Safe and Protected Execution in Adaptive Architectures
Andrew A. Chien
Computer Science and Engineering
University of California, San Diego
Project Kickoff Meeting
November 5, 1998
Washington, D.C.
Challenges in Integrated Adaptive Computing
• Integration with core system mechanisms enables high performance
– Multiprocess environments fundamental, even for embedded systems
– Errors in synthesis, hardware, software are common.
– How to build robust adaptive systems?
• Adaptation of core presents protection, validation, and fault-containment challenges
– How to ensure process isolation?
– How to contain synthesis or hardware faults in the system architecture?
– How to validate dynamic reconfiguration?
Static Adaptation and Protection
• Coprocessor: Host/OS based control or no protection (coprocessor TLB, I/O TLB, direct physical access)
• Host Processor: ? (target of research)
• System Chip set: ? (target of research)
• I/O devices: ? (target of research)
• Everything (system in FPGA): all of the above
• => How to confine / validate the adaptation for safe and correct execution?
[Figure: block diagram of a system with a host processor, memory (M), a coprocessor, and SCSI and Gigabit Ethernet devices attached over the system bus and I/O bus]
Dynamic Adaptation
• Dynamic reconfiguration challenges the basis of protection / validation
– What can the adaptive hardware attach to and control? Modules, internals?
– What checks / confines the actions of the dynamic adaptation?
– How to customize / generate the protection hardware to ensure confinement?
– How to customize / generate the adaptive hardware to validate the adaptation/synthesis/correctness?
[Figure: the same system with configurable wire and logic added alongside the host processor, memory (M), coprocessor, SCSI and Gigabit Ethernet]
Requirements for Safe and Protected Execution
• Multiprocess isolation
– system modularity for software (preserve)
– system modularity for software and reconfigurable hardware
– Access controlled by special instructions which check the processor mode before executing
– Processor state reflects the CPU mode
– Unauthorized accesses are trapped and handled by a privileged routine
• Privilege modes: kernel, supervisor, user
– changes via traps to privileged handlers, which limit functionality and entry points
– Base protection bootstrapped with special power-on traps and bootstrap routines
• Instructions to modify protection structures are privileged
– processor state, segment registers, TLB entries
– these control much of the access to the shared system data structures which isolate processes
Operating System Usage
• Basic user/supervisor mode distinction
– Supervisor mode allows modification of protection data structures
– Special instructions used to modify these data structures check the privilege mode and trap otherwise
– Bootstrap into privileged mode: the initial execution path is a deliberate loophole, so it must correctly set up these data structures
• Most isolation is ensured indirectly through implicit constraints on instruction execution
– Address checking in the translation lookaside buffer
– Mode checking based on instruction type
– Simple mechanisms in hardware, all conventions in software
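The mechanisms on this slide and the previous one (a privilege mode bit, privileged TLB-modifying instructions, implicit address checking on every access, traps into a privileged handler) can be made concrete with a small model. The following C program is an added example written for this page, not code from the talk or the AMRM project; the two-mode CPU, four-entry TLB, instruction names and trap types are assumptions chosen for illustration.

```c
/* Added illustration, not the project's code: a two-mode CPU with a small
 * TLB.  All names and layouts here are assumptions for the example. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TLB_ENTRIES 4
#define PAGE_SHIFT  12

enum mode   { USER = 0, SUPERVISOR = 1 };
enum access { READ = 1, WRITE = 2 };
enum trap   { TRAP_NONE = 0, TRAP_PRIVILEGED_INSN, TRAP_TLB_MISS, TRAP_PROTECTION };

struct tlb_entry {
    uint32_t vpn;      /* virtual page number */
    uint32_t ppn;      /* physical page number: the address bits that leave the core */
    uint8_t  perms;    /* READ | WRITE */
    uint8_t  user_ok;  /* 1 if user mode may touch this page */
    uint8_t  valid;
};

struct cpu {
    enum mode        mode;          /* one of the "few choice bits of machine state" */
    struct tlb_entry tlb[TLB_ENTRIES];
    enum trap        last_trap;
    int              trap_count;
};

/* Power-on: supervisor mode, empty TLB.  Nothing is protected yet; the bootstrap
 * code (the "initial execution loophole") must install entries before dropping to user. */
static void cpu_reset(struct cpu *c)
{
    memset(c, 0, sizeof *c);
    c->mode = SUPERVISOR;
}

/* Every trap enters the privileged handler.  This one only records the trap;
 * a real kernel would signal or kill the offending process. */
static void trap_handler(struct cpu *c, enum trap t)
{
    c->last_trap = t;
    c->trap_count++;
    c->mode = SUPERVISOR;
}

/* Privileged instruction: install a TLB entry.  The mode check comes first,
 * so user code cannot grant itself access to anything. */
static int insn_tlb_write(struct cpu *c, int slot, uint32_t vpn, uint32_t ppn,
                          uint8_t perms, uint8_t user_ok)
{
    if (c->mode != SUPERVISOR) { trap_handler(c, TRAP_PRIVILEGED_INSN); return -1; }
    if (slot < 0 || slot >= TLB_ENTRIES) return -1;
    c->tlb[slot] = (struct tlb_entry){ vpn, ppn, perms, user_ok, 1 };
    return 0;
}

/* Privileged instruction: lower privilege to user mode (return from the handler). */
static int insn_return_to_user(struct cpu *c)
{
    if (c->mode != SUPERVISOR) { trap_handler(c, TRAP_PRIVILEGED_INSN); return -1; }
    c->mode = USER;
    return 0;
}

/* Implicit, out-of-line check on every load/store.  The TLB decides which
 * physical address bits are sent to the rest of the machine, if any. */
static int translate(struct cpu *c, uint32_t vaddr, enum access acc, uint32_t *paddr)
{
    uint32_t vpn = vaddr >> PAGE_SHIFT;
    for (int i = 0; i < TLB_ENTRIES; i++) {
        const struct tlb_entry *e = &c->tlb[i];
        if (!e->valid || e->vpn != vpn) continue;
        if ((c->mode == USER && !e->user_ok) || (e->perms & acc) != acc) {
            trap_handler(c, TRAP_PROTECTION);
            return -1;
        }
        *paddr = (e->ppn << PAGE_SHIFT) | (vaddr & ((1u << PAGE_SHIFT) - 1));
        return 0;
    }
    trap_handler(c, TRAP_TLB_MISS);
    return -1;
}

int main(void)
{
    struct cpu c; uint32_t pa;
    cpu_reset(&c);
    insn_tlb_write(&c, 0, 0x10, 0x200, READ | WRITE, 1);  /* user page      */
    insn_tlb_write(&c, 1, 0x80, 0x300, READ | WRITE, 0);  /* kernel page    */
    insn_return_to_user(&c);
    printf("user store 0x10abc: %s\n", translate(&c, 0x10abc, WRITE, &pa) ? "trap" : "ok");
    printf("user load 0x80010: %s (trap %d)\n", translate(&c, 0x80010, READ, &pa) ? "trap" : "ok", (int)c.last_trap);
    insn_return_to_user(&c);
    printf("user TLB write: %s (trap %d)\n", insn_tlb_write(&c, 2, 0x80, 0x300, READ | WRITE, 1) ? "trap" : "ok", (int)c.last_trap);
    return 0;
}
```

What the model makes visible is how small the trusted hardware is: the mode bit, the two privileged instructions and the translation path. Everything else in the core can be reconfigured without affecting isolation, but adaptive logic that can drive the address lines without passing through `translate`, or that can write the mode bit, defeats the scheme outright; that is the confinement question the Dynamic Adaptation slide raises.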
Initial Analysis
• Requirements/observations for a process isolation scheme
• Protection axioms include
– Out-of-line implicit checking through modes and external units (e.g. addressing)
– Complex schemes (e.g. protection rings, capabilities, ACLs) are *not* used at the hardware level
• Nearly all of the hardware within a conventional processor core is potentially configurable...
– novel operations, instructions, use of registers, datapath, caches, and almost anything else
– Sensitive parts include the TLB/address checking, a few choice bits of machine state (e.g. privilege level), a few key instructions, and the actual address bits which are sent to the rest of the machine
• Writing a document which describes the axiomatic framework and complete analysis
– Outlines architecture requirements for protected execution in the presence of reconfigurable hardware
– First basis of useful distinctions (safe or not)
• Variety of systematic techniques for online validation of reconfigurable systems
– Invariant and multiversion synthesis
• Supporting synthesis constraints and architecture structures for online validation (invariant introduction, monitoring, and containment)
• Characterization of cost and effectiveness
– Cost: hardware, speed, and computation (synthesis) effort
– Effectiveness: coverage of errors and faults
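The slide only names the validation techniques. The following C program is an added example, not the project's code, sketching how multiversion comparison and invariant monitoring combine with containment for one adaptive unit. The unit (a streaming address generator), its two "synthesized" versions, the bounds invariant and the injected fault are all assumptions made for illustration.

```c
/* Added illustration, not the project's code: online validation of one
 * reconfigurable unit by multiversion comparison plus an invariant monitor,
 * with containment on the first failure.  All details are assumptions. */
#include <stdint.h>
#include <stdio.h>

/* An adaptive address generator streaming base + i*stride.  It is only ever
 * allowed to emit addresses in [base, limit): that is the invariant. */
struct adaptive_unit {
    uint32_t base, stride, limit;
    uint32_t fault_mask;   /* XORed into version B from step fault_after on */
    uint32_t fault_after;  /* emulates a synthesis/hardware error that appears at run time */
    int      contained;    /* once set, outputs are no longer driven to the bus */
    int      mismatches, violations;
};

/* Version A: direct multiply. */
static uint32_t version_a(const struct adaptive_unit *u, uint32_t i)
{
    return u->base + i * u->stride;
}

/* Version B: independently synthesized as repeated addition, with the
 * injected fault to show the comparator catching divergence. */
static uint32_t version_b(const struct adaptive_unit *u, uint32_t i)
{
    uint32_t a = u->base;
    for (uint32_t k = 0; k < i; k++)
        a += u->stride;
    if (u->fault_mask && i >= u->fault_after)
        a ^= u->fault_mask;
    return a;
}

/* Invariant introduced at synthesis time and checked on every output. */
static int invariant_holds(const struct adaptive_unit *u, uint32_t addr)
{
    return addr >= u->base && addr < u->limit;
}

/* Monitor: compare the two versions, check the invariant, contain on failure.
 * Returns 0 with *addr set when the output is validated, -1 otherwise. */
static int unit_step(struct adaptive_unit *u, uint32_t i, uint32_t *addr)
{
    if (u->contained)
        return -1;
    uint32_t a = version_a(u, i), b = version_b(u, i);
    if (a != b) {                   /* divergence: at least one version is wrong */
        u->mismatches++;
        u->contained = 1;
        return -1;
    }
    if (!invariant_holds(u, a)) {   /* common-mode error: both agree, both wrong */
        u->violations++;
        u->contained = 1;
        return -1;
    }
    *addr = a;
    return 0;
}

/* Drive n steps; returns how many addresses were actually released to the bus. */
static int run_stream(struct adaptive_unit *u, uint32_t n, uint32_t *out)
{
    int released = 0;
    for (uint32_t i = 0; i < n; i++) {
        if (unit_step(u, i, &out[released]) != 0)
            break;
        released++;
    }
    return released;
}

int main(void)
{
    uint32_t out[16];
    struct adaptive_unit bad_cfg = { .base = 0x1000, .stride = 0x100, .limit = 0x1400 };
    struct adaptive_unit faulty  = { .base = 0x1000, .stride = 0x100, .limit = 0x10000,
                                     .fault_mask = 0x8, .fault_after = 3 };
    printf("misconfigured stride: %d released, %d violations\n",
           run_stream(&bad_cfg, 8, out), bad_cfg.violations);
    printf("injected fault: %d released, %d mismatches\n",
           run_stream(&faulty, 8, out), faulty.mismatches);
    return 0;
}
```

The two checks cover different error classes, which is why the slide lists both: comparison catches any divergence between independently synthesized versions (a hardware fault or a synthesis bug in one of them) but is blind to common-mode errors such as a configuration both versions share, which the invariant catches. The price is the duplicated logic, the comparator and the invariant checker, i.e. exactly the hardware and speed cost the last bullet asks to characterize.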
Summary
• Develop and demonstrate architectures and techniques for safe and protected execution in statically and dynamically configurable systems
• Develop architectural classifications for mechanisms which provide successively greater levels of safety for both statically and dynamically configurable systems
• => Understand the protection / validation implications of design choices / features
• Design and evaluate a spectrum of techniques for online validation in support of dynamic adaptation
• Demonstrate them on AMRM II prototype hardware
Challenges
• How to perform experiments?
– What are reasonable application workloads?
– What are reasonable error models?
– What are reasonable fault models?
– What tools/vehicles are available for experiments?
– What are good metrics?
• What constitutes a good design?
– A single architecture?
– The knowledge to rationally design a set of architectures subject to application and technology constraints?
Bullets for Milestones and Timeline
• Yr 2: Axiomatic Framework for Flexible Reconfiguration with Provable Safety Guarantees
• Yr 3: Demonstrated Synthesis and Invariant Techniques for Online Validation with high assurance