# The Path to Fault- and Intrusion-Resilient Manycore Systems on a Chip

Ali Shoker Paulo Esteves-Verissimo RC3 Center, CEMSE Division, King Abdullah University of Science and Technology (KAUST) [ali.shoker@kaust.edu.sa,](ali.shoker@kaust.edu.sa) <paulo.verissimo@kaust.edu.sa>

Marcus Völp University of Luxembourg Interdisciplinary Center for Security, Reliability and Trust (SnT) - CritiX group <marcus.voelp@uni.lu>

*Abstract*— The hardware computing landscape is changing. What used to be distributed systems can now be found on a chip with highly configurable, diverse, specialized and general purpose units. Such Systems-on-a-Chip (SoC) are used to control today's cyber-physical systems, being the building blocks of critical infrastructures. They are deployed in harsh environments and are connected to the cyberspace, which makes them exposed to both accidental faults and targeted cyberattacks. This is in addition to the changing fault landscape that continued technology scaling, emerging devices and novel application scenarios will bring. In this paper, we discuss how the very features—distributed, parallelized, reconfigurable, heterogeneous—that cause many of the imminent and emerging security and resilience challenges, also open avenues for their cure though SoC replication, diversity, rejuvenation, adaptation, and hybridization. We show how to leverage these techniques at different levels across the entire SoC hardware/software stack, calling for more research on the topic.

*Index Terms*—fault and intrusion tolerance, resilience, hardware, system on a chip, FPGA

## I. OPPORTUNITIES FOR HARDWARE RESILIENCE

Hardware chips continue to be the core building blocks of computing devices due to their inherent immutability and speed, required in modern digital and mission-critical systems like Cyber-Physical Systems, Healthcare, Fintech, Automotive, and Space. This hardware can implement an entire monolithic system or even be used as proof-of-trust anchors. Contrary to the common belief, hardware is prone to unintentional (benign) and intentional/malicious (intrusion or Byzantine [\[1\]](#page-4-0)) faults. The former can be caused by the fabrication (e.g., Silicon) material prone to dust, aging, and overheating, or by design/implementation glitches [\[2\]](#page-4-1), [\[3\]](#page-4-2). Malicious faults manifest in many forms, prior- or post-fabrication, where stealthy logic, *backdoors*, *trojans*, *kill switches*, and postfab fabric editing are possible [\[4\]](#page-4-3)–[\[7\]](#page-4-4). In line with this, the trends of building complex hardware out of smaller *commercial-off-the-shelf* (COTS) components and introducing programmable/reconfigurable hardware, e.g., FPGA [\[8\]](#page-4-5), [\[9\]](#page-4-6), are closing the gap with software systems: hardware systems are no longer rigid, immutable, and fixed creatures. This raises both new challenges and opportunities, which call to revisit the way resilient and secure hardware systems are built.

The notable demand on hardware due to the automation and digitalization of services in many sectors raised new challenges in the hardware fabrication industry, where vendors need to maintain delivery on time and reduce production costs. This resulted in a *divide-and-conquer* [\[10\]](#page-4-7) production style: a system is split into smaller and cheaper building blocks, i.e., components. Components are developed in parallel to reduce the production cycle time. Each block is likely developed by a dedicated specialized vendor, i.e., generating COTS [\[11\]](#page-4-8). This means that the synthesising entity of these COTS can focus on the technology it masters, rather than distributing its efforts on multiple fronts. Despite this, these cheap components are becoming more prone to failures and attacks [\[12\]](#page-4-9), which can lead to drastic impacts on critical sectors like Cyber-Physical Systems, health smart systems, mission-critical space systems, etc. Our experience in software systems shows that building resilient systems composed of small and cheap components can be more resilient than a single complex monolithic system, that is usually very expensive.

There are ample opportunities for hardware resilience leveraging the above advancements. To demonstrate this, we showcase in Fig. [1](#page-1-0) different levels of the chip development process, from low-level fine-grained gate logic blocks up to multicore systems-on-chip (SoC). Literary works reveal some selected resiliency techniques on most of these layers for constructing resilient clock networks, replicated power domains, and lockstep coupling of cores  $[13]$ – $[18]$ , which is a good starting point. We, however, advocate for more systematic and comprehensive resiliency, probably leveraging hardware *hybrids* to simplify the designs. This holistic view helps optimising SoC designs by suggesting the right level of resiliency at each stage to reduce the redundant complexity and cost.

In a nutshell, the lowest level, in Fig. [1,](#page-1-0) is building a single layer microchip that constitutes a simple logical circuit of gates. Different gates are known to have different resiliency levels [\[13\]](#page-4-10), [\[17\]](#page-4-12). Recently, SiNW transistors are used to bridge *Source* to *Drain* with multiple *nanowires* to compensate manufacturing defects and aging [\[19\]](#page-4-13). While a typical design process mainly considers the *space*, *energy*, and *time* metrics in the design, making these circuits more resilient would mean trading these metrics for resiliency, e.g., using backup gates, replicated parallel gates, or diverse gates [\[17\]](#page-4-12), [\[18\]](#page-4-11). On the other hand, single-layered circuits can today be synthesized in a *3D fabric* [\[20\]](#page-4-14). Layers typically have different complementary functionalities. However, they can also have layers of identical functionality from different vendors, which is useful to improve diversity in fault masking scenarios (discussed later). It is also helpful to synthesize a monolithic chip from multi-vendor layers to avoid vendor lock-in or potential aging issues, backdoors, and *kill switches* [\[2\]](#page-4-1)–[\[4\]](#page-4-3) so called *Distribution attack* on the supply chain.

At a higher level, always depicted in Fig. [1,](#page-1-0) these 3D microchips can be assembled to build a system-on-chip fabric [\[21\]](#page-4-15). Again, components of identical functionalities can be used to build fault and intrusion masking SoC fabric. This can be enriched with heterogeneous diverse microchips at a higher level, thus building resilient Multicore Systems on Chip (MPSoC) [\[9\]](#page-4-6), [\[22\]](#page-4-16). At the higher layers, where a software stack complements the functionality of the system to form a more *programmable* flexible hardware (discussed next), one can take advantage of a remarkable body of research and practice to build resilient *soft-custom* logic [\[23\]](#page-4-17)–[\[25\]](#page-4-18). This can be done by exploiting virtualization techniques to provide software-level containment and replication. More complex systems can be built through networked *systems of systems on chip*. First instances of *networked* SoC systems are already emerging in the automotive, aeronautics, and CPS domain.

Across this spectrum, we foresee a need and opportunities to revisit how resilient hardware is built:

- building complex systems of systems and MPSoCs out of smaller COTS;
- taking advantage of the programability and elasticity of modern hardware, e.g., FPGA, GPGPU, to replicate, diversity and adapt; and
- simplifying the design of secure robust systems using smaller hardware *hybrids*—easy to design and verify, as resilient anchors.

# II. PROGRAMABILITY, ELASTICITY, PLASTICITY

The genuine immutability properties of hardware components and elements, make them ideal for security hardening and containment, i.e., by making the hard-implemented logic tamper-resistant against both benign and intrusion faults. Despite these facts, there is a continuous wave of relaxing these "rigid" hardware designs through introducing programmable (including reconfigurable and adaptable) fabric [\[8\]](#page-4-5), [\[26\]](#page-4-19). The main reason is to improve hardware flexibility and compatibility, i.e., making them application-agnostic, and to facilitate the daunting design verification process prior to fabrication, hence cutting off fabrication costs thereof. For this, programmable hardware is considered a tradeoff between software logic fully flexible, slow, and mutable—and hard logic—fully rigid, fast, and immutable. We believe that there are promising opportunities to boost the resilience of the programmable platforms against faults and intrusions, although immutability is slightly reduced. To explain these benefits, we consider two classes of programmable hardware:

Soft Custom Logic Fabric (SCLF) : these are commonly known as software-defined devices like PLC, ECU, and SDN



<span id="page-1-0"></span>Fig. 1. Resilience forms at the different (networked) hardware layers of Multicore Systems on Chip.

devices [\[24\]](#page-4-20), [\[27\]](#page-4-21)–[\[29\]](#page-4-22). This hardware is mostly domainspecialized, where computing is done using general-purpose micro-controller or microprocessors, often managed by a full software stack: hypervisors, RTOS/OS, drivers, libraries, and applications. Consequently, these devices exhibit high programability features, analogous to IT computing, although they have specialized roles and use domain specific peripherals, e.g., sensors, actuators, and interfaces.

Hard Custom Logic Fabric (HCLF) : these are hardware chip fabrics, e.g., FPGA [\[8\]](#page-4-5) and GPGPU [\[26\]](#page-4-19), composed of arrays of logical components, e.g., *gates* and *multiplexers*, that are not "hard etched", i.e., can be reprogrammed as needed. The programming logic in this case is almost entirely implemented in hardware, without the need for a software stack at runtime. Fabric is reprogrammed through soft *IP Cores* [\[30\]](#page-4-23), [\[31\]](#page-4-24) (HDL code [\[32\]](#page-4-25)) or through components (*softcores* or *blocks*) synthesized on the chip as needed. This programability feature is a very interesting tradeoff that retains the speed and security of *Application-Specific Integrated Circuit* (ASIC) chips, while giving the flexibility to support diverse applications and update implementations without the need for costly and slow fabrication.

Although programability, in both classes, opens the door for tampering with the system, and thus injecting surveillance circuits, intrusions and backdoors [\[3\]](#page-4-2), [\[4\]](#page-4-3) after fabrication (though slightly compared with software systems), there is a huge opportunity to leverage this programability to improve the resilience of these systems through four main ingredients: replication, diversity, rejuvenation, and adaptation.

### *A. Replication*

Replication is often useful to build resilience against Benign or Byzantine faults. *Passive replication* [\[33\]](#page-4-26), [\[34\]](#page-4-27) allows a failing system to failover into a backup replica. This is a cheap solution that typically requires one passive backup replica. However, recovery is slow, requires reliable detection and is not seemless to the user, even if implemented entirely at transistor level. For example, Razor [\[35\]](#page-4-28) integrates detection capabilities, originally for timing faults in sequential logic, but also for power instability [\[36\]](#page-4-29) and side channels [\[37\]](#page-4-30), and reinjects stored state into the pipeline for re-execution. Albeit functionally transparent, users may observe timing differences and anomalies caused by them. *Active replication* masks faults through building a *deterministic replicated state machine* [\[38\]](#page-4-31), composed of replicas of identical functionality, which execute an agreement protocol, e.g. *Paxos* [\[39\]](#page-4-32) or *PBFT* [\[1\]](#page-4-0). The number of required replicas is typically  $2f + 1/3f + 1$  in order to tolerate  $f$  faults. Interestingly, several works make use of hardware hybrids as root-of-trust to simplify these protocols to build resilient broadcast and agreement abstractions for embedded real-time systems  $[40]$ – $[42]$  (requiring only  $2f + 1$ replicas to tolerate f Byzantine ones).

Replication in SCLF is analogous to software replication at the software layer. While some literary works have studied this in some settings  $[23]$ – $[25]$ ,  $[43]$ , there are research opportunities in other real-time applications like softwaredefined vehicles, UXVs, Smart Grid, etc. On the other hand, replication in HCLF is today easier than ever. Using an FPGA, it is possible to spawn replicas as soft cores or logical blocks, using off-the-shelf soft IPs. This is a nice hardware feature that gives the flexibility to create hard-replicas quickly and on-demand, using only one fabric, in a similar way to creating virtual machines or containers at software level.

# *B. Diversity*

Resiliency through active replication is, however, only guaranteed as long as the replicas fail independently [\[1\]](#page-4-0), [\[38\]](#page-4-31). The second ingredient, diversity, helps building replicas of the same functionality but with different implementations. The aim is to avoid common-mode benign failures and intrusions.

Since programability in both classes, SCLF and HCLF, open new avenues for multi-vendor implementations and COTS, the likelihood of diversity is higher than the case of monolithic hardware that require deep technology capabilities. An interesting trend that would benefit this model greatly is more standardization for architectures and APIs. For instance, the introduction of the *AutoSAR* [\[44\]](#page-4-36) standard has greatly enriched the automotive market with multi-vendor implementations of the entire software and hardware stack, which act as a blockboxes of identical functionalities. *CUDA* [\[26\]](#page-4-19) and *OpenGL* [\[45\]](#page-4-37) provide standard APIs to implement accelerated parallel computing logic on a GPGPU using COTS implementations. Open source hardware platforms like RISC-V [\[46\]](#page-4-38) also standardize the architectures provided by different vendors, and enrich the market with diverse architectures.

Interestingly, FPGAs allow for hardware diversity through modifying the hard-logic through using different implementations or specifications for the softcore/block IP, possibly from different vendors, which is then used to spawn computing cores. It would be interesting to study the case where IP compilers can generate diverse versions of identical softcores to be used on the fly. First approaches towards such a generation of morphable softcores has been investigated in the context of organic computing [\[47\]](#page-4-39).

#### *C. Rejuvenation*

Rejuvenation is the third complementary ingredient to replication and diversity. These latter techniques can only maintain resilience as long as the assumed number of failing replicas f is fixed. This assumption is unfortunately hard due to benign faults and malicious behaviours. The first is related to aging, which manifest in software [\[48\]](#page-4-40) as memory leakage, failure to release resources and locks, failure to garbage collect, data corruption, etc. Surprisingly, aging occurs also in hardware, due to the deterioration of hardware material under overuse and overheating, etc. The second reason is recently getting more attention with the increasing attempts of *Advanced Persistent Attacks* (APT)—where a big deal of time and effort is usually put to identify vulnerabilities and exploit them. While this might be clear at the software level, there are continuous concerns about hardware backdoors and timed Trojans. Indeed, this is behind the recent agendas of acquiring chip sovereignty or split manufacturing in many countries [\[49\]](#page-5-0), [\[50\]](#page-5-1).

SCLF reprogramability can greatly benefit from the huge body of research on software rejuvenation, that is proven to mitigate failures. This would even be more effective when rejuvenation is simultaneous with diversity, which allows the rejuvenation to a different implementation with identical functionally, in consequence, reducing the success rate of APTs. Using FPGAs, rejuvenation can also happen at hardware level in HCLF [\[51\]](#page-5-2). An FPGA allows restarting or spawning new soft cores and logical blocks at runtime—avoiding slow device restarts. In fact, one can partially rejuvenate some soft cores while others continue to run. FPGAs allow for even smarter techniques, e.g., to rejuvenate to diverse softcore variants that are loaded in different FPGA spatial locations, which can avoid potential backdoors in the FPGA grid fabric.

## *D. Adaptation*

Yet, another way to withstand a varying number of faults  $f$ is to adapt the resilient system accordingly. Among the adaptation forms are scaling out/in the system when  $f$  may change, e.g., upon experiencing more threats, or switching to a backup protocol that is more adequate to the current conditions [\[23\]](#page-4-17), [\[52\]](#page-5-3)–[\[54\]](#page-5-4) (considering safety, liveness, performance, etc.). This would require research on the aforementioned adaptation mechanisms and, importantly, on severity detectors that can trigger adaptation actions once needed. As we discussed above, both SCLF (e.g., virtualization) and HCLF (e.g., FPGAs)

provide tempo-spatial elasticity, which allows changing the number of replicas and their locations on the fabric as needed. It will be interesting to study these research questions from scratch or validating the feasibility of existing ones (developed in the software realm).

## *E. Resilient Reconfiguration*

It should be evident that reconfiguration must be resilient to faults and attacks, irrespective of the kind of adjustment performed (i.e., diverse rejuvenation, relocation, or adaptation). This holds for both reconfiguration of an FPGA grid fabric as well as multi-chip FPGAs—where the individual FPGA chiplets are the unit of reconfiguration. We shall focus here exclusively on internal, partial and dynamic reconfiguration, since the reliance on external complex and non-configurable modules (e.g., CPUs) would induce a weak spot in the system, which could contaminate its resilience or introduce downtimes. Nevertheless, dependencies on external *hybrids* that are simple, and thus easy to verify, are allowed if they simplify the design. Internal, partial and dynamic mean respectively that reconfiguration (i) is driven from within the FPGA, e.g., by an HCLF or softcore defining the configuration bitstream to be loaded into a reconfigurable region (or frame) through interfaces like internal configuration access ports, (ii) it is bound to the reconfigured area and elements therein, and (iii) it happens while other parts of the FPGA continue to execute.

Optimizing the mapping of blocks to the FPGA grid fabric and integrating the configured block with the remaining blocks remain sufficiently complex tasks to be executed by a software-level operating-system kernel. Disabling and enabling configured circuits and frames constitute the critical operations, which leaves writing the configuration memory and validating that a correct bitstream is written as tasks that can be executed by the responsible kernel or possibly even kernel replicas. Provided sufficient access controls are in place at the internal configuration access ports, the actual configuration of a frame can even be delegated to its current user. However, as shown in Gouveia et al. [\[55\]](#page-5-5), privilege change must remain a trusted operation executed *consensually* and enforced by a trusted-trustworthy component. This leads to the more general question of architectural hybridization, which we address next.

#### III. ARCHITECTURAL HYBRIDIZATION

Differentiating how the individual hard- and software components of an MPSoC architecture can fail, architectural *hybridization* aims at benefiting from small easy-to-verify and therefore more trustworthy components, called *hybrids*. The goal is to enable, simplify or improve the performance of the overall system, by serving as trust anchors for these properties. These could be components (registers, memory, trusted execution environments or networks) such as USIG, A2M, TrInc, SGX and others, used in hybrid BFT-SMR protocols [\[41\]](#page-4-41), [\[56\]](#page-5-6)–[\[65\]](#page-5-7).

Realizing hybridization poses a challenge dual to the question whether SCLF or HCLF leads to more reliable systemson-a-chip. For software-only hybrids, we used to equate simplicity (measured for example in lines-of-code required to realize a certain functionality) with a low likelihood of failure and ease of verification. However, at hardware level, this equation is not as obvious, even if we consider lines-of-VHDL or another hardware description language.

We illustrate this using the USIG from the MinBFT protocol by Veronese et al. [\[41\]](#page-4-41) as example. USIG is essentially a sequential circuit, which is driven by the counter register and a few additional registers, which provide as constants the secret key for the HMAC and the ID of the replica. The lowest complexity version of such a circuit will use normal registers. But then any bitflip in the counter will have catastrophic effects on the consensus problem at hand since it is reflected unchanged in the computed HMAC and USIG output. *ECC-registers* on the other hand add extra bits and the logic required for correction, which both increase the complexity of the circuit at the benefit of tolerating a certain number of bitflips. We also see the converse effect when the required complexity of producing a special purpose circuit for a given functionality exceeds the complexity of a simple core that is able to fetch, decode and execute software. Once the inherent complexity of such a functionality exceeds this bound, software implementations become preferable and hybridization amounts to providing such an isolated core.

The objective of hardware-level hybridization is therefore to remain in this middle-ground. Hardware hybrids, protected by ECC and other accidental- and malicious-fault countermeasures, provide the desired functionality. This can then be extended into the realm of software hybrids that are possibly executed in a replicated manner and that vote to perform critical operations [\[55\]](#page-5-5).

# IV. CONCLUSIONS AND CALL TO ACTION

We emphasized that hardware architectures, and in particular multi- and manycore systems-on-a-chip are not the robust, dependable and reliable computing units we would like to have. We have subsequently started to replicate entire systems, which has ultimately lead to the huge body of knowledge on implementing resilient distributed systems. However, as we have seen, the continuing miniaturization and integration of processing elements into a single MPSoC, makes full system resilience increasingly costly, in particular when a single system already provides all the processing power that future critical applications need. We have shown how reconfiguration, rejuvenation and adaptation already allow the hardware to repair itself, to recover from faults and retain the resources classical resilience mechanisms need, when applied entirely on chip. Hybridization rooted in exactly the right-complexity circuits and applied to construct incrementally more complex dependable systems will produce the next generation flexible, morphable and highly trustable systems mission-critical systems will need. We therefore appeal for more research to study the resilience of hardware-based systems, systems of systems, and MPSoCs at different layers and cutting vertically across layers, probably through validating the techniques developed in the software *Systems* and *Dependability* areas.

#### **REFERENCES**

- <span id="page-4-0"></span>[1] M. Castro, B. Liskov *et al.*, "Practical byzantine fault tolerance," in *OsDI*, vol. 99, no. 1999, 1999, pp. 173–186.
- <span id="page-4-1"></span>[2] R. L. Merlino and J. A. Goree, "Dusty plasmas in the laboratory, industry, and space," *PHYSICS TODAY.*, vol. 57, no. 7, pp. 32–39, 2004.
- <span id="page-4-2"></span>[3] J. R. Celaya, P. Wysocki, V. Vashchenko, S. Saha, and K. Goebel, "Accelerated aging system for prognostics of power semiconductor devices," in *2010 Ieee Autotestcon*. IEEE, 2010, pp. 1–6.
- <span id="page-4-3"></span>[4] S. Adee, "The hunt for the kill switch," *IEEE Spectrum*, vol. 45, no. 5, pp. 34–39, 2008.
- [5] F. Imeson, S. Nejati, S. Garg, and M. Tripunitara, "{Non-Deterministic} timers for hardware trojan activation (or how a little randomness can go the wrong way)," in *10th USENIX Workshop on Offensive Technologies (WOOT 16)*, 2016.
- [6] S. T. King, J. Tucek, A. Cozzie, C. Grier, W. Jiang, and Y. Zhou, "Designing and implementing malicious hardware." *Leet*, vol. 8, pp. 1–8, 2008.
- <span id="page-4-4"></span>[7] K. Yang, M. Hicks, Q. Dong, T. Austin, and D. Sylvester, "A2: Analog malicious hardware," in *2016 IEEE symposium on security and privacy (SP)*. IEEE, 2016, pp. 18–37.
- <span id="page-4-5"></span>[8] I. Kuon, R. Tessier, J. Rose *et al.*, "Fpga architecture: Survey and challenges," *Foundations and Trends® in Electronic Design Automation*, vol. 2, no. 2, pp. 135–253, 2008.
- <span id="page-4-6"></span>[9] Xilinx2019, "Ug1085: Zynq ultrascale+ device technical reference manual," *Xilinx*, 2019.
- <span id="page-4-7"></span>[10] J. L. Bentley, "Multidimensional divide-and-conquer," *Communications of the ACM*, vol. 23, no. 4, pp. 214–229, 1980.
- <span id="page-4-8"></span>[11] L. Brownsword and T. Oberndorf, "The opportunities and complexities of applying commercial-off-the-shelf components."
- <span id="page-4-9"></span>[12] D. Doan, "Commercial off the shelf (cots) security issues and approaches," NAVAL POSTGRADUATE SCHOOL MONTEREY CA, Tech. Rep., 2006.
- <span id="page-4-10"></span>[13] A. Namazi and M. Nourani, "Gate-level redundancy: A new design-forreliability paradigm for nanotechnologies," *IEEE transactions on very large scale integration (VLSI) systems*, vol. 18, no. 5, pp. 775–786, 2009.
- [14] R. E. Lyons and W. Vanderkulk, "The use of triple-modular redundancy to improve computer reliability," *IBM journal of research and development*, vol. 6, no. 2, pp. 200–209, 1962.
- [15] L. A. C. Benites and F. L. Kastensmidt, "Automated design flow for applying triple modular redundancy (tmr) in complex digital circuits," in *2018 IEEE 19th Latin-American Test Symposium (LATS)*. IEEE, 2018, pp. 1–4.
- [16] K. S. Morgan, D. L. McMurtrey, B. H. Pratt, and M. J. Wirthlin, "A comparison of tmr with alternative fault-tolerant design techniques for fpgas," *IEEE transactions on nuclear science*, vol. 54, no. 6, pp. 2065– 2072, 2007.
- <span id="page-4-12"></span>[17] X. Han, M. Donato, R. I. Bahar, A. Zaslavsky, and W. Patterson, "Design of error-resilient logic gates with reinforcement using implications," in *Proceedings of the 26th edition on Great Lakes Symposium on VLSI*, 2016, pp. 191–196.
- <span id="page-4-11"></span>[18] J. D. Lohn and S. P. Colombano, "A circuit representation technique for automated circuit design," *IEEE Transactions on Evolutionary Computation*, vol. 3, no. 3, pp. 205–219, 1999.
- <span id="page-4-13"></span>[19] D. Jeon, S. Park, S. Pregl, T. Mikolajick, and W. Weber, "Reconfigurable thin-film transistors based on a parallel array of si-nanowires," vol. 129, pp. 1 245 041 – 1 245 049, 2021.
- <span id="page-4-14"></span>[20] V. F. Pavlidis, I. Savidis, and E. G. Friedman, *Three-dimensional integrated circuit design*. Newnes, 2017.
- <span id="page-4-15"></span>[21] G. Martin and H. Chang, "System-on-chip design," in *ASICON 2001. 2001 4th International Conference on ASIC Proceedings (Cat. No. 01TH8549)*. IEEE, 2001, pp. 12–17.
- <span id="page-4-16"></span>[22] W. Wolf, A. A. Jerraya, and G. Martin, "Multiprocessor system-on-chip (mpsoc) technology," *IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems*, vol. 27, no. 10, pp. 1701–1713, 2008.
- <span id="page-4-17"></span>[23] B.-G. Chun, P. Maniatis, and S. Shenker, "Diverse replication for single-machine byzantine-fault tolerance." in *USENIX Annual Technical Conference*, 2008, pp. 287–292.
- <span id="page-4-20"></span>[24] K. ElDefrawy and T. Kaczmarek, "Byzantine fault tolerant softwaredefined networking (sdn) controllers," in *2016 IEEE 40th annual computer software and applications conference (COMPSAC)*, vol. 2. IEEE,
- <span id="page-4-18"></span>2016, pp. 208–213. [25] V. S. Júnior, L. C. Lung, M. Correia, J. da Silva Fraga, and J. Lau, "Intrusion tolerant services through virtualization: A shared memory

approach," in *2010 24th IEEE International Conference on Advanced Information Networking and Applications*. IEEE, 2010, pp. 768–774.

- <span id="page-4-19"></span>[26] J. Ghorpade, J. Parande, M. Kulkarni, and A. Bawaskar, "Gpgpu processing in cuda architecture," *arXiv preprint arXiv:1202.4347*, 2012.
- <span id="page-4-21"></span>[27] "Virtualized programmable logic controllers," 2021, accessed on: Feb, 14, 2023. [Online]. Available: [controleng.com/articles/](controleng.com/articles/virtualized-programmable-logic-controllers/) [virtualized-programmable-logic-controllers/](controleng.com/articles/virtualized-programmable-logic-controllers/)
- [28] J. Hajda, R. Jakuszewski, and S. Ogonowski, "Security challenges in industry 4.0 plc systems," *Applied Sciences*, vol. 11, no. 21, p. 9785, 2021.
- <span id="page-4-22"></span>[29] C. Wulf, M. Willig, and D. Göhringer, "A survey on hypervisor-based virtualization of embedded reconfigurable systems," in *2021 31st International Conference on Field-Programmable Logic and Applications (FPL)*. IEEE, 2021, pp. 249–256.
- <span id="page-4-23"></span>[30] I. Advanced Micro Devices, "Amd/xilinx intellectual property," 2023, accessed on: May 1st, 2023. [Online]. Available: [https:](https://www.xilinx.com/products/intellectual-property.html) [//www.xilinx.com/products/intellectual-property.html](https://www.xilinx.com/products/intellectual-property.html)
- <span id="page-4-24"></span>[31] I. Corporation, "Intel fpga intellectual property," 2023, accessed on: May 1st, 2023. [Online]. Available: [https://www.intel.com/content/](https://www.intel.com/content/www/us/en/products/details/fpga/intellectual-property.html) [www/us/en/products/details/fpga/intellectual-property.html](https://www.intel.com/content/www/us/en/products/details/fpga/intellectual-property.html)
- <span id="page-4-25"></span>[32] P. Bellows and B. Hutchings, "Jhdl-an hdl for reconfigurable systems," in *Proceedings. IEEE symposium on FPGAs for custom computing machines (Cat. No. 98TB100251)*. IEEE, 1998, pp. 175–184.
- <span id="page-4-26"></span>[33] N. Budhiraja, K. Marzullo, F. B. Schneider, and S. Toueg, "The primarybackup approach," *Distributed systems*, vol. 2, pp. 199–216, 1993.
- <span id="page-4-27"></span>[34] X. Defago, A. Schiper, and N. Sergent, "Semi-passive replication," in *Proceedings Seventeenth IEEE Symposium on Reliable Distributed Systems (Cat. No.98CB36281)*, 1998, pp. 43–50.
- <span id="page-4-28"></span>[35] D. Ernst, N. S. Kim, S. Das, S. Pant, R. Rao, T. Pham, C. Ziesler, D. Blaauw, T. Austin, K. Flautner, and T. Mudge, "Razor: a low-power pipeline based on circuit-level timing speculation," in *Proceedings. 36th Annual IEEE/ACM International Symposium on Microarchitecture, 2003. MICRO-36.*, 2003, pp. 7–18.
- <span id="page-4-29"></span>[36] S. Das, D. Roberts, S. Lee, S. Pant, D. Blaauw, T. Austin, K. Flautner, and T. Mudge, "A self-tuning dvs processor using delay-error detection and correction," *IEEE Journal of Solid-State Circuits*, vol. 41, no. 4, pp. 792–804, 2006.
- <span id="page-4-30"></span>[37] S. Kim, I. Kwon, D. Fick, M. Kim, Y.-P. Chen, and D. Sylvester, "Razorlite: A side-channel error-detection register for timing-margin recovery in 45nm soi cmos," in *2013 IEEE International Solid-State Circuits Conference Digest of Technical Papers*, 2013, pp. 264–265.
- <span id="page-4-31"></span>[38] F. B. Schneider, *Replication Management Using the State-Machine Approach*. USA: ACM Press/Addison-Wesley Publishing Co., 1993, p. 169–197.
- <span id="page-4-32"></span>[39] L. Lamport, "Paxos made simple," *ACM SIGACT News (Distributed Computing Column) 32, 4 (Whole Number 121, December 2001)*, pp. 51–58, 2001.
- <span id="page-4-33"></span>[40] T. Distler, C. Cachin, and R. Kapitza, "Resource-efficient byzantine fault tolerance," *IEEE Transactions on Computers*, vol. 65, no. 9, pp. 2807– 2819, 2016.
- <span id="page-4-41"></span>[41] G. S. Veronese, M. Correia, A. N. Bessani, L. C. Lung, and P. Verissimo, "Efficient byzantine fault-tolerance," *IEEE Transactions on Computers*, vol. 62, no. 1, pp. 16–30, 2011.
- <span id="page-4-34"></span>[42] D. Kozhaya, J. Decouchant, V. Rahli, and P. Esteves-Verissimo, "Pistis: an event-triggered real-time byzantine-resilient protocol suite," *IEEE Transactions on Parallel and Distributed Systems*, vol. 32, no. 9, pp. 2277–2290, 2021.
- <span id="page-4-35"></span>[43] A. Shoker, V. Rahli, J. Decouchant, and P. Esteves-Verissimo, "Intrusion resilience systems for modern vehicles," in *In the 97th IEEE Vehicular Technology Conference (VTC2023)*. IEEE, 2023.
- <span id="page-4-36"></span>[44] "Autosar standard," 2023, accessed on: Feb, 14, 2023. [Online]. Available: <https://www.autosar.org/>
- <span id="page-4-37"></span>[45] K. Group, "Opengl," 2023, accessed on: April, 19, 2023. [Online]. Available: <https://www.opengl.org/>
- <span id="page-4-38"></span>[46] R.-V. International, "Risc-v," 2023, accessed on: April, 19, 2023. [Online]. Available: <https://riscv.org/>
- <span id="page-4-39"></span>[47] J. Zeppenfeld, A. Bouajila, A. Herkersdorf, and W. Stechele, "Towards scalability and reliability of autonomic systems on chip," in *2010 13th IEEE International Symposium on Object/Component/Service-Oriented Real-Time Distributed Computing Workshops*, 2010, pp. 73–80.
- <span id="page-4-40"></span>[48] Y. Huang, C. Kintala, N. Kolettis, and N. D. Fulton, "Software rejuvenation: Analysis, module and applications," in *Twenty-fifth international symposium on fault-tolerant computing. Digest of papers*. IEEE, 1995, pp. 381–390.
- <span id="page-5-0"></span>[49] Y. Yang, Z. Chen, Y. Liu, T.-Y. Ho, Y. Jin, and P. Zhou, "How secure is split manufacturing in preventing hardware trojan?" *ACM Transactions on Design Automation of Electronic Systems (TODAES)*, vol. 25, no. 2, pp. 1–23, 2020.
- <span id="page-5-1"></span>[50] A. Shoker, "Digital sovereignty strategies for every nation," 2022.
- <span id="page-5-2"></span>[51] A. T. Sheikh, A. Shoker, and P. Esteves-Verissimo, "System on chip rejuvenation in the wake of persistent attacks," in *the 16th European Workshop on Systems Security (EuroSec), EuroSys-W*. IEEE, 2023.
- <span id="page-5-3"></span>[52] D. Silva, R. Graczyk, J. Decouchant, M. Volp, and P. Esteves-Verissimo, "Threat adaptive byzantine fault tolerant state-machine replication," in *2021 40th International Symposium on Reliable Distributed Systems (SRDS)*. Los Alamitos, CA, USA: IEEE Computer Society, sep 2021, pp. 78–87. [Online]. Available: [https:](https://doi.ieeecomputersociety.org/10.1109/SRDS53918.2021.00017) [//doi.ieeecomputersociety.org/10.1109/SRDS53918.2021.00017](https://doi.ieeecomputersociety.org/10.1109/SRDS53918.2021.00017)
- [53] J.-P. Bahsoun, R. Guerraoui, and A. Shoker, "Making bft protocols really adaptive," in *2015 IEEE International Parallel and Distributed Processing Symposium*. IEEE, 2015, pp. 904–913.
- <span id="page-5-4"></span>[54] E. Sakic, N. Đerić, and W. Kellerer, "Morph: An adaptive framework for efficient and byzantine fault-tolerant sdn control plane," *IEEE Journal on Selected Areas in Communications*, vol. 36, no. 10, pp. 2158–2174, 2018.
- <span id="page-5-5"></span>[55] I. P. Gouveia, M. Völp, and P. Esteves-Verissimo, "Behind the last line of defense: Surviving soc faults and intrusions," *Computers & Security*, vol. 123, p. 102920, 2022.
- <span id="page-5-6"></span>[56] J. Behl, T. Distler, and R. Kapitza, "Hybrids on steroids: Sgx-based high performance bft," in *Proceedings of the Twelfth European Conference on Computer Systems*, 2017, pp. 222–237.
- [57] B.-G. Chun, P. Maniatis, S. Shenker, and J. Kubiatowicz, "Attested append-only memory: Making adversaries stick to their word," *ACM SIGOPS Operating Systems Review*, vol. 41, no. 6, pp. 189–204, 2007.
- [58] S. Gupta, S. Rahnama, S. Pandey, N. Crooks, and M. Sadoghi, "Dissecting bft consensus: In trusted components we trust!" *arXiv preprint arXiv:2202.01354*, 2022.
- [59] R. Kapitza, J. Behl, C. Cachin, T. Distler, S. Kuhnle, S. V. Mohammadi, W. Schröder-Preikschat, and K. Stengel, "Cheapbft: Resource-efficient byzantine fault tolerance," in *Proceedings of the 7th ACM european conference on Computer Systems*, 2012, pp. 295–308.
- [60] J. Lind, O. Naor, I. Eyal, F. Kelbert, E. G. Sirer, and P. Pietzuch, "Teechain: a secure payment network with asynchronous blockchain access," in *Proceedings of the 27th ACM Symposium on Operating Systems Principles*, 2019, pp. 63–79.
- [61] D. L. J. R. D. Jacob and R. L. T. Moscibroda, "Trinc: Small trusted hardware for large distributed systems."
- [62] M. K. Aguilera, N. Ben-David, R. Guerraoui, A. Murat, A. Xygkis, and I. Zablotchi, "ubft: Microsecond-scale bft using disaggregated memory," in *Proceedings of the 28th ACM International Conference on Architectural Support for Programming Languages and Operating Systems, Volume 2*, 2023, pp. 862–877.
- [63] T. Distler, C. Cachin, and R. Kapitza, "Resource-efficient byzantine fault tolerance," *IEEE Transactions on Computers*, vol. 65, no. 9, pp. 2807– 2819, 2016.
- [64] M. Correia, N. Neves, and P. Verissimo, "How to tolerate half less one byzantine nodes in practical distributed systems," in *Proceedings of the 23rd IEEE International Symposium on Reliable Distributed Systems, 2004.*, 2004, pp. 174–183.
- <span id="page-5-7"></span>[65] J. Decouchant, D. Kozhaya, V. Rahli, and J. Yu, "Damysus: Streamlined bft consensus leveraging trusted components," in *Proceedings of the Seventeenth European Conference on Computer Systems*, ser. EuroSys '22. New York, NY, USA: Association for Computing Machinery, 2022, p. 1–16. [Online]. Available: <https://doi.org/10.1145/3492321.3519568>