ARM Ltd

Until recently low power, fault tolerance and testing techniques for electronic systems have been developed mostly independently, driven by the different requirements of various market segments. The continuing demand for portable devices, however, is creating a very competitive market where low power and high reliability are the two main factors driving products success. The incompatibilities between the existing techniques for low power, fault tolerance and test are making the development of such products an expensive process. This project addresses this issue by investigating and developing fault tolerance and testing techniques that are compatible with low power, thus enabling cost-effective design and manufacturing of low power electronic systems with improved reliability. For this research we will exploit expertise on low power design using dynamic-voltage scaling, fault tolerance improvement using hardware-redundancy and customized design-for-test solutions available at Southampton University. Extensive computer simulations as well as an industrial case study involving practical experiments will be used to validate the developed techniques. The work will be carried out in close collaboration with ARM (Cambridge), and the universities of Bristol and Iowa.

The UK is home to some world-leading electronic companies including semiconductor IP supplier of low-power microprocessors (ARM), multimedia and communications cores (Imagination Technologies); which are at the heart of today's and future consumer electronics, and home entertainment. Power management is an essential enabling technology in such electronics and will become more prominent in future electronic systems. The downside of power management is that it decreases the reliability and increase the testability cost of energy-efficient hardware as demonstrated by recent academic and industrial research including that reported by the investigation team. This is because energy-efficient hardware often have no provision for tolerating run-time soft errors (unless for safety critical applications); and current methods for testing such hardware for manufacturing defects don't explicitly target power management circuitry. There are currently no fault models or test methods for power distribution networks and power management circuitry and no on-line soft error monitoring and correction methods for power management hardware. This grant application is focused on developing new fault models, methods, circuits and their validation (simulation, FPGA and AISC) to quantify and improve the resilience and testability of energy-efficient digital hardware. Particular emphasis is placed upon cost-effectiveness through joint consideration of reliability, and test and re-using on-chip hardware to minimise silicon area, power consumption and impact on functional performance. This is a three-year project involving two post-doctoral researchers (one for three years and the other for two years), and ARM (Cambridge) as an industrial partner. The project will be carried out in collaboration with Prof. F. Kurdahi (Uni. of California, Irvine) and Prof. M. Tehranipoor (Uni. of Connecticut). Both acknowledged world experts in the proposed research. This project will significantly advance the present state-of-the-art in reliable and testable energy-efficient hardware and will lead to the following research deliverables: 1. New fault models for power management circuitry and power distribution network (PDMC) to underpin their logic and timing behaviour due to soft errors and manufacturing defects; 2. New methods and circuits and their practical validation for improving testability and diagnosis (against manufacturing defects) and reliability (against soft errors) through online monitoring and correction. 3. A design automation methodology for embedding automatically into an energy-efficient design the required circuitry to enable enhanced reliability and testability using existing EDA tools.

We wish to re-architect current computer input/output (I/O) systems with security as a first-class design constraint. Existing I/O has evolved organically over the decades and now faces a 'perfect storm' of security vulnerabilities, which we aim to address. Computers today are full of processors: advertised, hidden and even unintentional. Processors, in the form of embedded microcontrollers, are hidden in 'devices' that we name as 'wireless card' or 'system management controller', but fundamentally they form a heterogenous distributed system. The software these processors run is often poorly scrutinised and may be actively malicious. As this field becomes more visible, vulnerabilities are being discovered with increasing frequency. Worse still, the trend is for 'pluggable' devices via interfaces such as USB Type-C and Thunderbolt 3: users are being trained to pick up processors, thinking they are innocuous because they are shaped like chargers or dongles. For instance, many buildings, aircraft, trains and buses now provide 'USB charging', but, without protection, the Type-C user may be exposing themselves to unexpected threats. Such threats are of substantial and increasing concern to businesses, government and consumers. By redesigning I/O with security at the core, we aim to considerably improve on today's weaknesses. We will investigate the weaknesses of current I/O and propose safer alternatives through three threads of research: 1. We will begin by performing a survey of the state-of-the-art of access-control protections in current hardware and software designs, to understand the limits of current pluggable-device security. We will focus in particular on current utilisation of Input/Output Memory Management Units (IOMMUs), which are the primary current defence that prevents devices from having unlimited Direct Memory Access (DMA) - the 'key to the kingdom' of system security that otherwise permits total compromise of firmware, OS, and applications from malicious devices. We will characterise current security-performance tradeoffs to establish a performance baseline. We will systemise new vulnerability classes and develop a corpus of vector-specific attack techniques which future defences must prevent or mitigate. Our existing preliminary results investigating IOMMU use in modern operating systems, and a growing attack literature, suggest substantial security and performance shortcomings. We therefore propose two strands of research to develop and evaluate technical approaches to defend against I/O-based attackers: 2. Many I/O devices (e.g., USB and network cards) communicate with the host operating system through messages sent and received via DMA. We will develop new techniques to restructure CPU-to-I/O interconnects to provide a message-based abstraction for untrustworthy devices, rather than depending on DMA, as is current (and highly vulnerable) best practice. 3. To address devices for which a memory-oriented semantic is intrinsic (e.g., GPUs and Remote-DMA enabled network cards), we will explore new distributed-memory protection techniques that avoid the granularity and performance limitations of IOMMU-oriented approaches. This will enable greater control of device access to host memory while improving security-performance tradeoffs. For instance we might delegate specific memory access rights to devices, with policy and unforgeability enforced by the interconnect bridges. All research will be performed via hardware-software co-design methodology and FPGA prototyping, with evaluation relative to performance, complexity, compatibility, and security metrics for both hardware and software. We will pursue these goals in close collaboration with ARM Ltd, who provide key insights into industry requirements and a transition path into commercial technologies.

Since the turn of the century, multicore processors have become commonplace in almost all computing domains. Instead of performance coming solely from the extraction of instruction-level parallelism (ILP), it now also requires software developers or compilers to break applications into multiple streams of instructions to exploit coarse-grained thread-level parallelism (TLP). Whilst extremely beneficial for a large class of programs, single-threaded performance still matters greatly, especially during sequential parts of an application where execution speed can dominate overall program performance (sometimes dubbed "Amdahl's cruel law"). In addition, improvements in single-threaded performance benefit all applications, as each thread experiences a performance uplift, thus impacting all parts of the code-sequential and parallel. However, improving single-threaded performance is hard. The move to multicore was driven by the power limitations of complex out-of-order hardware schemes to extract ILP (caused by the failure of Dennard scaling in the underlying transistor technologies). While designers do still increase the out-of-order instruction window, unfortunately this only makes a marginal difference and future designs are expected to be limited by Pollack's rule and the fundamental limits of ILP (the ILP wall). Conversely, although many applications would see a major performance boost from taking advantage of TLP, actually extracting it remains a challenge (John Hennessy said writing parallel code is "a problem that's as hard as any that computer science has faced"). This project takes a radically different approach. Instead of going back to the future with elaborate schemes for out-of-order execution, it explores the space between ILP and the coarse-grained TLP exploited by modern multicores. In particular, it focuses on the extraction of fine-grained TLP from a single stream of instructions within and across cores. On the one hand it will investigate schemes to identify and spin-up independent short-running threads (hardware threadlets) transparently to the application, so as to boost single-threaded performance. On the other, it will research compiler techniques to indicate this parallelism, with the hardware able to exploit it within and across multiple tightly coupled cores. If successful, this project would lead to a step change in performance of high-performance cores, driven by increased utilisation of core resources and the ability to increase those resources in a scalable manner. It would also open up a broader design space, trading out-of-order pipeline complexity for ILP with increased TLP, to find better balances between area, efficiency and application-domain suitability.

The Chrompartments project will explore hybrid compartmentalisation for web browsers using Chrome as a concrete example. Browsers are systemically important but present a large attack surface due to their scale and complexity: they are a magnet for attackers with frequent published attacks. Chrompartments will use CHERI to split browsers into mutually distrusting compartments, making them more resilient and performant. We will use Chrome (in the form of its open-source variant Chromium) as the vehicle for our experimentation because it is the most widely used browser and it is already partially compartmentalised in a way that we can build upon. Chrome tries when possible to split itself into process-based compartments (roughly speaking: 1 process per tab; and some core components such as graphics are split into separate processes). However, this model is heavyweight: OS processes consume considerable resources and many devices (particularly phones) quickly hit their process limits, forcing the browser to merge multiple tabs in a single process; and communication between processes is painfully slow. Some security-critical components (e.g. V8, Chrome's JavaScript engine) would ideally be split out too, but resource and performance constraints make this impractical. We will use CHERI's "hybrid mode" (i.e. where both traditional width pointers can be used alongside capabilities) to split Chrome into process-like compartments. Most code will use traditional width pointers and will be boxed into compartments; pure capabilities will allow us to emulate various forms of inter-compartment communication. We hypothesise that this will lead to greater practical security, and require fewer changes, than the ideal pure-capability-based compartmentalisation. Our overall aim is thus first to replace Chrome's process-based model with CHERI compartments, and then break those crude compartments into finer-grained compartments, enhancing security without significantly affecting performance. As well as significant engineering, there is also important research: processes give some guarantees (e.g. against some side-channel attacks) that CHERI compartments do not currently give. We will explore these guarantees and replicate them for CHERI compartments where their existence is necessary for browser security. After converting process-based isolation to CHERI compartmentalisation, Chrompartments will operate in two strands: V8, the JavaScript engine; and the graphics stack. Both strands contain significant challenges: for example, the graphics stack is currently contained within a single process no matter how many sites are using it. Understanding the right compartmentalisation points will be critical to Chrompartments' success and lead to a much greater understanding of how to use CHERI on large-scale systems.