Dagstuhl Seminar 16441
Adaptive Isolation for Predictability and Security
(Oct 30 – Nov 04, 2016)
Organizers
- Tulika Mitra (National University of Singapore, SG)
- Jürgen Teich (Universität Erlangen-Nürnberg, DE)
- Lothar Thiele (ETH Zürich, CH)
- Ingrid Verbauwhede (KU Leuven, BE)
Contact
- Susanne Bach-Bernhard (for administrative matters)
Today, more than 100 processor cores may be realized on a single chip (MPSoC), giving enormous parallel processing capabilities. Whereas higher (average) performance has been and still is the major driver for any MPSoC platform design, there is considerable hesitation to install such platforms in embedded systems that require predictable (boundable) guarantees of non-functional properties of execution. Moreover, it may be observed that in embedded systems, each application may (a) require different qualities to be satisfied, such as a demand for authentication or, alternatively, execution within a bounded amount of time. It must therefore be possible to enforce a set of non-functional qualities of execution on a multi-core platform on a per-application/job basis. (b) The above requirements on execution qualities may even change over time or during the execution of a single application, or may depend on user or environmental settings.
Unfortunately, the way MPSoCs are built and programmed today, we may generally observe worse execution qualities for multi-cores than in the single-core case, because resources such as cores, buses and/or memory are shared in an unpredictable way. Moreover, multiple layers of software control program execution on a complex MPSoC platform, and each layer is often designed for a conflicting goal. For example, the power management firmware of an MPSoC is designed to reduce the energy/power consumption or to avoid temperature hot spots, at the cost of unpredictable timing. Providing tight bounds on the execution qualities of individual applications sharing an execution platform is therefore not possible on many MPSoC platforms available today.
One remedy out of this dilemma is isolation. Isolation subsumes a set of techniques that separate the execution of multiple programs either spatially (by allocating disjoint resources) or temporally (by separating the time intervals in which the shared resources are used). Additionally, in order to provide isolation on demand, there is a need for adaptivity in all hardware as well as software layers, from the application program down to the hardware platform. Indeed, adaptivity is a key to actively reducing or bounding execution quality variations on a system in an on-demand manner, so as to neither overly restrict nor underutilize the available resources.
Adaptive Isolation, the topic of the proposed Dagstuhl Seminar, may be seen as a novel and important research topic for providing predictability of not only timing but also security, and maybe even other properties of execution, on a multi-core platform on a per-application basis, while easing and trading off compile-time and run-time complexity.
First, a common understanding of which techniques may be used for isolation, including hardware design, resource reservation protocols, virtualization, and novel hybrid and dynamic resource assignment techniques, must be found. In this realm, three major research topics shall be discussed and elaborated:
- Adaptive Isolation for Timing Predictability: Discuss new ways to establish isolation by means of novel hardware and software concepts, e.g., adaptive hardware. Which of the approaches/concepts for isolation can be used in adaptive scenarios? Which approach is more suitable: statistical analysis or techniques for hard guarantees? What are the limitations of either approach?
- Isolation and Adaptivity for Security: How do security issues change when adaptivity is introduced? What is the attacker model? With respect to which properties may security be defined? For example, basic isolation might be defined as a guarantee that no application may read or write the data of another. May different levels of per-application security be established adaptively?
- Cross-Cutting Concerns: Finally, the interaction between security and timing predictability shall be explored. Malware can compromise a real-time system by making an application miss its deadline. Therefore, the system should ensure that deadline overruns in the presence of malware are predicted or detected early and that remedial actions are taken. Scheduling and resource allocation should also take into account the timing overheads introduced by security protection mechanisms.
A very interdisciplinary team of experts including processor designers, OS and compiler specialists, as well as experts for predictability and security analysis will evaluate these opportunities and present novel solutions.
The semiconductor industry has shifted from processor clock speed optimization (having reached its physical limits) to parallel and heterogeneous many-core architectures. Indeed, continuous technological scaling today enables the integration of a hundred or more cores and, thus, enormous parallel processing capabilities. Whereas higher (average) performance has been and still is the major driver for any MPSoC platform design, there is a huge hesitation and fear to install such platforms in embedded systems that require predictable (boundable) guarantees of non-functional properties of execution rather than average properties for a mix of applications. Moreover, it may be observed that in an embedded system, each application running on a platform typically a) requires different qualities to be satisfied. For example, one application might demand authentication, thus requiring the guarantee of unmodified data and program, but have no requirements on the speed of execution. Another application might rather require the execution to meet a set of real-time properties such as a deadline or a target data rate. To give an example, consider a driver assistance video processing application in a car that must detect obstacles in front of the car fast enough so as to activate the brake system in a timely manner. It must therefore be possible to enforce a set of non-functional qualities of execution on a multi-core platform on a per-application/job basis. b) The above requirements on execution qualities may even change over time or during the program execution of a single application, or may depend on user or environmental settings. For example, one user might not care about sending or distributing personal information over the communication interfaces of a mobile phone, whereas another one cares a lot, even in the presence of side channels.
Unfortunately, the way MPSoCs are built and programmed today, embedded system engineers often experience even worse execution qualities than in the single-core case, the reason being the sharing of resources such as cores, buses and/or memory in an unpredictable way. Another obstacle to a successful deployment of multi-core technology in embedded systems is the rather unmanageable complexity. This holds particularly true for the complexity of analyzing a system for predictable execution qualities at either compile-time or run-time, or using hybrid analysis techniques. The complexity is caused here by the abundant number of resources on the MPSoC, the increasing possibilities of interference created by their concurrent execution, and the multiple layers of software controlling program execution on a platform. Such layers are often designed for contradictory goals. For example, the power management firmware of an MPSoC may be designed to reduce the energy/power consumption or avoid temperature hot spots. The OS scheduler, on the other hand, may be designed to maximize the average CPU utilization for average performance. Providing tight bounds on the execution qualities of individual applications sharing an execution platform is therefore not possible on many MPSoC platforms available today.
One remedy out of this dilemma, proposed long before the introduction of any MPSoC technology, is isolation. Isolation subsumes a set of techniques that separate the execution of multiple programs either spatially (by allocating disjoint resources) or temporally (by separating the time intervals in which shared resources are used). Additionally, in order to provide isolation on demand, there is the need for adaptivity in all hardware as well as software layers, from the application program down to the executing hardware platform. Indeed, adaptivity is considered a key topic in order to actively reduce or bound execution quality variations on a system in an on-demand manner, so as to neither overly restrict nor underutilize the available resources.
Adaptive Isolation, the topic of the proposed Dagstuhl seminar, may be seen as a novel and important research topic for providing predictability of not only timing but also security, and maybe even other properties of execution, on a multi-core platform on a per-application/job basis, while easing and trading off compile-time and run-time complexity.
First, a common understanding of which techniques may be used for isolation, including hardware unit design, resource reservation protocols, virtualization techniques, and novel hybrid and dynamic resource assignment techniques, was discussed. Second, a very interdisciplinary team of experts, including processor designers, OS and compiler specialists, as well as experts in predictability and security analysis, was brought together to evaluate these opportunities and present novel solutions. The competencies, experiences, and existing solutions of the multiple communities stimulated discussions and co-operations that will hopefully manifest in innovative research directions for enabling predictability on demand on standard embedded MPSoCs.
Participants
- Davide Bertozzi (Università di Ferrara, IT) [dblp]
- Björn B. Brandenburg (MPI-SWS - Kaiserslautern, DE) [dblp]
- David Broman (KTH Royal Institute of Technology, SE) [dblp]
- Samarjit Chakraborty (TU München, DE) [dblp]
- Sudipta Chattopadhyay (Universität des Saarlandes, DE) [dblp]
- Jian-Jia Chen (TU Dortmund, DE) [dblp]
- Albert Cohen (ENS - Paris, FR) [dblp]
- Ruan de Clercq (KU Leuven, BE) [dblp]
- Heiko Falk (TU Hamburg-Harburg, DE) [dblp]
- Felix Freiling (Universität Erlangen-Nürnberg, DE) [dblp]
- Johannes Götzfried (Universität Erlangen-Nürnberg, DE) [dblp]
- Gernot Heiser (UNSW - Sydney, AU) [dblp]
- Andreas Herkersdorf (TU München, DE) [dblp]
- Karine Heydemann (UPMC - Paris, FR) [dblp]
- Patrick Koeberl (Intel - Hillsboro, US) [dblp]
- Pieter Maene (KU Leuven, BE) [dblp]
- Claire Maiza (Université Grenoble Alpes - Saint Martin d'Hères, FR) [dblp]
- Peter Marwedel (TU Dortmund, DE) [dblp]
- Tulika Mitra (National University of Singapore, SG) [dblp]
- Sibin Mohan (Univ. of Illinois - Urbana, US) [dblp]
- Frank Mueller (North Carolina State University - Raleigh, US) [dblp]
- Sri Parameswaran (UNSW - Sydney, AU) [dblp]
- Jan Reineke (Universität des Saarlandes, DE) [dblp]
- Christine Rochange (University Toulouse, FR) [dblp]
- Zoran Salcic (University of Auckland, NZ) [dblp]
- Patrick Schaumont (Virginia Polytechnic Institute - Blacksburg, US) [dblp]
- Martin Schoeberl (Technical University of Denmark - Lyngby, DK) [dblp]
- Wolfgang Schröder-Preikschat (Universität Erlangen-Nürnberg, DE) [dblp]
- Takeshi Sugawara (Mitsubishi - Kanagawa, JP) [dblp]
- Jürgen Teich (Universität Erlangen-Nürnberg, DE) [dblp]
- Lothar Thiele (ETH Zürich, CH) [dblp]
- Theo Ungerer (Universität Augsburg, DE) [dblp]
- Reinhard von Hanxleden (Universität Kiel, DE) [dblp]
- Stefan Wildermann (Universität Erlangen-Nürnberg, DE) [dblp]
- Reinhard Wilhelm (Universität des Saarlandes, DE) [dblp]
Classification
- hardware
- optimization / scheduling
- security / cryptology
Keywords
- Parallel Computing
- Programming Tools
- Timing Analysis
- Embedded Security
- Embedded Systems
- MPSoC
- Virtualization