C. El Salloum

Vienna University of Technology, Vienna, Vienna, Austria


Publications (11) · 1.27 Total impact

  • Source
    Conference Proceeding: Authentication in Time-Triggered Systems Using Time-Delayed Release of Keys
    A. Wasicek, C. El-Salloum, H. Kopetz
    ABSTRACT: This paper investigates the security of time-triggered transmission channels, which are used to establish a predictable and timely message transfer in a distributed embedded system with potential safety constraints. Within such a system, safety and security are closely related, because malicious attacks can have an impact on a system's safety and thereby cause severe damage. An attacker could masquerade as an original sender and try to alter some system parameters by injecting malicious messages into the system. In the embedded real-time systems domain, the authenticity of data items is of particular interest, because a lack of integrity can lead to incorrect or erroneous system behavior. In addition, we address the open research question of how a common notion of time can contribute to a system's security. Our solution encompasses an authentication protocol to secure time-triggered transmission channels. We illustrate two attack scenarios (insertion and substitution) that aim at injecting fake messages into such a channel, thereby corrupting the internal system state of a receiver. We discuss the feasibility of several key management strategies for embedded systems and describe an authentication protocol using time-delayed release of symmetric keys for time-triggered systems. In a case study we implement the protocol for a prototype Time-Triggered Ethernet (TTE) system. The insight gained from the evaluation is that the computation of the cryptographic algorithms consumes most resources. Our solution shows that authentication can be transparently applied to a time-triggered system, exploiting the available global time base and without violating its timeliness properties.
    Object/Component/Service-Oriented Real-Time Distributed Computing (ISORC), 2011 14th IEEE International Symposium on; 05/2011
  • Source
    Conference Proceeding: A System-on-a-Chip Platform for Mixed-Criticality Applications
    A. Wasicek, C. El-Salloum, H. Kopetz
    ABSTRACT: High-integrity systems are deployed in order to realize safety-critical applications. To meet the rigorous requirements in this domain, these systems require a sophisticated approach to design, verification, and certification. Not only safety considerations have an impact on a product's overall dependability, but security also has to be taken into account. In this paper we analyze the Time-Triggered System-on-Chip (TTSoC) architecture, which is a novel architecture for Multi-Processor System-on-Chip (MPSoC) devices, regarding its security properties. We discuss essential compliance criteria to the Multiple Independent Layers of Security (MILS) architecture, which is an industry-ready architecture for embedded high-integrity systems. We found that both architectures share intrinsic properties, and we are able to show that the TTSoC architecture implements the core requirements of a MILS Separation Kernel and thus realizes its elementary security policies by design.
    Object/Component/Service-Oriented Real-Time Distributed Computing (ISORC), 2010 13th IEEE International Symposium on; 06/2010
  • Source
    Article: From a Federated to an Integrated Automotive Architecture
    R. Obermaisser, C. El Salloum, B. Huber, H. Kopetz
    ABSTRACT: This paper describes an integrated system architecture for automotive electronic systems based on multicore systems-on-chips (SoCs). We integrate functions from different suppliers into a few powerful electronic control units using a dedicated core for each function. This work is fueled by technological opportunities resulting from recent advances in the semiconductor industry and the challenges of providing dependable automotive electronic systems at competitive costs. The presented architecture introduces infrastructure IP cores to overcome key challenges in moving to automotive multicore SoCs: a time-triggered network-on-a-chip with fault isolation for the interconnection of functional IP cores, a diagnostic IP core for error detection and state recovery, a gateway IP core for interfacing legacy systems, and an IP core for reconfiguration. This paper also outlines the migration from today's federated architectures to the proposed integrated architecture using an exemplary automotive E/E system.
    IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems 08/2009; · 1.27 Impact Factor
  • Conference Proceeding: A resource management framework for mixed-criticality embedded systems
    B. Huber, C. El Salloum, R. Obermaisser
    ABSTRACT: Dynamic resource management enables a system to react dynamically to changing resource demands or resource availability. It enables better resource utilization, improved dependability, and power-aware system behavior. This paper examines the application of dynamic resource management for an integrated time-triggered system architecture for embedded systems, which is designed to support mixed-criticality systems, i.e., systems integrating distributed application subsystems (DASs) with different dependability requirements on the same hardware platform. For such systems a vital characteristic is to achieve encapsulation of the hosted DASs and to provide mechanisms for fault isolation. The key challenge addressed in this paper is to preserve these system characteristics despite the presence of dynamic resource allocation. To this end, a resource management framework is presented that provides static resource guarantees for DASs having higher dependability requirements, while facilitating efficient resource utilization for less critical DASs.
    Industrial Electronics, 2008. IECON 2008. 34th Annual Conference of IEEE; 12/2008
  • Source
    Conference Proceeding: The time-triggered System-on-a-Chip architecture
    R. Obermaisser, C. El Salloum, B. Huber, H. Kopetz
    ABSTRACT: It is the objective of the presented System-on-a-Chip (SoC) architecture to provide a predictable integrated execution environment for the component-based design of many different types of embedded applications (e.g., automotive, avionics, consumer electronics). At the core of this architecture is a time-triggered network-on-a-chip for the predictable interconnection of heterogeneous components. A component can be a self-contained computer, including system and application software, an FPGA, or a custom hardware unit. By providing a single uniform interface to all types of components for the exchange of messages, the architecture supports the component-based design of large applications and enables the massive reuse of components. The time-triggered network-on-a-chip offers inherent fault isolation to facilitate the seamless integration of independently developed components, possibly with different criticality levels. Furthermore, mechanisms for integrated resource management support dynamically changing resource requirements (e.g., different operational modes of an application), fault-tolerance, a power-aware system behavior, and the implementation of fault-handling by reconfiguration.
    Industrial Electronics, 2008. ISIE 2008. IEEE International Symposium on; 08/2008
  • Source
    Conference Proceeding: Automotive Software Development for a Multi-Core System-on-a-Chip
    H. Kopetz, R. Obermaisser, C. El Salloum, B. Huber
    ABSTRACT: There are many economic and technical arguments for the reduction of the number of Electronic Control Units (ECUs) aboard a car. One of the key obstacles to achieving this goal is the limited composability, fault isolation and error containment of today's single-processor architectures. However, significant changes in the chip architecture are taking place in order to manage the synchronization, energy dissipation, and fault-handling requirements of emerging billion-transistor SoCs (systems-on-a-chip). The single-processor architecture is replaced by multi-core SoCs that communicate via networks-on-chip (NoC). These emerging multi-core SoCs provide an ideal execution environment for the integration of multiple automotive ECUs into a single SoC. This paper presents a model-based software development method for designing applications using these multi-core SoCs.
    Software Engineering for Automotive Systems, 2007. ICSE Workshops SEAS '07. Fourth International Workshop on; 06/2007
  • Chapter: Error Containment in the Time-Triggered System-On-a-Chip Architecture
    R. Obermaisser, H. Kopetz, C. El Salloum, B. Huber
    05/2007: pages 339-352;
  • Article: Error Containment in the Time-Triggered System-On-a-Chip Architecture
    B. Huber, R. Obermaisser, H. Kopetz, C. El Salloum
    ABSTRACT: The time-triggered System-on-a-Chip (SoC) architecture provides a generic multicore system platform for a family of composable and dependable giga-scale SoCs. It supports the integration of multiple application subsystems of different criticality levels within a single hardware platform. A pivotal property of the architecture is the integrated error containment, which facilitates modular certification, robustness, and composability. By dividing the complete SoC into physically separated components that interact exclusively by the timely exchange of messages on a time-triggered Network-on-a-Chip (NoC), we achieve error containment for both computational and communication resources. The time-triggered design allows protecting the access to the NoC with guardians that are associated with each component. Based on the protection of the time-triggered NoC with inherent predictability and determinism, the architecture also enables error containment for faulty computational results. These value message failures can be masked using active redundancy (e.g., off-chip and on-chip Triple Modular Redundancy (TMR)) or detected using diagnostic assertions on messages. The design of the error containment mechanisms systematically follows a categorization of significant fault classes that an SoC is subject to (e.g., physical/design, transient/permanent). Evidence for the effectiveness of the error containment mechanisms is available through experimental data from a prototype implementation.
    International Federation for Information Processing Digital Library; Embedded System Design: Topics, Techniques and Trends
  • Source
    Article: Supporting Heterogeneous Applications in the DECOS Integrated Architecture
    ABSTRACT: The DECOS integrated time-triggered architecture provides a framework for integrating multiple heterogeneous real-time application subsystems within a single distributed computer system while retaining the fault-isolation, fault-containment and complexity-management benefits of a classic federated system. A central issue in the DECOS architecture is the provision of standardized, validated and certified services that facilitate the development of distributed real-time applications. This paper describes how these services are structured within the architecture in order to satisfy the diverse requirements of heterogeneous applications (e.g. different real-time requirements, different criticality levels). In particular we focus on the reuse of legacy subsystems, and show the feasibility of our concept by implementing a Controller Area Network (CAN) application within the integrated architecture.
  • Source
    Article: Fundamental design principles for embedded systems: The architectural style of the cross-domain architecture GENESYS
    R. Obermaisser, C. El Salloum, B. Huber, H. Kopetz
    ABSTRACT: The GENESYS (Generic Embedded System) project is a European research project that aims to develop a cross-domain architecture for embedded systems. The requirements and constraints for such an architecture are documented in the ARTEMIS strategic research agenda in the form of seven key challenges. This paper presents the architectural style of GENESYS by listing the key architectural principles, such as: strict component orientation, separation of computation from communication, availability of a common time, hierarchical system structure, adherence to message passing, state awareness, fault isolation and integrated resource management. This paper explains how these architectural principles contribute to solving the seven key challenges in the ARTEMIS strategic research agenda.
  • Source
    Article: Error Containment in the Time-Triggered System-On-a-Chip Architecture
    R. Obermaisser, H. Kopetz, C. El Salloum, B. Huber
    ABSTRACT: The time-triggered System-on-a-Chip (SoC) architecture provides a generic multicore system platform for a family of composable and dependable giga-scale SoCs. It supports the integration of multiple application subsystems of different criticality levels within a single hardware platform. A pivotal property of the architecture is the integrated error containment, which facilitates modular certification, robustness, and composability. By dividing the complete SoC into physically separated components that interact exclusively by the timely exchange of messages on a time-triggered Network-on-a-Chip (NoC), we achieve error containment for both computational and communication resources. The time-triggered design allows protecting the access to the NoC with guardians that are associated with each component. Based on the protection of the time-triggered NoC with inherent predictability and determinism, the architecture also enables error containment for faulty computational results. These value message failures can be masked using active redundancy (e.g., off-chip and on-chip Triple Modular Redundancy (TMR)) or detected using diagnostic assertions on messages. The design of the error containment mechanisms systematically follows a categorization of significant fault classes that an SoC is subject to (e.g., physical/design, transient/permanent). Evidence for the effectiveness of the error containment mechanisms is available through experimental data from a prototype implementation.
    International Federation for Information Processing Digital Library; Embedded System Design: Topics, Techniques and Trends

Institutions

  • 2007–2011
    • Vienna University of Technology
      • Institute of Computer Engineering
      Vienna, Vienna, Austria