Hardening development environment for embedded systems by Restrepo Calle, Felipe et al.
Introduction Hardening Development Environment Case Study Experiments and Results Conclusions and Future Work
Hardening Development Environment for
Embedded Systems
F.Restrepo-Calle1 A.Martínez-Alvarez1 F.R.Palomo2
S.Cuenca-Asensi1 M.A.Aguirre2
1Computer Technology Department, University of Alicante, 03690 Alicante, Spain
2Department of Electrical Engineering, University of Sevilla, 41092 Sevilla, Spain
Workshop on Design for Reability (DFR)
HiPEAC 2010, Pisa
Introduction Hardening Development Environment Case Study Experiments and Results Conclusions and Future Work
Outline
1 Introduction
2 Hardening Development Environment
3 Case Study
4 Experiments and Results
5 Conclusions and Future Work
Introduction Hardening Development Environment Case Study Experiments and Results Conclusions and Future Work
Introduction
Reliability issues ?
Context RENASER project (Radiation Effects on
Semiconductors for Aerospace Systems)
Typically, reliability issues in mission critical embedded
systems have been mitigated using redundant hardware.
This method have become difficult:
development of a custom hardened microprocessor can be
very costly!
electronic components more sensitive to Single or Multiple
Event Effects induced by radiation
During recent years. . .
Several proposals based on redundant software have been
developed, providing detection and error correction
capabilities
Need of low cost COTS reliable hardware become more
evident
Introduction Hardening Development Environment Case Study Experiments and Results Conclusions and Future Work
Introduction
Outline on SIHFT without recovery
Software implemented hardware fault tolerance (SIHFT)
techniques, based on redundancy of instructions achieve better
fault detection/correction results
Rebaudengo et al. proposed a high level instruction
redundancy reporting detection of 63% to the program data
Oh et al. presented the EDDI technique (Error Detection
by Duplicated Instructions)→ better detection and
overhead . . .
and CFCSS (Control-Flow Checking by Software
Signatures)→ faults on program flow
Reis et al. SWIFT (Software Implemented Fault Tolerance).
Introduction Hardening Development Environment Case Study Experiments and Results Conclusions and Future Work
Introduction
Outline on SIHFT with recovery
Rebaudengo et al. made an approach based on high level
instruction redundancy→ 99.50%
Reis et al. proposed SWIFT-R a technique based on
triplication of low level instructions
Results from studied techniques show that low level instruction
redundancy offers lower code and data overheads→ a critical
characteristic for embedded systems!!!
Introduction Hardening Development Environment Case Study Experiments and Results Conclusions and Future Work
Introduction
So in this paper, we present. . .
A hardening environment able to handle multiple
microprocessors made up of . . .
An extensible multi–target hardening compiler
An Instruction Set Simulator (ISS) to calculate overheads of
time/memory and validate the hardened code
As a case of study, we have developed a Picoblaze
back-end to test the environment.
This enviroment will allow the exploration of hybrid
hardware/software solutions to obtain fault tolerant
systems.
Our environment + co–design techniques→ the
calculation of several trade-offs between reliability,
performance and device area
Introduction Hardening Development Environment Case Study Experiments and Results Conclusions and Future Work
Hardening Development Environment
According to the studied SIHFT techniques . . .
. . . what are the main funcionalities a HDE must supply?
Insertion of code transformations
Control flow analysis
Management of architecture’s resources
Use of Low Level Redundancy
Introduction Hardening Development Environment Case Study Experiments and Results Conclusions and Future Work
Generic Architecture
We propose . . .
. . . a generic architecture to implement hardening tasks:
Uniform hardening core
Compatible with many microprocessors of interest
Able to transform the code (at assembler level)
Retargetable output
Introduction Hardening Development Environment Case Study Experiments and Results Conclusions and Future Work
Generic Architecture
Our Hardening Development Environment
...
Compilers for specific 
architectures
Generic 
Instruction Flow
Hardened code
Arch. 2
Arch. 1
Arch. n-1
Arch. n
...
Generic Architecture
Hardener
Simulator
...
Object or assembler code for 
specific architectures
Arch. 2
Arch. 1
Arch. n-1
Arch. n
Introduction Hardening Development Environment Case Study Experiments and Results Conclusions and Future Work
Generic Architecture
Generic Architecture in detail
Three main topics:
Generic Instruction interoperability at ISA level
Memory Management different set of memories
Control Flow Management Powerful redundancy
Introduction Hardening Development Environment Case Study Experiments and Results Conclusions and Future Work
Generic Architecture
Generic Architecture in detail
Generic Instruction (GI) 1/2
Address Mnemonic
Generic 
Operator List
Affected Generic 
Flag List
Instruction 
Type
Tool 
message
Address address given by the back-end compiler
Mnemonic original nnemonic
Generic Operator List
Type Register, Literal, Address, Flag
Addressing Mode: Absolute, PC-Relative, Register Indirect,
Immediate, . . .
Operator actual name
Affected Generic Flag List
Flag type Z, not Z, C, not C, S, not S, . . .
Flag actual name
Introduction Hardening Development Environment Case Study Experiments and Results Conclusions and Future Work
Generic Architecture
Generic Architecture in detail
Generic Instruction (GI) 2/2
Address Mnemonic
Generic 
Operator List
Affected Generic 
Flag List
Instruction 
Type
Tool 
message
Instruction Type
Interrupt
Directive
Control flow
Scalar arithmetic
Scalar logic
Scalar Input/Output
. . .
Tool Message to save a hardening log
Introduction Hardening Development Environment Case Study Experiments and Results Conclusions and Future Work
Generic Architecture
Memory Management
Memory Management
Due to code insertions it is necessary to:
Identify the memory map to change
Insert the changes
Perform a memory update
so the HDE offers these three possibilities:
Dilation
Displacement
Reallocation
Introduction Hardening Development Environment Case Study Experiments and Results Conclusions and Future Work
Generic Architecture
Memory Management
Dilation
0
MAX
Original memory map
Memory 
Section #1
Instruction 1
...
...
...
...
Memory 
Section #2
...
...
...
Memory 
Section #3
...
...
...
Memory 
Section #n
...
...
...
...
...
0
MAX
New memory map
Memory 
Section #1
Instruction 1
...
...
...
...
Memory 
Section #2
...
...
...
Memory 
Section #3
...
...
...
Memory 
Section #n
...
...
...
...
...
...
...
...
Original instructions
Inserted instructions
Updated instructions
Dilation
Introduction Hardening Development Environment Case Study Experiments and Results Conclusions and Future Work
Generic Architecture
Memory Management
Displacement
Memory 
Section #1
Memory 
Section #2
Memory 
Section #n
Memory 
Section #3
0
MAX
Instruction 1
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
0
MAX
Memory
 Section #1
Instruction 1
...
...
...
...
Memory
Section #2
...
...
...
Memory 
Section #n
...
...
...Displacement
...
...
...
Memory
 Section #3
...
...
...
...
...
...
Original memory map New memory map
Original instructions
Inserted instructions
Updated instructions
Introduction Hardening Development Environment Case Study Experiments and Results Conclusions and Future Work
Generic Architecture
Memory Management
Reallocation
0
MAX
Memory
Section #1
Instruction 1
...
...
...
...
Memory
Section #2
...
...
...
Memory
Section #3
...
...
...
Memory
Section #n
...
...
...
...
...
0
MAX
Memory
Section #1
Instruction 1
...
...
...
...
Memory
Section #2
...
...
...
Memory
Section #n
...
...
...
...
...
...
Memory
Section #3
...
...
...
...
...
...
...
...
...
...
Memory
Section #n
0
Memory
Section #1
Instruction 1
...
...
...
...
Memory
Section #2
...
...
...
...
...
...
...
...
...
Memory
Section #3
...
...
...
...
...
...
...
...
...
...
MAX
Original memory map New memory map
Original instructions
Inserted instructions
Updated instructions
Introduction Hardening Development Environment Case Study Experiments and Results Conclusions and Future Work
Generic Architecture
Flow Control
Flow Control Graph
Generic Architecture flow control of a given Generic
Instruction Flow (GIF).
Our Flow Control Graph consists of a set of interconnected
blocks conforming a directed graph:
A basic block: set of instructions sequentially executed
without any jump instruction nor function call (except the
last instruction)
without any instruction being the destionation of a call or
jump instruction except the first one.
Each one represents a node in the graph
Every node is subdivided in a subnode if a store instruction
is present.
Introduction Hardening Development Environment Case Study Experiments and Results Conclusions and Future Work
Generic Architecture
Flow Control
Flow Control Graph and Subnodes
Node 1
Node 4
Node 3Node 2
Node 5
Node 1: {I1, I2, I3, I4, I5}
Node 2: {I6, I7, I8}
Node 3: {I9, I10}
Node 4: {I11, I12, I13}
Node 5: {I14}
Node 1
I1: ______
I2: ______
I3: STORE
I4: ______
I5: ______
Node 1
I1: ______
I2: ______
I3: STORE
I4: ______
I5: ______
Subnode 1
Subnode 2
Introduction Hardening Development Environment Case Study Experiments and Results Conclusions and Future Work
Generic Hardening Core
Hardening Generic Core
Hardening Generic Core
Consists of a:
Hardening compiler providing hardening methods:
-method: What FT technique?
-mcpu : What CPU
-replicationRegisterLevel : Redundancy level 
add S0, S1
-replicationTimes : Number of copies of each
redundant instruction
-voter : Select the voter to be used
-NOlookAheadAvailableRegs : Enable/Disable
advanced register search
. . .
Introduction Hardening Development Environment Case Study Experiments and Results Conclusions and Future Work
Generic Hardening Core
Hardening Generic Core
Hardening Generic Core
Instruction Set Simulator (ISS)
Simulates the GIF
Outputs interesting information (time/memory overheads,
statistics, . . . )
Checks and validates original and hardened code 
custom pragmas with the expected results
Can simulate Single Event Upsets (SEUs) faults during the
simulation controlled via custom pragmas and/or
command line options. Effects are classified as:
Correct results
Incorrect results
Hanged
Preliminary calculation of the fault coverage FC
Introduction Hardening Development Environment Case Study Experiments and Results Conclusions and Future Work
Generic Hardening Core
checking the hardening. . .
...Original Program
>>> Simulation file: '../../rtests_hardening/01_bubbleSort.asm'
Check succeeded - Instructions simulated: 228
Instructions in original code: 46
Single simulation result: PASSED
>>> Simulation Hardened file: '../../rtests_hardening/01_bubbleSort.asm.Hardened
Check succeeded - Instructions simulated: 400
Instructions in hardened code: 95
Hardened simulation result: PASSED
Overhead code segment    = x 2.07
Overhead time execution  = x 1.75
Dual simulation (original & hardened) result: PASSED
load s0, sa
load s1, sb
return
; Output [0]: 1,2,3,4,5
Introduction Hardening Development Environment Case Study Experiments and Results Conclusions and Future Work
Generic Hardening Core
Output from compiler and simulator. . .
Introduction Hardening Development Environment Case Study Experiments and Results Conclusions and Future Work
Case study. Picoblaze
Case study
A compiler back-end for Picoblaze generating GIF as output.
(KCPSM3 syntax, lexical, syntactical, semantical analisys).
Two different Triple Modular Redundancy fault tolerant
techniques implemented:
TMR1
Identification of nodes and subnodes from the GIF
Build of the flow control graph
Triplication
Insertion of majority voters and recovery procedures on:
nodes
subnodes
before an instruction beeing the destination of a jump/call
Dynamic insertion of majority voters and recovery
procedures if needed.
TMR2 Detect and correct faults by computing values twice,
and recomputing if discrepancy.
Introduction Hardening Development Environment Case Study Experiments and Results Conclusions and Future Work
Case study. Picoblaze
How looks hardened program with TMR1 and TMR2. . .
add   s0, 3F
store s0, 10
load S1, s0 ; Register copy
load S2, s0 ; Register copy
add s0, 3F
add S1, 3F ; Redundant inst
add S2, 3F ; Redundant inst
compare S0, S1 ; Voter
jump Z,  00A ; Voter
compare S0, S2 ; Voter
jump Z,  00A ; Voter
load S0, S1 ; Recovery
store s0, 10
load S1, s0 ; Register copy
load S2, s0 ; Register copy
add s0, 3F
add S1, 3F ; Redundant inst
compare S6, S2 ; Voter 
jump Z,  008 ; Voter
add S2, 3F ; Redundant inst
load S0, S2 ; Recovery
store s0, 10
TMR1 TMR2
Original version
Introduction Hardening Development Environment Case Study Experiments and Results Conclusions and Future Work
Experiments and Results
Experiments and Results
Verification of the HDE:
Correctness of the compiler back-end extensive
regression test (477 programs)
Validation of correct funcionality via a
-check-hardening simulator option
Evaluation of the implemented hardening technique
(overheads and FC) custom benchmark using TMR1
and TMR2
bubble sort (bubble)
scalar division (div)
scalar multiplication (mult) and Matrix Multiplication (mmult)
Fibonacci (fib)
Greatest Common Divisor (gcd)
Matrix addition (madd)
Exponentiation (pow)
Introduction Hardening Development Environment Case Study Experiments and Results Conclusions and Future Work
Experiments and Results
ISS results of code and time overheads
1
2
3
4
5
6
bub div fib gcd madd mmult mult pow
arithTMR1 arithTMR2 logicTMR1 logicTMR2 arithTMR1+logicTMR1 arithTMR2+logicTMR2
N
o
rm
a
liz
e
d
 C
o
d
e
 O
v
e
rh
e
a
d
1
2
3
4
5
bub div fib gcd madd mmult mult pow
arithTMR1 arithTMR2 logicTMR1 logicTMR2 arithTMR1+logicTMR1 arithTMR2+logicTMR2
N
o
rm
a
liz
e
d
 E
x
e
c
u
ti
o
n
 T
im
e
 O
v
e
rh
e
a
d
Figure: Execution and time overhead
Introduction Hardening Development Environment Case Study Experiments and Results Conclusions and Future Work
Experiments and Results
ISS results of Fault Coverage
Figure: FC results for original version(N), arithTMR1(A),
arithTMR2(B), logicTMR1(C), logicTMR2(D),
arithTMR1+logicTMR1(E), arithTMR2+logicTMR2(F)
Introduction Hardening Development Environment Case Study Experiments and Results Conclusions and Future Work
Conclusions and Future Work
Conclusions and Future Work
We have presented a Hardening Development
Environment for embedded systems.
A revisión of the main FT techniques was been done
A Generic Architecture and a Generic Hardening Core has
been introduced
A case study for Picoblaze with 2 implemented hardening
strategies has been developed to test the HDE
The overall system provides a low cost automatic solution
to incorporate fault tolerant techniques in embedded
systems
The HDE will be extended to support Microblaze and
Leon3
We will use the FTU emulation tool to achieve more
realistic statistics on FC
Introduction Hardening Development Environment Case Study Experiments and Results Conclusions and Future Work
Conclusions and Future Work
Thank you for your attention!
Molte Grazie! Domande?
