Security of Electrical, Optical and Wireless On-Chip Interconnects: A Survey

The advancement of manufacturing technologies has enabled the integration of more intellectual property (IP) cores on the same system-on-chip (SoC). Scalable and high throughput on-chip communication architecture has become a vital component in today's SoCs. Diverse technologies such as electrical, wireless, optical, and hybrid are available for on-chip communication with different architectures supporting them. Security of the on-chip communication is crucial because exploiting any vulnerability would be a goldmine for an attacker. In this survey, we provide a comprehensive review of threat models, attacks, and countermeasures over diverse on-chip communication technologies as well as sophisticated architectures.Comment: 41 pages, 24 figures, 4 table

Design of secure and trustworthy system-on-chip architectures using hardware-based root-of-trust techniques

Cyber-security is now a critical concern in a wide range of embedded computing modules, communications systems, and connected devices. These devices are used in medical electronics, automotive systems, power grid systems, robotics, and avionics. The general consensus today is that conventional approaches and software-only schemes are not sufficient to provide desired security protections and trustworthiness. Comprehensive hardware-software security solutions so far have remained elusive. One major challenge is that in current system-on-chip (SoCs) designs, processing elements (PEs) and executable codes with varying levels of trust, are all integrated on the same computing platform to share resources. This interdependency of modules creates a fertile attack ground and represents the Achilles’ heel of heterogeneous SoC architectures. The salient research question addressed in this dissertation is “can one design a secure computer system out of non-secure or untrusted computing IP components and cores?”. In response to this question, we establish a generalized, user/designer-centric set of design principles which intend to advance the construction of secure heterogeneous multi-core computing systems. We develop algorithms, models of computation, and hardware security primitives to integrate secure and non-secure processing elements into the same chip design while aiming for: (a) maintaining individual core’s security; (b) preventing data leakage and corruption; (c) promoting data and resource sharing among the cores; and (d) tolerating malicious behaviors from untrusted processing elements and software applications. The key contributions of this thesis are: 1. The introduction of a new architectural model for integrating processing elements with different security and trust levels, i.e., secure and non-secure cores with trusted and untrusted provenances; 2. A generalized process isolation design methodology for the new architecture model that covers both the software and hardware layers to (i) create hardware-assisted virtual logical zones, and (ii) perform both static and runtime security, privilege level and trust authentication checks; 3. A set of secure protocols and hardware root-of-trust (RoT) primitives to support the process isolation design and to provide the following functionalities: (i) hardware immutable identities – using physical unclonable functions, (ii) core hijacking and impersonation resistance – through a blind signature scheme, (iii) threshold-based data access control – with a robust and adaptive secure secret sharing algorithm, (iv) privacy-preserving authorization verification – by proposing a group anonymous authentication algorithm, and (v) denial of resource or denial of service attack avoidance – by developing an interconnect network routing algorithm and a memory access mechanism according to user-defined security policies. 4. An evaluation of the security of the proposed hardware primitives in the post-quantum era, and possible extensions and algorithmic modifications for their post-quantum resistance. In this dissertation, we advance the practicality of secure-by-construction methodologies in SoC architecture design. The methodology allows for the use of unsecured or untrusted processing elements in the construction of these secure architectures and tries to extend their effectiveness into the post-quantum computing era

Cost Effective Routing Implementations for On-chip Networks

Arquitecturas de múltiples núcleos como multiprocesadores (CMP) y soluciones multiprocesador para sistemas dentro del chip (MPSoCs) actuales se basan en la eficacia de las redes dentro del chip (NoC) para la comunicación entre los diversos núcleos. Un diseño eficiente de red dentro del chip debe ser escalable y al mismo tiempo obtener valores ajustados de área, latencia y consumo de energía. Para diseños de red dentro del chip de propósito general se suele usar topologías de malla 2D ya que se ajustan a la distribución del chip. Sin embargo, la aparición de nuevos retos debe ser abordada por los diseñadores. Una mayor probabilidad de defectos de fabricación, la necesidad de un uso optimizado de los recursos para aumentar el paralelismo a nivel de aplicación o la necesidad de técnicas eficaces de ahorro de energía, puede ocasionar patrones de irregularidad en las topologías. Además, el soporte para comunicación colectiva es una característica buscada para abordar con eficacia las necesidades de comunicación de los protocolos de coherencia de caché. En estas condiciones, un encaminamiento eficiente de los mensajes se convierte en un reto a superar. El objetivo de esta tesis es establecer las bases de una nueva arquitectura para encaminamiento distribuido basado en lógica que es capaz de adaptarse a cualquier topología irregular derivada de una estructura de malla 2D, proporcionando así una cobertura total para cualquier caso resultado de soportar los retos mencionados anteriormente. Para conseguirlo, en primer lugar, se parte desde una base, para luego analizar una evolución de varios mecanismos, y finalmente llegar a una implementación, que abarca varios módulos para alcanzar el objetivo mencionado anteriormente. De hecho, esta última implementación tiene por nombre eLBDR (effective Logic-Based Distributed Routing). Este trabajo cubre desde el primer mecanismo, LBDR, hasta el resto de mecanismos que han surgido progresivamente.Rodrigo Mocholí, S. (2010). Cost Effective Routing Implementations for On-chip Networks [Tesis doctoral no publicada]. Universitat Politècnica de València. https://doi.org/10.4995/Thesis/10251/8962Palanci

Jigsaw: Scalable software-defined caches

Shared last-level caches, widely used in chip-multi-processors (CMPs), face two fundamental limitations. First, the latency and energy of shared caches degrade as the system scales up. Second, when multiple workloads share the CMP, they suffer from interference in shared cache accesses. Unfortunately, prior research addressing one issue either ignores or worsens the other: NUCA techniques reduce access latency but are prone to hotspots and interference, and cache partitioning techniques only provide isolation but do not reduce access latency.United States. Defense Advanced Research Projects Agency (DARPA PERFECT contract HR0011-13-2-0005)Quanta Computer (Firm

Jigsaw: Scalable Software-Defined Caches (Extended Version)

Shared last-level caches, widely used in chip-multiprocessors (CMPs), face two fundamental limitations. First, the latency and energy of shared caches degrade as the system scales up. Second, when multiple workloads share the CMP, they suffer from interference in shared cache accesses. Unfortunately, prior research addressing one issue either ignores or worsens the other: NUCA techniques reduce access latency but are prone to hotspots and interference, and cache partitioning techniques only provide isolation but do not reduce access latency. We present Jigsaw, a technique that jointly addresses the scalability and interference problems of shared caches. Hardware lets software define shares, collections of cache bank partitions that act as virtual caches, and map data to shares. Shares give software full control over both data placement and capacity allocation. Jigsaw implements efficient hardware support for share management, monitoring, and adaptation. We propose novel resource-management algorithms and use them to develop a system-level runtime that leverages Jigsaw to both maximize cache utilization and place data close to where it is used. We evaluate Jigsaw using extensive simulations of 16- and 64-core tiled CMPs. Jigsaw improves performance by up to 2.2x (18% avg) over a conventional shared cache, and significantly outperforms state-of-the-art NUCA and partitioning techniques.This work was supported in part by DARPA PERFECT contract HR0011-13-2-0005 and Quanta Computer

Architectural Support for Hypervisor-Level Intrusion Tolerance in MPSoCs

Increasingly, more aspects of our lives rely on the correctness and safety of computing systems, namely in the embedded and cyber-physical (CPS) domains, which directly affect the physical world. While systems have been pushed to their limits of functionality and efficiency, security threats and generic hardware quality have challenged their safety. Leveraging the enormous modular power, diversity and flexibility of these systems, often deployed in multi-processor systems-on-chip (MPSoC), requires careful orchestration of complex and heterogeneous resources, a task left to low-level software, e.g., hypervisors. In current architectures, this software forms a single point of failure (SPoF) and a worthwhile target for attacks: once compromised, adversaries can gain access to all information and full control over the platform and the environment it controls, for instance by means of privilege escalation and resource allocation. Currently, solutions to protect low-level software often rely on a simpler, underlying trusted layer which is often a SPoF itself and/or exhibits downgraded performance. Architectural hybridization allows for the introduction of trusted-trustworthy components, which combined with fault and intrusion tolerance (FIT) techniques leveraging replication, are capable of safely handling critical operations, thus eliminating SPoFs. Performing quorum-based consensus on all critical operations, in particular privilege management, ensures no compromised low-level software can single handedly manipulate privilege escalation or resource allocation to negatively affect other system resources by propagating faults or further extend an adversary’s control. However, the performance impact of traditional Byzantine fault tolerant state-machine replication (BFT-SMR) protocols is prohibitive in the context of MPSoCs due to the high costs of cryptographic operations and the quantity of messages exchanged. Furthermore, fault isolation, one of the key prerequisites in FIT, presents a complicated challenge to tackle, given the whole system resides within one chip in such platforms. There is so far no solution completely and efficiently addressing the SPoF issue in critical low-level management software. It is our aim, then, to devise such a solution that, additionally, reaps benefit of the tight-coupled nature of such manycore systems. In this thesis we present two architectures, using trusted-trustworthy mechanisms and consensus protocols, capable of protecting all software layers, specifically at low level, by performing critical operations only when a majority of correct replicas agree to their execution: iBFT and Midir. Moreover, we discuss ways in which these can be used at application level on the example of replicated applications sharing critical data structures. It then becomes possible to confine software-level faults and some hardware faults to the individual tiles of an MPSoC, converting tiles into fault containment domains, thus, enabling fault isolation and, consequently, making way to high-performance FIT at the lowest level

Architectural Support for Hypervisor-Level Intrusion Tolerance in MPSoCs

Increasingly, more aspects of our lives rely on the correctness and safety of computing systems, namely in the embedded and cyber-physical (CPS) domains, which directly affect the physical world. While systems have been pushed to their limits of functionality and efficiency, security threats and generic hardware quality have challenged their safety. Leveraging the enormous modular power, diversity and flexibility of these systems, often deployed in multi-processor systems-on-chip (MPSoC), requires careful orchestration of complex and heterogeneous resources, a task left to low-level software, e.g., hypervisors. In current architectures, this software forms a single point of failure (SPoF) and a worthwhile target for attacks: once compromised, adversaries can gain access to all information and full control over the platform and the environment it controls, for instance by means of privilege escalation and resource allocation. Currently, solutions to protect low-level software often rely on a simpler, underlying trusted layer which is often a SPoF itself and/or exhibits downgraded performance. Architectural hybridization allows for the introduction of trusted-trustworthy components, which combined with fault and intrusion tolerance (FIT) techniques leveraging replication, are capable of safely handling critical operations, thus eliminating SPoFs. Performing quorum-based consensus on all critical operations, in particular privilege management, ensures no compromised low-level software can single handedly manipulate privilege escalation or resource allocation to negatively affect other system resources by propagating faults or further extend an adversary’s control. However, the performance impact of traditional Byzantine fault tolerant state-machine replication (BFT-SMR) protocols is prohibitive in the context of MPSoCs due to the high costs of cryptographic operations and the quantity of messages exchanged. Furthermore, fault isolation, one of the key prerequisites in FIT, presents a complicated challenge to tackle, given the whole system resides within one chip in such platforms. There is so far no solution completely and efficiently addressing the SPoF issue in critical low-level management software. It is our aim, then, to devise such a solution that, additionally, reaps benefit of the tight-coupled nature of such manycore systems. In this thesis we present two architectures, using trusted-trustworthy mechanisms and consensus protocols, capable of protecting all software layers, specifically at low level, by performing critical operations only when a majority of correct replicas agree to their execution: iBFT and Midir. Moreover, we discuss ways in which these can be used at application level on the example of replicated applications sharing critical data structures. It then becomes possible to confine software-level faults and some hardware faults to the individual tiles of an MPSoC, converting tiles into fault containment domains, thus, enabling fault isolation and, consequently, making way to high-performance FIT at the lowest level

Flexible Hardware-based Security-aware Mechanisms and Architectures

For decades, software security has been the primary focus in securing our computing platforms. Hardware was always assumed trusted, and inherently served as the foundation, and thus the root of trust, of our systems. This has been further leveraged in developing hardware-based dedicated security extensions and architectures to protect software from attacks exploiting software vulnerabilities such as memory corruption. However, the recent outbreak of microarchitectural attacks has shaken these long-established trust assumptions in hardware entirely, thereby threatening the security of all of our computing platforms and bringing hardware and microarchitectural security under scrutiny. These attacks have undeniably revealed the grave consequences of hardware/microarchitecture security flaws to the entire platform security, and how they can even subvert the security guarantees promised by dedicated security architectures. Furthermore, they shed light on the sophisticated challenges particular to hardware/microarchitectural security; it is more critical (and more challenging) to extensively analyze the hardware for security flaws prior to production, since hardware, unlike software, cannot be patched/updated once fabricated. Hardware cannot reliably serve as the root of trust anymore, unless we develop and adopt new design paradigms where security is proactively addressed and scrutinized across the full stack of our computing platforms, at all hardware design and implementation layers. Furthermore, novel flexible security-aware design mechanisms are required to be incorporated in processor microarchitecture and hardware-assisted security architectures, that can practically address the inherent conflict between performance and security by allowing that the trade-off is configured to adapt to the desired requirements. In this thesis, we investigate the prospects and implications at the intersection of hardware and security that emerge across the full stack of our computing platforms and System-on-Chips (SoCs). On one front, we investigate how we can leverage hardware and its advantages, in contrast to software, to build more efficient and effective security extensions that serve security architectures, e.g., by providing execution attestation and enforcement, to protect the software from attacks exploiting software vulnerabilities. We further propose that they are microarchitecturally configured at runtime to provide different types of security services, thus adapting flexibly to different deployment requirements. On another front, we investigate how we can protect these hardware-assisted security architectures and extensions themselves from microarchitectural and software attacks that exploit design flaws that originate in the hardware, e.g., insecure resource sharing in SoCs. More particularly, we focus in this thesis on cache-based side-channel attacks, where we propose sophisticated cache designs, that fundamentally mitigate these attacks, while still preserving performance by enabling that the performance security trade-off is configured by design. We also investigate how these can be incorporated into flexible and customizable security architectures, thus complementing them to further support a wide spectrum of emerging applications with different performance/security requirements. Lastly, we inspect our computing platforms further beneath the design layer, by scrutinizing how the actual implementation of these mechanisms is yet another potential attack surface. We explore how the security of hardware designs and implementations is currently analyzed prior to fabrication, while shedding light on how state-of-the-art hardware security analysis techniques are fundamentally limited, and the potential for improved and scalable approaches

A Middleware-centric design methodology for networked embedded systems

Negli ultimi anni \ue8 incrementato considerevolmente l\u2019interesse verso gli \u201dambient intelligence\u201d, sistemi informatici, tipicamente composti da \u201dnetworked embedded systems\u201d (Wirelesse sensor networks, mobile terminal, PDA, etc.) i quali sono integrati nell\u2019ambiente umano con l\u2019obiettivo di migliorare la qualit`a della vita nel modo pi naturale possibile. Una applicazione \u201dNetworked Embedded System\u201d (NES) \ue8 un\u2019applicazione distribuita, eseguita su piattaforme HW/SW eterogenee che interagiscono attraverso differenti canali di comunicazione. Generalmente queste applicazioni per dispositivi NES vengono sviluppate senza il supporto di software di sistema, obbligando il progettista a modellare queste applicazioni utilizzando direttamente le primitive fornite dal sistema operativo embedded o le API dei drivers dei dispositivi HW. Con questa metodologia di progettazione, le applicazioni per sistemi embedded vengono realizzate ad-hoc per la piattaforma HW/SW, risultando essere n\ue9 portabili, n\ue9 scalabili e di conseguenza particolarmente costose. A causa di questi problemi, negli ultimi anni si \ue8 adottato un flusso di progettazione che prevede l\u2019introduzione di un \u201dservice layer\u201d chiamato middleware, il quale astrae le peculiarit del sistema operativo e dei componenti HW, semplificando la progettazione di queste applicazioni embedded. Allo stato dell\u2019arte sono presenti molte implmentazioni di middleware con differenti paradigmi di programmazione, e la scelta di quale utilizzare per progettazione una applicazione NES basata sui seguenti criteri: \u2022 abilit`a/conoscenza/capacit`a di programmazione da parte del progettista; \u2022 piattaforma HW/SW disponinile. Gli svantaggi di questo approccio sono un pi\uf9 complesso flusso di progettazione legato alla mancanza di portabilit\ue0 della stessa applicazione su differenti dispositivi embedded. Questo significa che la presenza del middleware non \ue8 mai stata introdotta nel flusso di progettazione come una esplicita dimensione di progetto. Obiettivo della tesi di dottorato \ue8 lo studio e la realizzazione di un flusso di progettazione per applicazioni per NES, dove il middleware \ue8 una dimensione di progetto, diventando una variabile di progetto come lo sono il software e lo hardware. Questo punto \ue8 ottenuto risolvendo tre problemi: \u2022 Fornire un modello di middleware astratto il quale pu\uf2 essere usato come componente del flusso di progettazione; questo middleware astratto, chiamato Abstract Middleware Services (AMS), fornisce un insieme di servizi astratti basati su differenti paradigmi di programmazione dei middleware reali. Utilizzando questo modello di middleware stratto, il progettista \ue8 facilitato nello sviluppo delle applicazioni per NES. \u2022 Fornire un ambiente di simulazione dove validare e simulare l\u2019intero modello realizzato dal progettista. \u2022 Fornire una metodologia automatica di traduzione da AMS ad un middleware reale, per poter eseguire l\u2019applicazione su una reale piattaforma HW/SW, dotata di un middleware qualsiasi. L\u2019attivit di dototrato ha permesso la definizione di un nuovo approccio di progettazione basato su un modello di middleware astratto che fornisce un ambiente per la modellazione e la validazione di applicazioni per Networked Embedded Systems, risolvendo i tre punti precedenti. Inoltre, al fine di produrre un efficiente ambiente di simulazione e modellazione, sono state analizzate le metodologie di co-simulazione hardware-software-network attualmente presenti in letteratura. L\u2019attivit\ue0 di dottorato inoltre parte integrante del progetto ANGEL finanziato dalla Comunit\ue0 Europea (IST-2005-33506 - Embedded Systems), il cui obiettivo \ue8 lo sviluppo di una piattaforma per la realizzazione di sistemi eterogenei nei quali Wireless Sensor Network (WSN) e tradizionali reti di comunicazioni cooperano per monitorare e migliorare la qualit\ue0 della vita in habitat comuni. Durante questa attivit\ue0 il flusso di progettazione che include anche il middleware come variabile di progetto, oggetto della tesi di dottorato, sar esemplificato su WSN e terminali mobili (per esempio cellulari) per far si che questi possano dialogare tra loro in modo intelligente.Ambient intelligence, pervasive and ubiquitous computing are the center of a great deal of attention because of their promise to bring benefits for end-users, higher revenues for manufacturers and new challenges for researchers. Typical computing technologies (such as telemedicine, manufacturing, crisis management) are part of a broader class of Networked Embedded Systems (NES) in which a large number of nodes are connected together and collaborate to perform a common task under a defined set of constraints. Therefore, the key aspects of these applications are their distributed nature and the presence of very limited HW resources, as in case of WSNs. Their wide adoption requires interoperability across different manufacturers, simplification of application development, simulation tools for functional validation and the fulfilment of tight HW/SW constraints. Interoperability is achieved through the use of standard protocol stacks (e.g., IEEE 802.15.1/Bluetooth and IEEE 802.15.4/Zig- Bee). Simplification of application development can be achieved through a service layer, named middleware, which abstracts from the peculiarities of the operating system and HW components. Traditionally, many NES applications have been developed without support from system software [1] excepts for device drivers and operating systems. State-of-the-art techniques [2] for NES focus on simple data-gathering applications, and in most cases, the design of the application and the system software are usually closely-coupled, or even combined as a monolithic procedure. Such applications are neither flexible nor scalable and they should be re-written if the platform changes. Middleware is emerging as an important architectural component in supporting NES applications able to facilitate the application development. The role of middleware is to present a unified programmingmodel to application designers and to mask out the problems of heterogeneity and distribution providing a basic set of tools and libraries for the low-level handling of technology-specific NES. Several NES middleware have been implemented in the past years each one providing different programming paradigms (e.g., Tuplespace, messageoriented, object-oriented, database, etc.) and differ with respect to ease to use, expressiveness, scalability and overhead. However, their diversity makes the development of high quality middleware-centric software systems complex: software engineering methods and tools should be developed with the use of middleware in mind. In such way, Sensation [xxx] presents a middleware platform solution for pervasive applications inWSN providing a developer-friendly programming interface. This approach is valid just for WSN and does not include a network simulator for an exhaustive network evaluation. Model Driven Architecture (MDA) tries to overcome this problem; MDA is a new way of writing specifications, based on a platform-independent model. A complete MDA specification consists of a platform-independent UML model, one or more platform-specific models, and interface definitions, each describing how the base model is implemented on a different middleware platform. The MDA focuses primarily on the functionality and behaviour of a distributed application or system, not on the technology in which it will be implemented. Furthermore,MDA does not directly provide a simulation environment. Simulation tools are used for validating the application: there is a range of NES simulators available that focus on the network itself. NS-2 is a pure network simulator tool, where the nodes are abstracted and do not run real codes or operating systems, but rather simple behavioral models or statistical traffic generators. The advantage of NS-2 is that scalability is excellent. TOSSIM is a platform-specific simulator environment for sensor networks based on TinyOs operating system. TOSSIM can compile unchanged TinyOS applications directly into its framework, which means that most of the codes written for TOSSIM can be directly used in TinyOS. TOSSIM is a specific simulator for TinyOS and Berkeley motes and cant be used for simulating a generic NES (e.g.,WSN). Finally, SIMICS is a commercial full-system simulator that can be used to simulate heterogenous networked and distributed systems. Complete SW stacks from real system can run on the simulator without any modification. Despite of these punctual contributions, the literature does not report a complete design methodology for NES applications integrating all such three aspects. Therefore, in order to fully support the applications of a great variety of users with different needs, a complete NES application modelling and simulation environment have to include two main components: \u2022 a simulator to validate and explore application functional behaviuor in a network simulated environment supporting interoperability between different implementation platforms and ensure scalability of the NES technology. \u2022 a middleware environemnt providing different programming paradigms. This Layer will serve as an abstraction layer hiding the different NES implementations peculiarities from end-user applications. The goal of this work is to present a middleware-centric design flow for NES, where the middleware plays a decisive role in the design process. The proposed methodology allows programmers to write NES applications by using the system description language named SystemC and the AbstractMiddleware Environment (AME) framework for fast simulation. This proposal has three main advantages: (1) It provides a set of abstract services supporting the programming paradigms of different actual middleware implementations in order to meet the skills of the designer. AME facilitates the NES design flow by providing a unified and developer-common interface concealing the peculiarities of the underlying NES where the simulation environment is modelled in order to simulate the NES applications taking in account hardware and network effects. (2) The application can be simulated at early stage of the design flow for functional validation. (3) automatic mapping of AME applications on the actual platform; this guarantees the correct trade-off between level of abstraction and efficiency of implementation. In the follow we classify the actual middleware approaches according to their programming paradigms; then the AMEcentric design flow is described and finally we report the experimental results