References of "Pinto Gouveia, Ines 50030208"
     in
Bookmark and Share    
Full Text
See detailArchitectural Support for Hypervisor-Level Intrusion Tolerance in MPSoCs
Pinto Gouveia, Ines UL

Doctoral thesis (2022)

Increasingly, more aspects of our lives rely on the correctness and safety of computing systems, namely in the embedded and cyber-physical (CPS) domains, which directly affect the physical world. While ... [more ▼]

Increasingly, more aspects of our lives rely on the correctness and safety of computing systems, namely in the embedded and cyber-physical (CPS) domains, which directly affect the physical world. While systems have been pushed to their limits of functionality and efficiency, security threats and generic hardware quality have challenged their safety. Leveraging the enormous modular power, diversity and flexibility of these systems, often deployed in multi-processor systems-on-chip (MPSoC), requires careful orchestration of complex and heterogeneous resources, a task left to low-level software, e.g., hypervisors. In current architectures, this software forms a single point of failure (SPoF) and a worthwhile target for attacks: once compromised, adversaries can gain access to all information and full control over the platform and the environment it controls, for instance by means of privilege escalation and resource allocation. Currently, solutions to protect low-level software often rely on a simpler, underlying trusted layer which is often a SPoF itself and/or exhibits downgraded performance. Architectural hybridization allows for the introduction of trusted-trustworthy components, which combined with fault and intrusion tolerance (FIT) techniques leveraging replication, are capable of safely handling critical operations, thus eliminating SPoFs. Performing quorum-based consensus on all critical operations, in particular privilege management, ensures no compromised low-level software can single handedly manipulate privilege escalation or resource allocation to negatively affect other system resources by propagating faults or further extend an adversary’s control. However, the performance impact of traditional Byzantine fault tolerant state-machine replication (BFT-SMR) protocols is prohibitive in the context of MPSoCs due to the high costs of cryptographic operations and the quantity of messages exchanged. Furthermore, fault isolation, one of the key prerequisites in FIT, presents a complicated challenge to tackle, given the whole system resides within one chip in such platforms. There is so far no solution completely and efficiently addressing the SPoF issue in critical low-level management software. It is our aim, then, to devise such a solution that, additionally, reaps benefit of the tight-coupled nature of such manycore systems. In this thesis we present two architectures, using trusted-trustworthy mechanisms and consensus protocols, capable of protecting all software layers, specifically at low level, by performing critical operations only when a majority of correct replicas agree to their execution: iBFT and Midir. Moreover, we discuss ways in which these can be used at application level on the example of replicated applications sharing critical data structures. It then becomes possible to confine software-level faults and some hardware faults to the individual tiles of an MPSoC, converting tiles into fault containment domains, thus, enabling fault isolation and, consequently, making way to high-performance FIT at the lowest level. [less ▲]

Detailed reference viewed: 48 (6 UL)
Full Text
Peer Reviewed
See detailTo verify or tolerate, that’s the question
Pinto Gouveia, Ines UL; Sakr, Mouhammad UL; Graczyk, Rafal UL et al

Scientific Conference (2021, December 06)

Formal verification carries the promise of absolute correctness, guaranteed at the highest level of assurance known today. However, inherent to many verification attempts is the assumption that the ... [more ▼]

Formal verification carries the promise of absolute correctness, guaranteed at the highest level of assurance known today. However, inherent to many verification attempts is the assumption that the underlying hardware, the code-generation toolchain and the verification tools are correct, all of the time. While this assumption creates interesting recursive verification challenges, which already have been executed successfully for all three of these elements, the coverage of this assumption remains incomplete, in particular for hardware. Accidental faults, such as single-event upsets, transistor aging and latchups keep causing hardware to behave arbitrarily in situations where such events occur and require other means (e.g., tolerance) to safely operate through them. Targeted attacks, especially physical ones, have a similar potential to cause havoc. Moreover, faults of the above kind may well manifest in such a way that their effects extend to all software layers, causing incorrect behavior, even in proven correct ones. In this position paper, we take a holistic system-architectural point of view on the role of trusted-execution environments (TEEs), their implementation complexity and the guarantees they can convey and that we want to be preserved in the presence of faults. We find that if absolute correctness should remain our visionary goal, TEEs can and should be constructed differently with tolerance embedded at the lowest levels and with verification playing an essential role. Verification should both assure the correctness of the TEE construction protocols and mechanisms as well as help protecting the applications executing inside the TEEs. [less ▲]

Detailed reference viewed: 60 (2 UL)
Full Text
Peer Reviewed
See detailBridging the space systems performance-reliability gap for future deep space resources exploration and exploitation.
Pinto Gouveia, Ines UL; Graczyk, Rafal UL; Volp, Marcus UL

Poster (2021, April)

In building equipment for space exploitation, one has to trade system robustness for the high processing capabilities and low energy consumption. The high performance, low robustness approach, is ... [more ▼]

In building equipment for space exploitation, one has to trade system robustness for the high processing capabilities and low energy consumption. The high performance, low robustness approach, is acceptable, especially in Earths’ vicinity. However, in more demanding (especially high-radiation) environments, attempts had disappointing outcomes. The processing-reliability gap, between highly reliable and highly performant systems, spans 2-3 orders of magnitude. This gap brings hope, that some of this excess processing power can be utilized, in building a combination of hardware and software mechanisms that is capable of increasing robustness and resilience of otherwise susceptible semiconductor devices, while allowing to harness the remaining processing power to build affordable space systems with large degrees of autonomy, rich functionality and high bandwidth. At the CritiX research group, we aim to bridge this performance-reliability gap, by researching the enabling building blocks for constructing more reliable and more secure System-on-Chips. [less ▲]

Detailed reference viewed: 60 (10 UL)
Full Text
See detailBehind the Last Line of Defense -- Surviving SoC Faults and Intrusions
Pinto Gouveia, Ines UL; Volp, Marcus UL; Esteves-Verissimo, Paulo UL

E-print/Working paper (2020)

Today, leveraging the enormous modular power, diversity and flexibility of manycore systems-on-a-chip (SoCs) requires careful orchestration of complex resources, a task left to low-level software, e.g ... [more ▼]

Today, leveraging the enormous modular power, diversity and flexibility of manycore systems-on-a-chip (SoCs) requires careful orchestration of complex resources, a task left to low-level software, e.g. hypervisors. In current architectures, this software forms a single point of failure and worthwhile target for attacks: once compromised, adversaries gain access to all information and full control over the platform and the environment it controls. This paper proposes Midir, an enhanced manycore architecture, effecting a paradigm shift from SoCs to distributed SoCs. Midir changes the way platform resources are controlled, by retrofitting tile-based fault containment through well known mechanisms, while securing low-overhead quorum-based consensus on all critical operations, in particular privilege management and, thus, management of containment domains. Allowing versatile redundancy management, Midir promotes resilience for all software levels, including at low level. We explain this architecture, its associated algorithms and hardware mechanisms and show, for the example of a Byzantine fault tolerant microhypervisor, that it outperforms the highly efficient MinBFT by one order of magnitude. [less ▲]

Detailed reference viewed: 244 (32 UL)