SIListra. Coded Processing in Medical Devices. Dr. Martin Süßkraut (TU-Dresden / SIListra Systems)

Transcription

1 SIListra making systems safer Coded Processing in Medical Devices Dr. Martin Süßkraut (TU-Dresden / SIListra Systems) martin.suesskraut@se.inf.tu-dresden.de Embedded goes Medical 5./6. Oct

2 SIListra making systems safer Mission: safer, less expensive safety critical system New Technology to detect execution errors 2

3 SIListra making systems safer Mission: IEC safer, less expensive safety critical system New Technology to detect execution errors 2

4 SIListra making systems safer Mission: IEC safer, less expensive safety critical system New Technology to detect execution errors Coded Processing 2

5 SIListra making systems safer Mission: IEC safer, less expensive safety critical system New Technology to detect execution errors Coded Processing 2

6 EXECUTION ERRORS Examples: Radio therapy device: Calculate wrong but lethal radiation dose Patient monitor: Don t raise an alarm when patient is in critical condition Reasons: Physical limits; hardware aging; design faults; interference 3

7 MOTIVATION: EXECUTION ERRORS Correct Software Hardware (e.g., CPU) 4

8 MOTIVATION: EXECUTION ERRORS a = 2 b = 3 Correct Software Hardware (e.g., CPU) 4

9 MOTIVATION: EXECUTION ERRORS a = 2 b = 3 Correct Software a + b Hardware (e.g., CPU) 4

10 MOTIVATION: EXECUTION ERRORS a = 2 b = 3 Correct Software a + b Hardware (e.g., CPU) = 5 4

11 MOTIVATION: EXECUTION ERRORS a = 2 b = 3 5 Correct Software a + b Hardware (e.g., CPU) = 5 4

12 MOTIVATION: EXECUTION ERRORS a = 2 b = 3 57 Correct Software a + b Hardware (e.g., CPU) = 75 4

13 MOTIVATION: EXECUTION ERRORS a = 2 b = 3 57 Not a SW failure; a HW failure Correct Software a + b Hardware (e.g., CPU) = 75 4

14 CLASSICAL APPROACH: TWO CHANNELS a = 2 b = 3 5 Software Hardware 5

15 CLASSICAL APPROACH: TWO CHANNELS a = 2 b = 3 5 a = 2 b = 3 5 Software Software Hardware Hardware 5

16 CLASSICAL APPROACH: TWO CHANNELS a = 2 b = 3 5 a = 2 b = 3 57 Software Software Hardware Hardware 5

17 CLASSICAL APPROACH: TWO CHANNELS twice the hardware do not detect design failures and interference 6

18 CODED PROCESSING: ONE CHANNEL a = 2 b = 3 5 Coded Software Hardware 7

19 CODED PROCESSING: ONE CHANNEL a = 2 b = 3 5 OK Coded Software Hardware 7

20 CODED PROCESSING: ONE CHANNEL a = 2 b = 3 75 Fail OK Coded Software Hardware 7

21 EXECUTION ERRORS Correct Program failure propagation failure propagation failure propagation Hardware Compiler Interference: OS/Middleware 8

22 AGENDA Software Coded Processing Arithmetic Codes SIListra Transformer Measurements 9

23 SOFTWARE CODED PROCESSING 10

24 HISTORY Foundation Forin s Vital Coded Processor (VCP) used by rail road industry in the 90s in France used by automation engineering however: no automatic transformation no broad programming language support 11

25 SOFTWARE CODED PROCESSING Input values I1, I2, I3,... Program O1, O2, O3,... Output values [Forin90] P. Forin, Vital Coded Microprocessor Priniciples and Application for various Transit Systems, in Control, Computers, Communication in Transportation, IFAC Symposia Series,

26 SOFTWARE CODED PROCESSING Input values Checksums S1, S2, S3,... Coded I1, I2, I3,... Program O1, O2, O3,... Output values [Forin90] P. Forin, Vital Coded Microprocessor Priniciples and Application for various Transit Systems, in Control, Computers, Communication in Transportation, IFAC Symposia Series,

27 WATCHDOG Coded Input Program Output Watchdog Pre-computed checksums 13

28 WATCHDOG Coded Checksums Input Program Output Watchdog Pre-computed checksums 13

29 PROTECTION Detects: Transient and permanent failures in processing unit (including memory) Systematic failures in processing unit (including memory) Systematic failures in Compiler, OS, and other SW running on processing unit 14

30 FAILURE MODEL Data flow failures faulty operation modified operand Control flow failures wrong jumps, wrong calls modified IP exchanged operand exchanged operation lost store [Forin90] P. Forin, Vital Coded Microprocessor Priniciples and Application for various Transit Systems, in Control, Computers, Communication in Transportation, IFAC Symposia Series,

31 TOOLS Transformer Transforms program Coded program calculates checksums at runtime 16

32 TOOLS Transformer Transforms program Coded program calculates checksums at runtime Checksums Calculator Pre-calculates checksum based on original program 16

33 ARITHMETIC CODES 17

34 ARITHMETIC CODES OVERVIEW domain of data words valid code word Figure by Ute Schiffel. 18

35 ARITHMETIC CODES OVERVIEW + domain of data words valid code word + valid operation Figure by Ute Schiffel. 18

36 ARITHMETIC CODES OVERVIEW + domain of data words valid code word + valid operation faulty operation Figure by Ute Schiffel. 18

37 ARITHMETIC CODES OVERVIEW + + domain of data words valid code word + valid operation faulty operation Figure by Ute Schiffel. 18

38 AN CODE Encode data: xc = A x Check: xc mod A 0 Encoded add: z = x + y zc = xc + yc = A (x + y) Example: zc = xc + yc + err zc mod A err [Forin90] P. Forin, Vital Coded Microprocessor Priniciples and Application for various Transit Systems, in Control, Computers, Communication in Transportation, IFAC Symposia Series,

39 ANB CODE Encode data: xc = A x + Bx Check: xc mod A Bx Encoded add: z = x + y zc = xc + yc = A (x + y) + (Bx + By) pre-computed: Bz = Bx + By Example: zc = xc - yc zc mod A Bx - By Bz [Forin90] P. Forin, Vital Coded Microprocessor Priniciples and Application for various Transit Systems, in Control, Computers, Communication in Transportation, IFAC Symposia Series,

40 TRANSFORMER 21

41 TRANSFORMER Coded Program (C) Original Program (C) Transformer Checksums [Schiffel09] Ute Schiffel, et al, AN-Encoding Compiler: Building Safety-Critical Systems with Commodity Hardware, The 28th International Conference on Computer Safety, Reliability and Security (SafeComp 2009), 2009 [Schiffel10] Ute Schiffel, et al., ANB- and ANBDmem-Encoding: Detecting Hardware Errors in Software, The 29th International Conference on Computer Safety, Reliability and Security (SafeComp 2010),

42 TRANSFORMER may be generated code Coded Program (C) Original Program (C) Transformer Checksums [Schiffel09] Ute Schiffel, et al, AN-Encoding Compiler: Building Safety-Critical Systems with Commodity Hardware, The 28th International Conference on Computer Safety, Reliability and Security (SafeComp 2009), 2009 [Schiffel10] Ute Schiffel, et al., ANB- and ANBDmem-Encoding: Detecting Hardware Errors in Software, The 29th International Conference on Computer Safety, Reliability and Security (SafeComp 2010),

43 C SUPPORT Datatypes: signed/unsigned char, short, integer (up to 32 bit) structs, arrays, pointer Operations: arithmetic, (bitwise) logic, integer comparisons, casts static/dynamic memory any conditional/unconditional control flow (while, for, dowhile, if, switch) function calls 23

44 C SUPPORT floating point currently encodable via soft float library function pointers currently unimplemented, because general not as safe as direct calls special support for often used libraries: e.g. integrals encode C implementations of these functions 24

45 COMPARISON TO FORIN S VCP more complete language support all integer arithmetic of C pointers, pointer arithmetic explicit control flow protection automatic transformation 25

46 CHECKSUMS SIMPLE EXAMPLE int foo (int x, int y, int z) { int u = x + y; int v = z - u; return v; } 26

47 CHECKSUMS SIMPLE EXAMPLE int c foo c (intx, c x, int inty, c y, int int z) c { z) { int c u = x + c y; y; int c v = z - c u; u; return v; } 26

48 CHECKSUMS SIMPLE EXAMPLE Known at compile-time: Bx By Bz int c foo c (intx, c x, int inty, c y, int int z) c { z) { int c u = x + c y; y; int c v = z - c u; u; return v; } 26

49 CHECKSUMS SIMPLE EXAMPLE Known at compile-time: Bx By Bz int c foo c (intx, c x, int inty, c y, int int z) c { z) { int c u = x + c y; y; int c v = z - c u; u; return v; } Calculated at compile-time: Bz - (Bx + By) 26

50 EXECUTION ERRORS Coded Correct Program detectable failure propagation failure propagation failure propagation Hardware Compiler Interference: OS/Middleware 27

51 MEASUREMENTS 28

52 SAFETY MEASUREMENTS reference execution 1000s of error injection executions: simulate execution errors compare output with reference execution count number of times output does not match 29

53 EXPERIMENTAL EVALUATION 30 Rate of Undetected Errors in % Unprotected Protected (AN) Protected (ANB) Protected (ANBD) [Schmitt10] André Schmitt et al., Encoded Processing (Poster), UBooth at Design, Automation & Test in Europe (DATE 2010),

54 SUMMARY SIListra Transformer / Coded Processing more safe (can detect HW design failures) less expensive (one channel) 31

55 ACKNOWLEDGEMENTS EXIST-Forschungstransfer 32

56 REFERENCES Papers [Forin90] P. Forin, Vital Coded Microprocessor Priniciples and Application for various Transit Systems, in Control, Computers, Communication in Transportation, IFAC Symposia Series, [Wappler07a] Ute Wappler and Christof Fetzer, Software Encoded Processing: Building Dependable Systems with Commodity Hardware, Lecture Notes in Computer Science on Computer Safety, Reliability and Security (SafeComp 2007), [Schiffel09] Ute Schiffel, Martin Süßkraut, and Christof Fetzer, AN-Encoding Compiler: Building Safety-Critical Systems with Commodity Hardware, The 28th International Conference on Computer Safety, Reliability and Security (SafeComp 2009), [Schiffel10] Ute Schiffel, André Schmitt, Martin Süßkraut, and Christof Fetzer, ANB- and ANBDmem-Encoding: Detecting Hardware Errors in Software, The 29th International Conference on Computer Safety, Reliability and Security (SafeComp 2010), [Schmitt10] André Schmitt, Ute Schiffel, and Martin Süßkraut, Encoded Processing (Poster), UBooth at Design, Automation & Test in Europe (DATE 2010), [Schiffel10a] Ute Schiffel, André Schmitt, Martin Süßkraut, and Christof Fetzer, Slice Your Bug: Debugging Error Detection Mechanisms using Error Injection Slicing, Eighth European Dependable Computing Conference (EDCC'10), [Schiffel10b] Ute Schiffel, et al., Software-Implemented Hardware Error Detection: Costs and Gains, The Third International Conference on Dependability, DEPEND 2010, Patents pending 33

57 Backup Slides 34

58 DISTRIBUTED SYSTEM Node A Node B Input Coded Program A Checksums + Output Coded Program B Pre-computed checksums 35

59 ADDITIONAL PROTECTION Detects modified data Can be extended to detect message reordering No need to encode communication stack (network protocol implementation, OS) 36

60 OTHER TOOLS Replicator similar to Transformer, but detects transient faults only automatically replicates any instruction and memory region in application improved version in development Evaluator error injection tool to evaluate safety related code independent of Transformer Preflight Tool estimates runtime costs of Transformer by statically analyzing code in development 37

61 CHECKSUMS List of random numbers Protect Data flow Control flow Memory, caches, busses, CPU 38

62 UNDER THE HOOD Implementation is based on compiler framework LLVM SIListra making systems safertransformer C-code C Front-end LLVM IR Transformer LLVM IR C back-end C-code 39

63 EVALUATOR Evaluations tool = Error Injector Injects Forin s error model modified operand faulty operation exchanged operand exchanged operation lost store 40

64 ADJUSTABLE SAFETY Concrete safety depends on failure model of hardware Approximation: functional bits: n (e.g., 16 or 32 bit) redundant bits: k (e.g., A = 11 k = 4) number of valid code words n Pundetected = = 2 -k number of possible words 2 n+k [Forin90] P. Forin, Vital Coded Microprocessor Priniciples and Application for various Transit Systems, in Control, Computers, Communication in Transportation, IFAC Symposia Series, 1990 [Wappler07a] Ute Wappler and Christof Fetzer, Software Encoded Processing: Building Dependable Systems with Commodity Hardware, Lecture Notes in Computer Science on Computer Safety, Reliability and Security (SafeComp 2007),

65 & clients (Fig. 3) 8 parallel servers & clients (Fig. 4) COSTS VS GAINS throughput relative to native execution etection 100% 90% 80% 70% 60% 50% 40% 30% 20% higher performance 10% better error detection 0% 0.1% 1% 10% 100% rate of undetected errors relative to native execution native SWIFT SWIFT ECF AN ANB ANBDmem [Schiffel10b] Ute Schiffel, et al., Software-Implemented Hardware Error Detection: Costs and Gains, The Third International Conference on Dependability, DEPEND 2010,