72 research outputs found
Architectures for dependable modern microprocessors
Η εξέλιξη των ολοκληρωμένων κυκλωμάτων σε συνδυασμό με τους αυστηρούς χρονικούς
περιορισμούς καθιστούν την επαλήθευση της ορθής λειτουργίας των επεξεργαστών
μία εξαιρετικά απαιτητική διαδικασία. Με κριτήριο το στάδιο του κύκλου ζωής
ενός επεξεργαστή, από την στιγμή κατασκευής των πρωτοτύπων και έπειτα, οι
τεχνικές ελέγχου ορθής λειτουργίας διακρίνονται στις ακόλουθες κατηγορίες: (1)
Silicon Debug: Τα πρωτότυπα ολοκληρωμένα κυκλώματα ελέγχονται εξονυχιστικά, (2)
Manufacturing Testing: ο τελικό ποιοτικός έλεγχος και (3) In-field
verification: Περιλαμβάνει τεχνικές, οι οποίες διασφαλίζουν την λειτουργία του
επεξεργαστή σύμφωνα με τις προδιαγραφές του. Η διδακτορική διατριβή προτείνει
τα ακόλουθα: (1) Silicon Debug: Η εργασία αποσκοπεί στην επιτάχυνση της
διαδικασίας ανίχνευσης σφαλμάτων και στον αυτόματο εντοπισμό τυχαίων
προγραμμάτων που δεν περιέχουν νέα -χρήσιμη- πληροφορία σχετικά με την αίτια
ενός σφάλματος. Η κεντρική ιδέα αυτής της μεθόδου έγκειται στην αξιοποίηση της
έμφυτης ποικιλομορφίας των αρχιτεκτονικών συνόλου εντολών και στην δυνατότητα
από-διαμόρφωσης τμημάτων του κυκλώματος, (2) Manufacturing Testing: προτείνεται
μία μέθοδο για την βελτιστοποίηση του έλεγχου ορθής λειτουργίας των
πολυνηματικών και πολυπύρηνων επεξεργαστών μέσω της χρήση λογισμικού
αυτοδοκιμής, (3) Ιn-field verification: Αναλύθηκε σε βάθος η επίδραση που έχουν
τα μόνιμα σφάλματα σε μηχανισμούς αύξησης της απόδοσης. Επιπρόσθετα, προτάθηκαν
τεχνικές για την ανίχνευση και ανοχή μόνιμων σφαλμάτων υλικού σε μηχανισμούς
πρόβλεψης διακλάδωσης.Technology scaling, extreme chip integration and the compelling requirement to
diminish the time-to-market window, has rendered microprocessors more prone to
design bugs and hardware faults. Microprocessor validation is grouped into the
following categories, based on where they intervene in a microprocessor’s
lifecycle: (a) Silicon debug: the first hardware prototypes are exhaustively
validated, (b) Μanufacturing testing: the final quality control during massive
production, and (c) In-field verification: runtime error detection techniques
to guarantee correct operation. The contributions of this thesis are the
following: (1) Silicon debug: We propose the employment of deconfigurable
microprocessor architectures along with a technique to generate self-checking
random test programs to avoid the simulation step and triage the redundant
debug sessions, (2) Manufacturing testing: We propose a self-test optimization
strategy for multithreaded, multicore microprocessors to speedup test program
execution time and enhance the fault coverage of hard errors; and (3) In-field
verification: We measure the effect of permanent faults performance components.
Then, we propose a set of low-cost mechanisms for the detection, diagnosis and
performance recovery in the front-end speculative structures. This thesis
introduces various novel methodologies to address the validation challenges
posed throughout the life-cycle of a chip
When a Patch is Not Enough - HardFails: Software-Exploitable Hardware Bugs
In this paper, we take a deep dive into microarchitectural security from a
hardware designer's perspective by reviewing the existing approaches to detect
hardware vulnerabilities during the design phase. We show that a protection gap
currently exists in practice that leaves chip designs vulnerable to
software-based attacks. In particular, existing verification approaches fail to
detect specific classes of vulnerabilities, which we call HardFails: these bugs
evade detection by current verification techniques while being exploitable from
software. We demonstrate such vulnerabilities in real-world SoCs using RISC-V
to showcase and analyze concrete instantiations of HardFails. Patching these
hardware bugs may not always be possible and can potentially result in a
product recall. We base our findings on two extensive case studies: the recent
Hack@DAC 2018 hardware security competition, where 54 independent teams of
researchers competed world-wide over a period of 12 weeks to catch inserted
security bugs in SoC RTL designs, and an in-depth systematic evaluation of
state-of-the-art verification approaches. Our findings indicate that even
combinations of techniques will miss high-impact bugs due to the large number
of modules with complex interdependencies and fundamental limitations of
current detection approaches. We also craft a real-world software attack that
exploits one of the RTL bugs from Hack@DAC that evaded detection and discuss
novel approaches to mitigate the growing problem of cross-layer bugs at design
time
Methodologies and Toolflows for the Predictable Design of Reliable and Low-Power NoCs
There is today the unmistakable need to evolve design methodologies and
tool
ows for Network-on-Chip based embedded systems. In particular, the
quest for low-power requirements is nowadays a more-than-ever urgent dilemma.
Modern circuits feature billion of transistors, and neither power management
techniques nor batteries capacity are able to endure the increasingly higher
integration capability of digital devices. Besides, power concerns come together
with modern nanoscale silicon technology design issues.
On one hand, system failure rates are expected to increase exponentially at
every technology node when integrated circuit wear-out failure mechanisms
are not compensated for. However, error detection and/or correction mechanisms
have a non-negligible impact on the network power.
On the other hand, to meet the stringent time-to-market deadlines, the design
cycle of such a distributed and heterogeneous architecture must not be
prolonged by unnecessary design iterations.
Overall, there is a clear need to better discriminate reliability strategies and
interconnect topology solutions upfront, by ranking designs based on power
metric. In this thesis, we tackle this challenge by proposing power-aware
design technologies.
Finally, we take into account the most aggressive and disruptive methodology
for embedded systems with ultra-low power constraints, by migrating
NoC basic building blocks to asynchronous (or clockless) design style. We
deal with this challenge delivering a standard cell design methodology and
mainstream CAD tool
ows, in this way partially relaxing the requirement
of using asynchronous blocks only as hard macros
Flexible Hardware-based Security-aware Mechanisms and Architectures
For decades, software security has been the primary focus in securing our computing platforms. Hardware was always assumed trusted, and inherently served as the foundation, and thus the root of trust, of our systems. This has been further leveraged in developing hardware-based dedicated security extensions and architectures to protect software from attacks exploiting software vulnerabilities such as memory corruption. However, the recent outbreak of microarchitectural attacks has shaken these long-established trust assumptions in hardware entirely, thereby threatening the security of all of our computing platforms and bringing hardware and microarchitectural security under scrutiny. These attacks have undeniably revealed the grave consequences of hardware/microarchitecture security flaws to the entire platform security, and how they can even subvert the security guarantees promised by dedicated security architectures. Furthermore, they shed light on the sophisticated challenges particular to hardware/microarchitectural security; it is more critical (and more challenging) to extensively analyze the hardware for security flaws prior to production, since hardware, unlike software, cannot be patched/updated once fabricated.
Hardware cannot reliably serve as the root of trust anymore, unless we develop and adopt new design paradigms where security is proactively addressed and scrutinized across the full stack of our computing platforms, at all hardware design and implementation layers. Furthermore, novel flexible security-aware design mechanisms are required to be incorporated in processor microarchitecture and hardware-assisted security architectures, that can practically address the inherent conflict between performance and security by allowing that the trade-off is configured to adapt to the desired requirements.
In this thesis, we investigate the prospects and implications at the intersection of hardware and security that emerge across the full stack of our computing platforms and System-on-Chips (SoCs). On one front, we investigate how we can leverage hardware and its advantages, in contrast to software, to build more efficient and effective security extensions that serve security architectures, e.g., by providing execution attestation and enforcement, to protect the software from attacks exploiting software vulnerabilities. We further propose that they are microarchitecturally configured at runtime to provide different types of security services, thus adapting flexibly to different deployment requirements. On another front, we investigate how we can protect these hardware-assisted security architectures and extensions themselves from microarchitectural and software attacks that exploit design flaws that originate in the hardware, e.g., insecure resource sharing in SoCs. More particularly, we focus in this thesis on cache-based side-channel attacks, where we propose sophisticated cache designs, that fundamentally mitigate these attacks, while still preserving performance by enabling that the performance security trade-off is configured by design. We also investigate how these can be incorporated into flexible and customizable security architectures, thus complementing them to further support a wide spectrum of emerging applications with different performance/security requirements. Lastly, we inspect our computing platforms further beneath the design layer, by scrutinizing how the actual implementation of these mechanisms is yet another potential attack surface. We explore how the security of hardware designs and implementations is currently analyzed prior to fabrication, while shedding light on how state-of-the-art hardware security analysis techniques are fundamentally limited, and the potential for improved and scalable approaches
OS-level Attacks and Defenses: from Software to Hardware-based Exploits
Run-time attacks have plagued computer systems for more than three decades, with control-flow hijacking attacks such as return-oriented programming representing the long-standing state-of-the-art in memory-corruption based exploits. These attacks exploit memory-corruption vulnerabilities in widely deployed software, e.g., through malicious inputs, to gain full control over the platform remotely at run time, and many defenses have been proposed and thoroughly studied in the past. Among those defenses, control-flow integrity emerged as a powerful and effective protection against code-reuse attacks in practice. As a result, we now start to see attackers shifting their focus towards novel techniques through a number of increasingly sophisticated attacks that combine software and hardware vulnerabilities to construct successful exploits. These emerging attacks have a high impact on computer security, since they completely bypass existing defenses that assume either hardware or software adversaries. For instance, they leverage physical effects to provoke hardware faults or force the system into transient micro-architectural states. This enables adversaries to exploit hardware vulnerabilities from software without requiring physical presence or software bugs.
In this dissertation, we explore the real-world threat of hardware and software-based run-time attacks against operating systems. While memory-corruption-based exploits have been studied for more than three decades, we show that data-only attacks can completely bypass state-of-the-art defenses such as Control-Flow Integrity which are also deployed in practice. Additionally, hardware vulnerabilities such as Rowhammer, CLKScrew, and Meltdown enable sophisticated adversaries to exploit the system remotely at run time without requiring any memory-corruption vulnerabilities in the system’s software. We develop novel design strategies to defend the OS against hardware-based attacks such as Rowhammer and Meltdown to tackle the limitations of existing defenses. First, we present two novel data-only attacks that completely break current code-reuse defenses deployed in real-world software and propose a randomization-based defense against such data-only attacks in the kernel. Second, we introduce a compiler-based framework to automatically uncover memory-corruption vulnerabilities in real-world kernel code. Third, we demonstrate the threat of Rowhammer-based attacks in security-sensitive applications and how to enable a partitioning policy in the system’s physical memory allocator to effectively and efficiently defend against such attacks. We demonstrate feasibility and real-world performance through our prototype for the popular and widely used Linux kernel. Finally, we develop a side-channel defense to eliminate Meltdown-style cache attacks by strictly isolating the address space of kernel and user memory
Nova combinação de hardware e de software para veículos de desporto automóvel baseada no processamento directo de funções gráficas
Doutoramento em Engenharia EletrónicaThe main motivation for the work presented here began with previously
conducted experiments with a programming concept at the time named
"Macro". These experiments led to the conviction that it would be possible to
build a system of engine control from scratch, which could eliminate many of
the current problems of engine management systems in a direct and intrinsic
way. It was also hoped that it would minimize the full range of software and
hardware needed to make a final and fully functional system.
Initially, this paper proposes to make a comprehensive survey of the state of
the art in the specific area of software and corresponding hardware of
automotive tools and automotive ECUs. Problems arising from such software
will be identified, and it will be clear that practically all of these problems stem
directly or indirectly from the fact that we continue to make comprehensive use
of extremely long and complex "tool chains". Similarly, in the hardware, it will
be argued that the problems stem from the extreme complexity and
inter-dependency inside processor architectures. The conclusions are
presented through an extensive list of "pitfalls" which will be thoroughly
enumerated, identified and characterized.
Solutions will also be proposed for the various current issues and for the
implementation of these same solutions. All this final work will be part of a
"proof-of-concept" system called "ECU2010". The central element of this
system is the before mentioned "Macro" concept, which is an graphical block
representing one of many operations required in a automotive system having
arithmetic, logic, filtering, integration, multiplexing functions among others. The
end result of the proposed work is a single tool, fully integrated, enabling the
development and management of the entire system in one simple visual
interface. Part of the presented result relies on a hardware platform fully
adapted to the software, as well as enabling high flexibility and scalability in
addition to using exactly the same technology for ECU, data logger and
peripherals alike.
Current systems rely on a mostly evolutionary path, only allowing online
calibration of parameters, but never the online alteration of their own
automotive functionality algorithms. By contrast, the system developed and
described in this thesis had the advantage of following a "clean-slate"
approach, whereby everything could be rethought globally. In the end, out of all
the system characteristics, "LIVE-Prototyping" is the most relevant feature,
allowing the adjustment of automotive algorithms (eg. Injection, ignition,
lambda control, etc.) 100% online, keeping the engine constantly working,
without ever having to stop or reboot to make such changes. This consequently
eliminates any "turnaround delay" typically present in current automotive
systems, thereby enhancing the efficiency and handling of such systems.A principal motivação para o trabalho que conduziu a esta tese residiu na
constatação de que os actuais métodos de modelação de centralinas
automóveis conduzem a significativos problemas de desenvolvimento e
manutenção. Como resultado dessa constatação, o objectivo deste trabalho
centrou-se no desenvolvimento de um conceito de arquitectura que rompe
radicalmente com os modelos state-of-the-art e que assenta num conjunto de
conceitos que vieram a ser designados de "Macro" e "Celular ECU". Com este
modelo pretendeu-se simultaneamente minimizar a panóplia de software e de
hardware necessários à obtenção de uma sistema funcional final.
Inicialmente, esta tese propõem-se fazer um levantamento exaustivo do
estado da arte na área específica do software e correspondente hardware das
ferramentas e centralinas automóveis. Os problemas decorrentes de tal
software serão identificados e, dessa identificação deverá ficar claro, que
praticamente todos esses problemas têm origem directa ou indirecta no facto
de se continuar a fazer um uso exaustivo de "tool chains" extremamente
compridas e complexas. De forma semelhante, no hardware, os problemas
têm origem na extrema complexidade e inter-dependência das arquitecturas
dos processadores. As consequências distribuem-se por uma extensa lista de
"pitfalls" que também serão exaustivamente enumeradas, identificadas e
caracterizadas.
São ainda propostas soluções para os diversos problemas actuais e
correspondentes implementações dessas mesmas soluções. Todo este
trabalho final faz parte de um sistema "proof-of-concept" designado
"ECU2010". O elemento central deste sistema é o já referido conceito de
“Macro”, que consiste num bloco gráfico que representa uma de muitas
operações necessárias num sistema automóvel, como sejam funções
aritméticas, lógicas, de filtragem, de integração, de multiplexagem, entre
outras. O resultado final do trabalho proposto assenta numa única ferramenta,
totalmente integrada que permite o desenvolvimento e gestão de todo o
sistema de forma simples numa única interface visual. Parte do resultado
apresentado assenta numa plataforma hardware totalmente adaptada ao
software, bem como na elevada flexibilidade e escalabilidade, para além de
permitir a utilização de exactamente a mesma tecnologia quer para a
centralina, como para o datalogger e para os periféricos.
Os sistemas actuais assentam num percurso maioritariamente evolutivo,
apenas permitindo a calibração online de parâmetros, mas nunca a alteração
online dos próprios algoritmos das funcionalidades automóveis. Pelo contrário,
o sistema desenvolvido e descrito nesta tese apresenta a vantagem de seguir
um "clean-slate approach", pelo que tudo pode ser globalmente repensado. No
final e para além de todas as restantes características, o
“LIVE-PROTOTYPING” é a funcionalidade mais relevante, ao permitir alterar
algoritmos automóveis (ex: injecção, ignição, controlo lambda, etc.) de forma
100% online, mantendo o motor constantemente a trabalhar e sem nunca ter
de o parar ou re-arrancar para efectuar tais alterações. Isto elimina
consequentemente qualquer "turnaround delay" tipicamente presente em
qualquer sistema automóvel actual, aumentando de forma significativa a
eficiência global do sistema e da sua utilização
Doctor of Philosophy
dissertationCompilers are indispensable tools to developers. We expect them to be correct. However, compiler correctness is very hard to be reasoned about. This can be partly explained by the daunting complexity of compilers. In this dissertation, I will explain how we constructed a random program generator, Csmith, and used it to find hundreds of bugs in strong open source compilers such as the GNU Compiler Collection (GCC) and the LLVM Compiler Infrastructure (LLVM). The success of Csmith depends on its ability of being expressive and unambiguous at the same time. Csmith is composed of a code generator and a GTAV (Generation-Time Analysis and Validation) engine. They work interactively to produce expressive yet unambiguous random programs. The expressiveness of Csmith is attributed to the code generator, while the unambiguity is assured by GTAV. GTAV performs program analyses, such as points-to analysis and effect analysis, efficiently to avoid ambiguities caused by undefined behaviors or unspecifed behaviors. During our 4.25 years of testing, Csmith has found over 450 bugs in the GNU Compiler Collection (GCC) and the LLVM Compiler Infrastructure (LLVM). We analyzed the bugs by putting them into different categories, studying the root causes, finding their locations in compilers' source code, and evaluating their importance. We believe analysis results are useful to future random testers, as well as compiler writers/users
- …