Analyzing and Predicting Processor Vulnerability to Soft Errors Using Statistical Techniques

The shrinking processor feature size, lower threshold voltage and increasing on-chip transistor density make current processors highly vulnerable to soft errors. Architectural Vulnerability Factor (AVF) reflects the probability that a raw soft error eventually causes a visible error in the program output, indicating the processor’s susceptibility to soft errors at architectural level. The awareness of the AVF, both at the early design stage and during program runtime, is greatly useful for designing reliable processors. However, measuring the AVF is extremely costly, resulting in large overheads in hardware, computation, and power. The situation is further exacerbated in a multi-threaded processor environment where resource contention and data sharing exist among different threads. Consequently, predicting the AVF from other easily-measured metrics becomes extraordinarily attractive to computer designers. We propose a series of AVF modeling and prediction works via using advanced statistical techniques. First, we utilize the Boosted Regression Trees (BRT) scheme to dynamically predict the AVF during program execution from a variety of performance metrics. This correlation is generalized to be across different workloads, program phases, and processor configurations on a single-threaded superscalar processor. Second, the AVF prediction is extended to multi-threaded processors where the inter-thread resource contention shows significant and non-uniform impacts on different programs; we propose a two-level predictive mechanism using BRT as building blocks to characterize the contention behavior. Finally, we employ a rule search strategy named Patient Rule Induction Method (PRIM) to explore a large processor design space at the early design stage. We are capable of generating selective rules on important configuration parameters. These rules quantify the design space subregion yielding lowest values of the response, thereby providing useful guidelines for designing reliable processors while achieving high performance

FIMSIM: A fault injection infrastructure for microarchitectural simulators

Fault injection is a widely used approach for experiment-based dependability evaluation in which faults can be injected to the hardware, to the simulator or to the software. Simulation based fault injection is more appealing for researchers, since it can be utilized at the early design stage of the processor. As such, it enables a preliminary analysis of the correlation between the criticality of circuit level faults and their impact on applications. However, the lack of publicly available fault injectors for microarchitecture level simulators brings extra burden of designing and implementing fault injectors to the researchers who evaluate microarchitecture dependability. In this study, we present FIMSIM, to the best of our knowledge, the first publicly available fault injection simulator at the microarchitecture level. FIMSIM is a compact tool which is capable of injecting transient, permanent, intermittent and multi-bit faults. Therefore, FIMSIM provides the opportunity to comprehensively evaluate the vulnerability of different microarchitectural structures against different fault models.Postprint (published version

Analysis and RTL Correlation of Instruction Set Simulators for Automotive Microcontroller Robustness Verification

© ACM 2015 This is the author's version of the work. It is posted here for your personal use. Not for redistribution. The definitive Version of Record was published in ACM, In Proceedings of the 52nd Annual Design Automation Conference (p. 40). http://dx.doi.org/10.1145/2744769.2744798.Increasingly complex microcontroller designs for safety-relevant automotive systems require the adoption of new methods and tools to enable a cost-effective verification of their robustness. In particular, costs associated to the certification against the IS026262 safety standard must be kept low for economical reasons. In this context, simulation-based verification using instruction set simulators (ISS) arises as a promising approach to partially cope with the increasing cost of the verification process as it allows taking design decisions in early design stages when modifications can be performed quickly and with low cost. However, it remains to be proven that verification in those stages provides accurate enough information to be used in the context of automotive microcontrollers. In this paper we analyze the existing correlation between fault injection experiments in an RTL microcontroller description and the information available at the ISS to enable accurate ISS-based fault injection.The research leading to these results has received funding from the ARTEMIS Joint Undertaking VeTeSS project under grant agreement number 295311. This work has also been funded by the Ministry of Science and Technology of Spain under contract TIN2012-34557 and HiPEAC. Jaume Abella is partially supported by the Ministry of Economy and Competitiveness under Ramon y Cajal postdoctoral fellowship number RYC-2013-14717.Espinosa García, J.; Hernández Luz, C.; Abella, J.; Andrés Martínez, DD.; Ruiz García, JC. (2015). Analysis and RTL Correlation of Instruction Set Simulators for Automotive Microcontroller Robustness Verification. ACM. https://doi.org/10.1145/2744769.2744798SARTEMIS Joint Undertaking.VeTeSS project:www.vetess.eu.J.-C. Baraza, et al. Enhancement of fault injection techniques based on the modification of vhdl code.IEEE Transactions on VLSI, 16(6):693--706, June 2008.Alfredo Benso et al.Fault Injection Techniques and Tools for Embedded Systems Reliability Evaluation.Kluwer Academic Publishers, 2003.D. Borodin et al. Protective redundancy overhead reduction using instruction vulnerability factor. InCF, 2010.R. N. Charette. This car runs on code. InIEEE Spectrum online, 2009.Pedro Gil, et al. Fault representativeness. Technical report, DBench project, IST 2000-25425 [Online]. Available: http://www.laas.fr/DBench, 2002.C. Hernandez et al. Live: Timely error detection in light-lockstep safety critical systems. InDAC, 2014.Infineon. AURIX - TriCore datasheet. highly integrated and performance optimized 32-bit microcontrollers for automotive and industrial applications, 2012. http://www.infineon.com/.International Organization for Standardization.ISO/DIS 26262. Road Vehicles--Functional Safety, 2009.E. Jenn, et al. Fault injection into VHDL models: the mefisto tool. InFTCS, 1994.G. Leen et al. Expanding automotive electronic systems.IEEE Computer, 35(1), 2002.Man-Lap Li, et al. Accurate microarchitecture-level fault modeling for studying hardware faults. InHPCA, 2009.Michail Maniatakos, et al. Instruction-level impact analysis of low-level faults in a modern microprocessor controller.IEEE Transactions on Computers, 60(9):1260--1273, 2011.S. S. Mukherjee, et al. A systematic methodology to compute the architectural vulnerability factors for a high-performance microprocessor. InMICRO, 2003.J.-H. Oetjens, et al. Safety evaluation of automotive electronics using virtual prototypes: State of the art and research challenges. InDAC, 2014.J. Poovey.Characterization of the EEMBC Benchmark Suite.North Carolina State University, 2007.M. Psarakis, et al. Microprocessor software-based self-testing.Design Test of Computers, IEEE, 27(3):4--19, May 2010.S. Rehman, et al. Reliable software for unreliable hardware: Embedded code generation aiming at reliability. InCODES+ISSS, 2011.S. Rohr, et al. An integrated approach to automotive safety systems.SAE Automotive Engineering International magazine, September 2000.B. Sangchoolie, et al. A study of the impact of bit-flip errors on programs compiled with different optimization levels. InEDCC, 2014.STMicroelectronics.32-bit Power Architecture microcontroller for automotive SIL3/ASILD chassis and safety applications, 2014.http://www.gaisler.com/cms/index.php?option=com_content&task=view&id=13&Itemid=53.Leon3 Processor.Areroflex Gaisler

UI-SPEED: Uniquely Identifiable Self-Contained Pass-Through Enhanced Encryption Device

USB encryption is an effective method for securing data. Current available solutions are limited to host-side, drive-side, and neither-side encryption. Host-side encryption must be downloaded on every host, and drive-side encryption is expensive. Current neither-side implementations either provide weak protection or provide it at the cost of unneeded multi-step processes. For USB encryption to be portable, inexpensive, and secure, it must have a straightforward locking mechanism, be able to encrypt any drive, and be distinguishable from the encryption of every other drive. The solution proposed here adds an identifiable aspect to each drive that is encrypted, isolates the encryption from the host and the drive, and adds an on-board locking mechanism

PSOFuzz: Fuzzing Processors with Particle Swarm Optimization

Hardware security vulnerabilities in computing systems compromise the security defenses of not only the hardware but also the software running on it. Recent research has shown that hardware fuzzing is a promising technique to efficiently detect such vulnerabilities in large-scale designs such as modern processors. However, the current fuzzing techniques do not adjust their strategies dynamically toward faster and higher design space exploration, resulting in slow vulnerability detection, evident through their low design coverage. To address this problem, we propose PSOFuzz, which uses particle swarm optimization (PSO) to schedule the mutation operators and to generate initial input programs dynamically with the objective of detecting vulnerabilities quickly. Unlike traditional PSO, which finds a single optimal solution, we use a modified PSO that dynamically computes the optimal solution for selecting mutation operators required to explore new design regions in hardware. We also address the challenge of inefficient initial seed generation by employing PSO-based seed generation. Including these optimizations, our final formulation outperforms fuzzers without PSO. Experiments show that PSOFuzz achieves up to 15.25$\times$ speedup for vulnerability detection and up to 2.22$\times$ speedup for coverage compared to the state-of-the-art simulation-based hardware fuzzer.Comment: To be published in the proceedings of the ICCAD, 202

GhostMinion: A Strictness-Ordered Cache System for Spectre Mitigation

Out-of-order speculation, a technique ubiquitous since the early 1990s, remains a fundamental security flaw. Via attacks such as Spectre and Meltdown, an attacker can trick a victim, in an otherwise entirely correct program, into leaking its secrets through the effects of misspeculated execution, in a way that is entirely invisible to the programmer's model. This has serious implications for application sandboxing and inter-process communication. Designing efficient mitigations, that preserve the performance of out-of-order execution, has been a challenge. The speculation-hiding techniques in the literature have been shown to not close such channels comprehensively, allowing adversaries to redesign attacks. Strong, precise guarantees are necessary, but at the same time mitigations must achieve high performance to be adopted. We present Strictness Ordering, a new constraint system that shows how we can comprehensively eliminate transient side channel attacks, while still allowing complex speculation and data forwarding between speculative instructions. We then present GhostMinion, a cache modification built using a variety of new techniques designed to provide Strictness Order at only 2.5% overhead

SafeBet: Secure, Simple, and Fast Speculative Execution

Spectre attacks exploit microprocessor speculative execution to read and transmit forbidden data outside the attacker's trust domain and sandbox. Recent hardware schemes allow potentially-unsafe speculative accesses but prevent the secret's transmission by delaying most access-dependent instructions even in the predominantly-common, no-attack case, which incurs performance loss and hardware complexity. Instead, we propose SafeBet which allows only, and does not delay most, safe accesses, achieving both security and high performance. SafeBet is based on the key observation that speculatively accessing a destination location is safe if the location's access by the same static trust domain has been committed previously; and potentially unsafe, otherwise. We extend this observation to handle inter trust-domain code and data interactions. SafeBet employs the Speculative Memory Access Control Table (SMACT) to track non-speculative trust domain code region-destination pairs. Disallowed accesses wait until reaching commit to trigger well-known replay, with virtually no change to the pipeline. Software simulations using SpecCPU benchmarks show that SafeBet uses an 8.3-KB SMACT per core to perform within 6% on average (63% at worst) of the unsafe baseline behind which NDA-restrictive, a previous scheme of security and hardware complexity comparable to SafeBet's, lags by 83% on average