Instruction Caches in Static WCET Analysis of Artificially Diversified Software
Joachim Fellmuth, Thomas Göthel, Sabine Glesner
Technische Universität Berlin, Software and Embedded Systems Engineering (SESE)
ECRTS 2018, Barcelona
Introduction Background Cache Analysis for Diverse Programs Evaluation Conclusion
Cyber-physical systems (CPS)
- omnipresent
- safety-critical, hard real-time requirements
- highly interconnected → large attack surface
Security is an important development aspect
- unsafe languages enable code-reuse attacks → these use knowledge of the system's memory layout
Artificial software diversity
- hides the memory layout (e.g. randomizes instruction addresses)
- copes with unknown attack types
- WCET-aware security increase possible [FHPG17]

Joachim Fellmuth, Static Cache Analysis for Diverse Software, 2/18
Problem: uncertainty induces pessimism in WCET analysis
- the timing impact of some randomized diversification techniques is unpredictable [DDNS12, LHBF14, Coh93, FSA97, WMHL12]
- WCET hardware analyses rely on full knowledge of the program addresses
- state-of-the-art cache analyses are not able to produce an upper-bound estimate for all program variants [HJR11, ZK15, BC08, Cul13, LGR+16]
- all-miss has to be assumed as the worst-case cache behavior
Our goal: efficient WCET cache analysis for diverse programs
- powerful diversity approach
- reuse established analyses, compatible with IPET
- tight worst-case estimate over all variants
Approach: relocation and reordering of code fragments
- introduce the uncertainty into the WCET cache analysis
- aggregate results for all variants per basic block
1 Background
  Artificial software diversity
  WCET Analysis
2 Cache Analysis for Diverse Programs
  Must Analysis
  Further Analyses
3 Evaluation
4 Conclusion
Semantically equivalent program variants
→ different program layout in memory
→ exploit compiler decisions to obtain variants
We use relocation and reordering of rearrangeable code parts (fragments)
→ no changes to instructions (code size) and CFG
→ predictable behavior over all variants
→ covers the entire instruction memory
Different fragment granularities possible
→ segment, function and block level
[Figure: static cache analysis on a running example CFG with basic blocks bb1 to bb7 and a cache with A=2. Animation steps: CFG creation; assign cache blocks and sets; Abstract Cache State (ACS) filled using a fix-point algorithm; ACS update function; ACS join function; Diversity: different number of memory blocks (bb5'); Different fragments (fragment a, fragment b): conflicts unknown.]
Uncertainty of relocation and reordering in the Abstract Cache State
- every basic block (BB) belongs to a fragment
- distances to a BB are only known within this fragment
  → one "virtual" cache per fragment
  → regular cache replacement within a fragment
  → cache contents of other fragments are subject to worst-case behavior
- depends on the offset within a set
  → cache behavior is equal over all sets
  → fragment starts at 0 plus offset
  → one cache representation for each possible offset
[Figure: must analysis on the running example with two fragments a and b. Animation steps: regular CFG; BBs on two fragments; cache set mapping for both fragments (fragment a, then fragment b); ACS for offset 0; ACS for offsets 0 & 1; update: conflict within fragment; update: no conflict within fragment; update: blocks [caption truncated]; join: oldest possible age for each memory block.]
Must analysis
- update uses most of the addressing information: within a fragment, regular update
Further analyses
- approach can be applied similarly to may and persistence analyses
  → Ballabriga's multi-level persistence analysis [BC08]
  → allows for first-miss classification with respect to enclosing loops
- ACS results are aggregated to find the worst-case timing per basic block
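A worked example of the fragment-wise must analysis described above, added here and not code from the paper or its OTAWA implementation: each fragment gets its own virtual LRU cache, the analysis runs once per possible start offset of the fragment within a cache line (which changes how instructions fall into memory blocks), the join keeps the oldest possible age, and the per-BB worst case over all offsets is what IPET would consume. The program, the cache parameters and the rule that an access from another fragment ages every set (its set is unknown) are constructed assumptions.

```python
LINE, SETS, A = 2, 2, 2  # constructed: instructions per memory block, cache sets, ways
# Constructed program: BB -> (fragment, start address within its fragment, #instructions)
BBS = {"bb1": ("a", 0, 3), "bb2": ("a", 3, 2), "bb3": ("b", 0, 1), "bb4": ("a", 5, 1)}
EDGES = [("bb1", "bb2"), ("bb2", "bb3"), ("bb3", "bb2"), ("bb2", "bb4")]  # bb2/bb3 loop

def blocks_of(bb, offset):
    """Memory blocks bb touches when its fragment starts `offset` instructions into a line."""
    _, start, n = BBS[bb]
    return [(offset + start + i) // LINE for i in range(n)]

def age(cache_set, limit):
    """LRU must update: blocks younger than `limit` age by one; reaching age A evicts."""
    for b in [b for b in cache_set if cache_set[b] < limit]:
        cache_set[b] += 1
        if cache_set[b] >= A:
            del cache_set[b]

def join(x, y):  # must join: keep blocks present in both states, with the oldest age
    return [{b: max(s1[b], s2[b]) for b in s1 if b in s2} for s1, s2 in zip(x, y)]

def transfer(acs, bb, frag, offset):
    """Apply bb's accesses to a copy of `frag`'s virtual cache; return (out ACS, hit flags)."""
    out, hits = [dict(s) for s in acs], []
    for blk in blocks_of(bb, offset):
        if BBS[bb][0] != frag:  # other fragment: its set is unknown, so age every set
            for s in out:
                age(s, A)
            hits.append(None)
        else:                   # own fragment: set known, regular LRU must update
            s = out[blk % SETS]
            hits.append(blk in s)
            age(s, s.get(blk, A))
            s[blk] = 0
    return out, hits

def analyze(frag, offset):
    """Fixpoint over the CFG: must ACS at the entry of every reachable BB, one offset."""
    entry, changed = {"bb1": [dict() for _ in range(SETS)]}, True
    while changed:
        changed = False
        for bb in list(entry):
            out, _ = transfer(entry[bb], bb, frag, offset)
            for src, dst in EDGES:
                if src == bb:
                    new = out if dst not in entry else join(entry[dst], out)
                    if entry.get(dst) != new:
                        entry[dst], changed = new, True
    return entry

def misses(bb, offset):  # misses of bb when its fragment starts at `offset`
    frag = BBS[bb][0]
    return sum(not h for h in transfer(analyze(frag, offset)[bb], bb, frag, offset)[1])

def worst_case_misses():  # per BB: worst miss count over all offsets, the value IPET uses
    return {bb: max(misses(bb, o) for o in range(LINE)) for bb in BBS}
```

For this constructed program an all-miss assumption charges 3, 2, 1 and 1 misses to bb1 to bb4, while the per-offset analysis bounds them at 2, 1, 1 and 1 even though the individual hits differ between the two offsets (bb4 hits at offset 0 and misses at offset 1).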
Implemented in OTAWA (I.R.I.T. Labs, Toulouse)
- analysis entirely static
- framework intended for extension in research
Tested on the Mälardalen benchmarks
- widely used WCET benchmark suite
- program collection covering all aspects of WCET analysis
Experiments conducted with random benchmark variants
- cache sizes, associativity and granularity varied
- diverse WCET estimate compared to the non-diverse analysis
- WCET_AM as the baseline of all estimations
[Plot: WCET / WCET_AM (y-axis 0.2 to 1) for the benchmarks bs, bsort100, cnt, crc, edn, expint, fac, fdct, fibcall, fir, insertsort, jfdctint, matmult, ndes, nsichneu and ud, showing WCETmin, WCETmax and WCETdiv.]
[Plot: WCET over-approximation (y-axis 1 to 1.4) for the same benchmarks at segment-level, function-level and block-level fragment granularity.]
Contribution: static cache analysis for diversified programs
- tight estimates with respect to the uncertainties of diversity
- major improvement over assuming all-miss
- acceptable analysis time
- supports powerful relocation and reordering diversification
- applicable to other aspects of varying memory layout, e.g. dynamic libraries, redundancy concepts
Outlook
- more WCET aspects: multi-level caches, branch prediction
- investigate architectures with timing anomalies

Q & A