Demystifying Soft-Error Mitigation by Control-Flow Checking – A New Perspective on its Effectiveness

Research output: Contribution to journal › Article › Research › peer review

Authors

  • Simon Schuster
  • Peter Ulbrich
  • Isabella Stilkerich
  • Christian Dietrich
  • Wolfgang Schröder-Preikschat

External Research Organisations

  • Friedrich-Alexander-Universität Erlangen-Nürnberg (FAU Erlangen-Nürnberg)
  • Schaeffler Technologies AG & Co. KG

Details

Original language: English
Article number: 180
Journal: ACM Transactions on Embedded Computing Systems
Volume: 16
Issue number: 5s
Publication status: Published - Sept 2017

Abstract

Soft errors are a challenging and urgent problem in the domain of safety-critical embedded systems. For decades, checking schemes have been investigated and improved to mitigate soft-error effects for the class of control-flow faults, with current industrial standards strongly recommending their use. However, reality looks different: Taking a systems perspective, we implemented four representative Control-Flow Checking (CFC) schemes and put them through their paces in 396 fault-injection campaigns. In contrast to previous work, which typically relied on probability-based vulnerability metrics, we accounted for the influence of memory and time overheads on the fault-space dimensions and applied those in full-scan fault injections. This change in procedure alone severely degraded the perceived effectiveness of CFC. In addition, we expanded the perspective to data-flow faults and their influence on the overall susceptibility, an aspect that so far has been largely ignored. Our results suggest that, without accompanying measures, any improvement regarding control-flow faults is dominated by the increase in data faults caused by the increased attack surface in terms of memory and runtime overhead. Moreover, CFC performance depended less on the detection capabilities than on general aspects of the concrete binary compilation and execution. In conclusion, incorporating CFC is not as straightforward as often assumed, and the vulnerability of systems with hardened control flow may in many cases even be increased by the schemes themselves.

Keywords

    Absolute-failurecount metrics, CFC, CFCSS, Control-flow checking, Fault-coverage, Fault-injection experiments, Reliability metrics, Soft error mitigation, Software-based fault tolerance, YACCA


Cite this

Demystifying Soft-Error Mitigation by Control-Flow Checking – A New Perspective on its Effectiveness. / Schuster, Simon; Ulbrich, Peter; Stilkerich, Isabella et al.
In: ACM Transactions on Embedded Computing Systems, Vol. 16, No. 5s, 180, 09.2017.


Schuster S, Ulbrich P, Stilkerich I, Dietrich C, Schröder-Preikschat W. Demystifying Soft-Error Mitigation by Control-Flow Checking – A New Perspective on its Effectiveness. ACM Transactions on Embedded Computing Systems. 2017 Sept;16(5s):180. doi: 10.1145/3126503
@article{23bde0866d384e87a9641537ee9bc541,
title = "Demystifying Soft-Error Mitigation by Control-Flow Checking – A New Perspective on its Effectiveness",
abstract = "Soft errors are a challenging and urging problem in the domain of safety-critical embedded systems. For decades, checking schemes have been investigated and improved to mitigate soft-error effects for the class of control-flow faults, with current industrial standards strongly recommending their use. However, reality looks different: Taking a systems perspective, we implemented four representative Control-Flow Checking (CFC) schemes and put them through their paces in 396 fault-injection campaigns. In contrast to previous work, which typically relied on probability-based vulnerability metrics, we accounted for the influence of memory and time overheads on the fault-space dimensions and applied those in full-scan fault injections. This change in procedure alone severely degraded the perceived effectiveness of CFC. In addition, we expanded the perspective to data-flow faults and their influence on the overall susceptibility, an aspect that so far has been largely ignored. Our results suggest that, without accompanying measures, any improvement regarding control-flow faults is dominated by the increase in data faults caused by the increased attack surface in terms of memory and runtime overhead. Moreover, CFC performance less depended on the detection capabilities than on general aspects of the concrete binary compilation and execution. In conclusion, incorporating CFC is not as straightforward as often assumed and the vulnerability of systems with hardened control-flow may in many cases even be increased by the schemes themselves.",
keywords = "Absolute-failurecount metrics, CFC, CFCSS, Control-flow checking, Fault-coverage, Fault-injection experiments, Reliability metrics, Soft error mitigation, Software-based fault tolerance, YACCA",
author = "Simon Schuster and Peter Ulbrich and Isabella Stilkerich and Christian Dietrich and Wolfgang Schr{\"o}der-Preikschat",
note = "Funding information: This article was presented in the International Conference on Embedded Software 2017 and appears as part of the ESWEEK-TECS special issue. This work is supported by the German Research Foundation (DFG) under grants no. SCHR 603/9-2, the Transregional Collaborative Research Centre “Invasive Computing” (SFB/TR89, Project C1), the Bavarian Ministry of State for Economics under grant no. 0704/883 25 (EU EFRE funds) and the German Federal Ministry of Education and Research with the funding ID 01IS16025 (ARAMiS II). Authors{\textquoteright} addresses: S. Schuster, P. Ulbrich, I. Stilkerich, C. Dietrich, and W. Schr{\"o}der-Preikschat; emails: {schuster, ulbrich}@cs.fau.de, isabella@stilkerich.eu, dietrich@sra.uni-hannover.de, wosch@cs.fau.de. Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from permissions@acm.org. 2017 Copyright is held by the owner/author(s). Publication rights licensed to ACM. ACM 1539-9087/2017/09-ART180 $15.00 https://doi.org/10.1145/3126503",
year = "2017",
month = sep,
doi = "10.1145/3126503",
language = "English",
volume = "16",
journal = "ACM Transactions on Embedded Computing Systems",
issn = "1539-9087",
publisher = "Association for Computing Machinery (ACM)",
number = "5s",

}


TY - JOUR

T1 - Demystifying Soft-Error Mitigation by Control-Flow Checking – A New Perspective on its Effectiveness

AU - Schuster, Simon

AU - Ulbrich, Peter

AU - Stilkerich, Isabella

AU - Dietrich, Christian

AU - Schröder-Preikschat, Wolfgang

N1 - Funding information: This article was presented in the International Conference on Embedded Software 2017 and appears as part of the ESWEEK-TECS special issue. This work is supported by the German Research Foundation (DFG) under grants no. SCHR 603/9-2, the Transregional Collaborative Research Centre “Invasive Computing” (SFB/TR89, Project C1), the Bavarian Ministry of State for Economics under grant no. 0704/883 25 (EU EFRE funds) and the German Federal Ministry of Education and Research with the funding ID 01IS16025 (ARAMiS II). Authors’ addresses: S. Schuster, P. Ulbrich, I. Stilkerich, C. Dietrich, and W. Schröder-Preikschat; emails: {schuster, ulbrich}@cs.fau.de, isabella@stilkerich.eu, dietrich@sra.uni-hannover.de, wosch@cs.fau.de. Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from permissions@acm.org. 2017 Copyright is held by the owner/author(s). Publication rights licensed to ACM. ACM 1539-9087/2017/09-ART180 $15.00 https://doi.org/10.1145/3126503

PY - 2017/9

Y1 - 2017/9

N2 - Soft errors are a challenging and urging problem in the domain of safety-critical embedded systems. For decades, checking schemes have been investigated and improved to mitigate soft-error effects for the class of control-flow faults, with current industrial standards strongly recommending their use. However, reality looks different: Taking a systems perspective, we implemented four representative Control-Flow Checking (CFC) schemes and put them through their paces in 396 fault-injection campaigns. In contrast to previous work, which typically relied on probability-based vulnerability metrics, we accounted for the influence of memory and time overheads on the fault-space dimensions and applied those in full-scan fault injections. This change in procedure alone severely degraded the perceived effectiveness of CFC. In addition, we expanded the perspective to data-flow faults and their influence on the overall susceptibility, an aspect that so far has been largely ignored. Our results suggest that, without accompanying measures, any improvement regarding control-flow faults is dominated by the increase in data faults caused by the increased attack surface in terms of memory and runtime overhead. Moreover, CFC performance less depended on the detection capabilities than on general aspects of the concrete binary compilation and execution. In conclusion, incorporating CFC is not as straightforward as often assumed and the vulnerability of systems with hardened control-flow may in many cases even be increased by the schemes themselves.

AB - Soft errors are a challenging and urging problem in the domain of safety-critical embedded systems. For decades, checking schemes have been investigated and improved to mitigate soft-error effects for the class of control-flow faults, with current industrial standards strongly recommending their use. However, reality looks different: Taking a systems perspective, we implemented four representative Control-Flow Checking (CFC) schemes and put them through their paces in 396 fault-injection campaigns. In contrast to previous work, which typically relied on probability-based vulnerability metrics, we accounted for the influence of memory and time overheads on the fault-space dimensions and applied those in full-scan fault injections. This change in procedure alone severely degraded the perceived effectiveness of CFC. In addition, we expanded the perspective to data-flow faults and their influence on the overall susceptibility, an aspect that so far has been largely ignored. Our results suggest that, without accompanying measures, any improvement regarding control-flow faults is dominated by the increase in data faults caused by the increased attack surface in terms of memory and runtime overhead. Moreover, CFC performance less depended on the detection capabilities than on general aspects of the concrete binary compilation and execution. In conclusion, incorporating CFC is not as straightforward as often assumed and the vulnerability of systems with hardened control-flow may in many cases even be increased by the schemes themselves.

KW - Absolute-failurecount metrics

KW - CFC

KW - CFCSS

KW - Control-flow checking

KW - Fault-coverage

KW - Fault-injection experiments

KW - Reliability metrics

KW - Soft error mitigation

KW - Software-based fault tolerance

KW - YACCA

UR - http://www.scopus.com/inward/record.url?scp=85030697676&partnerID=8YFLogxK

U2 - 10.1145/3126503

DO - 10.1145/3126503

M3 - Article

AN - SCOPUS:85030697676

VL - 16

JO - ACM Transactions on Embedded Computing Systems

JF - ACM Transactions on Embedded Computing Systems

SN - 1539-9087

IS - 5s

M1 - 180

ER -