Architectural Support for Hypervisor-Level Intrusion Tolerance in MPSoCs

Increasingly, more aspects of our lives rely on the correctness and safety of computing systems, namely in the embedded and cyber-physical (CPS) domains, which directly affect the physical world. While systems have been pushed to their limits of functionality and efficiency, security threats and generic hardware quality have challenged their safety. Leveraging the enormous modular power, diversity and flexibility of these systems, often deployed in multi-processor systems-on-chip (MPSoC), requires careful orchestration of complex and heterogeneous resources, a task left to low-level software, e.g., hypervisors. In current architectures, this software forms a single point of failure (SPoF) and a worthwhile target for attacks: once compromised, adversaries can gain access to all information and full control over the platform and the environment it controls, for instance by means of privilege escalation and resource allocation. Currently, solutions to protect low-level software often rely on a simpler, underlying trusted layer which is often a SPoF itself and/or exhibits downgraded performance. Architectural hybridization allows for the introduction of trusted-trustworthy components, which combined with fault and intrusion tolerance (FIT) techniques leveraging replication, are capable of safely handling critical operations, thus eliminating SPoFs. Performing quorum-based consensus on all critical operations, in particular privilege management, ensures no compromised low-level software can single handedly manipulate privilege escalation or resource allocation to negatively affect other system resources by propagating faults or further extend an adversary’s control. However, the performance impact of traditional Byzantine fault tolerant state-machine replication (BFT-SMR) protocols is prohibitive in the context of MPSoCs due to the high costs of cryptographic operations and the quantity of messages exchanged. Furthermore, fault isolation, one of the key prerequisites in FIT, presents a complicated challenge to tackle, given the whole system resides within one chip in such platforms. There is so far no solution completely and efficiently addressing the SPoF issue in critical low-level management software. It is our aim, then, to devise such a solution that, additionally, reaps benefit of the tight-coupled nature of such manycore systems. In this thesis we present two architectures, using trusted-trustworthy mechanisms and consensus protocols, capable of protecting all software layers, specifically at low level, by performing critical operations only when a majority of correct replicas agree to their execution: iBFT and Midir. Moreover, we discuss ways in which these can be used at application level on the example of replicated applications sharing critical data structures. It then becomes possible to confine software-level faults and some hardware faults to the individual tiles of an MPSoC, converting tiles into fault containment domains, thus, enabling fault isolation and, consequently, making way to high-performance FIT at the lowest level

Behind the Last Line of Defense -- Surviving SoC Faults and Intrusions

Today, leveraging the enormous modular power, diversity and flexibility of manycore systems-on-a-chip (SoCs) requires careful orchestration of complex resources, a task left to low-level software, e.g. hypervisors. In current architectures, this software forms a single point of failure and worthwhile target for attacks: once compromised, adversaries gain access to all information and full control over the platform and the environment it controls. This paper proposes Midir, an enhanced manycore architecture, effecting a paradigm shift from SoCs to distributed SoCs. Midir changes the way platform resources are controlled, by retrofitting tile-based fault containment through well known mechanisms, while securing low-overhead quorum-based consensus on all critical operations, in particular privilege management and, thus, management of containment domains. Allowing versatile redundancy management, Midir promotes resilience for all software levels, including at low level. We explain this architecture, its associated algorithms and hardware mechanisms and show, for the example of a Byzantine fault tolerant microhypervisor, that it outperforms the highly efficient MinBFT by one order of magnitude

Behind the last line of defense: Surviving SoC faults and intrusions

Today, leveraging the enormous modular power, diversity and flexibility of manycore systems-on-a-chip (SoCs) requires careful orchestration of complex and heterogeneous resources, a task left to low-level software, e.g., hypervisors. In current architectures, this software forms a single point of failure and worthwhile target for attacks: once compromised, adversaries can gain access to all information and full control over the platform and the environment it controls. This article proposes Midir, an enhanced manycore architecture, effecting a paradigm shift from SoCs to distributed SoCs. Midir changes the way platform resources are controlled, by retrofitting tile-based fault containment through well known mechanisms, while securing low-overhead quorum-based consensus on all critical operations, in particular privilege management and, thus, management of containment domains. Allowing versatile redundancy management, Midir promotes resilience for all software levels, including at low level. We explain this architecture, its associated algorithms and hardware mechanisms and show, for the example of a Byzantine fault tolerant microhypervisor, that it outperforms the highly efficient MinBFT by one order of magnitude

To verify or tolerate, that’s the question

Formal verification carries the promise of absolute correctness, guaranteed at the highest level of assurance known today. However, inherent to many verification attempts is the assumption that the underlying hardware, the code-generation toolchain and the verification tools are correct, all of the time. While this assumption creates interesting recursive verification challenges, which already have been executed successfully for all three of these elements, the coverage of this assumption remains incomplete, in particular for hardware. Accidental faults, such as single-event upsets, transistor aging and latchups keep causing hardware to behave arbitrarily in situations where such events occur and require other means (e.g., tolerance) to safely operate through them. Targeted attacks, especially physical ones, have a similar potential to cause havoc. Moreover, faults of the above kind may well manifest in such a way that their effects extend to all software layers, causing incorrect behavior, even in proven correct ones. In this position paper, we take a holistic system-architectural point of view on the role of trusted-execution environments (TEEs), their implementation complexity and the guarantees they can convey and that we want to be preserved in the presence of faults. We find that if absolute correctness should remain our visionary goal, TEEs can and should be constructed differently with tolerance embedded at the lowest levels and with verification playing an essential role. Verification should both assure the correctness of the TEE construction protocols and mechanisms as well as help protecting the applications executing inside the TEEs

Bridging the space systems performance-reliability gap for future deep space resources exploration and exploitation.

In building equipment for space exploitation, one has to trade system robustness for the high processing capabilities and low energy consumption. The high performance, low robustness approach, is acceptable, especially in Earths’ vicinity. However, in more demanding (especially high-radiation) environments, attempts had disappointing outcomes. The processing-reliability gap, between highly reliable and highly performant systems, spans 2-3 orders of magnitude. This gap brings hope, that some of this excess processing power can be utilized, in building a combination of hardware and software mechanisms that is capable of increasing robustness and resilience of otherwise susceptible semiconductor devices, while allowing to harness the remaining processing power to build affordable space systems with large degrees of autonomy, rich functionality and high bandwidth. At the CritiX research group, we aim to bridge this performance-reliability gap, by researching the enabling building blocks for constructing more reliable and more secure System-on-Chips

Analysis of a bone metastasis gene expression signature in patients with bone metastasis from solid tumors

© Springer Science+Business Media B.V. 2011Bone is a major target for metastases in the most frequent solid tumors, which result in severe complications and are a major cause of pain. A bone metastasis gene expression signature was identified using human breast cancer cells in a mouse model. The bone metastasis-related genes encode secretory and cell surface proteins implicated in bone-homing (CXCR4), angiogenesis (CTGF and FGF5), invasion (MMP-1 and ADAMTS1), and osteoclast recruitment (IL11). This signature superimposes on the 70-gene poor prognosis gene expression signature for breast cancer, and only ADAMTS1, CTGF and IL11 were found to be overexpressed in human primary breast cancers with bone relapse. We analyzed the expression of the six bone metastasis-related genes in bone metastases from patients with different types of solid tumors, to assess its relevance in human clinical samples. MMP-1, CXCR4, FGF5 and CTGF were found to be overexpressed in tumor cells of human bone metastases when compared to a human normal epithelial cell line. All the analyzed genes were overexpressed in the tumor cells of breast cancer bone metastases when compared to normal breast tissue. We did not detect any differences between the expression of these genes in bone metastases from breast cancer or from other types of solid tumors. Importantly, there was a significant correlation between the expressions of IL11/CTGF, IL11/ADAMTS1, CTGF/CXCR4, CTGF/ADAMTS1, and MMP-1/ADAMTS1, supporting the cooperative function of these proteins in the bone microenvironment, and the potential functional role of these genes in the establishment of bone metastases in vivo.Authors want to acknowledge the Terry Fox Foundation and the Liga Portuguesa Contra o Cancro (NRS) for funding. S. Casimiro is supported by a Post-Doctoral Fellowship from FCT (SFRH/BPD/34801/2007)info:eu-repo/semantics/publishedVersio