No full-text available
To read the full-text of this research,
you can request a copy directly from the authors.
Processor Control Flow Monitoring Using Signatured Instruction Streams
Abstract
This paper presents an innovative approach, called signatured instruction streams (SIS), to the on-line detection of control flow errors caused by transient and intermittent faults. At compile time an application program is appropriately partitioned into smaller subprograms, and cyclic codes, or signatures, characterizing the control flow of each subprogram are generated and embedded in the object code. At runtime, special built-in hardware regenerates these signatures using runtime information and compares them to the precomputed signatures. A mismatch indicates the detection of an error. A demonstration system, based on the MC68000 processor, has been designed and built. Fault insertion experiments have been performed using the demonstration system. The demonstration system, using 17 percent hardware overhead, is able to detect 98 percent of faults affecting the control flow and 82 percent of all randomly inserted faults.
... For example, as shown in Figure 1, CFCSS adds some instructions to assign a variable to a unique value (signature) in each basic block, and also adds instructions in each basic block to check if the control flow is coming from a correct predecessor basic block. Several control flow based soft error protection techniques were developed over the last few decades and span across design layers from hardware [11, 23-25, 31, 32], software [2,3,9,15,28,39,40], and hardware-software hybrid techniques [4,10,12,[34][35][36]42]. ...
... ASIS [11] uses a hardware signature generator and watchdog monitor to check the control flow of several processors. (3) Hybrid CFC techniques [4,10,12,[34][35][36]42], in general, involve modifications of program code using a compiler, and modifications in the processor hardware, to monitor the control flow. They apply a mix of software and hardware techniques to detect CFEs. ...
... They essentially directly inject faults that will cause not-successor CFEs and then perform assumption/analysis/simulation/execution to see if their technique can detect the injected fault or not. Three main approaches have been taken by researchers in targeted fault injection when it comes to how and where to insert faults: (i) Assembly code instrumentation used in CFCSS [28] and CFCSS-NA [8], (ii) gdb-based runtime fault injection used in ACCE [40] and CEDA [39], and (iii) fault injection in memory bus used in OSLC [23] and SIS [36]. Researchers have also employed probability based expressions to increase coverage of fault injections and have even used analytic arguments in many instances to explain the effectiveness of their CFC techniques, while comparing with other schemes. ...
Huge leaps in performance and power improvements of computing systems are driven by rapid technology scaling, but technology scaling has also rendered computing systems susceptible to soft errors. Among the soft error protection techniques, Control Flow Checking (CFC) based techniques have gained a reputation of being lightweight yet effective. The main idea behind CFCs is to check if the program is executing the instructions in the right order. In order to validate the protection claims of existing CFCs, we develop a systematic and quantitative method to evaluate the protection achieved by CFCs using the metric of vulnerability. Our quantitative analysis indicates that existing CFC techniques are not only ineffective in providing protection from soft faults, but incur additional performance and power overheads. Our results show that software-only CFC protection schemes increase system vulnerability by 18%--21% with 17%--38% performance overhead and hybrid CFC protection increases vulnerability by 5%. Although the vulnerability remains almost the same for hardware-only CFC protection, they incur overheads of design cost, area, and power due to the hardware modifications required for their implementations.
... Single-bit flips or multi-bit flips can change the control flow of an application or corrupt data. Fault injection studies by Schutte et al. in [171] and Ohlsson et al. in [139] state that between 33% and 77% of all control flow errors are due to transient faults (like Soft Errors). ...
... Along with security, one of the main reliability issues discussed in this thesis is Soft Most watchdog ESM based approaches do not employ a separate processor for control flow checks [40,41,112,171,172]. Watchdog processor based approaches tend to rely on an extra processor for control flow checks [115,123,156]. ...
... Most watchdog ESM based approaches [40,41,112,171] embed the signature in the application binary whereas some [172] embed the signature in the application's instruction stream at the assembly level. Breuer et al. propose the use of a "roving" emulator, which is a processor that is able to emulate the execution of all the other processors or functional units [17]. ...
... Signatured Instruction Streams (SIS) [66] proposed by Schuette & Shen (1987), Path Signature Analysis (PSA) [67] proposed by Namjoo et al. (1982) and Continuous Signature Monitoring (CSM) [68] proposed by Wilken and Shen (1990) are hybrid control flow checkers to detect the errors in the control flow at the fetch and decode stages. These methods have very high detection latency and instructions can change the architecture state before they graduate. ...
... Signatured Instruction Streams (SIS) [66] proposed by Schuette & Shen (1987), Path Signature Analysis (PSA) [67] proposed by Namjoo et al. (1982) and Continuous Signature Monitoring (CSM) [68] proposed by Wilken and Shen (1990) are hybrid control flow checkers to detect the errors in the control flow at the fetch and decode stages. These methods have very high detection latency and instructions can change the architecture state before they graduate. ...
Fault tolerance in multi-core architecture has attracted attention of research community for the past 20 years. Rapid improvements in the CMOS technology resulted in exponential growth of transistor density. It resulted in increased challenges for designing resilient multi-core architecture at the same pace. The article presents a survey of fault tolerant methods like fault detection, recovery, re-configurability and repair techniques for multi-core architectures. Salvaging at micro-architectural and architectural level are also discussed. Gamut of fault tolerant approaches discussed in this article have tangible improvements on the reliability of the multi-core architectures. Every concept in the seminal articles is examined with respect to relevant metrics like performance cost, area overhead, fault coverage, level of protection, detection latency and Mean Time To Failure. The existing literature is critically examined. New research directions in the form of new fault tolerant design alternatives for both homogeneous and heterogeneous multi-core architectures are presented. Brief on an analytical approach for fault tolerating model is suggested for Intel and AMD based modern homogeneous multi-core architecture are presented to enhance the understanding of the readers about the architecture with respect to performance degradation, memory access time and execution time.
... Dynamic code certification has been proposed for software testing. For instance, in [53], compile time signatures are inserted in the binary and are verified by a coprocessor that examines blocks of fetched instructions; the work of [41] uses basic block signatures, embedded into the literal fields of RISC instructions, for the same purpose. In both schemes, the reference signatures are stored unencrypted, so the system can be easily compromised. ...
... To adopt Argus for authenticating executions dynamically, the signatures will have to be encrypted and the delay of decrypting the reference signatures will have to be somehow absorbed. Several software techniques have been proposed to verify control flow at periodic intervals or at specific checkpoint locations [53, 11, 12, 34, 55, 33, 3]. These techniques fail to detect compromises in-between two consecutive checks, relying on the assumption that any compromise can still be detected using pertinent checks at the next point of validation. ...
The construction of trustworthy systems demands that the execution of every piece of code is validated as genuine, that is, the executed codes do exactly what they are supposed to do. Pre-execution validations of code integrity fail to detect run time compromises like code injection, return and jump-oriented programming, and illegal dynamic linking of program modules. We propose and evaluate a generalized mechanism called REV (for Run-time Execution Validator) that can be easily integrated into a contemporary out-of-order processor to validate, as the program executes, the control flow path and instructions executed along the control flow path. To prevent memory from being tainted by compromised code, REV also prevents updates to the memory from a basic block until its execution has been authenticated. Although control flow signature based authentication of an execution has been suggested before for software testing and for restricted cases of embedded systems, their extensions to out-of-order cores is a non-incremental effort from a micro architectural standpoint. Unlike REV, the existing solutions do not scale with binary sizes, require binaries to be altered or require new ISA support and also fail to contain errors and, in general, impose a heavy performance penalty. We show, using a detailed cycle-accurate micro architectural simulator for an out-of-order pipeline implementing the X86 ISA that the performance overhead of REV is limited to 1.87% on the average across the SPEC 2006 benchmarks.
... The arsenal of control flow based soft error protection techniques span across design layers from hardware [3,8,10,15], software [1,5,13,14,19,18,20], and hardware-software hybrid techniques [4,16,17,21]. CFC techniques are attractive since they can often be implemented with much less overhead (as compared to full scale redundancy) and arguably provide a decent error coverage. Papers proposing CFC techniques perform fault injection tests and conclude that their techniques are quite effective in combating soft errors. ...
... Even in targeted fault injection, there is a question of how and where to insert faults. There have been 3 main approaches of targeted fault injection: i) Assembly code instrumentation (most popular), used in CFCSS [14], CFCSS-NA [2], CFCSS-IS [22], ii) gdb-based runtime fault injection used in ACCE [19], CEDA [18], ACFC [20], and iii) fault injection in memory bus, used in OSLC [8], SIS [17]. In addition researchers have attempted to use probability based expressions to increase the coverage of fault injections or even just use analytical subjective arguments to claim the superiority of their CFC technique over others. ...
Control Flow Checking (CFC) based techniques have gained a reputation of providing effective, yet low-overhead protection from soft errors. The basic idea is that if the control flow -- or the sequence of instructions that are executed -- is correct, then most probably the execution of the program is correct. Although researchers claim the effectiveness of the proposed CFC techniques, we argue that their evaluation has been inadequate and can even be wrong! Recently, the metric of vulnerability has been proposed to quantify the susceptibility of computation to soft errors. Laced with this comprehensive metric, we quantitatively evaluate the effectiveness of several existing CFC schemes, and obtain surprising results. Our results show that existing CFC techniques are not only ineffective in protecting computation from soft errors, but that they incur additional power and performance overheads. Software-only CFC protection schemes (CFCSS [14], CFCSS+NA [2], and CEDA [18]) increase system vulnerability by 18% to 21% with 17% to 38% performance overhead; Hybrid CFC protection technique, CFEDC [4] also increases the vulnerability by 5%; While the vulnerability remains almost the same for hardware only CFC protection technique, CFCET [15], they cause overheads of design cost, area, and power due to the hardware modifications required for their implementations.
... The concepts of fault tolerant designs at thread level are itemized in Table 10. [190], Path Signature Analysis (PSA) [191] and Continuous Signature Monitoring (CSM) [192] are hardwaresoftware amalgamated approaches to detect the errors in the control flow at fetch and decode logic. [195,196] is an improved version of EDDI. ...
Reliability has taken centre stage in the development of high-performance computing processors. A Surge of interest is noticeable in recent times in formulating fault and failure models, understanding failure mechanism and strategizing fault mitigation methods for improving the reliability of the system. The article presents a congregation of concepts illustrated one after the other for a better understanding of damages caused by radiation, relevant fault models, and effects of faults. We examine the state of art fault mitigation techniques at the logical layer for digital CMOS based design and SRAM based FPGA. CMOS SRAM structure is the same for both digital CMOS and FPGA. Understanding of resilient SRAM based FPGA is necessary for developing resilient prototypes and it facilitates a faster integration of digital CMOS designs. At the micro-architectural and architectural layer, error detection and recovery methods are discussed for bus-based multi-core systems. The Through silicon via based 3D Network on chip is the prospective solution for integrating many cores on single die. A suitable interconnection approach for petascale computing on many-core systems. The article presents an elaborate discussion on fault models, failure mechanisms, resilient 3D routers, defect tolerance methods for the TSV based 3D NOC many-core systems. Core redundancy, self-diagnosis and distributed diagnosis at the hardware level are examined for many-core systems. The article presents a gamut of fault tolerance solutions from logic level to processor core level in a multi-core and many-core scenario.
... And some verification information such as signatures are also inserted into these smaller sub-programs. When program runs, a special built-in hardware regenerates these verification information and finds the mismatches [14]. This classic CFA method has high fault coverage rate but needs extra hardware support and also needs to modify binary files. ...
Microprocessors in safety-critical system are extremely vulnerable to hacker attacks and circuit crosstalk, as they can modify binaries and lead programs to run along the wrong control flow paths. It is a significant challenge to design a run-time validation method with few hardware modification. In this paper, an efficient control flow validation method named DCM (Dual-Processor Control Flow Validation Method) is proposed basing on dual-processor architecture. Since a burst of memory-access-intensive instructions could block pipeline and cause lots of waiting clocks, the DCM assigns the idle pipeline cycles of the blocked processor to the other processor to validate control flow at run time. An extra lightweight monitor unit in each processor is needed and a special dual-processor communication protocol is also designed to schedule the redundant computing capacity between two processors to do validation tasks better. To further improve the efficiency, we also design a software-based self-validation algorithm to help reduce validation times. The combination of both hardware method and software method can speed up the validation procedure and protect the control flow paths with different emphasis. The cycle-accurate simulator GEM5 is used to simulate two ARMv7-A processors with out-of-order pipeline. Experiment shows the performance overhead of DCM is less than 22% on average across the SPEC 2006 benchmarks.
... These are daunting numbers. Additionally, some of these approaches [5,6] need application code recompilation to compute specific information (hashes of application program's instruction addresses and opcodes) that is later used at runtime to detect attacks. ...
... These are daunting numbers. Additionally, some of these approaches [9,10] need application code recompilation to compute specific information (hashes of application program's instruction addresses and opcodes) that is later used at runtime to detect attacks. And finally, from the best of our knowledge, we could not find in the literature any work able to jointly detect the three above mentioned attack types. ...
... The logical domain of redundant execution[Reinhardt and Mukherjee 2000].48 Basic block signature has been widely explored targeting varied processors[Schuette and Shen 1987;Ragel and Parameswaran 2006]. ...
Today, soft errors are one of the major design technology challenges at and beyond the 22nm technology nodes. This article introduces the soft error problem from the perspective of processor design. This article also provides a survey of the existing soft error mitigation methods across different levels of design abstraction involved in processor design, including the device level, the circuit level, the architectural level, and the program level.
... Another possibility to deal with transient hardware faults is to apply control-flow monitoring (CFM) [78]. According to several research projects [181,155,124], 33-77% of all affecting soft errors result in control-flow errors. Thus, CFM seems to be a promising candidate to enhance the robustness of the system. ...
Memory management is a challenging task and its handling becomes more difficult with the rising complexity of software systems. Embedded systems are predominated by the use of manual storage control and as these systems become more and more extensive, means to assist the programmer in performing correct memory management are required. By using a type-safe language, the use of automated storage control is promoted: Combining the knowledge about a type-safe application, system software and the hardware properties assists the creation of a memory handling that is tailored to a particular system setup: Software can be deployed on several kinds of microcontrollers that may vary in their hardware-specific properties, such as the availability of memories, the address-space layout or their proneness to transient hardware faults. In addition, a program’s non-functional properties, for instance, its predictability, have to be respected during the design of memory management. In this thesis I describe how system- and application-specific memory management for a particular hardware device can be created. I call my approach cooperative memory management (CMM) and it pursues a co-design of memory management by respecting the software quality attributes efficiency and predictability and the hardware property reliability. CMM is a compound of static analyses on type-safe applications and runtime support. For the implementation of my framework, I use the KESO JVM [169] in which I integrated an amended version of an escape analysis to encourage compiler-assisted storage control. Besides safe, automatic stack allocation, I implemented new backends for my escape analysis through which, among other things, I provide an automated solution to regional memory specified in the Real-Time Specification for Java [33]. The use of escape-analysis results ameliorates a program’s reliability by reducing the effects of transient hardware faults. To further improve reliability, I evolved special runtime checks that are able to preserve memory safety in systems prone to transient faults. Besides compiler support, I developed RT-LAGC, a real-time garbage collector to maintain heap objects not managed by regional memory. RT-LAGC is optimized through the compilation process and tailored to the application whose heap memory it manages. I designed CMM’s storage control techniques to be easily exchangeable and extensible by the developer so that static and dynamic analyses can find out which combination of techniques works reasonably well to achieve efficiency, predictability and reliability. By evaluating a comprehensive real-time benchmark and various memory-management configurations I showed, that the developer-assisted co-design approach is able to address the properties reliability, efficiency and predictability.
... So, one effective way for enhancing the reliability of CMPs, is to modify the configuration of software-centric methods, so that the adaptability with the status and load of the CPU become visible in their structure. This paper presents an adaptive and efficient SCFC technique which takes the advantages of multi-core multi-threaded processors, such as parallel execution capabilities, to remove the main drawbacks of the conventional SCFC techniques [21], [22]. ...
In this paper, a software behavior-based technique is presented to detect control-flow errors in multi-core architectures. The analysis of a key point leads to introduction of the proposed technique: employing under-utilized CPU resources in multi-core processors to check the execution flow of the programs concurrently and in parallel with the main executions. To evaluate the proposed technique, a quad-core processor system was used as the simulation environment, and the behavior of SPEC CPU2006 benchmarks were studied as the target to compare with conventional techniques. The experimental results, with regard to both detection coverage and performance overhead, demonstrate that on average, about 94% of the control-flow errors can be detected by the proposed technique, with less performance overhead compared to previous techniques.
This article has been retracted. Link to the retraction 10.2298/FUEE1801155E
... However, soft errors may cause false branch decisions or incorrect values to be stored in temporary variables. In order to guarantee the correctness of the execution and the control flow of the voting procedure itself, we employ the encoded voter concept which combines the ANBD-Code with signatured instruction streams [27]. In this approach, each possible path in the program's control flow is characterized by an offline generated unique static signature S. At runtime, a dynamic signature D is generated depending on the control flow. ...
Commercial-of-the-shelf (COTS) many-core processors are increasingly attractive in the embedded domain due to their low costs. However, while these highly integrated consumer-grade processors can meet the increasing computational demand of mixed-critical real-time applications such as autonomous driving, they are increasingly susceptible to soft errors.
We present a software fault-tolerance mechanism for mixed-critical task sets on many-core processors without specialized hardware support. Our approach is based on N modular redundancy (NMR) combined with a state-preserving repair mechanism, which considers failures in the OS as well. To remedy the voter as a single point of failure, we employ two fail-silent voters that check and repair each other. Our fail-silent voter is created in software by extending the existing encoded voting approach. A discrete-time Markov chain model of our mechanism allows to determine the resulting reliability and availability.
... Data errors may cause unexpected results, while control flow errors (CFE) are generally more serious than data errors since they can cause the program jump to unexpected locations and lead to unpredictable behavior and system crashes, which are security breaches of satellites. Additionally, experiments show that 33%-77% (depending on the type of the processor) of SEU-induced errors are CFEs 4,5 . Therefore, to improve the reliability and security of small satellites, fault tolerant techniques are necessary for detecting and blocking CFEs before damages occur 6 . ...
Single event upset (SEU) effect, caused by highly energized particles in aerospace, threatens the reliability and security of small satellites composed of commercial-off-the-shelves (COTS). SEU-induced control flow errors (CFE) may cause unpredictable behavior or crashes of COTS-based small satellites. This paper proposes a generic software-based control flow checking technique and bipartite graph-based control flow checking (BGCFC). To simplify the types of illegal branches, it transforms the conventional control flow graph into the equivalent bipartite graph. It checks the legality of control flow at runtime by comparing a global signature with the expected value and introduces consecutive IDs and bitmaps to reduce the time and memory overhead. Theoretical analysis shows that BGCFC can detect all types of inter-node CFEs with constant time and memory overhead. Practical tests verify the result of theoretical analysis. Compared with previous techniques, BGCFC achieves the highest error detection rate, lower time and memory overhead; the composite result in evaluation factor shows that BGCFC is the most effective one among all these techniques. The results in both theory and practice verify the applicability of BGCFC for COTS-based small satellites.
... Since each subgraph is a tree, they have only one entry point (root node) and there is a unique path, and hence a unique sequence of instructions, from entry point to each of the exit points. Now the CFG can be constructed where each subgraph of the program graph is represented as a single node and the arcs represent valid control flow between subgraphs [24], [25]. From the CFG the set of elementary paths in a subprogram are identified as follows. ...
Bank switching in embedded processors having partitioned memory architecture results in code size as well as run time overhead. An algorithm and its application to assist the compiler in eliminating the redundant bank switching codes introduced and deciding the optimum data allocation to banked memory is presented in this work. A relation matrix formed for the memory bank state transition corresponding to each bank selection instruction is used for the detection of redundant codes. Data allocation to memory is done by considering all possible permutation of memory banks and combination of data. The compiler output corresponding to each data mapping scheme is subjected to a static machine code analysis which identifies the one with minimum number of bank switching codes. Even though the method is compiler independent, the algorithm utilizes certain architectural features of the target processor. A prototype based on PIC 16F87X microcontrollers is described. This method scales well into larger number of memory blocks and other architectures so that high performance compilers can integrate this technique for efficient code generation. The technique is illustrated with an example.
... In case the service discontinues the watchdog may perform a counter-measure, e.g., initiate a system-wide reset in hope of re-establishing the correct operation of the system. Watchdog processors provide a somewhat more sophisiticated check, most often of the control flow [5], [9]. ...
In this paper, we advocate the idea of a runtime verification unit that complements the standard concept of a watchdog unit commonly employed on a microcontroller. Such a unit provides ways to trigger counter-measures by more expressive conditions than typical watchdog conditions, such as propositions stated in temporal logics. We show a possible application of this unit in a case study where we apply our approach to a real-life example.
Rapid progress in the CMOS technology for the past 25 years has increased the vulnerability of processors towards faults. Subsequently, focus of computer architects shifted towards designing fault-tolerance methods for processor architectures. Concurrently, chip designers encountered high order challenges for designing fault tolerant processor architectures. For processor cores, redundancy-based fault tolerance methods for fault detection at core level, micro-architectural level ,thread level , and software level are discussed. Similar applicable redundancy-based fault tolerance methods for cache memory, and hardware accelerators are presented in the article. Recent trends in fault tolerant quantum computing and quantum error correction are also discussed. The classification of state-of-the-art techniques is presented in the survey would help the researchers to organize their work on established lines.
Error detection is the most important aspect of fault tolerance because a processor cannot tolerate a problem of which it is not aware. Even if the processor cannot recover from a detected error, the processor can still alert the user that an error has occurred and halt. Error detection thus provides, at the minimum, a measure of safety. A safe processor does not do anything incorrect. Without recovery, the processor may not be able to make forward progress, but at least it is safe. It is far preferable for a processor to do nothing than to silently fail and corrupt data.
Computing systems demand stringent security checks to guard themselves against powerful attack vectors. Deployment of the Control Flow Integrity(CFI) checks limit the control flow of a program to a set of valid destinations, derived from the static analysis of the code. CFI checks guarantee the integrity of the executed code, but, they do not guarantee the integrity of execution, as sophisticated attack vectors create attacks that comply with the normal control flow of the program. This paper proposes an application specific, dynamic, execution integrity verification scheme, to detect static and dynamic integrity breaches. The system builds a behaviour model consisting of function call sequences and memory access graphs, to verify the semantic behaviour exhibited by the application. Dynamic variation of the function behaviour is further recorded as Access Graph Variance Vector (AGVV). Temporal sequencing of function calls, together with the memory access graph comparison, yields a two-level integrity verification system. Apart from detecting the deviations from normal behaviour, our proposed method limits the abnormal behaviour from being propagated. Experimental evaluation of the proposed method using applications from MiBench benchmark suite against static integrity breaches shows cent percent verification accuracy with less than 5% false positive rate. The system also identifies the dynamic integrity violation caused by ROP based attacks from the RIPE benchmark suite, indicating an accuracy of 94.44% against dynamic integrity breaches.
Monolithic fault detection methods have low accuracy for comprehensive faults detection, because they can only detect specific type of faults. Therefore, it is necessary to study the combination of fault detection methods to improve the detection accuracy. In this paper, based on the fault propagation on component-based aerospace embedded software architecture, we analyze occur reasons, manifestations and effects of instruction-, component- and system-level faults whose root cause is single event upset (SEU) which is the main reason of aerospace embedded software, and propose a hierarchical fault model to specify characteristics of the three levels faults. And based on the hierarchical fault model, a hierarchical detection method is proposed to combine the three levels monolithic fault detection methods. The experimental results show that the hierarchical fault detection method has higher fault detection accuracy than the monolithic fault detection methods for comprehensive faults detection.
This paper presents a comprehensive software-based technique that is capable of detecting soft errors in embedded systems. Soft errors can be categorized into Control Flow Errors (CFEs) and data errors. The CFEs change the flow of the program erroneously and data errors also change the results. In this paper, a new comprehensive method is presented to detect both (based on combination of authors’ previous works). In order to evaluate the proposed method, a new factor is defined that considers three main parameters simultaneously; namely fault coverage, memory overhead, and performance overhead. Since these parameters are very important in safety critical applications, they should be improved concurrently. The experimental results on SPEC2000 benchmarks show that the Evaluation Factor of the proposed method is 50% better than the Relationship Signatures for Control Flow Checking with Data Validation (RSCFCDV) methods, which are suggested in the literature.
A new simple, inexpensive and time/space efficient signature technique for process monitoring is presented. In this technique, signatures are accumulated to form an m-out-of-n code and the corresponding locations in the memory are tagged. During the run-time, the generated signatures at the tagged locations are monitored using a simple hardware to determine whether they form m-out-of-n codes. This approach offers flexible error latency and high coverage. Results of an experiment conducted to verify the latency are presented. The main advantage of our approach is the requirement of no reference signatures unlike existing techniques leading to both memory and run-time execution time savings. The flexible latency and the low cost hardware will make this technique suitable for critical applications where quick detection of errors is deemed important.
Runtime attacks on memory, such as buffer overflow based stack smashing and code reuse attacks, are common in embedded systems. Control flow integrity (CFI) has been acknowledged as one promising approach to protect against such runtime attacks. However, previous CFI implementations suffer from coarse granularity (which can be circumvented by an advanced attack model) and high-performance overhead. In this paper, first, we present an approach to enforce fine-grained CFI at a basic block level, named basic block CFI (BB-CFI), which aims to defend against aforesaid attacks. The key idea is to verify the target address (TA) of control flow instructions (CFINs) (e.g., call, ret, and jmp), which may be modified by the adversary. BB-CFI contains two stages: 1) offline profiling of the program-to extract the control flow information and 2) runtime control flow checking-to verify the TA of CFINs using the extracted information. We also handle the exceptional cases (e.g., multithreading, C++ exception, and longjump) that are found in complex binaries. Second, we propose an architectural design of control flow checker (CFC), which monitors the program execution during runtime to enforce BB-CFI. For proof of concept, we implement the CFC in field-programmable gate array (FPGA). Our method does not require the modification of the source code or the instruction set architecture. The experimental results demonstrate that BB-CFI is effective against runtime attacks, with 100% verification accuracy. The CFC implementation on FPGA shows <1% performance overhead and a small dynamic power consumption of 78 mW, with very small area footprint.
Object-based distributed systems are becoming increasingly popular since objects provide a secure and easy means of using the abstraction of shared memory. In this paper we develop a new object-based control flow checking technique called (COTM) to detect errors due to hardware faults in such systems. The proposed technique monitors objects and thread flow across objects in two stages. The first stage applies control flow checking for every object invocation. In the second stage, the legality of a terminating thread is examined. Results of fault injection experiments on several applications written in C++ and modified to incorporate the object-based checks show that the proposed technique achieves high fault coverage with low performance overhead.
In this study, we present a new concurrent error-detection scheme by hybrid signature to the on-line detection of control flow errors caused by transient and intermittent faults. The proposed hybrid signature monitoring technique combines the vertical signature scheme with the horizontal signature scheme. We first develop a new vertical signature scheme. The length of vertical signature is adjustable. The attribute of adjustable length can be employed to reduce the length of vertical signature, but at meantime it also decreases the coverage. The rest of signature word can be utilized for the horizontal signature and recording the block length. The horizontal signature can offset the coverage degradation due to the reduction of vertical signature length, and decrease the latency significantly. The simulation is conducted to justify the effectiveness of the proposed technique and compared with the previous schemes.
The main contribution of this research is to integrate the vertical signature, horizontal signature and watchdog timer techniques into a single signature word, and without the using of the memory system equipped with the SECDED code. Therefore, with no increase or even lower of memory space overhead and watchdog processor complexity, our scheme has higher errordetection coverage and much shorter error-detection latency compared with the previous representative techniques.
An approach for assessing the impact of physical injection of transient faults on control flow behaviour is described and evaluated. The fault injection is based on two complementary methods using heavyion radiation and power supply disturbances. A total of 6,000 transient faults was injected into the target microprocessor, an MC6809E 8-bit CPU, running three different benchmark programs. In the evaluation, the control flow errors were distinguished from those that had no effect on the correct flow of control, vis. the control flow OKs. The errors that led to wrong results are separated from those that had no effect on the correct results. The errors that had no effect on either the correct flow or the correct result are specified. Three error detection techniques, namely two software-based techniques and one watchdog timer, were combined and used in the test in order to characterize the detected and undetected errors. It was found that more than 87% of all errors and 93% of the control flow errors could be detected.
This paper presents a new approach to concurrent error detection in multiple processor systems using on-line signature analysis. In this new technique, called On-line Signature Learning and Checking (OSLC), the block identification and the reference signature generation are performed at run time. Many hardware control signals are included in the signatures, which improves the error detection coverage, and the alterations and/or extensions in the compilers, assemblers and loaders are avoided. In OSLC the signatures are stored in the local memory of a watchdog processor, the Checker, which is based on a new principle that reduces the storage requirements of control flow information to less than 2% of the signature overhead. Furthermore, the Checker is very simple and can check several processors concurrently. A demonstration system of this technique has been designed and built. Results of fault injection experiments have shown that 99.4% of instruction type faults can be detected by OSLC with a very short latency (26 μSec). The coverage for general faults is 94.5% and the average latency is 464 sec.
This paper presents an efficient approach to concurrent detection of program execution errors that combines signature monitoring with program encryption. Sources of detectable errors include permanent and transient hardware faults, software and hardware design faults, and computer viruses. Errors are detected by a simple monitor that uses signatures embedded in a compatibly encrypted program. The monitor concurrently decrypts the program using the processor control-bit sequences that are included in the signatures. Computer virus attacks are difficult because details of the processor’s internal operation are needed to attach compatibly encrypted code. Encryption and a small signature cache added to the monitor allow the lowest memory overhead of any proposed signature-monitoring technique. Encryption and the program memory’s error correction/detection code are combined to reduce signature-error detection latency by more than 60 times, while maintaining memory error correction/detection.
Dependability and robustness are essential requirements of embedded systems. It is necessary to develop and integrate mechanisms for a reliable fault detection. Regarding the context of hard real-time computing, such a mechanism should also focus on the correct timing behavior. In this paper, we present results of the fault detection capabilities, i.e., the fault coverage and detection latencies, of a novel timing and control flow checker designed for hard real-time systems. An experimental evaluation shows that more than 65% of injected faults uncaught by processor exceptions can be detected by our technique - at an average detection latency of only 22.1 processor cycles. Errors leading to endless loops can even be reduced by more than 90 %, while the check mechanism causes only very low overhead concerning additional memory usage (15.0% on average) and execution time (12.2% on average). Copyright © (2012) by International Academy, Research, and Industry Association (IARIA).
In recent years, computer systems belonging to large companies, governments as well as personal computers have been experiencing an increasing wave of attacks that disrupt their normal operation or leak sensitive data. This implies in loss of privacy, financial and national security damages. In this context, "computer security" is no longer an afterthought. Dynamic integrity checking has emerged as a possible solution to protect computer systems by thwarting various attacks. In this context, this paper presents ShadowStack, a new dynamic integrity checking technique based on a watchdog implemented in hardware. The watchdog observes specific instructions in the code being executed through the processor pipeline, compares them against reference values generated at runtime and in the event of detecting a tentative of intrusion, the pipeline is stalled and the instructions are not allowed to commit by flushing them from the pipe. The attack type is stack smashing buffer overflow. This threatening type is by far the most common found in the literature. Experimental results obtained throughout simulations demonstrate the technique's efficiency and the corresponding overheads incurred by the use of the proposed approach.
Because majority voting provides both dependability and availability without any noticeable problem with validation, TMR (Triple Modular Redundancy) architectures are often used in highly dependable systems. However, these architectures have several drawbacks for onboard equipments: cost, weight, volume, power consumption and dissipation often lead to difficult problems. In other respects, if duplex architectures allow to reduce some of these problems, they do not provide the same availability characteristics.
In this paper, a software behaviour-based technique is presented to detect control-flow errors in multi-core architectures. The analysis of two key points leads to introduce the proposed technique: (i) employing under-utilized CPU resources in multi-core processors to check the execution flow of the programs in parallel with their executions to moderate the performance overhead of previous software-based techniques, and to enhance the applicability of them in current architectures. (ii) Adjusting the locations of additional statements in a given program in order to increase the ability of detecting possible control-flow errors along with significant reduction in overheads. To evaluate the proposed technique, a quad-core processor system is used as the simulation environment, and the behaviour of several well-known single-and multi-threaded benchmarks have been studied. The experimental results, regarding to both detection coverage and performance overhead, demonstrate that on average about 90% of the control-flow errors can be detected by the proposed technique with just about 10% performance overhead, compared to at least 30% imposed by the previous techniques. Abstract In this paper, a software behaviour-based technique is presented to detect control-flow errors in multi-core architectures. The analysis of two key points leads to introduce the proposed technique: (i) employing under-utilized CPU resources in multi-core processors to check the execution flow of the programs in parallel with their executions to moderate the performance overhead of previous software-based techniques, and to enhance the applicability of them in current architectures. (ii) Adjusting the locations of additional statements in a given program in order to increase the ability of detecting possible control-flow errors along with significant reduction in overheads. To evaluate the proposed technique, a quad-core processor system is used as the simulation environment, and the behaviour of several well-known single-and multi-threaded benchmarks have been studied. The experimental results, regarding to both detection coverage and performance overhead, demonstrate that on average about 90% of the control-flow errors can be detected by the proposed technique with just about 10% performance overhead, compared to at least 30% imposed by the previous techniques.
This book describes fault tolerance techniques based on software and hardware to create hybrid techniques. They are able to reduce overall performance degradation and increase error detection when associated with applications implemented in embedded processors. Coverage begins with an extensive discussion of the current state-of-the-art in fault tolerance techniques. The authors then discuss the best trade-off between software-based and hardware-based techniques and introduce novel hybrid techniques. Proposed techniques increase existing fault detection rates up to 100%, while maintaining low performance overheads in area and application execution time. © Springer International Publishing Switzerland 2014. All rights are reserved.
Sicherheit und Zuverlässigkeit sind in vielen Einsatzgebieten entscheidende Anforderungen an eingebettete Systeme. Jede Fehlfunktion kann negative, wenn nicht gar katastrophale Konsequenzen nach sich ziehen. Es genügt nicht, die funktionale Korrektheit im Vorfeld formal zu beweisen oder durch systematische Testläufe zu überprüfen. Vielmehr ist es nötig, auch jedes Fehlverhalten, das durch Umwelteinflüsse wie Strahlung oder Temperaturschwankungen hervorgerufen wird, durch speziell integrierte Mechanismen zur Laufzeit zu erkennen und eine entsprechende Fehlerbehandlung zu ermöglichen. Im Hinblick auf harte Echtzeitsysteme, in welchen eine verspätete Berechnung wertlos ist, spielt dabei neben der logischen auch die zeitliche Korrektheit der Ausführung eine essenzielle Rolle.
Ziel dieser Arbeit ist es, einen Mechanismus zur Erkennung von logischen und zeitlichen Kontrollflussfehlern in Echtzeitsystemen zu entwickeln. Durch eine besonders feingranulare Arbeitsweise soll die Fehlererkennung möglichst früh stattfinden, um eventuelle Gegenmaßnahmen rechtzeitig vor dem Überschreiten der geforderten Zeitschranken einleiten zu können. Die entworfene Technik verfolgt dazu einen hybriden Ansatz: Der Programmcode wird bereits im Vorfeld mit Kontrollpunkten, sog. Checkpoints instrumentiert, welche sowohl logische als auch temporale Informationen zum Kontrollfluss beinhalten. Zur Laufzeit wertet eine spezielle, an den Prozessor angeschlossene Hardware-Einheit diese Daten aus, um die Korrektheit der Ausführung zu prüfen. Auf diese Weise kann eine rasche Erkennung einer Vielzahl transienter Fehler erfolgen.
Neben einer detaillierten Beschreibung der entwickelten Technik präsentiert diese Arbeit auch eine Referenzimplementierung auf Basis eines echtzeitfähigen Prozessormodells. Anhand von Evaluierungen mit künstlich erzeugten Fehlerfällen kann einerseits die Wirksamkeit des Erkennungsmechanismus, andererseits dessen geringfügiger Zusatzaufwand nachgewiesen werden. Abschließend werden verschiedene Optimierungstechniken vorgestellt und evaluiert, mit deren Hilfe es möglich wird, sowohl die Erkennungsrate zu erhöhen als auch den benötigten Aufwand weiter zu reduzieren.
Security and reliability have become important concerns in the design of computer systems. On one hand, microarchitectural enhancements for security (such as for dynamic integrity checking of code at runtime) have been proposed. On the other hand, independently, microarchitectural enhancements for reliability to detect and tolerate natural faults have also been proposed. A fault in these security enhancements due to alpha particles or aging might potentially pass off maliciously modified instructions as safe, rendering the security enhancements useless. Deliberate fault attacks by attackers can be launched to disable the security enhancements and then launch the well-known security attacks that would otherwise have been detected by these enhancements. We report an integrated microarchitecture support for security and reliability in multicore processors. Specifically, we add integrity checkers to protect the code running on the multiple cores in a multicore processor. We then adapt these checkers to check one another periodically to ensure reliable operation. These checkers naturally can check the other parts of the core. The average performance, power, and area costs for these security-reliability enhancements are 6.42%, 0.73%, and 0.53%, respectively.
Trusted Platform Module (TPM) has gained its popularity in computing systems as a hardware security approach. TPM provides the boot time security by verifying the platform integrity including hardware and software. However, once the software is loaded, TPM can no longer protect the software execution. In this work, we propose a dynamic TPM design, which performs control flow checking to protect the program from runtime attacks. The control flow checker is integrated at the commit stage of the processor pipeline. The control flow of program is verified to defend the attacks such as stack smashing using buffer overflow and code reuse. We implement the proposed dynamic TPM design in FPGA to achieve high performance, low cost and flexibility for easy functionality upgrade based on FPGA. In our design, neither the source code nor the Instruction Set Architecture (ISA) needs to be changed. The benchmark simulations demonstrate less than 1% of performance penalty on the processor, and an effective software protection from the attacks.
The incorporation of error detection and recovery mechanisms becomes mandatory as the probability of the occurrence of transient faults increases. The detection of control flow errors has been extensively investigated in literature. However, only few works have been conducted towards recovery from control-flow errors. Generally, a program is re-executed after error detection. Although re-execution prevents faults from corrupting data, it does not allow the application to run to completion correctly in the presence of an error. Moreover, the overhead of re-execution increases prominently. The current study presents a pure-software method based on encoded signatures to recover from control-flow errors. Unlike general signature monitoring techniques, the proposed method targets not only interblock transitions, but also intrablock and inter-function transitions. After detecting the illegal transition, the program flow transfers back to the block where the error occurred, and the data errors caused by the error propagation are recovered. Fault injection and performance overhead experiments are performed to evaluate the proposed method. The experimental results show that most control flow errors can be recovered with relatively low performance overhead.
Transient faults can affect the behavior of electronic systems, and represent a major issue in many safety-critical applications. This paper focuses on Control Flow Errors (CFEs) and extends a previously proposed method, based on the usage of the debug interface existing in several processors/controllers. The new method achieves a good detection capability with very limited impact on the system development flow and reduced hardware cost: moreover, the proposed technique does not involve any change either in the processor hardware or in the application software, and works even if the processor uses caches. Experimental results are reported, showing both the advantages and the costs of the method.
Increasing use of commercial off-the-shelf (COTS) superscalar processors in industrial, embedded, and real-time systems necessitates the development of error detection mechanisms for such systems. This paper presents an error detection scheme called Committed Instructions Counting (CIC) to increase error detection in such systems. The scheme uses internal Performance Monitoring features and an external watchdog processor (WDP). The Performance Monitoring features enable counting the number of committed instructions in a program. The scheme is experimentally evaluated on a 32-bit Pentium® processor using software implemented fault injection (SWIFI). A total of 8181 errors were injected into the Pentium® processor. The results show that the error detection coverage varies between 90.92 and 98.41%, for different workloads. To verify the experimental results an analytical evaluation of the coverage is also performed.
We propose and experimentally evaluate a technique of authenticating the execution of a program through the continuous run-time validation of control flow. Control flow authentication is useful in detecting security violations that alter the normal flow of control at run time through techniques such as call stack smashing, return and jump-oriented programming. Our technique relies on the use of existing support for branch tracing in contemporary processors, typified by the branch trace store (BTS) mechanism of contemporary Intel x86 server Platforms. In contrast to existing techniques that require code modification, either statically or at run-time, our technique requires no modifications to the binaries, thus preserving binary compatibility. In this paper, we demonstrate how the existing hardware support for branch tracing can be used to perform control flow validation covering each and every executed control flow instruction in an application or the kernel as they run. Although the performance overhead for full and continuous control flow authentication for an entire application is significant, we show how the technique can be used judiciously to selectively perform full and continuous control flow validation of critical functions with a tolerable overhead. As an example of this selective approach, we show how our technique detects security compromises introduced by kernel rootkits with a tolerable overhead.
Robustness and reliability are essential requirements of today's embedded systems. Especially errors in the control flow of a program, e.g. caused by transient errors, may lead to a faulty system behavior potentially with catastrophic consequences. Several methods for control flow checking have been proposed during the last decades. However, these techniques mostly focus on a correct sequence of application parts but not on the correct timing behavior of the control flow, which is essential for hard real-time systems. In this paper, we present a new approach which introduces fine-grained on-line timing checks for hard real-time systems combined with a lightweight control flow monitoring technique. The proposed approach is a hybrid hardware-software technique: We instrument the application code at compile-time by adding checkpoints, which contain temporal and logical information of the control flow. During run-time, a small hardware check unit connected to the core reads the instrumented data in order to verify the correctness of the application's control flow and timing behavior. The finegrained functionality of our mechanism allows a detection of many transient errors, associated with very low detection latency. It is no longer necessary to redundantly execute code in order to monitor anomalies. The hardware overhead is limited to a small check unit (only 0.5 % of chip space compared to the processor core); according to experimental results, the execution time overhead is only 10.6 % in the average case while the memory overhead is 12.3 %.
The enormous growth in integration density enables to build processors with more and more cores on a single die, but also makes them orders of magnitude more vulnerable to faults due to voltage fluctuation, radiation, and process variations [4] etc. Since this trend will continue in the future, fault-tolerance mechanisms must be an essential part of such future systems if the computations are to be carried out on a reliable basis. Already, chip manufacturers have taken measures to handle faults in current multi-core processors such as error correcting codes for busses, caches etc. With a huge number of cores, common strategies like dual modular and triple modular redundant processing [5] along with massive parallel computing are possible. Threaded dataflow execution models are one way to exploit the parallelism of future 1000 core systems. Current GPU architectures reflect that [3]. The side-effect free execution of threads within the dataflow execution model can not only be used to provide massive parallel computational capacity, but also enables simple and efficient rollback mechanisms [16]. In this paper, we describe fault detection and tolerance mechanisms investigated within the TERAFLUX EC project [17], which offers a solution to exploit the massive parallelism offered by dataflow architectures at all abstraction levels.
Dependability is a crucial requirement of today's embedded systems. To achieve a higher level of fault tolerance, it is necessary to develop and integrate mechanisms for a reliable fault detection. In the context of hard real-time computing, such a mechanism should also guarantee correct timing behavior, an essential requirement for these systems. In this paper, we present results of the fault coverage of a lightweight timing and control flow checker for hard real-time systems. An experimental evaluation shows that more than 30% of injected faults can be detected by our technique, while the number of errors leading to an endless loop is reduced by around 80 %. The check mechanism causes only very low overhead concerning additional memory usage (15.0% on average) and execution time (12.2% on average).
The number of attacks on embedded processors is on the rise. Attackers exploit vulnerabilities in the software to launch new attacks and get unauthorized access to sensitive information stored in these devices. Several solutions have been proposed by both the academia and the industry to protect the programs running on these embedded-processor based computer systems. After a description of the several attacks that threaten a computer system, this paper surveys existing defenses - software-based and hardware-based (watchdog checkers, integrity trees, memory encryption, and modification of processor architecture), that protect against such attacks. This paper also provides a comparative discussion of their advantages and disadvantages.
High performance and low power consumption have traditionally been the primary design goals for computer architects. With computer systems facing a wave of attacks that disrupt their normal execution or leak sensitive data, computer security is no longer an afterthought. Dynamic integrity checking has emerged as a possible solution to protect computer systems by thwarting various attacks. Dynamic integrity checking involves calculation of hashes of the instructions in the code being executed and comparing these hashes against corresponding precomputed hashes at runtime. The processor pipeline is stalled and the instructions are not allowed to commit until the integrity check is complete. Such an approach has severe performance implications as it stalls the pipeline for several cycles. In this paper, we propose a hardware-based dynamic integrity checking approach that does not stall the processor pipeline. We permit the instructions to commit before the integrity check is complete, and allow them to make changes to the register file, but not the data cache. The system is rolled back to a known state if the checker deems the instructions as modified. Our experiments show an average performance overhead of 1.66%, area overhead of 4.25%, and a power overhead of 2.45% over a baseline processor.
This paper describes a software redundancy technique allowing run time checking of the control structure of concurrent processes. The proposed idea leads to implementing the system in two distinct parts: an ″observer″ and a ″worker″ . The observer implements a Petri net-based abstract model of high level control specifications. The worker is composed of the set of running processes, implemented by standard methods. The basic principle consists of comparing at run time the current control states of both worker and observer through checkpoints. Both formal description and actual implementation are analyzed.
N-version programming is defined as the independent generation of N greater than equivalent to 2 functionally equivalent programs from the same initial specification. A methodology of N-version programming has been devised and three types of special mechanisms have been identified that are needed to coordinate the execution of an N-version software unit and to compare the correspondent results generated by each version. Two experiments have been conducted to test the feasibility of N-version programming. The results of these experiments are discussed. In addition, constraints are identified that must be met for effective application of N-version programming.
This paper presents a new concept of on-line control flow monitoring called Roving Monitoring. This technique utilizes a special purpose roving monitoring processor in order to provide continuous and concurrent checking of instruction level control flow in multiple processor systems. The roving monitoring processor is time shared among several application processors to reduce overall monitoring overhead. The design and implementation of a roving monitoring processor with a novel architecture is presented. The roving monitoring concept is shown to be quite feasible.
A control flow checking scheme capable of detecting control flow errors of programs resulting from software coding errors, hardware malfunctions, or memory mutilation during the execution of the program is presented. In this approach, the program is partitioned into loop-free intervals and a database containing the path information in each of the loop-free intervals is derived from the detailed design. The path in each loop-free interval actually traversed at run time is recorded and then checked against the information provided in the database, and any discrepancy indicates an error. This approach is general, and can detect all uncompensated illegal branches. Any uncompensated error that occurs during the execution of a loop-free interval and manifests itself as a wrong branch within the loop-free interval or right after the completion of execution of the loop-free interval is also detectable. The approach can also be used to check the control flow in the testing phase of program development. The capabilities, limitations, implementation, and the overhead of using this approach are discussed.
This paper specifies procedures for defining a monitor circuit that can detect faults in microprogram sequencers. The monitor and the sequencer operate in parallel and errors are detected by comparing outputs from the monitor circuit with outputs from the sequencer. Faults that cause errors in the flow of control are detectable, as well as some faults that cause errors only in the microinstruction fields. The design procedure presented for monitors consists of four parts. First, a model of the program flow is constructed that only retains the information required to define a monitor. Second, faults in a specified fault set are modeled by the errors they cause in the program flow model. Third, the functional requirements of the monitor are specified in terms of partitions on the states of the program flow model. Fourth, the logic design of the monitor is completed.
The use of watchdog processors in the implementation of Structural Integrity Checking (SIC) is described. A model for ideal SIC is given in terms of formal languages and automata. Techniques for use in implementing SIC are presented. The modification of a Pascal compiler into an SIC Pascal preprocessor is summarized.
Backward error recovery is an integral part of the recovery block scheme that has been advanced as a method for providing tolerance against faults in software; the recovery cache has been proposed as a mechanism for providing this error recovery capability. This correspondence describes a recovery cache that has been built for the PDP-11 family of machines. This recovery cache has been designed to be an "add-on" unit which requires no hardware alterations to the host CPU but which intersects the bus between the CPU and the memory modules. Specially designed hardware enables concurrent operation of the recovery cache and the host system, and aims to minimize the overheads imposed on the host.
Concurrent system-level error detection techniques using a watchdog processor are surveyed. A watchdog processor is a small and simple coprocessor that detects errors by monitoring the behavior of a system. Like replication, it does not depend on any fault model for error detection. However, it requires less hardware than replication. It is shown that a large number of errors can be detected by monitoring the control flow and memory-access behavior. Two techniques for control-flow checking are discussed and compared with current error-detection techniques. A scheme for memory-access checking based on capability-based addressing is described. The design of a watchdog for performing reasonable checks on the output of a main processor by executing assertions is discussed.< >
This paper is intended to be both a tutorial on hardware testing and a brief survey of existing techniques. Testing is discussed at all levels in the digital system hierarchy as well as at every stage of a system's life. The paper is organized into three parts. In the first part, fundamental concepts are presented. The second part reviews various testing techniques, with special emphasis on those that have gained wide acceptance. Finally, design techniques which promise to produce "easily testable" hardware are explored.
Possibilities and boundaries for the use of control sequence checking
- S Bologna
- W Ehrenberger
S. Bologna and W. Ehrenberger, "Possibilities and boundaries for the use of control sequence checking," in Proc. 8th Int. Fault-Tolerant Comput. Symp., June 1978, p. 226.
Concurrent error detection and recovery using signatured instruction streams
- B Aglietti
- M A Schuette
- J P Shen
B. Aglietti, M. A. Schuette, and J. P. Shen, "Concurrent error detection and recovery using signatured instruction streams," Dep. Elec. Comput. Eng., Carnegie-Mellon Univ., May, 1985, Pittsburgh, PA, Tech. Rep.