Proving the Absence of Microarchitectural Timing Channels
Microarchitectural timing channels are a major threat to computer security. A set of OS mechanisms called time protection was recently proposed as a principled way of preventing information leakage through such channels and prototyped in the seL4 microkernel. We formalise time protection and the underlying hardware mechanisms in a way that allows linking them to the information-flow proofs that showed the absence of storage channels in seL4.

Comment: Scott Buckley and Robert Sison were joint lead authors.

Towards a RISC-V Open Platform for Next-generation Automotive ECUs
The complexity of automotive systems is increasing quickly due to the integration of novel functionalities such as assisted or autonomous driving. However, increasing complexity poses considerable challenges to the automotive supply chain, since the continuous addition of new hardware and network cabling is not considered tenable. The availability of modern heterogeneous multi-processor chips represents a unique opportunity to reduce vehicle costs by integrating multiple functionalities into fewer Electronic Control Units (ECUs). In addition, recent improvements in open-hardware technology allow costs to be reduced further by avoiding lock-in solutions.

This paper presents a mixed-criticality multi-OS architecture for automotive ECUs based on open hardware and open-source technologies. Safety-critical functionalities are executed by an AUTOSAR OS running on a RISC-V processor, while the Linux OS executes more advanced functionalities on a multi-core ARM CPU. Besides presenting the implemented stack and the communication infrastructure, this paper provides a quantitative gap analysis between an HW/SW-optimized version of the RISC-V processor and a COTS Arm Cortex-R in terms of real-time features, confirming that RISC-V is a valuable candidate for running AUTOSAR Classic stacks of next-generation automotive MCUs.

Comment: 8 pages, 2023 12th Mediterranean Conference on Embedded Computing (MECO)

On-Demand Redundancy Grouping: Selectable Soft-Error Tolerance for a Multicore Cluster
With the shrinking of technology nodes and the use of parallel processor clusters in hostile and critical environments, such as space, run-time faults caused by radiation are a serious cross-cutting concern, also impacting architectural design. This paper introduces an architectural approach to run-time configurable soft-error tolerance at the core level, augmenting a six-core open-source RISC-V cluster with a novel On-Demand Redundancy Grouping (ODRG) scheme. ODRG allows the cluster to operate either as two fault-tolerant cores, or six individual cores for high performance, with limited overhead to switch between these modes during run-time. The ODRG unit adds less than 11% of a core's area for a three-core group, or a total of 1% of the cluster area, and shows negligible timing increase, which compares favorably to a commercial state-of-the-art implementation, and is 2.5× faster in fault recovery re-synchronization. Furthermore, unlike other implementations, when redundancy is not necessary, the ODRG approach allows the redundant cores to be used for independent computation, allowing up to a 2.96× increase in performance for selected applications.

Systematic Prevention of On-Core Timing Channels by Full Temporal Partitioning
Microarchitectural timing channels enable unwanted information flow across security boundaries, violating fundamental security assumptions. They leverage timing variations of several state-holding microarchitectural components and have been demonstrated across instruction set architectures and hardware implementations. Analogously to memory protection, Ge et al. [1] have proposed time protection for preventing information leakage via timing channels. They also showed that time protection calls for hardware support. This work leverages the open and extensible RISC-V instruction set architecture (ISA) to introduce the temporal fence instruction fence.t, which provides the required mechanisms by clearing vulnerable microarchitectural state and guaranteeing a history-independent context-switch latency. We propose and discuss three different implementations of fence.t and implement them on an experimental version of the seL4 microkernel [2] and CVA6, an open-source, in-order, application-class, 64-bit RISC-V core [3]. We find that a complete, systematic, ISA-supported erasure of all non-architectural core components is the most effective implementation while featuring a low implementation effort, a minimal performance overhead of less than 1%, and negligible hardware costs.