Prototype of fault adaptive embedded software for large-scale real-time systems

This paper describes a comprehensive prototype of large-scale fault adaptive embedded software developed for the proposed Fermilab BTeV high energy physics experiment. Lightweight self-optimizing agents embedded within Level 1 of the prototype are responsible for proactive and reactive monitoring and mitigation based on specified layers of competence. The agents are self-protecting, detecting cascading failures using a distributed approach. Adaptive, reconfigurable, and mobile objects for reliablility are designed to be self-configuring to adapt automatically to dynamically changing environments. These objects provide a self-healing layer with the ability to discover, diagnose, and react to discontinuities in real-time processing. A generic modeling environment was developed to facilitate design and implementation of hardware resource specifications, application data flow, and failure mitigation strategies. Level 1 of the planned BTeV trigger system alone will consist of 2500 DSPs, so the number of components and intractable fault scenarios involved make it impossible to design an ‘expert system’ that applies traditional centralized mitigative strategies based on rules capturing every possible system state. Instead, a distributed reactive approach is implemented using the tools and methodologies developed by the Real-Time Embedded Systems group.     

A compiler-hardware approach to software protection for embedded systems

Because of their rapid growth in recent years, embedded systems present a new front in vulnerability and an attractive target for attackers. Their pervasive use, including sensors and mobile devices, makes it easier for an adversary to gain physical access to facilitate both attacks and reverse engineering of the system. This paper describes a system - CODESSEAL - for software protection and evaluates its overhead. CODESSEAL aims to protect embedded systems from attackers with enough expertise and resources to capture the device and attempt to manipulate not only software, but also hardware. The protection mechanism involves both a compiler-based software tool that instruments executables and an on-chip FPGA-based hardware component that provides run-time integrity and control flow checking on the executable code. The use of reconfigurable hardware allows CODESSEAL to provide such security services as confidentiality, integrity and program-flow protection in a platform-independent manner without requiring a redesign of the processor. Similarly, the compiler instrumentation hides the security details from software developers. Software and data protection techniques are presented for our system and a performance analysis is provided using cycle accurate simulation. Our experimental results show that protecting instructions and data with a high level of security can be achieved with low performance penalty, in most cases less than 10%.     

A software integration approach for designing and assessing dependable embedded systems

Embedded systems increasingly entail complex issues of hardware-software (HW-SW) co-design. As the number and range of SW functional components typically exceed the finite HW resources, a common approach is that of resource sharing (i.e., the deployment of diverse SW functionalities onto the same HW resources). Consequently, to result in a meaningful co-design solution, one needs to factor the issues of processing capability, power, communication bandwidth, precedence relations, real-time deadlines, space, and cost. As SW functions of diverse criticality (e.g. brake control and infotainment functions) get integrated, an explicit integration requirement need is to carefully plan resource sharing such that faults in low-criticality functions do not affect higher-criticality functions.On this background, the main contribution of this paper is a dependability-driven framework that helps to conduct the integration of SW components onto HW resources such that the maintenance of system dependability over integration of diverse criticality components is assured by design.We first develop a clustering strategy for SW components into Fault Containment Modules (FCMs) such that error propagation via interaction is minimized. Subsequently, the rules of composition for FCMs with respect to error propagation are developed. To allocate the resulting FCMs to the existing HW resources we provide several heuristics, each optimizing particular attributes thereof. Further, a framework for assessing the goodness of the achieved HW-SW composition as a dependable embedded system is presented. Two new techniques for quantifying the goodness of the proposed mappings are introduced by examples, both based on a multi-criteria decision theoretic approach.     

基于软件故障注入的嵌入式系统鲁棒性测试

以研究对嵌入式系统鲁棒性进行评价和基于软件故障注入技术的嵌入式系统鲁棒性测试为目的。对嵌入式系统鲁棒性测试的相关概念以及软件故障注入技术原理进行了介绍,以Linux操作系统内核函数测试为例,通过对系统API参数的故障注入接口进行分析,提出基于GDB工具的软件故障注入方法来实现系统鲁棒性故障注入测试。完成了相应的Linux操作系统API接口故障注入测试实例并给出了测试结果。为嵌入式系统鲁棒性测试提供了更为直观、有效的方法。     

Fault tolerant embedded systems design by multi-objective optimization

The design of fault tolerant systems is gaining importance in large domains of embedded applications where design constrains are as important as reliability. New software techniques, based on selective application of redundancy, have shown remarkable fault coverage with reduced costs and overheads. However, the large number of different solutions provided by these techniques, and the costly process to assess their reliability, make the design space exploration a very difficult and time-consuming task. This paper proposes the integration of a multi-objective optimization tool with a software hardening environment to perform an automatic design space exploration in the search for the best trade-offs between reliability, cost, and performance. The first tool is commanded by a genetic algorithm which can simultaneously fulfill many design goals thanks to the use of the NSGA-II multi-objective algorithm. The second is a compiler-based infrastructure that automatically produces selective protected (hardened) versions of the software and generates accurate overhead reports and fault coverage estimations. The advantages of our proposal are illustrated by means of a complex and detailed case study involving a typical embedded application, the AES (Advanced Encryption Standard).     

Experiments on six commercial TCP implementations using a software fault injection tool

TCP, the de facto standard transport protocol in today's operating systems, is a very robust protocol that adapts to various network characteristics, packet loss, link congestion, and even significant differences in vendor implementations. This paper describes a set of experiments performed on six different vendor TCP implementations using ORCHESTRA, a tool for testing and fault injection of communication protocols. These experiments uncovered violations of the TCP protocol specification, and illustrated differences in the philosophies of various vendors in their implementations of TCP. The paper summarizes several lessons learned about the TCP implementations through these experiments. © 1997 John Wiley & Sons, Ltd.     

DFTA在软硬件相关故障诊断中的应用研究

软件密集型系统中由于有大量软件的嵌入,其故障模式发生了变化,产生了新的软硬件相关的故障模式。在分析软硬件相关故障特征的基础上,提出了一种基于动态故障树分析方法的故障诊断方案,并给出了分析方法和步骤。最后通过实例分析,证明了这种方法的可行性。     

A distributed development environment for embedded software

The HAGAR project is building a high-performance disk controller. It is an embedded system for which many hundreds of thousands of lines of embedded software will have to be developed concurrently with the development of the hardware. We found existing methods for embedded software development, such as simulation and remote cross development, to be inadequate for us. To meet our special needs, we developed a distributed development environment that combines and extends the capabilities of existing methods while fixing their drawbacks. Our environment is based on a processor-pool architecture, in which multiple hardware sets are pooled and managed systematically. It supports embedded software development for many programmers at different sites. It allows for the emulation of non-existing hardware adaptor cards and for the integration of embedded software testing with hardware simulation. The environment provides a single system image, hiding many hardware and configuration details from its users. From the perspective of the programmers, our environment makes developing embedded software for special hardware systems as easy as developing application programs for a UNIX workstation.     

Model-driven architecture for embedded software: A synopsis and an example

MDA proposes a new paradigm for software development in general. We claim that MDA could be beneficial for embedded software development, especially if it is extended to address the special needs of embedded systems. The paper consists of two sections: the first is a brief synopsis on how MDA ought to be extended to handle embedded software development, while the second illustrates the concepts in practice using a prototype modeling language and tool chain designed for developing mission computing software.     

Multi-objective hardware–software partitioning of embedded systems: A case study of JPEG encoder

Embedded systems have become integral parts of today's technology-based life, starting from various home appliances to satellites. Such a wide range of applications encourages for their economic design using optimization-based tools. The JPEG encoder is an embedded system, which is applied for obtaining high quality output from continuous-tone images. It has emerged in recent years as a problem of optimum partitioning of its various processes into hardware and software components. Realizing pairing and conflicting nature among its various cost terms, for the first time the JPEG encoder is formulated and partitioned here as a multi-objective optimization problem. A multi-objective binary-coded genetic algorithm is proposed for this purpose, whose effectiveness is demonstrated through the application to a real case study and a number of large-size hypothetical instances.     

Mutation-oriented test data augmentation for GUI software fault localization

ContextFault localization lies at the heart of program debugging and often proceeds by contrasting the statistics of program constructs executed by passing and failing test cases. A vital issue here is how to obtain these “suitable” test cases. Techniques presented in the literature mostly assume the existence of a large test suite a priori. However, developers often encounter situations where a failure occurs, but where no or no appropriate test suite is available for use to localize the fault.ObjectiveThis paper aims to alleviate this key limitation of traditional fault localization techniques for GUI software particularly, namely, it aims at enabling cost-effective fault localization process for GUI software in the described scenario.MethodTo address this scenario, we propose a mutation-oriented test data augmentation technique, which actually is directed by the “similarity” criterion in GUI software’s test case context towards the generation of test suite with excellent fault localization capabilities. More specifically, the technique mainly uses four proposed novel mutation operators to iteratively mutate some failing GUI test cases’ event sequences to derive new test cases potentially useful to localize the specific encountered fault. We then compare the fault localization performance of the test suite generated using this technique with that of an original provided large event-pair adequate test suite on some GUI applications.ResultsThe results indicate that the proposed technique is capable of generating a test suite that has comparable, if not better, fault localization effectiveness to the event-pair adequate test suite, but it is much smaller and it is generated immediately once a failure is encountered by developers.ConclusionIt is concluded that the proposed technique can truly enable quick-start cost-effective fault localization process under the investigated all-too-common scenario, greatly alleviating one key limitation of traditional fault localization techniques and prompting the test–diagnose–repair cycle.     

A component-based process with separation of concerns for the development of embedded real-time software systems

Numerous component models have been proposed in the literature, a testimony of a subject domain rich with technical and scientific challenges, and considerable potential. Unfortunately however, the reported level of adoption has been comparatively low. Where successes were had, they were largely facilitated by the manifest endorsement, where not the mandate, by relevant stakeholders, either internal to the industrial adopter or with authority over the application domain. The work presented in this paper stems from a comprehensive initiative taken by the European Space Agency (ESA) and its industrial suppliers. This initiative also enjoyed significant synergy with interests shown for similar goals by the telecommunications and railways domain, thanks to the interaction between two parallel project frameworks. The ESA effort aimed at favouring the adoption of a software reference architecture across its software supply chain. The center of that strategy revolves around a component model and the software development process that builds on it. This paper presents the rationale, the design and implementation choices made in their conception, as well as the feedback obtained from a number of industrial case studies that assessed them.     

Reliability-driven deployment optimization for embedded systems

One of the crucial aspects that influence reliability of embedded systems is the deployment of software components to hardware nodes. If the hardware architecture is designed prior to the customized software architecture, which is often the case in product-line manufacturing (e.g. in the automotive domain), the system architect needs to resolve a nontrivial task of finding a (near-)optimal deployment balancing the reliabilities of individual services implemented on the software level.In this paper, we introduce an approach to automate this task. As distinct to related approaches, which typically stay with quantification of reliability for a specific deployment, we target multi-criteria optimization and provide the architect with near-optimal (non-dominated) deployment alternatives with respect to service reliabilities. Toward this goal, we annotate the software and hardware architecture with necessary reliability-relevant attributes, design a method to quantify the quality of individual deployment alternatives, and implement the approach employing an evolutionary algorithm.     

Practitioner perceptions of Open Source software in the embedded systems area

There is a growing body of research to show that, with the advent of so-called professional Open Source, attitudes within many organisations towards adopting Open Source software have changed. However, there have been conflicting reports on the extent to which this is true of the embedded software systems sector—a large sector in Europe. This paper reports on attitudes towards Open Source software within that sector. Our results show a high level of acceptance of Open Source products with large, well established communities, and not only at the level of the operating system. Control over the software is seen as fundamentally important. Other key perceptions with Open Source are an easing of long-term maintenance problems and ready availability of support. The classical strengths of Open Source, namely mass inspection, ease of conducting trials, longevity and source code access for debugging, were at the forefront of thinking. However, there was an acknowledgement that more guidelines are needed for assessing Open Source software and incorporating it into products.     

Enriching MATLAB with aspect-oriented features for developing embedded systems

This article presents an approach to enrich the MATLAB¹ language with aspect-oriented modularity features, enabling developers to experiment different implementation characteristics and to acquire runtime data and traces without polluting their base MATLAB code. We propose a language through which programmers configure the low-level data representation of variables and expressions. Examples include specifically-tailored fixed-point data representations leading to more efficient support for the underlying hardware, e.g., digital signal processors and application-specific architectures, without built-in floating point units. This approach assists developers in adding handlers and monitoring features in a non-invasive way as well as configuring MATLAB functions with optimized implementations. Different aspect modules can be used to retarget common MATLAB code bases for different purposes and implementations. We validate the proposed approach with a set of representative examples where we attain a simple way to explore a number of properties. Experiment results and collected aspect-oriented software metrics lend support to the claims on its usefulness.     

Standard Linux for embedded real-time robotics and manufacturing control systems

The main goal of the research presented in this paper is to evaluate the possibility of using standard Linux for embedded real-time applications in robotics and manufacturing as a consequence of dramatic improvements in hardware computing power and free software quality in the last few years. After an accurate analysis of the problems related to make Linux, a native Unix-like fair kernel, real-time, laboratory tests showed that a large variety of applications (up to 1 KHz) can be implemented using Linux and commercial-of-the-shelf hardware. Practical examples of the control systems of an unmanned surface vessel used for robotics research and of a marking machine for steelworks are reported and discussed.     

Combining mutation and fault localization for automated program debugging

This paper proposes a strategy for automatically fixing faults in a program by combining the ideas of mutation and fault localization. Statements ranked in order of their likelihood of containing faults are mutated in the same order to produce potential fixes for the faulty program. The proposed strategy is evaluated using 8 mutant operators against 19 programs each with multiple faulty versions. Our results indicate that 20.70% of the faults are fixed using selected mutant operators, suggesting that the strategy holds merit for automatically fixing faults. The impact of fault localization on efficiency of the overall fault-fixing process is investigated by experimenting with two different techniques, Tarantula and Ochiai, the latter of which has been reported to be better at fault localization than Tarantula, and also proves to be better in the context of fault-fixing using our proposed strategy. Further experiments are also presented to evaluate stopping criteria with respect to the mutant examination process and reveal that a significant fraction of the (fixable) faults can be fixed by examining a small percentage of the program code. We also report on the relative fault-fixing capabilities of mutant operators used and present discussions on future work.     

Diversity and fault avoidance for dependable replication systems

In the hot-standby replication system, the system cannot process its tasks anymore when all replicated nodes have failed. Thus, the remaining living nodes should be well-protected against failure when parts of replicated nodes have failed. Design faults and system-specific weaknesses may cause chain reactions of common faults on identical replicated nodes in replication systems. These can be alleviated by replicating diverse hardware and software. Going one-step forward, failures on the remaining nodes can be suppressed by predicting and preventing the same fault when it has occurred on a replicated node. In this paper, we propose a fault avoidance scheme which increases system dependability by avoiding common faults on remaining nodes when parts of nodes fail, and analyze the system dependability.     

Optimizing CAM-based instruction cache designs for low-power embedded systems

Energy consumption and power dissipation are important concerns in the design of embedded systems and they will become even more crucial with finer process geometry, higher frequencies, deeper pipelines and wider issue designs. In particular, the instruction cache consumes more energy than any other processor module, especially with commonly used highly associative CAM-based implementations.Two energy-efficient approaches for highly associative CAM-based instruction cache designs are presented by means of using a segmented wordline and a predictor-based instruction fetch mechanism. The latter is based on the fact that not all instructions in a given I-cache fetch are used due to taken branches. The proposed Fetch Mask Predictor unit determines which instructions in a cache access will actually be used to avoid fetching any of the other instructions. Both proposed approaches are evaluated for an embedded 4-wide issue processor in 100 nm technology. Experimental results show average I-cache energy savings of 48% and overall processor energy savings of 19%.