We present a hybrid application methodology comprising a design space exploration with a formal performance analysis for individual applications. This results in several resource reservation configurations with verified real-time guarantees. The Pareto-optimal configurations are handed over to run-time management which searches for a suitable mapping. We achieve real-time guarantees through the concept of composability either by spatial or a novel temporal isolation for tasks and by exploiting composable NoCs. The experiments reveal that the success rate in finding feasible application mappings is increased by temporal isolation by up to 30% and energy consumption is reduced compared to spatial isolation.
Editorial: Need for Artefact Verified Articles in ACM Transactions
Guest Editorial: Special Issue of ACM TECS on the ACM-IEEE International Conference on Formal Methods and Models for System Design (MEMOCODE 2017)
As real-time systems are evolving in scale and complexity, the demand for higher performance at a minimum energy consumption has become a necessity. Consequently, many embedded systems have adopted multicore architectures into their design. Scheduling on multicores in not a trivial task. Optimizing for energy adds to the complexity of the problem. There is now a trend towards heterogeneous multicores where cores differ in power, performance, and architectural capabilities. In this article we present a survey on energy-efficient multicore scheduling for hard real-time systems both homogeneous and heterogeneous architectures.
The Internet of Things (IoT) is expanding at a large rate, with devices found in commercial and domestic settings from industrial sensors to home appliances. However, as the IoT market grows, so does the number of attacks made against it with some reports claiming an increase of 600\% in 2017. This work seeks to prevent code replacement, injection and exploitation attacks by ensuring correct and platform specific application execution. This combines two previously studied problems: secure application execution and binding hardware and software. We present descriptions of both problems and requirements for ensuring both simultaneously. We then propose a scheme extending previous work that meets these requirements, and describe our implementation of the soft-core Secure Execution Processor developed and tested on Xilinx Spartan-6 FPGA. Finally, we analyse the scheme and our implementation according to performance and the requirements listed.
We present a technique for implementing dataflow networks as compositional hardware circuits. We first define an abstract dataflow model with unbounded buffers that supports data-dependent blocks (mux, demux, and nondeterministic merge); we then show how to faithfully implement such networks with bounded buffers and handshaking. Handshaking admits compositionality: our circuits can be connected with or without buffers and still compute the same function without introducing spurious combinational cycles. As such, inserting or removing buffers affects the performance but not the functionality of our networks; which we demonstrate through experiments that show how design space can be explored.
This work introduces a heuristic-guided branching search algorithm for model-based, mutation-driven test case generation. The algorithm is designed towards the efficient and computationally tractable exploration of discrete, non-deterministic models with huge state spaces. Asynchronous parallel processing is a key feature of the algorithm. The algorithm is inspired by the successful path planning algorithm Rapidly exploring Random Trees (RRT). We adapt RRT in several aspects towards test case generation. Most notably, we introduce parametrized heuristics for start and successor state selection, as well as a mechanism to construct test cases from the data produced during search.
With the fast growth of drones, their security problems meet significant challenges. The target of this paper is to develop a technique that just using onboard gyroscopes to detect drones whether have been hijacked. In this paper, we propose a novel method to detect hijacking just based on gyroscopes measurements and GPS data, without using any accelerometer, which reduces some calculation and measurement errors. The computational complexity of our method is very low, and thus is suitable to be implemented in the drones with micro-controllers. Experiments with a quad-rotor drone are conducted to show the effectiveness of the proposed method
Elliptic Curve Cryptography (ECC) now is one of the most important approach to instantiate asymmetric encryption and signature schemes, which has been extensively exploited to protect the security of cyber-physical systems. With the advent of the Internet of Things (IoT), a great deal of constrained devices may require software implementations of ECC operations. Under this circumstances, the SM2, a set of public key cryptographic algorithms based on elliptic curves published by Chinese Commercial Cryptography Administration Office, was standardized at ISO in 2017 to enhance the cyber-security. However, few research works on implementations of SM2 for constrained devices have been conducted. In this work, we fill this gap and propose our efficient, secure and compact implementation of scalar multiplication on a 256-bit elliptic curve recommended by the SM2, as well as a comparison implementation of scalar multiplication on the same bit-length elliptic curve recommended by NIST. We re-designed some existent techniques to fit the low-end IoT platform, namely 8-bit AVR processors, and our ECC implementations evaluated on the desired platform show that the SM2 algorithms have competitive efficiency and security with NIST, which would work well to secure the IoT world.
Time predictability is difficult to achieve in the complex, layered execution environments that are common in modern embedded devices such as smartphones. We explore adopting the Android programming model for a range of embedded applications that extends beyond mobile devices, under the constraint that changes to widely used libraries should be minimized. The challenges we explore include the interplay between real-time activities and the rest of the system, how to express the timeliness requirements of components, and how well those requirements can be met on stock embedded platforms. This work discusses our design and implementation and evaluation results.
Constructing high assurance, secure hardware remains a challenge, because to do so relies on both a verifiable means of hardware description and implementation. Production hardware description languages (HDL) lack the formal underpinnings required by formal methods in security. Still, there is no such thing as high assurance systems without high assurance hardware. We present a core calculus of secure hardware description with its formal semantics, security type system and mechanization in Coq. This calculus is the core of the functional HDL, ReWire. This work supports a full-fledged formal methodology for producing high assurance hardware.
With the rapid development of the Internet of Things (IoT), security has attracted considerable interest. Conventional security solutions that have been proposed for Internet based on classical cryptography cannot be applied to IoT nodes due to the resource-constrained platform. A physical unclonable function (PUF) can be used to generate a key online or uniquely identify an integrated circuits (ICs) by extracting its internal random differences using the so-called challenge-response pairs (CRPs). The PUF is a new type of hardware-based security primitive; it is regarded as a promising low-cost solution for IoT security. A logic reconfigurable PUF (RPUF) is highly efficient in terms of hardware cost. This paper first presents a new classification of RPUFs into circuit based RPUF (C-RPUF) and algorithm based RPUF (A-RPUF); two XOR-based RPUF circuits (namely the XOR-based reconfigurable bistable ring PUF (XRBR PUF) and the XOR-based reconfigurable ring oscillator PUF (XRRO PUF)) are proposed. Both the XRBR and XRRO PUFs are implemented using Xilinx Spartan-6 FPGAs. The implementation results are compared with previous PUF designs showing a good uniqueness and reliability. Compared to conventional PUF designs, the most significant advantage of the proposed designs is that they are highly efficient in terms of hardware cost. Moreover, the XRRO PUF is the most efficient design when compared with previous RPUFs. Also, both the proposed XRRO and XRBR PUFs require only 12.5% of the hardware resources of previous bitstable ring PUFs and reconfigurable RO PUFs, respectively, to generate a 1-bit response; this confirms that the proposed XRBR and XRRO PUFs are very efficient designs with good uniqueness and reliability.
Cache attacks allow attackers to infer the properties of a secret execution by observing cache hits and misses. But how much information can actually leak through such attacks? For a given program, a cache model, and an input, our CHALICE framework leverages symbolic execution to compute the amount of information that can possibly leak through cache attacks. In our evaluation on real-world programs from OpenSSL and Linux GDK libraries, CHALICE effectively quantifies information leaks: For an AES-128 implementation, for instance, CHALICE finds that a cache attack can leak as much as 127 out of 128 bits of the encryption key.
We develop an assume-guarantee contract framework for cyber-physical system design under probabilistic requirements. Given a stochastic linear system and a set of requirements captured by bounded Stochastic Signal Temporal Logic (StSTL) contracts, we propose algorithms to check contract compatibility, consistency, and refinement, and generate a control trajectory that satisfies a contract. We leverage encodings of the verification and control synthesis tasks into mixed integer optimization problems, and conservative approximations of probabilistic constraints that produce sound and tractable problem formulations. We illustrate the effectiveness of our approach on a few examples, including the design of controllers for aircraft power distribution networks.
Out-of-place update and erase-before-write wear out P/Es and shorten SSD lifetime. Log space in an SSD is updated pages buffer to extend SSD lifetime. We propose DLSpace, a distributed log space allocation strategy, which divides log space into block- and page- log space. DLSpace fully utilizes pages in data and log blocks to avoid erasures of blocks with free pages. Experiments reveal that compared with traditional allocation strategy (TLSpace), DLSpace reduces write amplification and the number of erases by up to 55.2% and 64.1%, extends TLSpaces delay time of garbage collections by 73.3% to optimize SSD lifetime.
During the formal functional verification of RTL designs, a false failure is often observed. Most of the time, this failure is caused by an under-constrained model. The analysis of the root cause for the verification error and the creation of missing assumptions are a significant time burden. In this paper, we present a methodology to automatically mine these missing assumptions from counter-examples. First, multiple counter-examples are generated for the same property. Then, relevant behaviors are mined from the counter-examples. Finally, corresponding assumptions are filtered, and a small number of them is returned to the user for review.
In the growing Internet of Things context, thousands of computing devices with various functionalities are producing data (from environmental sensors or other sources). However, they are also collecting, storing, processing and transmitting data to eventually communicate them securely to third parties (e.g. owners of devices or cloud data storage). The deployed devices are often battery-powered mobile or static nodes equipped with sensors and/or actuators and they communicate using wireless technologies. Examples include unmanned aerial vehicles, wireless sensor nodes, smart beacons, and wearable health objects. Such resource-constrained devices include Active RFID (Radio Frequency IDentification) nodes and these are used to illustrate our proposal. In most scenarios, these nodes are unattended in an adverse environment, so data confidentiality must be ensured from the sensing phase through to delivery to authorized entities: in other words, data must be securely stored and transmitted to prevent attack by active adversaries even if the nodes are captured. However, due to the scarce resources available to nodes in terms of energy, storage and/or computation, the proposed security solution has to be lightweight. In this paper, we propose a serverless protocol to enable MDCs (Mobile Data Collectors), such as drones, to securely collect data from mobile and static Active RFID nodes and then deliver them later to an authorized third party. The whole solution ensures data confidentiality at each step (from the sensing phase, before data collection by the MDC, once data have been collected by MDC, and during final delivery) while fulfilling the lightweight requirements for the resource-limited entities involved. To assess the suitability of the protocol against the performance requirements, it was implemented on the most resource-constrained devices to get the worst possible results. In addition, to prove the protocol fulfills the security requirements, it was analyzed with regard to security games and also formally verified using the AVISPA tool.
This paper proposes Momentum, a general power-neutral methodology that can be applied to a wide-range of different computing systems, where the system dynamically scales its performance such that the consumed power equals the harvested power. This methodology combines at run-time a hierarchical control strategy, which utilizes available power management controls to achieve efficient power-neutral operation, a software-based maximum power point tracking scheme and experimental validation on two different scales of computing system. Experimental results show that Momentum operates correctly and exhibits improvements in forward application execution of up to 11% against existing power-neutral approaches, and 46% against existing static approaches.
A typical automotive integrated architecture is a controller area network (CAN) cluster integrated by a central gateway. This study proposes a novel and exact worst case response time (WCRT) analysis method for message-processing tasks in the gateway. We first propose a round search method to obtain lower bound on response time (LBRT) and upper bound on response time (UBRT), respectively. We then obtain the exact WCRT belonging to the scope of the LBRT and UBRT with an effective non-exhaustive exploration. Experiments on real CAN message set reveal that the exact analysis method can reduce 99.99999\% combinations on large-scale CAN clusters.