汇编级软硬结合的控制流检测方法

控制流检测技术是防止由于瞬时故障造成程序错误运行的有效手段之一,在ARGOS卫星上测试过的基于汇编语言的软件控制流检测算法CFCSS具有较高的错误检测能力和较低的冗余指令开销,实用性较强,但此算法存在检测混淆和检测出错现象.为此,首先阐述了CFCSS算法中存在的检测混淆和检测出错现象;接下来根据汇编语言特点,修改了基础基本块的选择方法和多调整签名值赋值语句的插入位置,提出了改进的ICFCSS控制流检测算法;为了在ICFCSS算法基础上进一步提高错误检测能力、降低故障延迟时间和冗余指令开销,提出了软硬结合的ICFCSSHS控制流检测方法,此方法在编译程序时只增加了和签名有关的信息,在程序运行时通过译码阶段判指令类型来触发相应的硬件完成控制流检测.实验表明,此方法的冗余代码空间开销比CFCSS算法减少了21.5%,平均未检测出错误率仅为1.5%,具有一定的使用价值.     

一种辐射环境下瞬时故障的软件检测方法

空间辐射环境中,大量的宇宙射线经常导致星载计算机出现瞬时故障,这些瞬时故障致使程序执行出现数据错误或者控制流错误。针对瞬时故障导致的程序错误,本文提出了一种软件实现的故障检测算法SITFT,它结合软件复算和标签分析的方法,既可以检测程序运行中的数据错误,又可以有效检测控制流错误。故障注入实验的结果表明,SIT-FT算法在性能开销比源程序增加58%～111%,存储开销增加153%～225%的前提下,使程序执行出现错误结果的情形比源程序减少了49.0%～73.2%。     

一种控制流错误检测方法的实现

本文介绍了一种控制流错误检测方法的实现。该方法将看门狗定时器、软件看门狗、程序块信号自检和错误捕捉指令等方法有机地结合在一起。看门狗能有效地检测出永久控制流错误,软件看门狗能检测出死循环,而程序块信号自检则能够检测出时间极短的瞬时控制流错误。这种综合检测方法的实现复杂性要比看门狗处理器低得多,同时又能达到一定的检错覆盖率要求,并且检测的延迟时间比较短。     

一种软硬件结合的控制流检测与恢复方法

控制流检测可以有效地提高微处理器容错能力.针对传统软件实现的控制流检测时空开销大的缺点,提出了一种软硬件结合的控制流检测与恢复方法.该方法通过编译自动插入签名数据,由硬件在分支/跳转指令之后自动执行检测,并且提供了硬件现场保存和恢复机制,检测到控制流错误后无需复位系统即可以快速恢复正常控制流.基于8051体系结构实现了软硬件结合的控制流检测与恢复方法,实验结果表明与传统的软件控制流检测相比,该方法在保持相同的错误检测率的情况下,可以大幅减小二进制代码量和额外的性能开销,在发生控制流错误以后可以快速恢复正常控制流.     

基于级联森林的控制流错误检测优化算法

在单粒子翻转引起的瞬时故障中,控制流错误占很大比例.主流的控制流错误软件检测方法依靠插桩标签来检测控制流错误.但基于标签的检测算法很难在标签插桩的开销和错误检测率之间找到一个平衡.本文提出一种智能的基本块拆分方法,在不用修改原有检测算法的基础上,提升控制流错误的检测率,同时尽可能的减小额外开销.首先,使用GDB调试工具...     

一种基于虚拟基本块和格式化标签的控制流检测方法

空间辐射环境中,大量的宇宙射线经常导致星载计算机出现瞬时故障,这些故障的主要影响之一是引发程序控制流错误.文中提出了一种软件实现的控制流检测方法CFCAF.CFCAF基于插入虚拟基本块后的控制流图对基本块分类,并为基本块设计格式化标签,然后在基本块内插装标签更新、比较指令,实现对基本块之间、基本块内和过程间调用的控制流检测.CFCAF的特点是可以根据可靠性和性能的需求进行灵活配置.对CFCAF及目前有代表性的两个同类算法进行的故障注入实验结果表明,CFCAF算法以平均41.7%的性能代价和平均34%的空间代价,使程序的平均失效率降到了5.2%,在3个同类算法中,CFCAF算法具有较低的时空开销和最高的可靠性.     

CFCIB:基于插入块的控制流错误检测方法

为了避免当计算机系统的内部器件发生瞬时或永久性的故障时程序的执行流程发生错误,提出了一种基于插入块的控制流错误检测方法——CFCIB方法.该方法分析程序的控制流图,利用插入新基本块的方式消除混淆错误,在每个基本块的开头和末尾分别插入test和set断言来完成对可执行程序的控制流错误检测.实验结果表明,该方法能将原始程序的平均错误覆盖率从84.31％提升到96.78％.     

一种基于格式化标签的可扩展控制流检测方法

硬件瞬态故障是运行于高辐照宇宙环境下的航天计算机面临的最主要挑战之一.其中,控制流错误是这种故障影响系统可靠性的重要体现.首先在程序控制流图的基础上,利用图着色算法对基本块进行分类,然后基于基本块的格式化标签提出一种有效的控制流检测方法ECCFS,并针对基本块内部和过程间两个控制流检测问题分别给出其扩展解决方法.检测效能分析和故障注入实验的结果都表明,除了伪分支和几个边界检测盲点之外,ECCFS能够检测出绝大部分的控制流错误.与两个有代表性的控制流检测方法相比较,ECCFS在错误检测率和性能开销等方面都具有一定的优势.     

基于表驱动的纯软件签名错误检测算法

针对临时性、间歇性与永久性错误的存在,处理器获取并执行一条不正确的指令将导致控制流错误的发生。为此,在研究通过软件签名的控制流检错(CFDSS)算法的基础上,基于表驱动形式,提出一种纯软件签名错误检测算法(EDSS)。构建二维表(CFID),用于存储控制流图的信息,通过比较基本块中的签名和存储在CFID表中的签名检测出非法的指令跳转。对于CFDSS算法不能有效检测的共享分支扇入节点的非法指令跳转错误,可成功检测出这类错误。实验结果表明,EDSS算法的平均错误检测覆盖率比CFDSS算法高出1.3%,对具有共享分支扇入节点的检错能力平均高出约1.9%。     

一种检测控制流错误的多层分段标签方法

提出一种利用多层分段标签实现的控制流错误检测技术CFMSL,可通过对多层分段标签的更新和检查在线检测出程序的控制流错误。CFMSL在编译时将标签更新与检查指令自动嵌入程序中,从而实现程序运行时的动态检查效果。本文提出的标签设计与计算方法较为新颖,可较大地降低方法的时空开销,并且具有处理复杂程序以及检测细微控制流错误的能力。通过编写的LLVM pass文件,CFMSL具备批量化、自动化处理程序的能力。最后使用本文设计的故障注入工具模拟控制流错误对软件的影响,同时评估CFMSL的错误检测能力与时空开销。实验结果表明,相较于其他方法,CFMSL在保证较高检错能力的同时具有较低时空开销,显示出了本文提出的方法的优越性。     

Tolerating Radiation-Induced Transient Faults in Modern Processors

As MOS device sizes continue shrinking, lower charges, for example those charges carried by single ionizing particles of naturally occurring radiation, are sufficient to upset the functioning of complex modern microprocessors. In order to handle these inevitable errors, designs should include fault-tolerant features so that the processors can continue to correctly perform despite the occurrence of errors. The main goal of this work is to develop architecture mechanisms to protect processors against the effect of such radiation-induced transient faults. It should first be noted that, from a program execution perspective, many faults manifest themselves as control flow errors that cause processors to violate the correct sequencing of instructions. We present here at first a basic compile-time signature assignment algorithm and describe a novel approach to improve the fault detection coverage of the basic algorithm. Moreover, to allow the processor to efficiently check the run-time sequence and detect control flow errors, we introduce an on-chip assigned-signature checker which is capable of executing three additional instructions (SIC, SIJ, SIJC). Second, since the very concept of simultaneous multi-threading (SMT) provides the necessary redundancy, some proposals have been made to run two copies of the same thread on top of SMT platforms in order to detect and correct soft errors. This allows, upon detection of an error, the rolling back of the processor state to a known safe point, and then a retry of the instructions, thereby effecting a completely error-free execution. This paper has focused on two crucial implementation issues introduced by this scheme: (1) the design trade-off between the fault detection coverage versus design costs; (2) the possible occurrence of deadlock situations.     

Using Tag-Match Comparators for Detecting Soft Errors

Soft errors caused by high energy particle strikes are becoming an increasingly important problem in microprocessor design. With increasing transistor density and die sizes, soft errors are expected to be a larger problem in the near future. Recovering from these unexpected faults may be possible by reexecuting some part of the program only if the error can be detected. Therefore it is important to come up with new techniques to detect soft errors and increase the number of errors that are detected. Modern microprocessors employ out-of-order execution and dynamic scheduling logic. Comparator circuits, which are used to keep track of data dependencies, are usually idle. In this paper, we propose various schemes to exploit on-chip comparators to detect transient faults. Our results show that around 50% of the errors on the wakeup logic can be detected with minimal hardware overhead by using the proposed techniques.     

An Approach to Concurrent Control Flow Checking

A control flow checking scheme capable of detecting control flow errors of programs resulting from software coding errors, hardware malfunctions, or memory mutilation during the execution of the program is presented. In this approach, the program is partitioned into loop-free intervals and a database containing the path information in each of the loop-free intervals is derived from the detailed design. The path in each loop-free interval actually traversed at run time is recorded and then checked against the information provided in the database, and any discrepancy indicates an error. This approach is general, and can detect all uncompensated illegal branches. Any uncompensated error that occurs during the execution of a loop-free interval and manifests itself as a wrong branch within the loop-free interval or right after the completion of execution of the loop-free interval is also detectable. The approach can also be used to check the control flow in the testing phase of program development. The capabilities, limitations, implementation, and the overhead of using this approach are discussed.     

A configurable, virtual microprocessor system for instructional usein real-time, real-world studies

A system that allows students to simulate an validate a process plant of their own design, associate I/O channels to the individual components of it, and write a control or sequencer program to control the plant operation using any given assembler is described. Instructors can add a control section to the system that will produce random faults, power failures, and input/output errors in a simulation. With this capability, instructors can test a student's design for completeness, error handling, and fail-safe operation. Some self-correcting faults simulate a repair; the control program restarts as and when appropriate, while other conditions must close the plant down. In the graphics mode of operation the plant design appears as a cartoon with fluid levels altering, pumps switching on and off, and so on, according to the control effected by the student program. The system also displays a trace of the execution and I/O status of the program under execution. If no process design is included, the system can be used to run simple assembler programs on a stand-alone basis. The system was written in response to a need for a teaching tool usable in graduate-level real-time, real-world computing courses     

Self-stabilizing real-time OPS5 production systems

We examine the task of constructing bounded-time self-stabilizing rule-based systems that take their input from an external environment. Bounded response-time and self-stabilization are essential for rule-based programs that must be highly fault-tolerant and perform in a real-time environment. We present an approach for solving this problem using the OPS5 programming language as it is one of the most expressive and widely used rule-based programming languages. Bounded response-time of the program is ensured by constructing the state space graph so that the programmer can visualize the control flow of the program execution. Potential infinite firing sequences, if any, should be detected and the involved rules should be revised to ensure bounded termination. Both the input variables and internal variables are made fault-tolerant from corruption caused by transient faults via the introduction of new self-stabilizing rules in the program. Finally, the timing analysis of the self-stabilizing OPS5 program is shown in terms of the number of rule firings and the comparisons performed in the Rete network.     

Experimental studies of flowchart use at different stages of program debugging

Two experimental studies are described of the effect on performance of alternative program representations in different components of program debugging tasks. The use of diagrammatic notation provides useful information when the debugging task is mainly concerned with tracing execution flow in a program. In more complex tasks involving the identification of procedures commonly used under fault conditions, the use of flowcharts still increases the speed with which faults are identified, and reduces irrelevant testing, but does not reduce the incidence of errors likely to lead to inaccurate fault identification.     

PLC程序控制流分析方法

可编程逻辑控制器（PLC）是工业控制系统的重要组成部分,控制着各类物理设备及工艺流程。无论是攻击者的恶意篡改还是内部人员的编程错误所造成的PLC控制程序错误都将严重威胁设备及人身安全。为解决该问题,提出了针对PLC程序的控制流分析方法。首先,利用flex和bison分析了源代码的词法及语法结构;其次,通过分析抽象语法树（AST）生成并优化了不含指令副作用的中间表示;最后,在中间表示的基础上划分基本块,并以此为基本单元构建了程序的控制流图。实验结果表明,所提方法能够恢复语句表形式PLC程序的控制流结构,为程序理解和安全性分析提供了基础。