A Formal Model for the Automatic Configuration of Access Protection Units in MPSoC-Based Embedded Systems by Dörr, Tobias et al.
This is the accepted version of 10.1109/DSD51259.2020.00098. © 2020 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all
other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale
or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works.
A Formal Model for the Automatic Configuration
of Access Protection Units in MPSoC-Based
Embedded Systems
Tobias Dörr, Timo Sandmann, and Jürgen Becker
Karlsruhe Institute of Technology (KIT), Karlsruhe, Germany
Email: {tobias.doerr, sandmann, becker}@kit.edu
Abstract—Heterogeneous system-on-chip platforms with multi-
ple processing cores are becoming increasingly common in safety-
and security-critical embedded systems. To facilitate a logical
isolation of physically connected on-chip components, internal
communication links of such platforms are often equipped
with dedicated access protection units. When performed man-
ually, however, the configuration of these units can be both
time-consuming and error-prone. To resolve this issue, we present
a formal model and a corresponding design methodology that
allows developers to specify access permissions and informa-
tion flow requirements for embedded systems in a mostly
platform-independent manner. As part of the methodology, the
consistency between the permissions and the requirements is
automatically verified and an extensible generation framework is
used to transform the abstract permission declarations into con-
figuration code for individual access protection units. We present
a prototypical implementation of this approach and validate it
by generating configuration code for the access protection unit
of a commercially available multiprocessor system-on-chip.
Index Terms—Multiprocessor system-on-chip, on-chip isola-
tion, system-level isolation, access protection, model-based design,
information flow tracking, code generation, safety, security.
I. INTRODUCTION
In order to fulfill their steadily increasing performance
demands, modern embedded systems increasingly rely on
multicore processors. A popular manifestation of such devices
are multiprocessor system-on-chip (MPSoC) platforms. They
integrate multiple processing cores along with memory hier-
archies, input/output (I/O) controllers, and similar peripherals
on a single chip. Especially heterogeneous MPSoCs, which
comprise diverse processing cores, are promising platforms
for the cost-, area-, and power-efficient implementation of
applications with high performance requirements [1]. Due to
the tight integration and the fact that their cores share many
of the on-chip resources, however, their use in safety- and
security-critical systems is a challenging endeavor.
From a dependability perspective, safety is the property
that a system is free of catastrophic consequences on users
or the environment, while security describes the property
that unauthorized actions do not result in the disclosure or
alteration of information [2]. In this paper, we refer to a
system whose malfunction can result in it becoming unsafe
as a safety-critical system and to one whose malfunction may
result in it becoming insecure as a security-critical system.
Two specific issues associated with the use of MPSoCs in
safety- and security-critical environments can be understood
by considering the field of autonomous driving: Here, increas-
ing communication bandwidth and performance requirements
facilitate a trend towards centralized electrical/electronic (E/E)
architectures, in which powerful components such as heteroge-
neous MPSoCs host a variety of functions, often with different
real-time requirements and safety criticalities [3]. Despite the
fact that these functions are connected to the same on-chip
resources, they must be designed in such a way that they
meet their respective real-time requirements and are unaffected
by possible failures of less critical functions. Therefore, a
sufficient degree of logic-level isolation as well as measures
against timing interferences are mandatory [4]. Furthermore,
vehicle-to-vehicle (V2V) and vehicle-to-infrastructure (V2I)
communication are an essential part of an autonomous vehi-
cle’s functionality. This means that additional, often wireless,
external interfaces are present and closely connected to the
same components that execute the safety-critical functions
described above. This can result in attack surfaces that must
be counteracted by the application of suitable security mech-
anisms such as the isolation of individual subsystems [5].
Therefore, commercially available MPSoC platforms such
as the Zynq UltraScale+ MPSoC (ZynqMP) from XILINX [6]
comprise dedicated hardware units that control how the indi-
vidual bus masters, which are most importantly the processing
cores, access shared resources. These units are configured
at runtime with information on which transactions are legal
and which are illegal. After their configuration, they monitor
the global interconnect and prevent illegal transactions from
reaching their respective destinations. In the specific case of
the ZynqMP, there are two such units [7]: the Xilinx memory
protection unit (XMPU) and the Xilinx peripheral protection
unit (XPPU). They operate on addresses from the global
address space and together cover the majority of the platform’s
memory-mapped resources. In their behavior, they are com-
parable to memory protection units (MPUs). However, their
scope is not limited to transactions from a specific bus master.
It extends to all transactions on the global interconnect.
For the purposes of this paper, we refer to a hardware unit
that acts on the logical level of some communication link
and enforces a fixed or configurable set of access protection
rules on this link as an access protection unit (APU). During
the design of MPSoC-based embedded systems with safety or
security requirements, the proper configuration of APUs is of
vital importance. However, determining such a configuration
is often complicated by the following aspects:
1) Each type of APU requires its configuration data in
a particular form. For runtime-configurable units on
commercially available MPSoCs, for instance, it is
usually necessary to determine the values of a plat-
form-specific set of configuration registers. Perform-
ing this process manually is both time-consuming and
error-prone. Software tools to generate these values are
provided by some semiconductor vendors, but they are
still highly MPSoC-specific and often not well suited for
integration into existing development toolchains.
2) The task that an APU performs is a low-level mechanism
with the goal of enforcing certain information flow
policies. These policies usually originate from some
functional, safety-related, or security-related require-
ments. Therefore, considering the APU configuration in
isolation makes it difficult to verify that it successfully
leads to the desired information flow policies.
3) MPSoCs in embedded systems are often integrated into
a network of different components. As a consequence,
resource isolation at the level of an MPSoC can have
a significant impact on the information flow at system
level. These system-level implications of an APU con-
figuration must therefore be considered.
To tackle these issues, we present a formal model to describe
both information flow requirements and access protection set-
tings of a system in an abstract manner, i.e., without the need
to consider the characteristics of specific APUs. Furthermore,
we describe an approach to check instances of this model for
their consistency and present a framework to map them to
concrete platform architectures with a particular set of APUs.
Based on the model instance and this mapping, the framework
performs a feasibility check and, if possible, derives a suitable
configuration for each of the utilized APUs automatically.
II. RELATED WORK
There is a large volume of published approaches to achieve
resource isolation on MPSoCs. Some of them isolate process-
ing cores as much as possible from each other. The architecture
proposed in [8], for instance, is based on “local systems”
that comprise resources to which the corresponding processing
cores have exclusive access. In this approach, physically
shared memory is protected by a memory controller that
arbitrates transactions from the local systems in a deterministic
manner and forwards them to disjoint memory partitions.
Many processing platforms map shared resources into the
global address space. It is then possible to employ MPU-like
structures to protect the resources from specific masters. The
approach presented in [9] targets system-on-chip (SoC) plat-
forms with a single processor whose tasks need to be isolated
from certain memory regions and I/O controllers. Similar
approaches that are targeted at multi-master platforms are
described in [10] and [11]. These approaches are comparable
to the APU mechanism described above. Note that such an
isolation operates mainly on a logical level and is less effective
against timing interferences [4]. In practice, additional mea-
sures to ensure that the interferences do not cause a violation
of real-time requirements might be necessary [12].
To isolate parts of a system from each other, the concept
of information flow tracking (IFT) can be seen as an alternative
to strict physical isolation or APU-based approaches [13].
Its underlying idea is to statically or dynamically determine
where information flows to. An important advantage of these
approaches over access protection schemes is that they capture
not only how information is released from a source or intro-
duced into a sink but also its propagation through the overall
system [14]. Many such schemes, such as the one proposed
in [15], focus on information flows within or between software
programs. However, IFT has also been applied on the level
of logic gates to analyze and prohibit unintended information
flow over I2C and USB links [16]. Due to the fact that this
approach captures interactions on the granularity of individual
bits, it is able to detect implicit information flow, such as
through timing behavior. The approach that we propose is
similar to the IFT concept in the sense that it does not consider
access protection units in isolation. Instead, it captures how
they affect the propagation of information. However, our work
is limited to the explicit flow of information. The consideration
of implicit flows is beyond the scope of this paper.
In order to deal with the steadily increasing complexity of
embedded systems, various model-based approaches with the
goal to automatically analyze or validate system properties,
particularly at early stages in the design process, have been
proposed. The goal of the Architecture Analysis & Design
Language (AADL), an SAE standard [17], is to capture the
architecture of hardware/software systems in a single model,
which then serves as the basis for automated analyses and
transformations. Conceptually similar to our approach is the
AADL-based design methodology presented in [18]. Like our
work, this model-based approach enforces isolation policies
between SoC partitions at run-time. However, the authors
limit the scope of their work to safety considerations on a
single SoC and explicitly consider real-time aspects and timing
interferences. While they base their model on AADL and
generate hardware wrappers for individual processors, we use
a custom model and provide a flexible framework to generate
configuration code for existing APUs.
III. CONCEPT AND METHODOLOGY
At the core of the proposed concept is a model capturing
both the information flow requirements of and the envisaged
transactions within a considered system. It can be applied to
any environment in which execution units (= units), which are
hardware components to execute functions, are connected via
so-called communication links (CLs). A communication link
describes a transmission channel to which one or more units
are attached. It is logically shared between all its units and
realizes the read and write transactions that they exchange. A
transaction is initiated by its master unit and targeted at an
III. Information flow implementation
(Forwarding features and transactions on communication links)
II. Functional implementation
(Terminal features and their information flow requirements)
I. Platform architecture
(Execution units and communication links)
Fig. 1. Model layers and the information they capture
explicitly addressed slave unit. The model assumes that all
units are equal in the sense that they can both initiate and
be addressed by a transaction. A slave unit that receives a
read transaction returns its response as part of this transac-
tion, i.e., does not initiate another transaction to do so. The
definition is deliberately broad to accommodate various types
of transmission channels, including off-chip and system-level
interconnects such as I2C or CAN buses. In the following,
we assume that APUs base the decision of whether a specific
transaction is legal or illegal on its master unit, its slave unit,
and its type (read or write). An example of such an APU is one
of the above-mentioned system isolation units of the ZynqMP.
Note that in practice, a slave unit will usually dispatch a
received transaction to a specific function. We assume that
an APU is entirely unaware of such unit-internal aspects.
A. Overview of the Model and its Layers
This section gives a fist overview of the model, while Sec-
tion IV describes it in a formal manner. Fig. 1 shows the three
layers of the proposed model. They capture the dependencies
between model fragments in the sense that each layer depends
on and extends the layers that are depicted below it.
The starting point of every model instance is an existing
platform architecture and an existing functional specification.
The platform architecture is a particular hardware setup, while
the functional specification describes the functionalities that
the corresponding platform architecture shall deliver.
The platform architecture forms layer I of the model. It
consists of a set of units, a set of CLs, and their connections. If
applicable, it also describes the execution environments (oper-
ating systems, . . . ) that the units provide. APU-specific aspects
are not captured at this layer. Instead, certain portions of the
platform architecture (a specific MPSoC, . . . ) can be linked
to a platform-specific generator. Such a generator is invisible
to the higher model layers and translates the model parts that
are relevant to this portion to APU configurations.
Instead of the functional specification per se, layer II
contains terminal features that describe how the developer
intends to implement the required functionality on the platform
architecture. Each of them is mapped to exactly one unit and
represents a specific function. An example of such a terminal
feature is a task of an operating system. They serve as sources
and sinks of so-called information flow. Furthermore, layer II
Central gateway
PROC1 PROC2











Fig. 2. Mapping of terminal features to a platform architecture
captures the information flow requirements that the developer
defines between terminal features. They describe
1) which information flows are required for the set of
terminal features to fulfill their functionalities and
2) which information flows can be accepted from an isola-
tion perspective beyond the required ones.
Layer III of the model then captures how these information
flows are planned to be implemented. In order to implement
information flows over a chain of units, it is possible to
introduce so-called forwarding features as part of this layer.
Each forwarding feature is mapped to and executed by exactly
one unit, but its sole purpose is to forward every piece of
information that it receives. An example of such a forwarding
feature is the functionality fulfilled by an I2C controller of
an MPSoC that forwards data from an MPSoC-internal link to
an I2C bus. To implement the flows, the developer defines write
and read transactions that originate from a feature, propagate
over a specific CL, and lead to another feature. Depending on
the type of transaction, information will flow either from the
master feature to the slave feature or the over way around.
Note that information flow requirements can only be speci-
fied between terminal features. Forwarding features are merely
a mechanism to help fulfill these requirements.
As a concrete example, consider the guidance and naviga-
tion tasks that according to [19] are essential functions in the
field of autonomous driving. Assume that an autonomous ve-
hicle shall deliver a navigation functionality, which determines
a route to travel, and a guidance functionality, whose goal is
to derive suitable maneuvers from this route. Via an external
interface, a user shall be able to influence the navigation.
Furthermore, the route that the navigation generates needs to
be validated and passed to the subsystem implementing the
guidance functionality over a dependable, strictly controlled
interface. For safety reasons, no other functionality shall have
an impact on the guidance subsystem. Based on a specific plat-
form architecture, the developer translates these requirements
into the terminal features navigation, route_interface,
guidance, and user_intervention. Furthermore, the fol-
lowing three required information flows are defined:
• navigation → route_interface,
• route_interface → guidance, and

















Fig. 3. Proposed design methodology
The layer-II mapping of these terminal features to a sample
platform architecture is shown in Fig. 2. PROC blocks in the
figure are processor subsystems with private memories that
communicate directly over their communication links, while
the two IOC blocks represent I/O controllers attached to CL3.
Assume that all shown CLs are protected by an APU.
Layer III of the model now requires the developer to
specify how these flow requirements are fulfilled: The first
two required flows are satisfied, for instance, if navigation
uses CL2 to write to route_interface, while guidance
uses CL2 to read from route_interface. To fulfill the
third requirement, forwarding features on IOC1 and IOC2
are required. If user_intervention uses CL1 to write to
the feature on IOC1, IOC1 uses CL3 to write to the feature
on IOC2, and PROC3 uses CL2 to read from the feature
mapped to IOC2, the required flows are satisfied. The transac-
tion specifications can be used to derive APU configurations
for CL1, CL2, and CL3. During runtime, these configurations
enforce that no other flows can occur over the shared CLs.
Note that if guidance could read from the forwarding feature
on IOC2, for instance, this would enable an unaccepted flow
from user_intervention to guidance.
B. Model-Based Design Methodology
The overall design methodology that we propose as part
of this work is shown in Fig. 3. It depends on a given
functional specification (1a) and knowledge of the platform
architecture (1b) on which this specification shall be realized.
Based on these inputs, the developer derives a particular model
instance (2). This derivation involves taking certain design
decisions such as the definition of terminal features. The model
instance is then used as the basis for an automated information
flow analysis (3). In particular, this step verifies whether
the transactions specified in layer III enable all required
flows to occur and prevent any flow that is neither required
nor accepted from taking place. If these two conditions are
satisfied, model portions that are linked to a platform-specific
generator are passed to this generator. It will check if it is
able to translate all transactions on links for which an APU
protection is requested into suitable APU configurations (4)
and, if this is the case, derive them automatically (5).
It is possible to run through these process steps in an
iterative manner, i.e., to start with a partial model instance and
extend it incrementally. In such an approach, the developer is
guided by the model and its verification capabilities through
the process of finding an appropriate isolation setting.
Recall that the definition of a communication link is deliber-
ately broad. In practice, a typical CL will therefore exhibit only
a subset of the aspects that the model is able to capture. Units
that are attached to a memory-mapped AXI4 interconnect, for
instance, can act either as a master or as slave unit, i.e., are
not equal. In such a case, the platform-specific generation step
should additionally ensure that the envisaged transactions are
feasible before generating an APU configuration.
C. Dependability and Protocol Transactions
In safety- and security-critical systems, failure of system
elements to deliver their intended functionalities must be
anticipated. With respect to our model, we must therefore
consider the possibility that a terminal feature unintentionally
forwards information from its input to its output. Furthermore,
one has to consider that any feature might misbehave and
initiate a transaction that is targeted at the wrong destination.
Another aspect that a suitable model must be able to capture
are systematic or random faults of unit: If a unit is affected
by a fault, all the features that are mapped to it might behave
incorrectly. A unit that normally isolates the features that
it executes from each other, such as a processor running
an operating system that isolates its processes, might fail to
enforce this isolation if it is affected by a fault itself.
Therefore, the model that we propose considers all fea-
tures and units to be undependable by default. In safety-
and security-critical systems, however, one can assume that
suitable mechanisms are applied in order to make individual
features or units dependable. For these entities, the above
assumption is overly pessimistic. In the model, both terminal
and forwarding features as well as units can therefore be
declared as dependable. During the information flow analysis,
these entities are then treated accordingly.
Dependable entities are particularly important in combina-
tion with protocol transactions, the last fundamental aspect
of the model. In practice, some transactions on CLs carry
only protocol data. Consider again the architecture shown in
Fig. 2, for instance. In order for PROC2 to transfer payload
data over CL3, payload data must flow from PROC2 to IOC1,
but protocol data such as ready or error flags will usually flow
from IOC1 to PROC2 as well. In our model, such transactions
are captured as protocol transactions. If all the features and
units that are involved in such a transaction are dependable, it
is often justified to assume that it will not allow for information
flow in a strict sense. This aspect is again taken into account





Fig. 4. Platform architecture comprising three units and two links
IV. FORMAL DEFINITION OF THE MODEL
In the following paragraphs, each of the three model layers
is formally defined as a tuple of sets, relations, and functions.
Definition 1: A platform architecture is a tuple
MP = (U, L, C, c0, ϕC , ϕL, δU ),
where U , L, and C are sets of units, links, and containers,
respectively. c0 ∈ C is the root container, which shall serve
as the direct or indirect parent of all units, links, and other
containers. These model entities will be referred to as
E := U ∪ L ∪ (C \ {c0})
in the following. ϕC : E → C maps each such entity to its
enclosing container, while ϕL : L → P(U) maps each link
to the units that it is connected to. δU : U → {0, 1} maps
every unit to its dependability, where a value of 0 signifies
an undependable and a value of 1 a dependable unit.
Containers represent hierarchy aspects of the platform archi-
tecture and can be arbitrarily nested. Their main purpose is to
serve as the formal basis of the platform-specific generation. A
particular MPSoC with several units and links can for example
be modeled as a container. For convenience, we define the
function ϕ̂ : E×C → {0, 1} such that ϕ̂(e, c) = 1 if and only
if e is directly or indirectly contained in c.
Definition 2: A platform architecture MP is valid if and
only if the following conditions are satisfied:
∀e ∈ E : ϕ̂(e, c0) = 1
∀c ∈ C \ {c0} : ϕ̂(c, c) = 0
∀` ∈ L ∀u ∈ ϕL(`) : ϕ̂ (u, ϕC(`)) = 1
In other words, a platform architecture is valid if and only if
all units, links, and containers except for the root are contained
in the root, no container is contained in itself, and no link is
connected to a unit “outside” of its own container.
To model the platform architecture in Fig. 4, for instance,
we define U = {u1, u2, u3}, L = {`1, `2}, C = {c0, c1},
and choose c0 as the root of the architecture. Setting
ϕC(u1) = ϕC(u2) = ϕC(`1) = c1,
ϕC(u3) = ϕC(`2) = ϕC(c1) = c0,
as well as ϕL(`1) = {u1, u2} and ϕL(`2) = {u2, u3} leads
to a valid MP that describes the given architecture accurately.
Definition 3: A functional implementation is a tuple
MF = (T, IR, IA, σT , δT )
that is based upon a specific MP . T is the set of terminal
features, while IR, IA ⊆ T×T with IR∩IA = ∅ are relations
representing required information flows and flows that are not
required but still accepted, respectively. σT : T → U maps
every terminal feature to a unit of the platform architecture,
while the function δT : T → {0, 1} is comparable to δU and
maps every terminal feature to its dependability.
The first element of an IR or IA tuple represents the
source and the second element the sink of a flow. Note that
the purpose of IA is to capture information flows that are
entirely optional. All required flows will be implicitly treated
as accepted and are therefore not contained in IA.
Definition 4: An information flow implementation is a tuple
MI = (F, σF , δF , XW , XR, XL, ωP , ωL)
that is based on a specific MF . F is a set of forwarding
features for which F ∩ T = ∅ is satisfied. σF : F → U
and δF : F → {0, 1} are defined analogously to σT and δT .
The relations XW , XR ⊆ (T ∪ F ) × L × (T ∪ F ) represent
the write and read transactions on the links, respectively.
Furthermore, the relation XL ⊆ (T ∪ F ) × (T ∪ F ) captures
all information flows that occur within of a particular unit. For
every transaction in XW or XR, ωP : (XW ∪XR) → {0, 1}
is 1 if and only if the transaction is a protocol-only one.
Finally, the function ωL : L → {0, 1} defines whether or not
transactions on a specific link shall be protected by an APU,
where a value of 1 represents the APU-protected case.
Note that for XW and XR, the first value of a 3-tuple rep-
resents the feature initiating the transaction (master feature),
while the third value is the feature that receives it or responds
to it (slave feature). Which of these features is the source
and which is the sink of information flow depends on the
transaction type. If the transaction is a protocol transaction,
it might even be possible that it will not be associated with
any information flow. It is important to understand that the
local information flows captured by XL need to be interpreted
differently: Here, the first value of the tuple represents the flow
source, while the second one represents the flow sink.
For brevity, we define the function σ : F ∪ T → U such
that σ(x) = σT (x) if x ∈ T and σ(x) = σF (x) otherwise.
Analogously, we define δ : F ∪ T → {0, 1} in such a way
that δ(x) = δT (x) if x ∈ T and δ(x) = δF (x) otherwise.
Definition 5: An information flow implementation MI is
valid if and only if the following conditions are satisfied:
∀(m, `, s) ∈ (XW ∪XR) :
(
{σ(m), σ(s)} ⊆ ϕL(`)
∧ σ(m) 6= σ(s)
)
∀(j, k) ∈ XL : σ(j) = σ(k)
In other words, it is valid if and only if every transaction
from a master to a slave feature takes place over a link that
is connected to the distinct units of these features and the
endpoints of local flows are mapped to the same unit.
Definition 6: A model instance is a 3-tuple
M = (MP ,MF ,MI)
in which MI is based on MF and MF is based on MP . It is
















Fig. 5. Gα constructed from a sample model instance
V. INFORMATION FLOW ANALYSIS
The starting point for an information flow analysis is a valid
model instance M . In layer III of this instance, the developer
has captured how the required information flows (IR) from
layer II are intended to be realized from a technical perspec-
tive. The analysis checks if this realization
1) allows all required information flows (IR) to occur and
2) ensures that all the information flows that are potentially
feasible are either required or accepted (IR or IA).
Regarding the generation of APU configurations, it is impor-
tant to understand that the transactions that are defined on links
for which ωL returns 1 can be seen as concrete requirements
for the APU of this link. For the second analysis, we assume
that all the involved APUs are able to fulfill their requirements
exactly and do not fail to enforce them during runtime.
In order to check the first condition, we are interested in
a function α : T → P(T ) that maps each terminal feature to
all the terminal features to which information that it outputs
normally flows, i.e., under strict consideration of F , XW , XR,
and XL. For the second condition, we are interested in a
function β : T → P(T ) that maps each terminal feature to
all the terminal features to which information that it outputs
may potentially flow, either nominally or if any undependable
unit or feature of the system misbehaves.
Definition 7: A model instance M satisfies its information
flow requirements if and only if the following conditions hold:
∀(j, k) ∈ IR : k ∈ α(j)
∀j ∈ T ∀k ∈ β(j) : (j, k) ∈ IR ∪ IA
To determine α for a given model instance, we transform
this instance into a directed graph Gα. In this graph, every
feature x ∈ T ∪ F is represented by two nodes: an input
node xin and an output node xout. For every forwarding
feature f ∈ F , a directed edge from f in to f out is added.
The remaining edges are constructed from the XW , XR, and
XL values. More specifically, edges are added
• from mout to sin for every w := (m, `, s) ∈ XW that is
not a protocol transaction, i.e., for which ωP (w) = 0,
• from sout to min for every r := (m, `, s) ∈ XR that is not
a protocol transaction, i.e., for which ωP (r) = 0, and
• from jout to kin for every (j, k) ∈ XL.
With this, α is constructed by considering every t ∈ T and
mapping it to all the τ ∈ T \ {t} for which Gα contains
a directed path from tout to τ in. As an example, consider
a system with U = {u1, u2, u3}, T = {t1, t2, t3, t4},
Algorithm 1: Gβ construction from a model instance M
1: Gβ ← (V,E), V ← ∅, E ← ∅
2: for each ` ∈ L : ωL(`) = 0 do
3: if ∃u ∈ ϕL(`) : δU (u) = 0 then
4: V ← V ∪ {π`} . Add link sharing node
5: for each u ∈ U : δU (u) = 1 do
6: for each ` ∈ ϕL(u) do
7: V ← V ∪ {pin`,u, pout`,u} . Add port nodes
8: if π` ∈ V then
9: E ← E ∪ {(pout`,u, π`), (π`, pin`,u)}
10: for each u ∈ U : δU (u) = 0 do
11: V ← V ∪ {πu} . Add unit sharing node
12: for each ` ∈ ϕL(u) : ωL(`) = 0 do
13: E ← E ∪ {(πu, π`), (π`, πu)}
14: for each x ∈ F ∪ T do
15: V ← V ∪ {xin, xout} . Add feature nodes
16: if x ∈ F ∨ δ(x) = 0 ∨ δU (σ(x)) = 0 then
17: E ← E ∪ {(xin, xout)}
18: if δU (σ(x)) = 0 then
19: E ← E ∪ {(πσ(x), xin), (xout, πσ(x))}
20: for each ν ∈ XW do HANDLEWRITE(ν)
21: for each ν ∈ XR do HANDLEREAD(ν)
22: for each (j, k) ∈ XL do E ← E ∪ {(jout, kin)}
Algorithm 2: Procedure to handle write transactions
1: procedure HANDLEWRITE(ν)
2: (m, `, s)← ν . Extract values from the 3-tuple
3: masterUnitDep← δU (σ(m)) = 1
4: slaveUnitDep← δU (σ(s)) = 1
5: if slaveUnitDep then
6: E ← E ∪ {(pin`,σ(s), s
in)} . Add the listening edge
7: if masterUnitDep ∧ slaveUnitDep then
8: if ωP (ν) = 0 ∨ δ(m) = 0 ∨ δ(s) = 0 then
9: E ← E ∪ {(mout, sin)}
10: if masterUnitDep ∧ ¬slaveUnitDep then
11: E ← E ∪ {(mout, πσ(s))}
12: if ¬masterUnitDep ∧ slaveUnitDep then
13: E ← E ∪ {(πσ(m), pin`,σ(s))}
14: if ¬masterUnitDep ∧ ¬slaveUnitDep then
15: E ← E ∪ {(πσ(m), πσ(s))}
and F = ∅, where t1 is mapped to u1, both t2 and t3 are
mapped to u2, and t4 is mapped to u3. Under the assumption
that all these units are connected to ` ∈ L and that none of the
specified transactions is declared as protocol-only, the speci-
fications XW = {(t1, `, t2), (t4, `, t3)}, XR = {(t4, `, t3)},
as well as XL = {(t2, t3)} lead to the Gα shown in Fig. 5.
From this graph, one can derive the values α(t1) = {t2},
α(t2) = α(t4) = {t3}, and α(t3) = {t4}.
The derivation of β is a more intricate problem. In order
to determine the potentially feasible information flows, the
possibility that every single entity might fail or misbehave
must be taken into consideration. Recall, for instance, that a





















Fig. 6. Gβ constructed from a sample model instance
that it receives. However, it is possible that the unit executing
the feature becomes affected by a random fault or that the
implementation of the feature is affected by a systematic
fault. In such a case, one must assume that this feature
unintentionally forwards information that it receives.
In order to derive β, we once again transform the model
instance into a graph Gβ . During this transformation, we
assume that a feature x ∈ F ∪ T unintentionally forwards
information and fails to recognize protocol transactions as
such if and only if δ(x) = 0 or δU (σ(x)) = 0 are satisfied.
Furthermore, we assume that a unit u ∈ U with δU (u) = 0
does not isolate the features that are mapped to it from each
other and has no control over the transactions that its features
respond to or initiate. In contrast, a unit u ∈ U with δ(u) = 1
is assumed to enforce a strict isolation between its features,
permit features to initiate only those transactions that are
explicitly specified, and ensure that features receive or respond
to only those transactions that originate from links to which
they have to listen to according to the specification. Finally,
we assume that a link ` ∈ L for which ωL(`) = 0 does not
perform any access protection. A link ` ∈ L with ωL(`) = 1 is
assumed to be protected by an APU that is configured in such
a way that it permits only those transactions that are necessary
to implement XW and XR. The procedure to derive Gβ from a
model instance M is shown in Algorithm 1, while Algorithm 2
shows the subprogram to add the edges for a particular write
transaction. The corresponding subprogram to handle a read
transaction is defined in an analogous manner but not shown
for brevity. The function β is again constructed by considering
every t ∈ T and mapping it to all the τ ∈ T \ {t} for which
the graph Gβ contains a directed path from tout to τ in.
Continuing the example from above, assume that the link `
is APU-protected, that all features as well as u2 are depend-
able, while both u1 and u3 are undependable. The correspond-
ing Gβ for this extended example is shown in Fig. 6. From this
graph, we deduce β(t1) = β(t4) = {t2, t3}, β(t2) = {t3},
and β(t3) = {t2, t4}. Note that the APU of ` must allow
both u1 and u3 to write to u2. Since both t2 and t3 must listen
to write transactions from ` and u2 is unable to determine the
origin of such a transaction, information might in reality also
flow from t1 to t3 and from t4 to t2. β is able to capture this
circumstance accurately. Another aspect that β captures is that
although an unreliable unit, u1, is connected to u2, on which
the feature t3 responds to any read transaction that originates
from `, no information will flow from t3 to t1. This is due
to the fact that ` is APU-protected and there is no specified
transaction that requires read access from u1 to u2. Note that
in the ωL(`) = 0 case, the algorithm would introduce the link
sharing node π` to Gβ . This node would then reflect among
others the potential information flow from t3 to t1.
As part of our work, we have implemented the formal model
using the Eclipse Modeling Framework (EMF) and created a
domain-specific language using Xtext that allows developers
to describe a model instance in a textual form. The validity
of model instances and, in case they are valid, the fulfillment
of the information flow requirements from Definition 7 are
automatically checked by this implementation.
VI. GENERATION FRAMEWORK
During the creation of a model instance, several require-
ments towards the capabilities of system entities are formu-
lated: Both features and units can be declared as dependable,
but it remains the developer’s responsibility to implement them
in a way that they satisfy the assumptions that are associated
with this dependability. Furthermore, links can be declared
as APU-protected. Other than in the previous case, however,
it is the goal of the proposed methodology to derive the
corresponding APU configurations automatically.
More specifically, an APU of a protected link needs to be
configured in such a way that the attached units are able to
exchange transactions according to XW and XR, while all
other interactions are prevented. Recall that in order to deliver
its access protection, an APU considers only the master unit
and the slave unit of a transaction. It has no knowledge of the
individual features that are involved in transactions.
As part of this work, we implemented a framework for the
platform-specific generation of APU configurations. It is ex-
tensible in the sense that new platform-specific generators can
be implemented in Java. Using the domain-specific language,
every c ∈ C of a model instance can then be mapped to such a
generator. Every link for which an APU protection is desired,
i.e., for which ωL(·) = 1, needs to be directly or indirectly
included in exactly one container with such a generator. For
every such link in a valid model that fulfills its information
flow requirements, the framework derives the respective APU
configuration requirements from XW and XR and passes them
to the corresponding generator. The task of this generator is
then to decide whether or not the APUs that it is responsible
for are able to fulfill all of these requirements and, if this is
the case, generate appropriate configuration code.
In this manner, the APU-specific aspects of the isolation
are delegated to pieces of software that are designed to deal
with low-level details of a platform. Note that in some cases,
a generator will need to be provided with additional inputs.
Therefore, the domain-specific language allows developers to
specify input parameters that are not considered by the model
itself. Instead, they are forwarded to the generator.
As an example, we have implemented a generator for the
i.MX 8M from NXP, which is comparable to the ZynqMP.
It comprises a so-called Resource Domain Controller (RDC)
to protect on-chip components from illegal accesses. The
generator expects the MPSoC itself to be modeled as a
container and every unit that is part of this container to be
either an on-chip master or an on-chip resource that is mapped
to a particular memory region. It uses its MPSoC-specific
knowledge to generate APU configuration code. More specif-
ically, the generator will output C code that—when being
executed on a specific core of the i.MX 8M—will write
suitable values to the RDC configuration registers. Note that in
order to generate this configuration code, the generator must be
aware of the so-called domain that the developer assigns every
on-chip master to. This is achieved using the input parameter
forwarding described above. Due to the strict separation of
these platform-specific aspects, the model itself can be kept as
generic as possible and does not have to deal with low-level
details such as the domain of an on-chip master.
To validate the overall concept, we applied the implemen-
tation to a sample architecture based on the i.MX 8M, were
able to generate suitable configuration code, and ensured that
the resulting RDC configuration leads to a policy that meets
all specified information flow requirements.
VII. CONCLUSION AND FUTURE WORK
As part of this work, we targeted access protection units that
are available as part of many commercially available, hetero-
geneous MPSoCs. Our primary goal was to develop a method
for the automatic generation of their configuration data from a
platform-independent description of legal and illegal accesses.
Therefore, we formulated a model-based design methodology
that uses these platform-independent descriptions and asso-
ciates them with system-level information flow requirements.
In this methodology, the specified access descriptions are first
verified with respect to the requirements and then forwarded to
an extensible framework that handles platform-specific aspects
of the configuration by delegating them to suitable generators.
As a proof of concept, we implemented the formal model,
the information flow analysis, and the generation framework
using Java, the Eclipse Modeling Framework, and Xtext.
While our implementation demonstrates basic feasibility of
the approach, it is limited to systems that the formal model
can capture. An aspect that it cannot currently capture is, e.g.,
a unit that is dependable in the sense that it strictly isolates the
features that it executes from each other and undependable in
the sense that it does not protect a feature from failures caused
by random faults. To extend the model in such a way that it can
represent more complex scenarios is an area for future work.
Another limitation of the current concept is that it requires
developers to specify exactly one set of transactions and does
not allow them to formulate a certain degree of flexibility
that platform-specific generators are be able exploit during
the search for feasible or optimal configurations. The removal
of this limitation is another fruitful area for future work. For
certain types of units, it is further conceivable to extend the
platform-specific generation process in such a way that it
produces unit-internal configuration code (such as for an MPU
of a specific processor) in addition to the APU configurations
that the current framework generates. This is another possible
starting point for further research.
ACKNOWLEDGMENT
This work was funded by the German Federal Min-
istry of Education and Research (BMBF) under grant num-
ber 16KIS0886 (DEFEnD). The responsibility for the content
of this publication lies with the authors.
REFERENCES
[1] M. Hassan, “Heterogeneous MPSoCs for Mixed-Criticality Systems:
Challenges and Opportunities,” IEEE Design & Test, vol. 35, no. 4,
pp. 47–55, 2018.
[2] A. Avizienis, J.-C. Laprie, B. Randell, and C. Landwehr, “Basic concepts
and taxonomy of dependable and secure computing,” IEEE Transactions
on Dependable and Secure Computing, vol. 1, no. 1, pp. 11–33, 2004.
[3] S. Saidi, S. Steinhorst, A. Hamann, D. Ziegenbein, and M. Wolf,
“Special Session: Future Automotive Systems Design: Research Chal-
lenges and Opportunities,” in 2018 International Conference on Hard-
ware/Software Codesign and System Synthesis (CODES+ISSS), Turin,
2018, pp. 1–7.
[4] R. Ernst, “Automated Driving: The Cyber-Physical Perspective,” Com-
puter, vol. 51, no. 9, pp. 76–79, 2018.
[5] SAE International, “J3061: Cybersecurity Guidebook for Cyber-Physical
Vehicle Systems,” Standard, 2016.
[6] V. Boppana, S. Ahmad, I. Ganusov, V. Kathail, V. Rajagopalan, and
R. Wittig, “UltraScale+ MPSoC and FPGA families,” in 2015 IEEE
Hot Chips 27 Symposium (HCS), Cupertino, California, 2015, pp. 1–37.
[7] S. McNeil, P. Schillinger, A. Kolarkar, E. Puillet, and U. Gertheinrich,
“Isolation Methods in Zynq UltraScale+ MPSoCs,” 2019, Xilinx Appli-
cation Note, XAPP1320.
[8] D. Kliem and S.-O. Voigt, “Scalability evaluation of an FPGA-based
multi-core architecture with hardware-enforced domain partitioning,”
Microprocessors and Microsystems, vol. 38, no. 8, pp. 845–859, 2014.
[9] L. Lopriore, “Memory protection in embedded systems,” Journal of
Systems Architecture, vol. 63, pp. 61–69, 2016.
[10] T. Nojiri, Y. Kondo, N. Irie, M. Ito, H. Sasaki, and H. Maejima, “Domain
Partitioning Technology for Embedded Multicore Processors,” IEEE
Micro, vol. 29, no. 6, pp. 7–17, 2009.
[11] B. Tan, M. Biglari-Abhari, and Z. Salcic, “Towards decentralized
system-level security for MPSoC-based embedded applications,” Journal
of Systems Architecture, vol. 80, pp. 41–55, 2017.
[12] J. Nowotsch, M. Paulitsch, D. Buhler, H. Theiling, S. Wegener, and
M. Schmidt, “Multi-core Interference-Sensitive WCET Analysis Lever-
aging Runtime Resource Capacity Enforcement,” in 2014 26th Euromi-
cro Conference on Real-Time Systems, Madrid, 2014, pp. 109–118.
[13] W. Hu, J. Oberg, A. Irturk, M. Tiwari, T. Sherwood, D. Mu, and
R. Kastner, “Theoretical Fundamentals of Gate Level Information Flow
Tracking,” IEEE Transactions on Computer-Aided Design of Integrated
Circuits and Systems, vol. 30, no. 8, pp. 1128–1140, 2011.
[14] A. Sabelfeld and A. Myers, “Language-based information-flow security,”
IEEE Journal on Selected Areas in Communications, vol. 21, no. 1, pp.
5–19, 2003.
[15] G. E. Suh, J. W. Lee, D. Zhang, and S. Devadas, “Secure Program
Execution via Dynamic Information Flow Tracking,” SIGPLAN Not.,
vol. 39, no. 11, pp. 85–96, Oct. 2004.
[16] J. Oberg, W. Hu, A. Irturk, M. Tiwari, T. Sherwood, and R. Kastner,
“Information flow isolation in I2C and USB,” in Proceedings of the 48th
Design Automation Conference, San Diego, California, 2011, p. 254.
[17] SAE International, “AS5506C: Architecture Analysis & Design Lan-
guage (AADL),” Standard, 2017.
[18] R. Pellizzoni, P. Meredith, M.-Y. Nam, M. Sun, M. Caccamo, and
L. Sha, “Handling mixed-criticality in SoC-based real-time embedded
systems,” in Proceedings of the seventh ACM international conference
on Embedded software, Grenoble, 2009, pp. 235–244.
[19] M. Maurer, J. C. Gerdes, B. Lenz, and H. Winner, Eds., Autonomous
Driving: Technical, Legal and Social Aspects. Springer, 2016.
