Lightweight reconfiguration security services for AXI-based MPSoCs

International audienceNowadays, security is a key constraint in MPSoC development as many critical and secret information can be stored and manipulated within these systems. Addressing the protection issue in an efficient way is challenging as information can leak from many points. However one strategic component of a bus-based MPSoC is the communication architecture as all information that an attacker could try to extract or modify would be visible on the bus. Thus monitoring and controlling communications allows an efficient protection of the whole system. Attacks can be detected and discarded before system corruption. In this work, we propose a lightweight solution to dynamically update hardware firewall enhancements which secure data exchanges in a bus-based MPSoC. It provides a standalone security solution for AXI-based embedded systems where no user intervention is required for security mechanisms update. An FPGA implementation demonstrates an area overhead of around 11% for the adaptive version of the hardware firewall compared to the static one

Design and Programming Methods for Reconfigurable Multi-Core Architectures using a Network-on-Chip-Centric Approach

A current trend in the semiconductor industry is the use of Multi-Processor Systems-on-Chip (MPSoCs) for a wide variety of applications such as image processing, automotive, multimedia, and robotic systems. Most applications gain performance advantages by executing parallel tasks on multiple processors due to the inherent parallelism. Moreover, heterogeneous structures provide high performance/energy efficiency, since application-specific processing elements (PEs) can be exploited. The increasing number of heterogeneous PEs leads to challenging communication requirements. To overcome this challenge, Networks-on-Chip (NoCs) have emerged as scalable on-chip interconnect. Nevertheless, NoCs have to deal with many design parameters such as virtual channels, routing algorithms and buffering techniques to fulfill the system requirements. This thesis highly contributes to the state-of-the-art of FPGA-based MPSoCs and NoCs. In the following, the three major contributions are introduced. As a first major contribution, a novel router concept is presented that efficiently utilizes communication times by performing sequences of arithmetic operations on the data that is transferred. The internal input buffers of the routers are exchanged with processing units that are capable of executing operations. Two different architectures of such processing units are presented. The first architecture provides multiply and accumulate operations which are often used in signal processing applications. The second architecture introduced as Application-Specific Instruction Set Routers (ASIRs) contains a processing unit capable of executing any operation and hence, it is not limited to multiply and accumulate operations. An internal processing core located in ASIRs can be developed in C/C++ using high-level synthesis. The second major contribution comprises application and performance explorations of the novel router concept. Models that approximate the achievable speedup and the end-to-end latency of ASIRs are derived and discussed to show the benefits in terms of performance. Furthermore, two applications using an ASIR-based MPSoC are implemented and evaluated on a Xilinx Zynq SoC. The first application is an image processing algorithm consisting of a Sobel filter, an RGB-to-Grayscale conversion, and a threshold operation. The second application is a system that helps visually impaired people by navigating them through unknown indoor environments. A Light Detection and Ranging (LIDAR) sensor scans the environment, while Inertial Measurement Units (IMUs) measure the orientation of the user to generate an audio signal that makes the distance as well as the orientation of obstacles audible. This application consists of multiple parallel tasks that are mapped to an ASIR-based MPSoC. Both applications show the performance advantages of ASIRs compared to a conventional NoC-based MPSoC. Furthermore, dynamic partial reconfiguration in terms of relocation and security aspects are investigated. The third major contribution refers to development and programming methodologies of NoC-based MPSoCs. A software-defined approach is presented that combines the design and programming of heterogeneous MPSoCs. In addition, a Kahn-Process-Network (KPN) –based model is designed to describe parallel applications for MPSoCs using ASIRs. The KPN-based model is extended to support not only the mapping of tasks to NoC-based MPSoCs but also the mapping to ASIR-based MPSoCs. A static mapping methodology is presented that assigns tasks to ASIRs and processors for a given KPN-model. The impact of external hardware components such as sensors, actuators and accelerators connected to the processors is also discussed which makes the approach of high interest for embedded systems

Architectural Support for Hypervisor-Level Intrusion Tolerance in MPSoCs

Increasingly, more aspects of our lives rely on the correctness and safety of computing systems, namely in the embedded and cyber-physical (CPS) domains, which directly affect the physical world. While systems have been pushed to their limits of functionality and efficiency, security threats and generic hardware quality have challenged their safety. Leveraging the enormous modular power, diversity and flexibility of these systems, often deployed in multi-processor systems-on-chip (MPSoC), requires careful orchestration of complex and heterogeneous resources, a task left to low-level software, e.g., hypervisors. In current architectures, this software forms a single point of failure (SPoF) and a worthwhile target for attacks: once compromised, adversaries can gain access to all information and full control over the platform and the environment it controls, for instance by means of privilege escalation and resource allocation. Currently, solutions to protect low-level software often rely on a simpler, underlying trusted layer which is often a SPoF itself and/or exhibits downgraded performance. Architectural hybridization allows for the introduction of trusted-trustworthy components, which combined with fault and intrusion tolerance (FIT) techniques leveraging replication, are capable of safely handling critical operations, thus eliminating SPoFs. Performing quorum-based consensus on all critical operations, in particular privilege management, ensures no compromised low-level software can single handedly manipulate privilege escalation or resource allocation to negatively affect other system resources by propagating faults or further extend an adversary’s control. However, the performance impact of traditional Byzantine fault tolerant state-machine replication (BFT-SMR) protocols is prohibitive in the context of MPSoCs due to the high costs of cryptographic operations and the quantity of messages exchanged. Furthermore, fault isolation, one of the key prerequisites in FIT, presents a complicated challenge to tackle, given the whole system resides within one chip in such platforms. There is so far no solution completely and efficiently addressing the SPoF issue in critical low-level management software. It is our aim, then, to devise such a solution that, additionally, reaps benefit of the tight-coupled nature of such manycore systems. In this thesis we present two architectures, using trusted-trustworthy mechanisms and consensus protocols, capable of protecting all software layers, specifically at low level, by performing critical operations only when a majority of correct replicas agree to their execution: iBFT and Midir. Moreover, we discuss ways in which these can be used at application level on the example of replicated applications sharing critical data structures. It then becomes possible to confine software-level faults and some hardware faults to the individual tiles of an MPSoC, converting tiles into fault containment domains, thus, enabling fault isolation and, consequently, making way to high-performance FIT at the lowest level

Architectural Support for Hypervisor-Level Intrusion Tolerance in MPSoCs

Increasingly, more aspects of our lives rely on the correctness and safety of computing systems, namely in the embedded and cyber-physical (CPS) domains, which directly affect the physical world. While systems have been pushed to their limits of functionality and efficiency, security threats and generic hardware quality have challenged their safety. Leveraging the enormous modular power, diversity and flexibility of these systems, often deployed in multi-processor systems-on-chip (MPSoC), requires careful orchestration of complex and heterogeneous resources, a task left to low-level software, e.g., hypervisors. In current architectures, this software forms a single point of failure (SPoF) and a worthwhile target for attacks: once compromised, adversaries can gain access to all information and full control over the platform and the environment it controls, for instance by means of privilege escalation and resource allocation. Currently, solutions to protect low-level software often rely on a simpler, underlying trusted layer which is often a SPoF itself and/or exhibits downgraded performance. Architectural hybridization allows for the introduction of trusted-trustworthy components, which combined with fault and intrusion tolerance (FIT) techniques leveraging replication, are capable of safely handling critical operations, thus eliminating SPoFs. Performing quorum-based consensus on all critical operations, in particular privilege management, ensures no compromised low-level software can single handedly manipulate privilege escalation or resource allocation to negatively affect other system resources by propagating faults or further extend an adversary’s control. However, the performance impact of traditional Byzantine fault tolerant state-machine replication (BFT-SMR) protocols is prohibitive in the context of MPSoCs due to the high costs of cryptographic operations and the quantity of messages exchanged. Furthermore, fault isolation, one of the key prerequisites in FIT, presents a complicated challenge to tackle, given the whole system resides within one chip in such platforms. There is so far no solution completely and efficiently addressing the SPoF issue in critical low-level management software. It is our aim, then, to devise such a solution that, additionally, reaps benefit of the tight-coupled nature of such manycore systems. In this thesis we present two architectures, using trusted-trustworthy mechanisms and consensus protocols, capable of protecting all software layers, specifically at low level, by performing critical operations only when a majority of correct replicas agree to their execution: iBFT and Midir. Moreover, we discuss ways in which these can be used at application level on the example of replicated applications sharing critical data structures. It then becomes possible to confine software-level faults and some hardware faults to the individual tiles of an MPSoC, converting tiles into fault containment domains, thus, enabling fault isolation and, consequently, making way to high-performance FIT at the lowest level

FPGA based technical solutions for high throughput data processing and encryption for 5G communication: A review

The field programmable gate array (FPGA) devices are ideal solutions for high-speed processing applications, given their flexibility, parallel processing capability, and power efficiency. In this review paper, at first, an overview of the key applications of FPGA-based platforms in 5G networks/systems is presented, exploiting the improved performances offered by such devices. FPGA-based implementations of cloud radio access network (C-RAN) accelerators, network function virtualization (NFV)-based network slicers, cognitive radio systems, and multiple input multiple output (MIMO) channel characterizers are the main considered applications that can benefit from the high processing rate, power efficiency and flexibility of FPGAs. Furthermore, the implementations of encryption/decryption algorithms by employing the Xilinx Zynq Ultrascale+MPSoC ZCU102 FPGA platform are discussed, and then we introduce our high-speed and lightweight implementation of the well-known AES-128 algorithm, developed on the same FPGA platform, and comparing it with similar solutions already published in the literature. The comparison results indicate that our AES-128 implementation enables efficient hardware usage for a given data-rate (up to 28.16 Gbit/s), resulting in higher efficiency (8.64 Mbps/slice) than other considered solutions. Finally, the applications of the ZCU102 platform for high-speed processing are explored, such as image and signal processing, visual recognition, and hardware resource management

Protection des architectures hétérogènes multiprocesseurs dans les systèmes embarqués : Une approche décentralisée basée sur des pare-feux matériels

Embedded systems are used in several domains and are parts of our daily life : we use them when we use our smartphones or when we drive our modern cars embeddingGPS, light/rain sensors and other electronic assistance mechanisms. These systems process sensitive data (such as credit card numbers, critical information about the host system and so on) which must be protected against external attacks as these data are transmitted through a communication link where the attacker can connect to extract sensitive information or inject malicious code within the system. Unfortunately, embedded systems containmore andmore components which make more and more security breaches that can be exploited to provoke attacks. One of the goals of this thesis is to propose a method to protect communications and memories in a multiprocessor architecture implemented in a FPGA reconfigurable chip. The method is based on the implementation of hardware mechanisms offering monitoring and cryptographic features in order to give a secured execution environment according to a given threat model. The main goal of the solution proposed in this work is to minimize perturbations in the data traffic ; it is considered that it can be accomplished by focusing on the latency impact of our security mechanisms. Our solution is also sensible to attack events : as soon as an attack is detected, an update process of security policies can be enabled. Following an analysis of implementation results, two extensions of the basic solution are described : a fully-secured flow for startup/maintenance of FPGA-based multiprocessor systems and a method to improve attacks detection in order to take into account software parameters in multitasks applications.Les systèmes embarqués sont présents dans de nombreux domaines et font même partie de notre quotidien à travers les smartphones ou l'électronique embarquée dans les voitures par exemple. Ces systèmes manipulent des données sensibles (codes de carte bleue, informations techniques sur le système hôte. . . ) qui doivent être protégées contre les attaques extérieures d'autant plus que ces données sont transmises sur un canal de communication sur lequel l'attaquant peut se greffer pour extraire des données ou injecter du code malveillant. Le fait que ces systèmes contiennent de plus en plus de composants dans une seule et même puce augmente le nombre de failles qui peuvent être exploitées pour provoquer des attaques. Les travaux menés dans cemanuscrit s'attachent à proposer une méthode de sécurisation des communications et des mémoires dans une architecture multiprocesseur embarquée dans un composant reconfigurable FPGA par l'implantation de mécanismes matériels qui proposent des fonctions de surveillance et de cryptographie afin de protéger le système contre un modèle de menaces prédéfini tout en minimisant l'impact en latence pour éviter de perturber le trafic des données dans le système. Afin de répondre au mieux aux tentatives d'attaques, le protocole demise à jour est également défini. Après une analyse des résultats obtenus par différentes implémentations, deux extensions sont proposées : un flot de sécurité complet dédié à la mise en route et la maintenance d'un système multiprocesseur sur FPGA ainsi qu'une amélioration des techniques de détection afin de prendre en compte des paramètres logiciels dans les applications multi-tâches

Fault-tolerant satellite computing with modern semiconductors

Miniaturized satellites enable a variety space missions which were in the past infeasible, impractical or uneconomical with traditionally-designed heavier spacecraft. Especially CubeSats can be launched and manufactured rapidly at low cost from commercial components, even in academic environments. However, due to their low reliability and brief lifetime, they are usually not considered suitable for life- and safety-critical services, complex multi-phased solar-system-exploration missions, and missions with a longer duration. Commercial electronics are key to satellite miniaturization, but also responsible for their low reliability: Until 2019, there existed no reliable or fault-tolerant computer architectures suitable for very small satellites. To overcome this deficit, a novel on-board-computer architecture is described in this thesis.Robustness is assured without resorting to radiation hardening, but through software measures implemented within a robust-by-design multiprocessor-system-on-chip. This fault-tolerant architecture is component-wise simple and can dynamically adapt to changing performance requirements throughout a mission. It can support graceful aging by exploiting FPGA-reconfiguration and mixed-criticality.  Experimentally, we achieve 1.94W power consumption at 300Mhz with a Xilinx Kintex Ultrascale+ proof-of-concept, which is well within the powerbudget range of current 2U CubeSats. To our knowledge, this is the first COTS-based, reproducible on-board-computer architecture that can offer strong fault coverage even for small CubeSats.European Space AgencyComputer Systems, Imagery and Medi

Build framework and runtime abstraction for partial reconfiguration on FPGA SoCs

Growth in edge computing has increased the requirement for edge systems to process larger volumes of real-time data, such as with image processing and machine learning; which are increasingly demanding of computing resources. Offloading tasks to the cloud provides some relief but is network dependant, high latency and expensive. Alternative architectures such as GPUs provide higher performance acceleration for this type of data processing but trade processing performance for an increase in power consumption. Another option is the Field Programmable Gate Array; a flexible matrix of logic that can be configured by a designer to provide a highly optimised computation path for incoming data. There are drawbacks; the FPGA design process is complex, the domain is dissimilar to software and the tools require bespoke expertise. A designer must manage the hardware to software paradigm introduced when tightly-coupled with general purpose processor. Advanced features, such as the ability to partially reconfigure (PR) specific regions of the FPGA, further increase this complexity. This thesis presents theory and demonstration of custom frameworks and tools for increasing abstraction and simplifying control over PR applications. We present mechanisms for networked PR; a mechanism for bypassing the traditional software networking stack to trigger PR with reduced latency and increased determinism. We developed a build framework for automating the end-to-end PR design process for Linux based systems as well as an abstracted runtime for managing the resulting applications. Finally, we take expand on this work and present a high level abstraction for PR on cyber physical systems, with a demonstration using the Robot Operating System. This work is released as open source contributions, designed to enable future PR research

Arm TrustZone: evaluating the diversity of the memory subsystem

Dissertação de mestrado em Engenharia Eletrónica Industrial e ComputadoresThe diversification of the embedded market has led the once single-purpose built embedded device to become a broader concept that can accommodate more general-purpose solutions, by widening its hardware and software resources. A huge diversity in system resources and requirements has boosted the investigation around virtualization technology, which is becoming prevalent in the embedded systems domain, allowing timing and spatial sharing of hardware and software resources between specialized subsystems. As strict timing demands imposed in realtime virtualized systems must be met, coupled with a small margin for the penalties incurred by conventional software-based virtualization, resort to hardware-assisted solutions has become indispensable. Although not a virtualization but security-oriented technology, Arm TrustZone is seen by many as a reliable hardware-based virtualization alternative, with the low cost and high spread of TrustZone-enabled processors standing as strong arguments for its acceptance. But, since Trust- Zone only dictates the hardware infrastructure foundations, providing SoC designers with a range of components that can fulfil specific functions, several key-components and subsystems of this technology are implementation defined. This approach may hinder a system designer’s work, as it may impair and make the portability of system software a lot more complicated. As such, this thesis proposes to examine how different manufacturers choose to work with the TrustZone architecture, and how the changes introduced by this technology may affect the security and performance of TrustZone-assisted virtualization solutions, in order to scale back those major constraints. It identifies the main properties that impact the creation and execution of system software and points into what may be the most beneficial approaches for developing and using TrustZone-assisted hardware and software.A recente metamorfose na área dos sistemas embebidos transformou estes dispositivos, outrora concebidos com um único e simples propósito, num aglomerado de subsistemas prontos para integrar soluções mais flexíveis. Este aumento de recursos e de requisitos dos sistemas potenciou a investigação em soluções de virtualização dos mesmos, permitindo uma partilha simultânea de recursos de hardware e software entre os vários subsistemas. A proliferação destas soluções neste domínio, onde os tempos de execução têm de ser respeitados e a segurança é um ponto-chave, tem levado à adoção de técnicas de virtualização assistidas por hardware. Uma tecnologia que tem vindo a ser utilizada para este fim é a Arm TrustZone, apesar de inicialmente ter sido desenvolvida como uma tecnologia de proteção, dado a sua maior presença em placas de médio e baixo custo quando comparada a outras tecnologias. Infelizmente, dado que a TrustZone apenas fornece diretrizes base sobre as quais os fabricantes podem contruir os seus sistemas, as especificações da tecnologia divergem de fabricante para fabricante, ou até entre produtos com a mesma origem. Aliada à geral escassez de informação sobre esta tecnologia, esta característica pode trazer problemas para a criação e portabilidade de software de sistema dependente desta tecnologia. Como tal, a presente tese propõe examinar, de uma forma sistematizada, de que forma diferentes fabricantes escolhem implementar sistemas baseados na arquitetura TrustZone e em que medida as mudanças introduzidas por esta tecnologia podem afetar a segurança e desempenho de soluções de virtualização baseadas na mesma. São identificadas as principais características que podem influenciar a criação e execução de software de sistema e potenciais medidas para diminuir o seu impacto, assim como boas práticas a seguir no desenvolvimento na utilização de software e hardware baseados na TrustZone