The 17th International Conference on Safety, Reliability and Security (SAFECOMP 98) LNCS, Heidelberg, 1998

Size: px

Start display at page:

Download "The 17th International Conference on Safety, Reliability and Security (SAFECOMP 98) LNCS, Heidelberg, 1998"

Brandon Wiggins
5 years ago
Views:

1 The 17th International Conference on Safety, Reliability and Security (SAFECOMP 98) LNCS, Heidelberg, 1998 Verifying Integrity of Decision Diagrams Rolf Drechsler Institute of Computer Science Albert-Ludwigs-University Freiburg im Breisgau, Germany Abstract Decision Diagrams (DDs) are the state-of-the-art data structure in CAD of integrated circuits. They are used in many safety critical applications, like verication. In this paper security aspects of implementation techniques of DDs are discussed. A recursive checksum technique is presented for on-line and o-line checks. These methods are used to verify the integrity of DDs. The correctness of the data structures can be veried by (nearly) no overhead. Experimental results are presented to demonstrate the eciency of this approach. 1 Introduction During the last decades, the complexity of Integrated Circuits (ICs) has increased exponentially. In the 1970's a typical microprocessor such as the Intel 8080 consisted of about 5,000 transistors while in 1993 Intel's state-of-the-art processor Pentium contains 3.1 million transistors. To handle the complexity of todays circuits the design engineers are totally dependent on Computer Aided Design (CAD), i.e., software tools. The capabilities and limitations of CAD tools have crucial impact on the performance and cost of the produced circuits as well as on the resources required to develop a circuit. Consequently, CAD for ICs is a very important and increasingly growing research area. In many tasks during the design process Decision Diagrams (DDs) are used: Most common synthesis tools for logic optimization (two-level and multi-level) are based on Binary Decision Diagrams (BDDs) [5] (see e.g. [8, 7, 23, 20]). Especially for the verication step many dierent DD types, i.e. extensions of BDDs, have been introduced [16, 12, 6, 11, 14]. Since ICs are nowadays used in many safety critical applications it is very important to make DD packages not only as fast and memory ecient as possible [2, 18, 17, 13], but also as secure as possible. So far the security aspect for DDs has not been considered. For \simple" data structures like linked lists and binary (search) trees good techniques are known for secure implementations [22, 1, 4].

2 The security aspect becomes even more important when current trends, like parallel implementations of DD packages [21], are considered. These implementations use complicated communication protocols and it is well-known that several of these protocols contain bugs (see e.g. [15]). Recently a Recursive Checksum Method (RCM) has been introduced in [4] for trees. Since most DD packages are based on recursive operations the RCM can directly be applied to DDs. The use of the RCM also helps during the implementation of a DD package, since many errors in the memory management can be detected very early. In this paper we consider methods for guaranteeing the integrity of DDs by on-line and o-line checks. We consider dierent fault types, like Copy Faults (CFs) and Memory Faults (MFs) [4]. We show that the RCM can also be applied successfully to graphs. The implementation is discussed, i.e. the RCM can be integrated in DD packages by (nearly) no overhead: Since most DD packages are based on recursive synthesis operations, like If-Then-Else for BDDs [5, 2], the recursive checksum computation can be incorporated with no additional cost (in contrast to other data structures [1, 4]). We give results on fault injection experiments for BDDs that show that all of the assumed errors can be detected at very low cost, i.e. our method can be implemented without any memory overhead (in clever implementations like [17]) and the runtime overhead is less than 5% on average. The paper is structured as follows: In Section 2 we briey review the denitions of DDs. In Section 3 we discuss the fault model considered in this paper. Section 4 describes our approach to handle the security aspect. Implementation aspects and experimental results are given in Section 5 and 6. Finally, the results are summarized. 2 Decision Diagrams We now introduce basics of DDs. We focuses less on a mathematical exact description, instead we want to give an informal description that helps the reader to get an impression of the underlying data structure. For more details see [10]. The best known DD type is the Binary Decision Diagram (BDD) [5]. The description in the following is mainly based on BDDs, but all results directly transfer to other DD types, e.g. DDs including edge values [16, 6, 11]. All DDs are graph-based representations, where at each (non-terminal) node labeled with a variable x i a decomposition of the function represented by this node into two subfunctions (the low-function and the high-function) is performed. Furthermore, the underlying graph is reduced and ordered, i.e. all redundant nodes are removed and the variables occur in the same order on all paths of the DD, respectively. E.g. for BDDs the following decomposition is considered: f = x i f low(v) + x i f high(v)

3 x 1 x 2 x Fig. 1. BDD for f = x 1x 2 + x 3 (f is the function represented at node v, f low(v) (f high(v) ) denotes the function represented by the low-edge (high-edge) of v. The recursion stops at terminal nodes labeled with 0 or 1. Example 1. In Fig. 1 the reduced ordered BDD for function f = x 1 x 2 + x 3 is given. For the representation of a node the pointer to the low- and high-function has to be stored. Further memory is needed for the index of the node and the reference counter. Additionally, to store edge values for DDs (where this is allowed) memory is needed. It is straightforward to integrate this in the approach that is presented in the following but we restrict ourselves w.l.o.g. to BDDs. Finally, we briey consider the typical synthesis operation on DDs: The synthesis of two DDs is carried out by performing a recursive call on subgraphs. For BDDs a sketch of the recursive If-Then-Else (ITE) algorithm from [2] is given in Fig. 2. Similar algorithms can be considered for word-level DDs [6, 11]. 3 Fault Model In this section we briey discuss some aspects of the fault model. As already pointed out in [22] there is no general agreement how to measure the robustness of a storage data structure. Simple errors that should be detected are errors in single bits or words, i.e. if the contents of a memory cell is modied by a fault. Additionally, in this paper we consider the fault model from [4]: We allow two kinds of memory errors in our model, i.e. Copy Faults (CFs) and Memory Allocation Faults (MAFs). Obviously, many other \real-world" faults are also covered by this model.

4 ite(f,g,h) f if (terminal case) return result; if (computed-table entry (F,G,H) exists) return result; let x i be the top variable of ff,g,hg; THEN = ite(f xi ; G xi ; H xi ) ; ELSE = ite(f xi ; G xi ; H xi ) ; if (THEN == ELSE) return THEN; // Find or create a new node with variable v and sons THEN and ELSE R = Find or add unique table(x i,then,else); // Store computation and result in computed table Insert computed table(ff,g,hg,r); g return R; Fig. 2. ITE-algorithm x 1 Node 1 x x Node x 3 x 3 x 3 x Fig. 3. Example for copy fault Copy faults: Copy the contents of one node into an other node. Memory allocation faults: Memory is allocated that has already been used by an other node. Example 2. An example for a CF is given in Fig. 3. For simplicity the nonreduced BDD of Example 1 is given. If the contents of Node 1 is copied into Node 2 the dotted pointers result. Obviously, the function being represented is changed.

5 Obviously, CFs can not be captured by checksum computations that do not consider the environment of the node, since the node itself is valid but has a wrong location. This fault may result from a wrong address to which data is written back. MAFs often occur during software development, since ecient implementations of DDs often overload the memory management of the operating system [2, 17]. (For more details on CFs and MAFs see [4].) 4 Security Aspects DDs are used in more and more applications were security is a very important aspect, e.g. verication. Thus, there is a need for secure data structures. The simplest idea to make data structures securer is to store each component several times. (Notice that in that way some kind of memory faults, like MAFs, can also not be detected.) The idea of multiple storing also leads to the ability of not only error detecting, but also error correcting data structures. These topics have been studied for \simpler" data structures like linked lists (see e.g. [22]). Storing the same information several times obviously results in large memory overhead. Also the access time per node would drastically increase for DDs, since several pointers have to be handled. (E.g. during sifting [19] often several thousand pointers have to be redirected.) In the following we restrict to the problem of error detection. A general method for making data structures more secure is the use of checksums, i.e. for each element a characteristic value is computed. The simplest example is the parity check. But this method has the drawback that errors that result from neighborhood relations (as e.g. MAFs) can not be detected. We now describe in more detail the Recursive Checksum Method (RCM) that we apply to DDs: For each node a checksum c is computed that results from the checksums c l and c r of the left and right son of the node and from a node internal information. Here we make use of the index of the node. (We will see in the following that for DDs methods based on recursive computations can easily be integrated in the synthesis operations, like ITE (see Section 2 and 5).) For the following we dene the RCM c of a node by c = (c l + c r + variable index) mod m; (1) where m denotes an integer number and variable index of a BDD node v is i i v is labeled with variable x i1. Obviously, the choice of m largely inuences the quality of the checksum. The larger m is chosen the more memory is used to store the information, but the more secure the DD gets. Example 3. If m = 2 then only a parity check is performed. Remark 1. For DD types allowing edge values these values have also to be incorporated in the checksum. 1 Here we choose a very simple function so that the description remains simple.

6 We now consider two main problems: We want to detect errors on-line and we want to check the integrity of a given DD by o-line tests. On-line check: The on-line check veries the correctness of the node during each access. This is done by recomputing the checksum of the successors during each access. Additionally, each information that is obtained by a look-up in the computed table is checked. Due to the recursive nature of the synthesis procedures on DDs and of the RCM the checksum computation can easily be incorporated in the program code. (For more details see Section 5.) O-line check: The check for integrity can be performed by a depth-rst-search algorithm starting from the roots of the DD. At each node (starting at the terminals) the checksum is recursively computed. Then a comparison to the checksum value stored in each node is carried out. If a comparison fails an error is detected. Using these on-line and o-line techniques also the software development can be simplied tremendously. As mentioned above many DD packages overload the memory management of the operating systems. Using the on-line check many errors can be detected very early. If (due to performance reasons) the on-line check is not desired during normal operation of the package it can easily be switched o. (This also oers the possibility to operate DD packages in a debug mode and in a normal operation mode.) One further advantage of an o-line check on DDs is that the nodes are referenced several times (in contrast to trees). Thus, there is a high probability to detect errors with only a small number of encoding bits (see experiments in Section 6). One problem that is not considered in this paper is the aspect of faulty computations, e.g. what happens, if the checksum computation is wrong? Previous work has proposed the term of safe and unsafe memory for other data structures. These results can directly be transfered to graphs and DDs. (For more details see e.g. [1, 4].) 5 Implementation We now briey discuss how the RCM of the previous section can be implemented in a DD package. (For the rest of this section we assume that the reader is familiar with basics about the implementation of DD packages.) In the following we restrict ourselves to the ITE operator used for BDDs. (For other DD packages based on recursive synthesis analogous modications can be given.) Only minor modications have to be performed to integrate the approach in a given DD package: { An additional (integer) value must be included in the description of a node. At this point also a short integer or only a few bits can be used, but with smaller number of memory the data structure becomes less secure (see Section 6). It depends on the designer of the data structure to determine the

7 optimal trade-o for his application: Is security or memory overhead more important? { During the recursive ITE calls the checksum has to be computed. Since ITE also works recursively only a constant overhead per node has to be invested. For each node that is newly created the checksum c is computed as described in the previous section. Example 4. For ITE-based BDD packages after each computation of the nodes THEN and ELSE (see Fig. 2) the checksum of these new nodes is veried. Thus also erroneous modications of bits (or even words) in a node can be detected. Additionally, after each successful lookup in the unique table the node is checked for correctness. Remark 2. In usual DD packages some bits are often unused, e.g. in the BDD package from [17] two bits per pointer have no functionality. Since in each node two pointers are stored, i.e. the pointers for the low- and high-function, four bits are unused. 6 Experimental Results In this section we present results of some fault injection experiments. All experiments have been carried out on a preliminary BDD package implementation on a SUN SPARCstation 4. An upper node limit of was used. Several symbolic simulation runs were considered for the combinational parts of the sequential benchmarks from [3]. For the ordering of the variables the initial ordering of the inputs as they occur in the benchmark description was used. In the rst set of experiments we considered the on-line check method, i.e. we check the data structure during the symbolic simulation. We inserted a fault by randomly changing the contents of one variable in a node. Thus, we not only considered bit faults, but also word faults that correspond to multi-bit faults. (Notice that this fault can also be detected by a conventional checksum approach. Recursive computation does not inuence the result.) We use Formula (1) for the recursive computation of the checksum 2. During each run one fault is inserted. In some cases this fault does not have to modify the result, e.g. if the fault occurs in a redundant part of the circuit during the symbolic simulation. But nevertheless the on-line check detects that something might be damaged. In Table 1 a 1 (0) denotes that the error was (not) detected. Each column denotes a dierent value for m. As can easily be seen only a few bits are needed to detect all errors in the package during the symbolic simulation of these benchmarks, i.e. only 3 bits are needed to encode the 5 values. We now focus on the o-line check for CFs and MAFs. In a second experiment we considered a successful symbolic simulation and started with a depth-rstsearch computation. We randomly inserted faults by the following procedure: 2 More sophisticated computation methods could obviously even improve the quality of the result.

8 name m = 2 m = 3 m = 4 m = 5 s s s s s s s s s s s s s s s s Table 1. On-line check name pointers faults m = 2 m = 3 m = 4 m = 5 s s s s s s s s s s s s s s s s Table 2. O-line check

9 During the construction we stored a pointer's address for fault insertion at about each 50th node creation (up to a maximum of 10 pointer addresses) 3. In the second and third column of Table 2 we give the information about the number of faults considered. pointers (faults) denotes the number of addresses stored (faults inserted). Again we considered dierent values for m. The results are given in the succeeding columns of Table 2. Once more it can be seen from the table that only 3 bits are needed to detect all faults. (For benchmark s01238 no faults have been inserted, since all stored pointers are not present in the representation of the outputs.) Even an encoding of 2 bits is able to detect most faults. This results from the fact that often the same node is referenced several times. Such during each access there is the possibility to detect the fault. As can be seen from our experiments only 3 bits are needed to detect all faults. Thus, following Remark 2 no memory overhead results for ecient DD package implementations from incorporating the RCM. In our implementation the runtime overhead was less than 5% on average. 7 Conclusions Security aspects of Decision Diagrams have been discussed. Since DDs are used in more and more safety critical applications there is a need to also make the implementation of the DD package as secure as possible. In this paper a rst step in this direction has been performed: Fault models for other data structures have been considered for DDs. The method of recursive checksum computation has been applied to DDs and has been integrated in online and o-line checks. It has been demonstrated by fault injection experiments that these methods are able to identify memory errors during the operation of a DD package. A check for the whole DD for integrity can also easily be performed. These methods can be integrated with only little overhead with respect to runtime and no overhead with respect to memory. If is focus of current work to extend the ideas discussed in this paper to DD packages that also allow dynamic minimization algorithms, like sifting [19, 9]. Furthermore, aspects of secure DDs will be extended to not only error detection but also error correction. Acknowledgment The author likes to thank Bernd Becker and Nicole Drechsler for their helpful comments. 3 The problem was that in this way we mostly stored enough pointers so that at least some were also present in the nal result, i.e. during a symbolic simulation many nodes are created that are not needed for the representation of the outputs. Thus, errors in these nodes could not be detected by the o-line test.

10 References 1. N.M. Amato and M.C. Loui. Checking linked data structures. In Int'l Symp. on Fault-Tolerant Comp., pages 164{173, K.S. Brace, R.L. Rudell, and R.E. Bryant. Ecient implementation of a BDD package. In Design Automation Conf., pages 40{45, F. Brglez, D. Bryan, and K. Kozminski. Combinational proles of sequential benchmark circuits. In Int'l Symp. Circ. and Systems, pages 1929{1934, J.D. Bright, G.F. Sullivan, and G.M. Masson. Checking the integrity of trees. In Int'l Symp. on Fault-Tolerant Comp., pages 402{411, R.E. Bryant. Graph - based algorithms for Boolean function manipulation. IEEE Trans. on Comp., 35(8):677{691, R.E. Bryant and Y.-A. Chen. Verication of arithmetic functions with binary moment diagrams. In Design Automation Conf., pages 535{541, O. Coudert. Two-level logic minimization: an overview. Integration the VLSI Jour., 17(2):97{140, O. Coudert, H. Fraisse, and J.C. Madre. A breakthrough in two-level logic minimization. In Int'l Workshop on Logic Synth., page P2b, R. Drechsler and B. Becker. Dynamic minimization of OKFDDs. In Int'l Conf. on Comp. Design, pages 602{607, R. Drechsler and B. Becker. Binary Decision Diagrams - Theory and Implementation. Kluwer Academic Publishers, R. Drechsler, B. Becker, and S. Ruppertz. K*BMDs: A new data structure for verication. In European Design & Test Conf., pages 2{8, R. Drechsler, A. Sarabi, M. Theobald, B. Becker, and M.A. Perkowski. Ecient representation and manipulation of switching functions based on ordered Kronecker functional decision diagrams. In Design Automation Conf., pages 415{419, S. Horeth. Implementation of a multiple-domain decision diagram package. In CHARME, Chapman & Hall, pages 185{202, S. Horeth and R. Drechsler. Dynamic minimization of word-level decision diagrams. In Design, Automation and Test Europe, pages 612{617, R.P. Kurshan. Computer-Aided Verication of Coordinating Processes. Princeton University Press, Y.-T. Lai and S. Sastry. Edge-valued binary decision diagrams for multi-level hierarchical verication. In Design Automation Conf., pages 608{613, D.E. Long. Long-Package Sun Release 4.1 Overview of C Library Functions S. Minato, N. Ishiura, and S. Yajima. Shared binary decision diagrams with attributed edges for ecient Boolean function manipulation. In Design Automation Conf., pages 52{57, R. Rudell. Dynamic variable ordering for ordered binary decision diagrams. In Int'l Conf. on CAD, pages 42{47, C. Scholl. Multi-output functional decomposition with exploitation of don't cares. In Design, Automation and Test Europe, pages 743{748, T. Stornetta and F. Brewer. Implementation of an ecient parallel BDD package. In Design Automation Conf., pages 641{644, D.J. Taylor. Error models for robust storage structures. In Int'l Symp. on Fault- Tolerant Comp., pages 416{422, B. Wurth, K. Eckl, and K. Antreich. Functional multiple-output decomposition: Theory and implicit algorithm. In Design Automation Conf., pages 54{59, 1995.

Checking Equivalence for Circuits Containing Incompletely Specified Boxes

Freiburg, Germany, September 00 Checking Equivalence for Circuits Containing Incompletely Specified Boxes Christoph Scholl Bernd Becker Institute of Computer Science Albert Ludwigs University D 79110 Freiburg