instruction caches in static wcet analysis of arti cially ... fileoutline 1 background arti cial...

SESE

Instruction Caches in Static WCET Analysisof Artificially Diversified Software

Joachim Fellmuth, Thomas Gothel, Sabine Glesner

Technische Universitat BerlinSoftware and Embedded Systems Engineering

ECRTS 2018, Barcelona

Introduction Background Cache Analysis for Diverse Programs Evaluation Conclusion

Motivation

Cyber-physical systems (CPS) omnipresent

safety-critical, hard real-time requirements

highly interconnected → large attack surface

Security important development aspect

unsafe languages enable code-reuse attacks

→ use knowledge of system’s memory

Artificial software diversity

hides memory layout (e.g. randomize instruction addresses)

copes with unknown attack types

WCET-aware security increase possible [FHPG17]

SESE Joachim Fellmuth Static Cache Analysis for Diverse Software 2/ 18


Problem

Problem: Uncertainty induces pessimism in WCET analysis

timing impact of some randomized diversification techniquesunpredictable[DDNS12, LHBF14, Coh93, FSA97, WMHL12]

WCET hardware analyses rely on full knowledge of theprogram addresses

state-of-the-art cache analyses not able to produce upperbound estimate for all program variants[HJR11, ZK15, BC08, Cul13, LGR+16]

All miss has to be assumed as worst-case cache behavior



Proposed Solution

Our goal: Efficient WCET cache analysis for diverse programs

powerful diversity approach

reuse established analyses, compatible with IPET

tight worst-case estimate over all variants

Approach:

relocation and reordering of code fragments

introduce uncertainty into WCET cache analysis

aggregate results for all variants per basic block



Outline

1 BackgroundArtificial software diversityWCET Analysis

2 Cache Analysis for Diverse ProgramsMust AnalysisFurther Analyses

3 Evaluation

4 Conclusion



Outline



3 Evaluation

4 Conclusion



Artificial software diversity

Semantically equivalent program variants

→ different program layout in memory

→ exploit compiler decisions to obtain variants

We use relocation and reordering of rearrangeable codeparts (fragments)

→ no changes to instructions (code size) and CFG

→ predictable behavior over all variants

→ covers the entire instruction memory

Different fragment granularities possible

→ segment-, function, block level



Cache analysis: Must (LRU)

bb1:

bb2:

bb3:

bb4:

bb5:

bb6:

bb7:

CFG creation




bb1:

bb2:

bb3:

bb4:

bb5:

bb6:

bb7:

91010

11223

677

344556

889

111112

set 1 i1set 2 i1

set 1 i2

cache (A=2):

Assign cacheblocks and sets




bb1:

bb2:

bb3:

bb4:

bb5:

bb6:

bb7:

91010

11223

677

344556

889

111112

set 1 i1set 2 i1

set 1 i2

cache (A=2):- - - -- - - -

9 10 - -- - - -

9 10 11 12- - - -

1 2 3 -9 10 - -

5 6 3 41 2 - -

1 6 7 -9 2 3 -

- 6 - -1 2 3 -

9 6 - 8- 2 3 -

age 1age 2

Abstract CacheState (ACS)filled using fix-point algorithm




bb1:

bb2:

bb3:

bb4:

bb5:

bb6:

bb7:

91010

11223

677

344556

889

111112

set 1 i1set 2 i1

set 1 i2

cache (A=2):- - - -- - - -

9 10 - -- - - -

9 10 11 12- - - -

1 2 3 -9 10 - -

5 6 3 41 2 - -

1 6 7 -9 2 3 -

- 6 - -1 2 3 -

9 6 - 8- 2 3 -

age 1age 2

ACS updatefunction




bb1:

bb2:

bb3:

bb4:

bb5:

bb6:

bb7:

91010

11223

677

344556

889

111112

set 1 i1set 2 i1

set 1 i2

cache (A=2):- - - -- - - -

9 10 - -- - - -

9 10 11 12- - - -

1 2 3 -9 10 - -

5 6 3 41 2 - -

1 6 7 -9 2 3 -

- 6 - -1 2 3 -

9 6 - 8- 2 3 -

age 1age 2

ACS join func-tion




bb1:

bb2:

bb3:

bb4:

bb5:

bb6:

bb7:

91010

11223

677

344556

889

111112

set 1 i1set 2 i1

set 1 i2

cache (A=2):

161617171818

bb5’:

Diversity:Alt. node location -different number ofmemory blocks




bb1:

bb2:

bb3:

bb4:

bb5:

bb6:

bb7:

91010

11223

677

344556

889

111112

set 1 i1set 2 i1

set 1 i2

cache (A=2):

171718181919

bb5’:

fragment

a

fragment

b

Diversity:Different fragments:Conflicts unknown



Outline



3 Evaluation

4 Conclusion



Cache Analysis for diverse Programs

Uncertainty of relocation and reordering in Abstract Cache State

every basic block (BB) belongs to a fragment

distances to BB are only known within this fragment→ one ”virtual” cache per fragment→ regular cache replacement within fragment→ cache contents of other fragments subject to worst-case

behavior depends on offset within set→ cache behavior is equal over all sets→ fragment starts at 0 plus offset→ one cache representation for each possible offset



Location-tolerant Must analysis

bb1:

bb2:

bb3:

bb4:

bb5:

bb6:

bb7:

regular CFG




bb1:

bb2:

bb3:

bb4:

bb5:

bb6:

bb7:

fragment

a

fragment

b

BB on twofragments




bb1:

bb2:

bb3:

bb4:

bb5:

bb6:

bb7:

a.0 a.0a.0 a.1a.1 a.1a.1 a.2a.2 a.2

a.2 a.3a.3 a.3a.3 a.4a.4 a.4a.4 a.5a.5 a.5

set 1 i1set 2 i1

set 1 i2

cache (fragment a):

cache set map-ping for bothoffsets, frag-ment a




bb1:

bb2:

bb3:

bb4:

bb5:

bb6:

bb7:

a.0 a.0a.0 a.1a.1 a.1a.1 a.2a.2 a.2

a.2 a.3a.3 a.3a.3 a.4a.4 a.4a.4 a.5a.5 a.5

b.3 b.3b.3 b.4b.4 b.4

b.0 b.0b.0 b.1b.1 b.1

b.1 b.2b.2 b.2b.2 b.3

b.4 b.5b.5 b.5b.5 b.6

set 1 i1set 2 i1

set 1 i2

cache (fragment a):

cache (fragment b):

cache set map-ping for bothoffsets, frag-ment b




bb1:

bb2:

bb3:

bb4:

bb5:

bb6:

bb7:

a.0 a.0a.0 a.1a.1 a.1a.1 a.2a.2 a.2

a.2 a.3a.3 a.3a.3 a.4a.4 a.4a.4 a.5a.5 a.5

b.3 b.3b.3 b.4b.4 b.4

b.0 b.0b.0 b.1b.1 b.1

b.1 b.2b.2 b.2b.2 b.3

b.4 b.5b.5 b.5b.5 b.6

b.3 b.4

a.0 a.1 a.2b.3 b.4

b.0 b.1a.0 a.1 a.2 b.3

a.2 a.3 a.4 a.5a.0 a.1

a.0 a.1 a.2

b.1 b.2

b.3 b.4 b.5

offset 0:

set 1 i1set 2 i1

set 1 i2

cache (fragment a):

cache (fragment b):

ACS offset 0




bb1:

bb2:

bb3:

bb4:

bb5:

bb6:

bb7:

a.0 a.0a.0 a.1a.1 a.1a.1 a.2a.2 a.2

a.2 a.3a.3 a.3a.3 a.4a.4 a.4a.4 a.5a.5 a.5

b.3 b.3b.3 b.4b.4 b.4

b.0 b.0b.0 b.1b.1 b.1

b.1 b.2b.2 b.2b.2 b.3

b.4 b.5b.5 b.5b.5 b.6

b.3 b.4

a.0 a.1 a.2b.3 b.4

b.0 b.1a.0 a.1 a.2 b.3

a.2 a.3 a.4 a.5a.0 a.1

a.0 a.1 a.2

b.1 b.2

b.3 b.4 b.5

offset 0:

b.3 b.4

a.0 a.1 a.2b.3 b.4

b.0 b.1a.0 a.1 a.2 b.3

a.2 a.3 a.4 a.5a.0 a.1

a.0 a.1 a.2

b.2 b.3

b.3 b.4 b.5 b.6

offset 1:

set 1 i1set 2 i1

set 1 i2

cache (fragment a):

cache (fragment b):

ACS offset 0 & 1




bb1:

bb2:

bb3:

bb4:

bb5:

bb6:

bb7:

a.0 a.0a.0 a.1a.1 a.1a.1 a.2a.2 a.2

a.2 a.3a.3 a.3a.3 a.4a.4 a.4a.4 a.5a.5 a.5

b.3 b.3b.3 b.4b.4 b.4

b.0 b.0b.0 b.1b.1 b.1

b.1 b.2b.2 b.2b.2 b.3

b.4 b.5b.5 b.5b.5 b.6

b.3 b.4

a.0 a.1 a.2b.3 b.4

b.0 b.1a.0 a.1 a.2 b.3 a.2 a.3 a.4 a.5

a.0 a.1

a.0 a.1 a.2

b.1 b.2

b.3 b.4 b.5

offset 0:

b.3 b.4

a.0 a.1 a.2b.3 b.4

b.0 b.1a.0 a.1 a.2 b.3 a.2 a.3 a.4 a.5

a.0 a.1

a.0 a.1 a.2

b.2 b.3

b.3 b.4 b.5 b.6

offset 1:

set 1 i1set 2 i1

set 1 i2

cache (fragment a):

cache (fragment b):

update: con-flict withinfragment




bb1:

bb2:

bb3:

bb4:

bb5:

bb6:

bb7:

a.0 a.0a.0 a.1a.1 a.1a.1 a.2a.2 a.2

a.2 a.3a.3 a.3a.3 a.4a.4 a.4a.4 a.5a.5 a.5

b.3 b.3b.3 b.4b.4 b.4

b.0 b.0b.0 b.1b.1 b.1

b.1 b.2b.2 b.2b.2 b.3

b.4 b.5b.5 b.5b.5 b.6

b.3 b.4

a.0 a.1 a.2b.3 b.4

b.0 b.1a.0 a.1 a.2 b.3

a.2 a.3 a.4 a.5a.0 a.1

a.0 a.1 a.2

b.1 b.2

b.3 b.4 b.5

offset 0:

b.3 b.4

a.0 a.1 a.2b.3 b.4

b.0 b.1a.0 a.1 a.2 b.3

a.2 a.3 a.4 a.5a.0 a.1

a.0 a.1 a.2

b.2 b.3

b.3 b.4 b.5 b.6

offset 1:

set 1 i1set 2 i1

set 1 i2

cache (fragment a):

cache (fragment b):

update: noconflict withinfragment




bb1:

bb2:

bb3:

bb4:

bb5:

bb6:

bb7:

a.0 a.0a.0 a.1a.1 a.1a.1 a.2a.2 a.2

a.2 a.3a.3 a.3a.3 a.4a.4 a.4a.4 a.5a.5 a.5

b.3 b.3b.3 b.4b.4 b.4

b.0 b.0b.0 b.1b.1 b.1

b.1 b.2b.2 b.2b.2 b.3

b.4 b.5b.5 b.5b.5 b.6

b.3 b.4

a.0 a.1 a.2b.3 b.4

b.0 b.1a.0 a.1 a.2 b.3

a.2 a.3 a.4 a.5a.0 a.1

a.0 a.1 a.2

b.1 b.2

b.3 b.4 b.5

offset 0:

b.3 b.4

a.0 a.1 a.2b.3 b.4

b.0 b.1a.0 a.1 a.2 b.3

a.2 a.3 a.4 a.5a.0 a.1

a.0 a.1 a.2

b.2 b.3

b.3 b.4 b.5 b.6

offset 1:

set 1 i1set 2 i1

set 1 i2

cache (fragment a):

cache (fragment b):

update: blocksof other frag-ments




bb1:

bb2:

bb3:

bb4:

bb5:

bb6:

bb7:

a.0 a.0a.0 a.1a.1 a.1a.1 a.2a.2 a.2

a.2 a.3a.3 a.3a.3 a.4a.4 a.4a.4 a.5a.5 a.5

b.3 b.3b.3 b.4b.4 b.4

b.0 b.0b.0 b.1b.1 b.1

b.1 b.2b.2 b.2b.2 b.3

b.4 b.5b.5 b.5b.5 b.6

b.3 b.4

a.0 a.1 a.2b.3 b.4

b.0 b.1a.0 a.1 a.2 b.3

a.2 a.3 a.4 a.5a.0 a.1

a.0 a.1 a.2

b.1 b.2

b.3 b.4 b.5

offset 0:

b.3 b.4

a.0 a.1 a.2b.3 b.4

b.0 b.1a.0 a.1 a.2 b.3

a.2 a.3 a.4 a.5a.0 a.1

a.0 a.1 a.2

b.2 b.3

b.3 b.4 b.5 b.6

offset 1:

set 1 i1set 2 i1

set 1 i2

cache (fragment a):

cache (fragment b):

join: oldestpossible age foreach memoryblock



Further analyses

Must analysis update uses most of addressing information

within fragment: regular update

outside fragment: worst-case aging may not cause eviction

Approach can be applied similarly to may and persistence analyses

→ Ballabriga’s multi-level persistence analysis [BC08]

→ Allows for first miss classification with respect to enclosingloops

ACS results aggregated to find worst case timing per basic block



Outline



3 Evaluation

4 Conclusion



Experimental Setup

Implemented in OTAWA (I.R.I.T. Labs, Toulouse)

analysis entirely static

framework intended for extension in research

Tested on Malardalen benchmarks

widely used WCET benchmark suite

program collection, cover all aspects of WCET analysis

Experiments conducted with random benchmark variants

cache sizes, associativity and granularity varied

diverse WCET estimate compared to non-diverse analysis

WCETAM base line of all estimations



Results: Precision

bsbs

ort1

00 cnt

crc

edn

expi

nt fac

fdct

fibca

ll firin

sert

sort

jfdc

tint

mat

mul

tnd

esns

ichn

eu ud

0

0.2

0.4

0.6

0.8

1

WC

ET

/WCETAM

WCETmin WCETmax

WCETdiv



Results: Impact of granularity

bsbs

ort1

00 cnt

crc

edn

expi

nt fac

fdct

fibca

ll firin

sert

sort

jfdc

tint

mat

mul

tnd

esns

ichn

eu ud

1

1.2

1.4

WC

ET

over

-ap

prox

imat

ion

Segment LevelFunction LevelBlock Level



Outline



3 Evaluation

4 Conclusion



Conclusion

Contribution: static cache analysis for diversified programs

tight estimates with respect to uncertainties of diversity

major improvement to assuming all miss

acceptable analysis time

supports powerful relocation and reordering diversification

applicable to other aspects of varying memory layout: e.g.dynamic libraries, redundancy concepts

Outlook:

more WCET aspects: multi-level caches, branch prediction

investigate architectures with timing anomalies

optimize fragmentation using cache analysis results

Q & A


instruction caches in static wcet analysis of arti cially ... fileoutline 1 background arti cial...

Documents