30.10.16 - 04.11.16, Seminar 16441

Adaptive Isolation for Predictability and Security

Diese Seminarbeschreibung wurde vor dem Seminar auf unseren Webseiten veröffentlicht und bei der Einladung zum Seminar verwendet.


Today, more than 100 processor cores may be realized on a single chip (MPSoC), giving enormous parallel processing capabilities. Whereas higher (average) performance has been and still is the major driver for any MPSoC platform design, there is a big hesitation to install such platforms in embedded systems that require predictable (boundable) guarantees of non-functional properties of execution. Moreover, it may be observed that in embedded systems, each application may (a) require different qualities to be satisfied such as a demand for authentication or, alternatively, execution in a bounded amount of time. It must therefore be possible to enforce a set of non-functional qualities of execution on a multi-core platform on a per-application/job basis. (b) The above requirements on execution qualities may even change over time or during the execution of a single application or can be dependent on user/environmental settings.

Unfortunately, the way MPSoCs are built and programmed today, we may generally observe worse execution qualities for multi-cores than in the single-core case because of the sharing of resources such as cores, buses and/or memory in an unpredictable way. Moreover, multiple layers of software are controlling program executions on a complex MPSoC platform where each layer is often designed for a contradictory goal. For example, the power management firmware of an MPSoC is designed to reduce the energy/power consumption or to avoid temperature hot spots at the cost of unpredictable timing. Providing tight bounds on execution qualities of individual applications sharing an execution platform is therefore not possible on many MPSoC platforms available today.

One remedy out of this dilemma is isolation. With isolation, a set of techniques is subsumed to separate the execution of multiple programs either spatially (by allocating disjoint resources) or temporally (by separating the time intervals in which the shared resources are used). Additionally, in order to provide isolation on demand, there is need for adaptivity in all hardware as well as software layers from application program to hardware platform. Indeed, adaptivity is a key to reduce/bound execution quality variations actively on a system in an on-demand manner so as to neither overly restrict nor underutilize available resources.

Adaptive Isolation, the topic of the proposed Dagstuhl Seminar, may be seen as a novel and important research topic for providing predictability of not only timing but also security and maybe even other properties of execution on a multi-core platform on a per application basis while easing and trading off compile-time and run-time complexity.

First, a common understanding of which techniques may be used for isolation including hardware design, resource reservation protocols, virtualization, and including novel hybrid and dynamic resource assignment techniques must be found. In this realm, three major research topics shall be discussed and elaborated:

  1. Adaptive Isolation for Timing Predictability: Discuss new ways to establish isolation by means of novel hardware and software concepts, e.g., adaptive hardware. Which of the approaches/concepts for isolation can be used in adaptive scenarios? Which approach is more suitable: statistical analysis or techniques for hard guarantees? What are limitations of either approach?
  2. Isolation and Adaptivity for Security: How do security issues change by introducing adaptivity? What is the attackers’ model? With respect to which properties may security be defined? For example, basic isolation might be defined as a guarantee that no other application may read/write the data of another. May different levels of per-application security be established adaptively?
  3. Cross-Cutting Concerns. Finally, the interaction between security and timing predictability shall be explored. A malware can compromise a real-time system by making an application miss its deadline. Therefore, the system should ensure that deadline overruns in the presence of malware must be predicted or detected early and remedial actions taken. Scheduling and resource allocation should also take into account the trade-off between the timing overheads of a security protection mechanism.

A very interdisciplinary team of experts including processor designers, OS and compiler specialists, as well as experts for predictability and security analysis will evaluate these opportunities and present novel solutions.