, selection of routers in the NoC to place the HTs has
been made considering the trac observed while running real benchmark circuits on a NoC-based
MPSoC platform. Further details on the same have been mentioned in Section 4.3.
4.3 Aack Significance
e aack scenario to raise the packet-drop aacks, as mentioned in Section 4.1, requires a NoC
to have at lease one faulty link. e reason to have one or more faulty links is that of the specic
behavior of the proposed HT, which remains dormant till a link in the NoC becomes faulty. is
specic behavior of the proposed HT limits its signicance to create a potential aack scenario.
However, with the knowledge of the design footprint of the proposed HT, which will be mentioned
in Section 4.4, one may use a combination of the proposed HT with any other HT to increase the
scope of the aack scenario in the NoC, and still hide the HTs during the design verication or
chip testing phase, to carry out the desired aack.
On the other hand, a NoC architecture can be considered as a truly fault-tolerant one, only if the
fault tolerance mechanism addresses all its hardware resources, such as links and routers. Several
such architectures, as reviewed in [26, 31], either focus on links alone or focus on both routers and
links, to endow the fault tolerance property to the NoC. us the scope of the proposed HT, which
requires a NoC to be embedded with a fault-tolerant routing mechanism, can be extended to many
fault-tolerant NoC architectures mentioned in [26, 31].
Since there exist many RUs in a router, each associated with an input port, any RU can be chosen
for inserting the HT. However, selecting a particular port for inserting the HTs is essential, as
dierent ports in dierent routers have dierent probabilities of packet transmission. For instance,
inserting the HTs at the RU associated with the local input port of a router is more ecient than
placing them at other RUs, if the data transmission at the local port is higher than that of other
ports. Further, due to the look-ahead routing mechanism adopted in some FT NoCs [22], where the
packets may not reach the routers that are associated with the faulty links, the selection of routers,
and corresponding ports, becomes more critical to increase the severity of the aack.
To establish the signicance of the packet drop aack in the present context, trac distributions
of PARSEC [6] benchmark applications have been obtained in the forms of traces, link utilization
ratios, router utilization ratios, as well as inter-core communication volumes. SniperSim [10]
full-system simulator has been used to obtain all of the information mentioned above, with the
parameters mentioned in Table 2. Fig. 3 shows the link utilization ratios of the directional links of
routers while running the blackscholes application in an 8×8 mesh NoC. ese ratios are obtained
for a fault-free scenario by employing the fault-tolerant routing technique mentioned in [20]. Even
the other benchmark applications exhibit similar trends in the link utilization ratios. ese statistics
aid the adversary in locating the links to place the HTs in the NoC. For instance, the aacker may
, Vol. 1, No. 1, Article 1. Publication date: January 2016.
Runtime Mitigation of Packet Drop Aacks in Fault-tolerant NoCs 1:9
Table 2. Parameters to Carry out Full System Simulation
Parameter Value
System architecture Xeon X5550 Gainestown
Core frequency 2.66 GHz
Number of cores 64
Shared cache
Data access time 30 cycles
Tags access time 10 cycles
Cache size 8 MB
Cache block size 64 KB
DRAM
Latency 45 cycles
Network
Link bandwidth 128 bits
Hop latency 1
dimensions 2
Concentration 1
insert the HTs inside router 35 or router 36, as the number of packets utilizing the links associated
with these routers exceeds 9% of the total number of packets in the NoC. us, if an HT present in
any of the router mentioned above triggers, it can drop 9% of the total packets in the NoC, which
can be disruptive in critical systems.
0 5 10 15 20 25 30 35 40 45 50 55 60
0
2
4
Router Index
Li
nk
Ut
ili
za
tio
n
(%
) North
South
West
East
Fig. 3. Link utilization of directional links in an 8×8 mesh NoC when running blackscholes benchmark.
e link utilization ratios shown in Fig. 3 are for a fault-free case of the NoC. When a link
in the NoC becomes faulty, these values deviate from the ones shown in the gure. Further, the
routing algorithm considered in the current analysis adopts a look-ahead mechanism in deciding
the paths for the packets. is look-ahead mechanism may avoid the routes that contain the
routers associated with the faulty links, through which the packets had traveled when there were
no link faults. us, to still aack with a high disruption rate, the adversary may consider the
router utilization ratios to locate the points of insertions of the HTs. Fig. 4 shows the amount of
injected/ejected trac of each router in an 8×8 NoC when running the blackscholes application.
As these trac values remain constant for a mapped application on the NoC, an aack raised in a
, Vol. 1, No. 1, Article 1. Publication date: January 2016.
1:10 N. Prasad, Navonil Chaerjee, Santanu Chaopadhyay, and Indrajit Chakrabarti
router would drop these packets, if not all packets that pass through the router. For instance, if a
packet drop aack is successfully raised for the shown benchmark in router 35, the minimum and
maximum packet loss will be 1.35% and 9.24% of the total number of packets, respectively.
0 20 40 60
1
2
3
Router Index
Tr
a
cI
nj
ec
tio
n/
Ej
ec
tio
n
(%
)
Fig. 4. Traic injection/ejection ratio of routers in an 8×8 NoC when running blackscholes benchmark.
Further, Fig. 5 shows the packet drop ratio trends of various PARSEC benchmark applications
for an 8×8 mesh NoC when one of the routers is infected with the HTs. From the gure, one may
note that the maximum packet drop ratio of an application can go as high as 34.47%, with only
one infected router in the NoC. ese values, which show the severity of the aack, would further
increase if multiple routers become victims of the packet drop aacks.
bla
cks
cho
les
can
ne
al
ded
up
fer
ret
u
ida
nim
ate
fre
qm
ine
ray
tra
ce vip
s
x26
4
0
10
20
30
Benchmark Application
Pa
ck
et
D
ro
p
(%
)
Minimum Average Maximum
Fig. 5. Packet drop ratio (%) of PARSEC benchmark applications when run on an 8×8 NoC with SeFaR.
Full-system simulation has been run for the NoC with a maximum of four HTs in the NoC that aects four
out of five input ports of a router.
4.4 Design Features of the HT
For an HT to be eective, its area and power parameters ought to be insignicant, when compared
to those corresponding to the conventional design in which they are placed. Fig. 6a shows a design
of an HT of the proposed aack. e HT consists of a link-to-port decoder (DEC) that decodes
the port index corresponding to the faulty link, and three multiplexers to select the desired port
index once the aack is created. For this HT, the DEC block serves as the trigger, and the three
multiplexers serve as the payload. Inputs to the DEC are status signals of four directional links of a
, Vol. 1, No. 1, Article 1. Publication date: January 2016.
Runtime Mitigation of Packet Drop Aacks in Fault-tolerant NoCs 1:11
router associated with north (LN), east (LE), south (LS), and west (LW) ports, respectively, and an
enable (EN) signal, which activates the DEC. e EN signal is a backdoor kill switch, similar to the
one mentioned in [8]. e EN signal can also be realized using FSM based designs, to make the
activation mechanism more complex to be detected. Other inputs to the HT constitute the input
port index (P2P1P0) that serves as outputs to the RU. e outputs of the HT are the actual port index
(A2A1A0) that serves as inputs to the crossbar and the select signal (S) to the multiplexers. e port
indices of 001, 010, 011, and 100 correspond to the north (N), east (E), west (W), and south (S) ports,
respectively. e purpose of the DEC block is to change the input port index to the compromised
port index (D2D1D0) to trigger the aack, when EN = ‘1’ and any of the link status is ‘1’. Figs. 6b
and 6c show the hardware of the DEC block in a proposed HT and its corresponding truth table.
(a) (b)
EN LN LE LS LW D2 D1 D0 S
0 × × × × 0 0 0 0
1 0 0 0 0 0 0 0 0
1 0 0 0 1 1 0 0 1
1 0 0 1 0 0 1 1 1
1 0 1 0 0 0 1 0 1
1 1 0 0 0 0 0 1 1
(c)
Fig. 6. (a) Logic of considered hardware Trojan (HT). (b) Logic of DEC. (c) Truth table of DEC.
Fig. 7a and 7b show the design foot-print of proposed HT regarding both percentage area
overhead and percentage power overhead when compared to the baseline FT router. e values
have been obtained by synthesizing the modules using Synopsys DC and Faraday 90 nm library, for
an operating voltage of 1 V and an operating frequency of 1 GHz. Area and power overheads are
calculated by considering ve HTs in a router. Each router has ve IO ports, wherein each virtual
channel (VC) is capable of storing four its. Size of the NoC considered is 8×8, and its topology is
mesh. From the gures, it is evident that both area and power overheads of HTs are less than 1.35%
and 1.79%, respectively, for a router with 2 VCs per IO port and it width of 32 bits. As routers
constitute only a small fraction of the area in a NoC based MPSoC, 1.35% area overhead and 1.79%
power overhead are insignicantly low values when compared with those of the entire NoC based
MPSoC. Further, the area and power overheads reduce with an increase in the it width of the NoC.
is comparison with dierent it widths is to show that the design footprint of the HTs does not
depend on the it width of the network. Another observation one can make from the plots is as the
share of the design footprint of the HTs reduces the complexity of their detection in such designs
increases.
5 PROPOSED MITIGATION MECHANISM
To counter the consequences caused because of the proposed HTs, a secure FT router, called
SeFaR, has been proposed. To establish security within SeFaR, security components, namely the
authentication unit (AU), the control unit (CU), and the buer shuer (BS) have been introduced.
Fig. 8 shows the microarchitecture of SeFaR along with the blocks mentioned above. e AU block
connects with the XB and acts as a shield by blocking the port indices, which aempt to force the
packets injected into the router to proceed to the output ports containing faulty links. CU controls
, Vol. 1, No. 1, Article 1. Publication date: January 2016.
1:12 N. Prasad, Navonil Chaerjee, Santanu Chaopadhyay, and Indrajit Chakrabarti
2 VCs 4 VCs 8 VCs
0
0.5
1
No. of VCs per port
A
re
a
O
ve
rh
ea
d
(%
)
32 bits 64 bits 128 bits
(a)
2 VCs 4 VCs 8 VCs
0
0.5
1
1.5
2
No. of VCs per port
Po
w
er
O
ve
rh
ea
d
(%
)
32 bits 64 bits 128 bits
(b)
Fig. 7. (a) Area overhead and (b) Power overhead of the proposed HT with respect to baseline fault-tolerant
NoC router.
the BS block in securing the router, by considering the output signals of the AU. BS shues the
buer locations where the input data needs to occupy.
Input
Buffer
(IB1)
Routing Unit (RU)
Cross-
bar
(XB)
VC Allocator (VA)
Switch Allocator (SA)
Link Status (LSA)
I1
I2
I3
I4
I5
O1
O2
O3
O4
O5
VCn VCu
C
SS
BS
CU
AU
Fig. 8. Microarchitecture of the proposed secure fault-tolerant router (SeFaR).
5.1 Buer Shuler (BS)
e purpose of the BS block, in SeFaR, is to shue the port indices such that the incoming data is
sent into a buer, whose routing unit is not compromised. Design of the BS block is straightforward,
as it conforms to the logic of a crossbar. However, to keep its logic simple, pass transistor based
crossbar can be considered instead of a multiplexer based one. A router with N ports requires an
N × N BS. e select inputs to the BS come from the CUs of respective ports in the router.
5.2 Authentication Unit (AU)
Workow of the logic corresponding to the AU has been summarized next. AU continuously
gathers the link status information from the LSA and keeps on checking for any anomaly in the
, Vol. 1, No. 1, Article 1. Publication date: January 2016.
Runtime Mitigation of Packet Drop Aacks in Fault-tolerant NoCs 1:13
port indices obtained from the routing units. If any anomaly is detected, it raises a warning ag (F)
associated with a particular port to ‘1’. is ag indicates the presence of an HT in the router at
the routing unit (RU) associated with that port and alerts the CU to take further action. Figs. 9a
and 9b show the truth table and logic diagram of the proposed AU.
LN LE LS LW A2 A1 A0 W
0 0 0 0 × × × 0
0 0 0 1 1 0 0 1
0 0 1 0 0 1 1 1
0 1 0 0 0 1 0 1
1 0 0 0 0 0 1 1
(a) (b)
Clk F
B1
B2
B3
B4
B5
Z
CU
BSMod-5 Counter
EN Count Output
(c)
Fig. 9. (a) Truth table of the proposed authentication unit (AU). (b) Logic of the proposed authentication unit
(AU). (c) Logic of the proposed Control Unit (CU).
5.3 Control Unit (CU)
Fig. 9c shows the logic of CU and its association with the BS block. If there are N ports in a router,
there would be N CU blocks, each corresponding to a port of the router. Since CU generates the
state bits to be given to the BS block, an FSM-based modulo-N counter has been employed, with
the initial states being the port indices. Here, B1 to B5 represent the busy status ags of the buers
of all ports. A logic ‘1’ of any of these means that the buer has either been occupied by other
CU. is condition indicates that no two CUs should have same states in their FSMs, else the RU
associated with the corresponding port has been compromised. F is the warning signal coming
from AU, and Z is the output of the FSM, which serves as the input to the BS block.
e functionality of the CU can be explained as follows. Initially, the seed value corresponding
to the port is set, and the FSM outputs the same, which directs the shuer to forward the incoming
packets to their default buers. e same output works as the select signal for the multiplexer
present in CU, which selects the buer status signal corresponding to its port. It then waits for F of
respective port, to enable the FSM to change its output, thus asserting the shuer to redirect the
incoming packets to some other buer locations. e signal F acts as the enable signal to CU. Once
F of a port becomes high, the buer status ag also becomes high, which makes the FSM change
its state, transiting to its next state. en, depending on the availability of the buers of the port
corresponding to its new state, the FSM decides whether to change its state further or to remain in
that state.
An example to illustrate the functionality of the CU is shown in Fig. 10. Here, port I1 is
considered, which is associated with the signals B1 and F1. e initial seed, as well as the output of
the constituent FSM, is 001. From the diagram, as soon as F1 goes high, B1 follows it, cautioning
the CU to change its state. CU changes its state from 001 to 010, which corresponds to P2. Now, the
FSM checks for the availability of associated buer, by checking the B2 ag. Z1 remains in state
010, till B2 remains zero. is condition means that the shuer now allows the packets coming
from I1 to occupy the input buer IB2. As soon as the ag B2 goes high, Z1 changes to its next free
state. is process continues until BS nds a suitable port for the packets to occupy.
e proposed CU can also be designed using look-up tables (LUTs), instead of FSMs, if the
application trac is known beforehand. Also, with the emergence of dynamic VC management
, Vol. 1, No. 1, Article 1. Publication date: January 2016.
1:14 N. Prasad, Navonil Chaerjee, Santanu Chaopadhyay, and Indrajit Chakrabarti
clk
F1
B1
B2
B3
Z1 001 010 011
Fig. 10. Timing diagram showing functionality of the CU.
techniques, as in [23], the proposed CU can be integrated with the VC management unit of such
techniques, to enhance the serviceability of the NoC. However, the dierence between the dynamic
VC management and the functionality of the CU is that the dynamic VC management manages
the allocation of the VCs present inside a buer at an input port, whereas the CU manages the
allocation of the buers itself.
5.4 An Example Scenario
A beer understanding of how the proposed runtime mitigation technique using SeFaR functions
can be obtained using an example. Fig. 11 shows the snapshots of a scenario, wherein the execution
steps of SeFaR are shown. e following steps elaborate the execution of SeFaR in the event of a
packet drop aack. e scenario is that a packet has to travel from the router R1 to the router R5
via the router R3. e input and output ports through which the packet passes through R3 are I1
and O3, respectively. e outbound link associated with the port connecting R3 and R4, namely
O2, has become faulty and there exists an HT that can raise a packet drop aack in R3, near the
routing unit of the input port I1. e default data path of the packet through the central router is
the input port I1, the buer shuer (BS), the input buer IB1, the crossbar, and the output port O3.
It is assumed that there is no contention in R3 for the packets arriving at I1 due to the other ports.
R3 R4
R5
R2
R1
Input 
Buffer 
(IB5)
Input 
Buffer 
(IB4)
Input 
Buffer 
(IB3)
Input 
Buffer 
(IB2)
Input 
Buffer 
(IB1)
RU
LSA
RU
LSA
RU
LSA
RU
LSA
RU
LSA
H
AU
Cross-
bar 
(XB)
BS
CU
Switch Allocator (SA)
VC Allocator (VA)
C
SS
I1
I2
I3
I4
I5
O1
O2
O3
O4
O5
VCn VCu
Snapshot 01
R3 R4
R5
R2
R1
Input 
Buffer 
(IB5)
Input 
Buffer 
(IB4)
Input 
Buffer 
(IB3)
Input 
Buffer 
(IB2)
Input 
Buffer 
(IB1)
RU
LSA
RU
LSA
RU
LSA
RU
LSA
RU
LSA
H
AU
Cross-
bar 
(XB)
BS
CU
Switch Allocator (SA)
VC Allocator (VA)
C
SS
I1
I2
I3
I4
I5
O1
O2
O3
O4
O5
VCn VCu
Snapshot 02
R3 R4
R5
R2
R1
Input 
Buffer 
(IB1)
Input 
Buffer 
(IB5)
Input 
Buffer 
(IB2)
Input 
Buffer 
(IB3)
RU
LSA
RU
LSA
RU
LSA
RU
LSA
H
AU
Cross-
bar 
(XB)
BS
CU
Switch Allocator (SA)
VC Allocator (VA)
Input 
Buffer 
(IB2)
RU
LSA
C
SS
I1
I2
I3
I4
I5
O1
O2
O3
O4
O5
VCn VCu
Snapshot 03
H Dormant HT H Active HT H Neutralized HT Faulty Link Active Link Input/Output Link
Fig. 11. Snapshots of a scenario showing the execution steps of SeFaR in the event of a packet drop aack.
• Snapshot 01 At this instance, the HT present at the routing unit of the input port I1 is not
triggered. us the packet follows the default path and occupies the input buer B1. With
the knowledge of the faulty link associated with the output port O2, the routing unit of
input port I1 does not forward any packet through this output port.
, Vol. 1, No. 1, Article 1. Publication date: January 2016.
Runtime Mitigation of Packet Drop Aacks in Fault-tolerant NoCs 1:15
• Snapshot 02 At this instance, the HT present at the routing unit of the input port I1
triggers, and manipulates the output port indices obtained from the routing unit, so that
the packet is forced to go through the output port O2, instead of O3. is situation makes
the router R3 a packet drop router, with respect to the input port I1. AU, present at the
crossbar, nds that the packet from the input port I1 is being forced to the output port O2,
and raises a warning ag and communicates with the CU, located at the input buer IB1.
• Snapshot 03 At this instance, the CU associated with the input buers applies the per-
mutation and shues the buer index such that the packets arriving at the input port I1,
which had to occupy B1, now occupy B2. Simultaneously, the CU instructs the switch
allocator not to consider further packet requests from the input buer IB1. Since the RU
associated with the input buer IB2 is not aected by the existing Trojan, it forwards the
packets to their legitimate output ports, which is O3 in this case.
SeFaR thus restores the communication ow by preventing the network from losing the packets
at the router R3. e new path for the packets from the router R1 to the router R5 through the
router R3 will be the input port I1, the input buer IB2, the crossbar, and the output port O3.
6 PERFORMANCE EVALUATION
Performance metrics such as area, power, and performance overheads of SeFaR have been compared
with the baseline FT router. Architectures of both baseline and secure FT routers have been coded
in VHDL. Synopsys Design Compiler [1] and Faraday 90 nm technology library have been used in
implementing the designs. An operating frequency of 1 GHz has been set for the routers. e size
of the network considered is 8×8, and the topology is mesh. Each router has ve input/output (IO)
ports, and each VC in a buer can store four its.
6.1 Area and Power Overhead Evaluation
Fig. 12a shows the area overhead (in %) of SeFaR when compared with the baseline FT router. To
evaluate the metric over a wide range, we considered routers with two, four, and eight virtual
channels (VCs) per IO port. For each of these congurations, the it width has been varied from 32
bits to 128 bits. We have synthesized the SeFaR with ve AUs in each router. From the gure, it is
evident that for a 32-bit it in a router with 2 VCs per IO port, the area overhead of SeFaR is found
to be 2.02%. is overhead is further reduced when higher congurations of routers are considered.
Fig. 12b shows the power overhead (in %) of SeFaR when compared with the baseline FT router.
Since the additional logic associated with SeFaR is very lile, the power overhead achieved by it is
also very less. From the gure, for SeFaR with 32-bit wide its and 2 VCs per IO port, the power
overhead is 0.90 %. is overhead is further reduced when higher congurations of routers are
considered. When this power overhead is measured with respect to the power consumption of
NoC based MPSoC, it becomes insignicantly low, which makes SeFaR a promising alternative to
baseline FT routers, with an additional security layer.
6.2 Performance Overhead Evaluation
To evaluate the performance overhead of SeFaR and compare it with that of the baseline FT router,
we have obtained the trac distributions of applications from the PARSEC benchmark suite using
the SniperSim [10] full-system simulator. Further, to analyze the performance of SeFaR for synthetic
trac, paerns such as shue, transpose, and uniform-random (uniform) have been considered.
e network evaluation for all real, as well as synthetic, trac distributions, has been done using
the BookSim [18] network simulator. Performance overhead evaluation has been done for the
metrics such as execution time and energy consumption overheads for real benchmark applications.
, Vol. 1, No. 1, Article 1. Publication date: January 2016.
1:16 N. Prasad, Navonil Chaerjee, Santanu Chaopadhyay, and Indrajit Chakrabarti
2 VCs 4 VCs 8 VCs
0
0.5
1
1.5
2
No. of VCs per port
A
re
a
O
ve
rh
ea
d
(%
)
32 bits 64 bits 128 bits
(a)
2 VCs 4 VCs 8 VCs
0
0.2
0.4
0.6
0.8
1
No. of VCs per port
Po
w
er
O
ve
rh
ea
d
(%
)
32 bits 64 bits 128 bits
(b)
Fig. 12. (a) Area overhead and (b) Power overhead of secure fault-tolerant router (SeFaR) compared to baseline
fault-tolerant router.
For synthetic trac, parameters such as average packet latency (APL) and power-latency product
(PLP) have been analyzed for SeFaR and compared with that of the baseline FT router. An advantage
of analyzing the performance of SeFaR for synthetic trac is that one can estimate the overheads
of the mitigation mechanism for a range of packet injection rates (PIRs).
6.2.1 Real Benchmarks. For the current evaluation with real benchmark trac paerns, we
considered one packet drop router in the network at a time. Further, to observe the system
performance for dierent routers acting as packet drop routers, results have been obtained for
all the cases one aer the other. A packet drop router in the current scenario is analyzed for two
cases—one with a single HT that aects one input port, the other with four HTs that aect four
input ports.
Figs. 13a and 13b show a comparison of SeFaR with the baseline FT router regarding the overheads
observed in the communication time while running the real benchmarks. Fig. 13a refers to the NoC
with one router that is infected with a single HT that drops the packets arriving at an input port,
whereas Fig. 13b refers to the NoC with one router that is infected with a maximum of four HTs,
which drop the packets arriving at all but one input ports of the router. From the plots, one can nd
that for the case of a router infected with a single HT, the overhead observed in the communication
time can go as high as 10× the baseline value. Similarly, for the case of a router infected with
a maximum of four HTs, the overheads observed in the communication time can go as high as
90× the baseline value. Despite the huge overheads accounted in SeFaR to mitigate the packet
drop aacks while running the PARSEC benchmarks, the application execution time has not been
observed to increase similarly. is increasing trend in the application execution time is because
of the core idle time and the dependence of the spatial and temporal trac distributions of the
application under execution. Details on the same are presented next.
Figs. 14a and 14b show a comparison of SeFaR with the baseline FT router regarding the overheads
observed in the execution time while running the real benchmarks. Fig. 14a refers to the routers
that are infected with a single HT, whereas Fig. 14b refers to the routers that are aected with
four HTs. e links, which are faulty, have been considered to be faulty for the entire application
execution. For the case of a single HT in a packet drop router, the maximum overhead in the
, Vol. 1, No. 1, Article 1. Publication date: January 2016.
Runtime Mitigation of Packet Drop Aacks in Fault-tolerant NoCs 1:17
bla
cks
cho
les
can
ne
al
ded
up
fer
ret
u
ida
nim
ate
fre
qm
ine
ray
tra
ce vip
s
x26
4
0
5
10
Benchmark Application
N
or
m
.C
om
m
.T
im
e
Minimum Average Maximum
(a)
bla
cks
cho
les
can
ne
al
ded
up
fer
ret
u
ida
nim
ate
fre
qm
ine
ray
tra
ce vip
s
x26
4
100
101
102
Benchmark Application
N
or
m
.C
om
m
.T
im
e
Minimum Average Maximum
(b)
Fig. 13. Communication time overhead of PARSEC benchmark applications when run on an 8×8 NoC with
SeFaR. Full-system simulation has been run for the NoC with (a) one infected router in the NoC with one HT
and (b) one infected router in the NoC with a maximum of four HTs in the NoC that aects four out of its
five input ports.
execution time has been observed for dedup, which is 4.46%, when compared with the baseline FT
router. However, the average overhead in the execution time for each application does not exceed
0.8% with respect to the baseline FT router, when a packet drop router is infected with a single HT.
Similarly, for the case with four HTs in a packet drop router, the maximum overhead observed for
SeFaR regarding the execution time has been 70.87% for dedup, when compared with the baseline
FT router. Whereas, the average overhead in the execution time for this case does not exceed
12.89%, for the considered real benchmarks. e reason for the dierence seen in the execution
time overheads of these applications is because of the dierence in their trac distributions as well
as trac volumes.
Similarly, Figs. 15a and 15b show a comparison of SeFaR with the baseline FT router regarding
the overheads observed in the energy consumption while running the real benchmarks. e energy
consumption overheads include the consumption overheads of the security blocks endowed in
SeFaR. Fig. 15a refers to the routers that are infected with a single HT, whereas Fig. 15b refers
, Vol. 1, No. 1, Article 1. Publication date: January 2016.
1:18 N. Prasad, Navonil Chaerjee, Santanu Chaopadhyay, and Indrajit Chakrabarti
bla
cks
cho
les
can
ne
al
ded
up
fer
ret
u
ida
nim
ate
fre
qm
ine
ray
tra
ce vip
s
x26
4
1
1.02
1.04
Benchmark Application
N
or
m
.E
xe
c.
Ti
m
e
Minimum Average Maximum
(a)
bla
cks
cho
les
can
ne
al
ded
up
fer
ret
u
ida
nim
ate
fre
qm
ine
ray
tra
ce vip
s
x26
4
1
1.2
1.4
1.6
Benchmark Application
N
or
m
.E
xe
c.
Ti
m
e
Minimum Average Maximum
(b)
Fig. 14. Normalized execution time of PARSEC benchmark applications when run on an 8×8 NoC with SeFaR.
Full-system simulation has been run for the NoC with (a) one infected router in the NoC with one HT and (b)
one infected router in the NoC with a maximum of four HTs in the NoC that aects four out of its five input
ports.
to the routers that are infected with four HTs. For the case of a single HT in a packet drop
router, the maximum overhead in the energy consumption has been observed for canneal, which
is 44.46%, when compared with the baseline FT router. However, the average overhead in the
energy consumption for each application does not exceed 28.36% with respect to the baseline FT
router, when a packet drop router is infected with a single HT. Similarly, for the case with four
HTs in a packet drop router, the maximum overhead observed regarding the energy consumption
for SeFaR has been 82.10% for canneal, when compared with the baseline FT router. Whereas, the
average overhead in the execution time for this case does not exceed 28.58%, for the considered
real benchmarks. For the above set of evaluations, each benchmark application has been executed
entirely, considering a link in the NoC to be faulty for the entire run of the application. However, if
the link becomes defective while the application is being executed, the overheads observed would
decrease depending on the temporal trac distribution of the application under execution.
6.2.2 Synthetic Traic Paerns. Fig. 16 shows the plots of dierent congurations of an 8×8
NoC endowed with SeFaR regarding the average packet latency (APL) and power-latency product
, Vol. 1, No. 1, Article 1. Publication date: January 2016.
Runtime Mitigation of Packet Drop Aacks in Fault-tolerant NoCs 1:19
bla
cks
cho
les
can
ne
al
ded
up
fer
ret
u
ida
nim
ate
fre
qm
ine
ray
tra
ce vip
s
x26
4
1
1.2
1.4
Benchmark Application
N
or
m
al
iz
ed
En
er
gy
Minimum Average Maximum
(a)
bla
cks
cho
les
can
ne
al
ded
up
fer
ret
u
ida
nim
ate
fre
qm
ine
ray
tra
ce vip
s
x26
4
1
1.2
1.4
1.6
1.8
Benchmark Application
N
or
m
al
iz
ed
En
er
gy
Minimum Average Maximum
(b)
Fig. 15. Energy overhead of PARSEC benchmark applications when run on an 8×8 NoC with SeFaR. Full-
system simulation has been run for the NoC with (a) one infected router in the NoC with one HT and (b) one
infected router in the NoC with a maximum of four HTs in the NoC that aects four out of its five input
ports.
(PLP) with varying packet injection rates (PIRs) while running the synthetic trac paerns. Here,
’Fault-free’ case refers to the NoC without any link fault. ’Faulty5%-No HT’ case refers to the
NoC with 5% link faults, but the HTs, which are infected in the routers that have these links at
their output ports, are not triggered. ’Faulty5%-HT’ case refers to the NoC with 5% link faults
and all routers with those links serving as output links are infected with an HT. Similar is the
convention for the NoC with 10% link faults. From the plots, one may note that the APL and PLP of
the NoC have similar trends for the shue and uniform trac paerns, for all the ve cases. is
similarity is due to the nature of the spatial distribution of the trac in the network. However, for
the transpose trac paern, the NoC with active HTs suers a slight degradation in APL and PLP
when compared to the NoC with link faults, but with dormant HTs. ough the plots in Fig. 16 are
shown for random locations of the faulty links, similar trends have been observed for all the ve
congurations of SeFaR when the locations of the defective links in the network change. From
the plots, one may nd that the overhead introduced in the NoC with faulty links and active HTs,
, Vol. 1, No. 1, Article 1. Publication date: January 2016.
1:20 N. Prasad, Navonil Chaerjee, Santanu Chaopadhyay, and Indrajit Chakrabarti
because of the mitigation mechanism in the form of SeFaR, in the APL and PLP metrics are not so
high when compared with the values observed when the NoC has faulty links, but dormant HTs.
2 · 10−2 4 · 10−2 6 · 10−2 8 · 10−2 0.1
28
30
32
34
PIR (Flit/Cycle/Node)
A
PL
(C
yc
le
)
Fault-free
Faulty5%-No HT
Faulty5%-HT
Faulty10%-No HT
Faulty10%-HT
(a) shule
1 2 3 4 5 6 7
·10−2
35
40
45
50
55
60
PIR (Flit/Cycle/Node)
A
PL
(C
yc
le
)
Fault-free
Faulty5%-No HT
Faulty5%-HT
Faulty10%-No HT
Faulty10%-HT
(b) transpose
2 · 10−2 4 · 10−2 6 · 10−2 8 · 10−2 0.1
34
36
38
40
42
44
PIR (Flit/Cycle/Node)
A
PL
(C
yc
le
)
Fault-free
Faulty5%-No HT
Faulty5%-HT
Faulty10%-No HT
Faulty10%-HT
(c) uniform
2 · 10−2 4 · 10−2 6 · 10−2 8 · 10−2 0.1
1,000
2,000
3,000
4,000
PIR (Flit/Cycle/Node)
PL
P
(W
-C
yc
le
)
Fault-free
Faulty5%-No HT
Faulty5%-HT
Faulty10%-No HT
Faulty10%-HT
(d) shule
1 2 3 4 5 6 7
·10−2
0
0.2
0.4
0.6
0.8
1
·104
PIR (Flit/Cycle/Node)
PL
P
(W
-C
yc
le
)
Fault-free
Faulty5%-No HT
Faulty5%-HT
Faulty10%-No HT
Faulty10%-HT
(e) transpose
2 · 10−2 4 · 10−2 6 · 10−2 8 · 10−2 0.1
1,000
2,000
3,000
4,000
5,000
6,000
PIR (Flit/Cycle/Node)
PL
P
(W
-C
yc
le
)
Fault-free
Faulty5%-No HT
Faulty5%-HT
Faulty10%-No HT
Faulty10%-HT
(f) uniform
Fig. 16. Average packet latency (APL) (a, b, and c) and power-latency product (PLP) (d, e, and f) versus packet
injection rate (PIR) of dierent synthetic traic paerns in an 8×8 mesh NoC.
7 DESIGN OF A COMPREHENSIVE SECURE ROUTER
Several mitigation mechanisms proposed hitherto, which aim in restoring security in NoCs, pri-
marily address one particular aack. is kind of aack-specic mitigation mechanism for NoCs
may not be viable to be considered in practice, as each such architecture can nullify only a specic
aack raised by the HTs. us, more generic mitigation mechanisms, which can mitigate multiple
aacks, are necessary to extend the scope of ality-of-Security Service (QoSS) in the future NoC
architectures. One way of realizing a secure architecture of a router in the NoC is by leveraging
the common properties of several mitigation mechanisms and integrating them into the router.
is kind of hardening mechanism improves the immunity of the routers in the NoCs to resist and
thwart several aacks.
is section presents the architecture of one such router, namely comprehensive secure router
(CSR), which can mitigate multiple aack scenarios that arise within the NoC routers. e archi-
tecture of CSR is a derived architecture, which has been derived from other secure architectures
presented in the literature.
Fig. 17 shows one such CSR, which can mitigate the aacks considered in [15, 25], along with the
proposed packet drop aack. e blocks buer shuer (P), control unit (CU), and authentication
unit (AU) help in mitigating the packet drop aack, whereas, the blocks security unit (SU) and
, Vol. 1, No. 1, Article 1. Publication date: January 2016.
Runtime Mitigation of Packet Drop Aacks in Fault-tolerant NoCs 1:21
Input
Buffer
(IB1)
Routing Unit (RU)
Cross-
bar
(XB)
VC Allocator (VA)
Switch Allocator (SA)
Link Status (LSA)
I1
I2
I3
I4
I5
O1
O2
O3
O4
O5
VCn VCu
C
SS
F
CU
AU
P G
Output
Buffer
(OB1)
B
SU
Fig. 17. Microarchitecture of a secure router capable of mitigating several HT aacks.
buer shuer (P) help in mitigating the illegal packet request aack [25]. Similarly, the blocks F, G,
and B conform to the blocks HTC1, HTC2, and HTC3, mentioned in [15], which help in mitigating
the it sabotage aacks that arise within the router.
e design overhead of the router in Fig. 17 compared to the baseline router mentioned in [15],
which consists of 5 IO ports and 8 VCs/port with a it-width of 32 bits, is found to be about 41% in
terms of area and 18% in terms of power consumption.
8 CONCLUSIONS AND FUTUREWORK
Packet drop aack, a type of denial-of-service aack, has been proposed in the context of NoCs, in
which packets are forced by the HTs to proceed to those output ports of a router that have faulty
links. e HTs that can raise the proposed aack have been inserted inside the routers, which
become active when an output link associated with such routers becomes faulty. Security modules,
namely authentication unit, control unit, and buer shuer have been proposed to mitigate the
anomaly raised because of the aacker HTs. Regarding overheads in performance, SeFaR suers an
average overhead of at most 0.8% and 12.89% in terms of execution time, when one and four active
HTs are considered in the NoC while running real benchmarks. Similarly, regarding the overhead in
energy consumption, SeFaR additionally consumes an average energy of at most 28.36% and 28.58%,
when one and four active HTs are considered in the NoC while running real benchmarks. For
synthetic trac paerns, SeFaR with an active HT suers from slight degradation in the average
packet latency and power-latency product metrics, when compared with SeFaR without any HT.
Area and power overheads of SeFaR, when put next to the baseline FT router, have been found
to be 2.02% and 0.90%, respectively. Further, a comprehensive secure router, with area and power
overheads of 41% and 18% compared to the baseline router, has been designed, which can mitigate
multiple aack scenarios that arise within the routers of a NoC. Future work aims at improving the
mitigation mechanism for the proposed aack.
REFERENCES
[1] 2017. Design Compiler. hps://www.synopsys.com/support/t-raining/rtl-synthesis/design-compiler.html. (2017).
Accessed: 01 July 2017.
[2] Mohammad Al-Shurman, Seong-Moo Yoo, and Seungjin Park. 2004. Black Hole Aack in Mobile Ad Hoc Networks.
In Proceedings of the 42Nd Annual Southeast Regional Conference (ACM-SE 42). ACM, New York, NY, USA, 96–97.
[3] D. M. Ancajas, K. Chakraborty, and S. Roy. 2014. Fort-NoCs: Mitigating the threat of a compromised NoC. In 2014 51st
ACM/EDAC/IEEE Design Automation Conference (DAC). 1–6.
[4] S. Bhasin and F. Regazzoni. 2015. A survey on hardware trojan detection techniques. In 2015 IEEE International
Symposium on Circuits and Systems (ISCAS). 2021–2024.
, Vol. 1, No. 1, Article 1. Publication date: January 2016.
1:22 N. Prasad, Navonil Chaerjee, Santanu Chaopadhyay, and Indrajit Chakrabarti
[5] S. Bhunia, M. S. Hsiao, M. Banga, and S. Narasimhan. 2014. Hardware Trojan Aacks: reat Analysis and Counter-
measures. Proc. IEEE 102, 8 (Aug 2014), 1229–1247.
[6] Christian Bienia. 2011. Benchmarking Modern Multiprocessors. Ph.D. Dissertation. Princeton University.
[7] Arnab Kumar Biswas, S. K. Nandy, and Ranjani Narayan. 2015. Router Aack toward NoC-enabled MPSoC and
Monitoring Countermeasures against such reat. Circuits, Systems, and Signal Processing 34, 10 (Oct 2015), 3241–3290.
[8] Travis Boraten and Avinash Kodi. 2018. Mitigation of Hardware Trojan based Denial-of-Service aack for secure
NoCs. J. Parallel and Distrib. Comput. 111, Supplement C (2018), 24 – 38.
[9] T. Boraten and A. K. Kodi. 2016. Packet security with path sensitization for NoCs. In 2016 Design, Automation Test in
Europe Conference Exhibition (DATE). 1136–1139.
[10] T. E. Carlson, W. Heirman, S. Eyerman, I. Hur, and L. Eeckhout. 2014. An Evaluation of High-Level Mechanistic Core
Models. ACM Transactions on Architecture and Code Optimization 11, 3 (Oct. 2014), 23.
[11] Y. Y. Chen, E. J. Chang, H. K. Hsin, K. C. (. Chen, and A. Y. (. Wu. 2017. Path-Diversity-Aware Fault-Tolerant Routing
Algorithm for Network-on-Chip Systems. IEEE Transactions on Parallel and Distributed Systems 28, 3 (March 2017),
838–849.
[12] S. Djahel, F. Nait-abdesselam, and Z. Zhang. 2011. Mitigating Packet Dropping Problem in Mobile Ad Hoc Networks:
Proposals and Challenges. IEEE Communications Surveys Tutorials 13, 4 (Fourth 2011), 658–672. hps://doi.org/10.
1109/SURV.2011.072210.00026
[13] S. Evain and J. P. Diguet. 2005. From NoC security analysis to design solutions. In IEEE Workshop on Signal Processing
Systems Design and Implementation, 2005. 166–171.
[14] L. Fiorin, G. Palermo, S. Lukovic, V. Catalano, and C. Silvano. 2008. Secure Memory Accesses on Networks-on-Chip.
IEEE Trans. Comput. 57, 9 (Sept 2008), 1216–1229.
[15] Jonathan Frey and Qiaoyan Yu. 2017. A hardened network-on-chip design using runtime hardware Trojan mitigation
methods. Integration 56 (2017), 15–31.
[16] C. H. Gebotys and R. J. Gebotys. 2003. A framework for security on NoC technologies. In VLSI, 2003. Proceedings. IEEE
Computer Society Annual Symposium on. 113–117.
[17] Rajesh JayashankaraShridevi, Dean Michael Ancajas, Koushik Chakraborty, and Sanghamitra Roy. 2017. Security
Measures Against a Rogue Network-on-Chip. Journal of Hardware and Systems Security (30 May 2017).
[18] N. Jiang, J. Balfour, D. U. Becker, B. Towles, W. J. Dally, G. Michelogiannakis, and J. Kim. 2013. A detailed and exible
cycle-accurate Network-on-Chip simulator. In 2013 IEEE International Symposium on Performance Analysis of Systems
and Soware (ISPASS). 86–96. hps://doi.org/10.1109/ISPASS.2013.6557149
[19] Hemangee K. Kapoor, G. Bhoopal Rao, Sharique Arshi, and Gaurav Trivedi. 2013. A Security Framework for NoC
Using Authenticated Encryption and Session Keys. Circuits, Systems, and Signal Processing 32, 6 (Dec 2013), 2605–2622.
[20] J. Liu, J. Harkin, Y. Li, and L. P. Maguire. 2016. Fault-Tolerant Networks-on-Chip Routing With Coarse and Fine-Grained
Look-Ahead. IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems 35, 2 (Feb 2016), 260–273.
[21] G. De Micheli and L. Benini. 2017. Networks on Chips: 15 Years Later. Computer 50, 5 (May 2017), 10–11.
[22] C. Nicopoulos, V. Narayanan, and C.R. Das. 2009. Network-on-Chip Architectures: A Holistic Design Exploration. Springer
Netherlands.
[23] M. Oveis-Gharan and G. N. Khan. 2016. Ecient Dynamic Virtual Channel Organization and Architecture for NoC
Systems. IEEE Transactions on Very Large Scale Integration (VLSI) Systems 24, 2 (Feb 2016), 465–478.
[24] Maurizio Palesi and Masoud Daneshtalab (Eds.). 2014. Routing Algorithms in Networks-on-Chip. Springer New York,
New York, NY.
[25] N. Prasad, R. Karmakar, S. Chaopadhyay, and I. Chakrabarti. 2017. Runtime Mitigation of Illegal Packet Request
Aacks in Networks-on-Chip. In IEEE International Symposium on Circuits and Systems (ISCAS). 1472–1475.
[26] Martin Radetzki, Chaochao Feng, Xueqian Zhao, and Axel Jantsch. 2013. Methods for Fault Tolerance in Networks-on-
Chip. Comput. Surveys 46, 1 (Oct 2013), 8:1–8:38.
[27] Ahmed Saeed, Ali Ahmadinia, and Mike Just. 2016. Secure On-Chip Communication Architecture for Recongurable
Multi-Core Systems. Journal of Circuits, Systems and Computers 25, 08 (2016), 1650089.
[28] P. K. Sahu, T. Shah, K. Manna, and S. Chaopadhyay. 2014. Application Mapping Onto Mesh-Based Network-on-Chip
Using Discrete Particle Swarm Optimization. IEEE Transactions on Very Large Scale Integration (VLSI) Systems 22, 2
(Feb 2014), 300–312. hps://doi.org/10.1109/TVLSI.2013.2240708
[29] M. J. Sepu´lveda, J. P. Diguet, M. Strum, and G. Gogniat. 2015. NoC-Based Protection for SoC Time-Driven Aacks.
IEEE Embedded Systems Leers 7, 1 (March 2015), 7–10.
[30] Fan-Hsun Tseng, Li-Der Chou, and Han-Chieh Chao. 2011. A survey of black hole aacks in wireless mobile ad hoc
networks. Human-centric Computing and Information Sciences 1, 1 (22 Nov 2011), 4.
[31] Sebastian Werner, Javier Navaridas, and Mikel Luja´n. 2016. A Survey on Design Approaches to Circumvent Permanent
Faults in Networks-on-Chip. Comput. Surveys 48, 4 (May 2016), 59:1–59:36.
, Vol. 1, No. 1, Article 1. Publication date: January 2016.
Runtime Mitigation of Packet Drop Aacks in Fault-tolerant NoCs 1:23
[32] Ruilian XIE, Jueping CAI, Xin XIN, and Bo YANG. 2017. Low-Cost Adaptive and Fault-Tolerant Routing Method for
2D Network-on-Chip. IEICE Transactions on Information and Systems E100.D, 4 (2017), 910–913.
[33] H. Zhao, N. Bagherzadeh, and J. Wu. 2017. A General Fault-Tolerant Minimal Routing for Mesh Architectures. IEEE
Trans. Comput. 66, 7 (July 2017), 1240–1246.
, Vol. 1, No. 1, Article 1. Publication date: January 2016.
