Detecting and Removing Malicious Hardware Automatically


Appears in Proceedings of the 31st IEEE Symposium on Security & Privacy (Oakland), May 2010

Overcoming an Untrusted Computing Base: Detecting and Removing Malicious Hardware Automatically

Matthew Hicks, Murph Finnicum, Samuel T. King (University of Illinois at Urbana-Champaign)
Milo M. K. Martin, Jonathan M. Smith (University of Pennsylvania)

Abstract

The computer systems security arms race between attackers and defenders has largely taken place in the domain of software systems, but as hardware complexity and design processes have evolved, novel and potent hardware-based security threats are now possible. This paper presents a hybrid hardware/software approach to defending against malicious hardware.

We propose BlueChip, a defensive strategy that has both a design-time component and a runtime component. During the design verification phase, BlueChip invokes a new technique, unused circuit identification (UCI), to identify suspicious circuitry—those circuits not used or otherwise activated by any of the design verification tests. BlueChip removes the suspicious circuitry and replaces it with exception generation hardware. The exception handler software is responsible for providing forward progress by emulating the effect of the exception-generating instruction in software, effectively providing a detour around suspicious hardware. In our experiments, BlueChip is able to prevent all hardware attacks we evaluate while incurring a small runtime overhead.

1 Introduction

Modern hardware design processes closely resemble the software design process. Hardware designs consist of millions of lines of code and often leverage libraries, toolkits, and components from multiple vendors. These designs are then "compiled" (synthesized) for fabrication. As with software, the growing complexity of hardware designs creates opportunities for hardware to become a vehicle for malice. Recent work has demonstrated that small malicious modifications to a hardware-level design can compromise the security of the entire computing system [22].

Malicious hardware has two key properties that make it even more damaging than malicious software. First, hardware presents a more persistent attack vector. Whereas software vulnerabilities can be fixed via software update patches or reimaging, fixing well-crafted hardware-level vulnerabilities would likely require physically replacing the compromised hardware components. A hardware recall similar to Intel's Pentium FDIV bug (which cost 500 million dollars to recall five million chips) has been estimated to cost many billions of dollars today [7]. Furthermore, the skill required to replace hardware and the rise of deeply embedded systems ensure that vulnerable systems will remain in active use after the discovery of the vulnerability. Second, hardware is the lowest layer in the computer system, providing malicious hardware with control over the software running above. This low-level control enables sophisticated and stealthy attacks aimed at evading software-based defenses.

Such an attack might use a special, or unlikely, event to trigger deeply buried malicious logic which was inserted during design time. For example, attackers might introduce a sequence of bytes into the hardware that activates the malicious logic. This logic might escalate privileges, turn off access control checks, or execute arbitrary instructions, providing a path for the malefactor to take control of the machine. The malicious hardware thus provides a foothold for subsequent system-level attacks.

In this paper we present the design, implementation, and evaluation of BlueChip, a hybrid design-time/runtime system for detecting and neutralizing malicious circuits. During the design phase, BlueChip flags as suspicious any unused circuitry (any circuit not activated by any of the many design verification tests) and deactivates it. However, these seemingly suspicious circuits might actually be part of a legitimate circuit within the design, so BlueChip inserts circuitry to raise an exception whenever one of these suspicious circuits would have been activated. The exception handler software is responsible for emulating hardware instructions to allow the system to continue execution. BlueChip's overall goal is to push the complexity of coping with malicious hardware up to a higher, more flexible, and adaptable layer in the system stack.

The contributions of this paper are:

• We present the BlueChip system (Sections 3 and 4), which automatically removes potentially malicious circuits from a hardware design and uses low-level software to emulate around removed hardware.

• We propose an algorithm (Section 5), called unused circuit identification, for automatically identifying circuits that avoid affecting outputs during design verification. We demonstrate its feasibility (Section 6) for use in addressing the problem of detecting malicious hardware.

• We demonstrate (Sections 7, 8, and 9), using fully-tested malicious hardware modifications as test cases on a SPARC processor implementation operating on an FPGA, that: (1) the system successfully prevents three different malicious hardware modifications, and (2) the performance effects (and hence the overhead) of the system are small.

2 Motivation and attack model

This paper focuses on the problem of malicious circuits introduced during the hardware design process. Today's complicated hardware designs are increasingly vulnerable to the undetected insertion of malicious circuitry to create a hardware trojan horse. In other domains, examples of this general type of intentional insertion of malicious functionality include compromises of software development tools [26], system designers inserting malicious source code intentionally [8, 20, 21], compromised servers that host modified source code [11, 12], and products that come pre-installed with malware [1, 4, 25]. Such attacks introduce little risk of punishment, because the complexity of modern systems and the prevalence of unintentional bugs make it difficult to prove malice or to correctly attribute the problem to its source [27].

More specifically, our threat model is that a rogue designer covertly adds trojan circuits to a hardware design. We focus on two possible scenarios for such rogue insertion. First, one or more disgruntled employees at a hardware design company surreptitiously and intentionally insert malicious circuits into a design prior to final design validation with the hope that the changes will evade detection. The malicious hardware demonstrated by King et al. [22] supports the plausibility of this scenario, in that only small and localized changes (e.g., to a single hardware source file) are sufficient for creating powerful malicious circuits designed for bootstrapping larger system-level attacks. We call such malicious circuits footholds, and such footholds persist even after malicious software has been discovered and removed, giving attackers a permanent vector into a compromised

lectual property) blocks. Many system-on-chip (SoC) designs aggregate subcomponents from existing commercial or open-source IP. Although generally trusted, these third-party IP blocks may not be trustworthy. In this scenario, an attacker can create new IP or modify existing IP blocks to add malicious circuits. The attacker then distributes or licenses the IP in the hope that some SoC creator will incorporate it and include it in a fabricated chip. Although the SoC creator will likely perform significant design verification focused on finding design bugs, traditional black-box design verification is unlikely to reveal malicious hardware.

In either scenario, the attacker's motivation could be financial or general malice. If the design modification remains undetected by final design validation and verification, the malicious circuitry will be present in the manufactured hardware that is shipped to customers and integrated into computing systems. The attacker has achieved this without the resources necessary to actually fabricate a chip or otherwise attack the manufacturing and distribution supply chain. We assume that only one or a few individuals are acting maliciously (i.e., not the entire design team) and that these individuals are unable to compromise the final end-to-end design verification and validation process, which is typically performed by a distinct group of engineers.

Our approach to detecting insertions of malicious hardware assumes analysis at the level of a hardware netlist or hardware description language (HDL) source. In the two scenarios outlined, this assumption is reasonable, as (1) design validation and verification is primarily performed at this level and (2) softcore IP blocks are often distributed in HDL or netlist form.

We assume the system software is trustworthy and non-malicious (although the malicious hardware may attempt to subvert the overlying software layers).

3 The BlueChip approach

Our overall BlueChip architecture is shown in Figure 1. In the first phase of operation, BlueChip analyzes the circuit's behavior during design verification to identify candidate circuits that might be malicious. Once BlueChip identifies a suspect circuit, BlueChip automatically removes the circuit from the design. Because BlueChip might remove legitimate circuits as part of the transformation, it inserts logic to detect if the removed circuits would have been activated, and triggers an exception if the hardware encounters this condition during runtime. The hardware delivers this exception to the BlueChip
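The design-time/runtime split described above (flag circuits that verification never exercises, detour around them, and raise an exception to software when the detoured logic would have fired) can be traced end to end on a toy gate-level netlist. The Python model below is an added illustration for this page; it is not the authors' BlueChip or UCI code, and it simplifies the problem to a purely combinational circuit. The flagging rule it uses (a source/sink dependency is "unused" when the sink never differed from the source in any verification test) is one way to operationalise the paper's phrase "circuits that avoid affecting outputs during design verification", and keeping the original gate beside the bypass wire purely to drive the exception signal is this example's own modelling choice. The access-check circuit, its magic-address trigger, all signal names, the handler and the verification vectors are constructed for the example.

```python
"""Toy model of BlueChip's design-time/runtime split on a gate-level netlist.
Illustration written for this page, not the authors' BlueChip/UCI code: the
circuit, its hidden trigger, signal names and test vectors are constructed."""
from itertools import product

# netlist: dict of driven signal -> (op, operand names), listed in evaluation
# order; any name that never appears as a key is a primary input.
OPS = {"and": lambda a, b: a & b, "or": lambda a, b: a | b,
       "xor": lambda a, b: a ^ b, "not": lambda a: 1 - a, "buf": lambda a: a}


def simulate(netlist, inputs):
    """Evaluate every signal for one set of primary-input values."""
    vals = dict(inputs)
    for sig, (op, args) in netlist.items():
        vals[sig] = OPS[op](*(vals[a] for a in args))
    return vals


def transitive_inputs(netlist, sig):
    """Every signal that can influence sig through the gates feeding it."""
    found, stack = set(), list(netlist[sig][1])
    while stack:
        x = stack.pop()
        if x not in found:
            found.add(x)
            stack.extend(netlist[x][1] if x in netlist else ())
    return found


def uci(netlist, tests):
    """Unused circuit identification, as read from the paper's description:
    a (src, sink) dependency is flagged when sink equalled src in every
    verification test, so the logic between them never affected the output."""
    pairs = {(x, s) for s in netlist for x in transitive_inputs(netlist, s)}
    for vec in tests:
        vals = simulate(netlist, vec)
        pairs = {(x, s) for x, s in pairs if vals[x] == vals[s]}
    return pairs


def bluechip_transform(netlist, flagged):
    """Design-time step.  Each flagged sink is rewired straight from its source
    (the suspicious logic is detoured); the original logic is kept only to
    drive an exception signal that fires when the removed circuit would have
    produced a different value.  Returns (hardened netlist, exception signals)."""
    hardened, excs = dict(netlist), []
    for src, sink in sorted(flagged):
        hardened[sink] = ("buf", (src,))                    # detour: sink := src
        hardened[sink + "__orig"] = netlist[sink]           # removed logic, detection only
        hardened["exc__" + sink] = ("xor", (sink + "__orig", sink))
        excs.append("exc__" + sink)
    return hardened, excs


def run_with_bluechip(hardened, excs, inputs, handler, outputs):
    """Runtime step: one cycle of the hardened hardware.  If an exception signal
    fires, the software handler recomputes the outputs from the specification
    instead of trusting the hardware's value."""
    vals = simulate(hardened, inputs)
    if any(vals[e] for e in excs):
        return handler(inputs), True
    return {o: vals[o] for o in outputs}, False


# --- constructed example design --------------------------------------------
def build_design():
    """Access check with a hidden trigger.  Honest design: allow = is_supervisor.
    The rogue addition ORs in a 4-bit address comparator: addr == 0b1011
    forces the check to pass regardless of privilege."""
    return {"n_a2": ("not", ("a2",)),
            "match_hi": ("and", ("a3", "n_a2")),            # a3 & ~a2
            "match_lo": ("and", ("a1", "a0")),              # a1 & a0
            "trigger": ("and", ("match_hi", "match_lo")),
            "allow": ("or", ("is_supervisor", "trigger"))}


def inputs_for(sup, addr):
    return {"is_supervisor": sup, "a3": (addr >> 3) & 1, "a2": (addr >> 2) & 1,
            "a1": (addr >> 1) & 1, "a0": addr & 1}


def verification_tests():
    """Constructed suite: both privilege levels against several addresses.
    Like a real suite it never happens to hit 0b1011, so the trigger stays
    dormant and UCI sees allow track is_supervisor exactly."""
    addrs = [0b0000, 0b0001, 0b0101, 0b1000, 0b1110, 0b1111]
    return [inputs_for(sup, a) for sup, a in product((0, 1), addrs)]


def access_check_handler(inputs):
    """Exception handler: software emulates the documented semantics."""
    return {"allow": inputs["is_supervisor"]}


def demo():
    """Returns (flagged pairs, allow from the raw design at the magic address,
    allow under BlueChip, whether the exception fired)."""
    design = build_design()
    flagged = uci(design, verification_tests())
    hardened, excs = bluechip_transform(design, flagged)
    magic = inputs_for(0, 0b1011)                  # unprivileged caller, magic address
    raw = simulate(design, magic)["allow"]
    out, fired = run_with_bluechip(hardened, excs, magic, access_check_handler, ["allow"])
    return flagged, raw, out["allow"], fired
```

Running `demo()` flags only the `is_supervisor -> allow` dependency (the comparator feeding the OR gate never changed `allow` during verification), the raw design grants access to an unprivileged caller at the magic address, and the hardened design instead raises the exception and lets the handler deny it; ordinary addresses pass through the bypass wire with no exception. Two caveats carry over to the real system: the flagging is only as good as the verification suite's coverage, and legitimate but rarely-exercised logic is flagged too, which is exactly why the removed circuit is replaced by an exception rather than silently deleted.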