Control Flow Error Detection Research Articles

Generic Soft Error Data and Control Flow Error Detection by Instruction Duplication

Transient faults or soft errors are considered one of the most daunting reliability challenges for microprocessors. Software solutions for soft error protection are attractive because they can provide flexible and effective error protection. For instance, nZDC [1] state-of-the-art instruction duplication error protection scheme achieves a high degree of error detection by verifying the results of memory write operations and utilizes an effective control-flow checking mechanism. However, nZDC control-flow checking mechanism is architecture-dependent and suffers from some vulnerability holes. In this work, we address these issues by substituting nZDC control-flow checking mechanism with a general (ISA-independent) scheme and propose two transformations, coarse-grained scheduling, and asymmetric control-flow signatures, for hard-to-detect control flow errors. Fault injection experiments on different hardware components of synthesizable Verilog description of an OpenRISC-based microprocessor reveal that the proposed transformation shows 85% less silent data corruptions compared to nZDC. In addition, programs protected by the proposed scheme run on average around 37% faster than nZDC-protected programs.

A configurable control flow error detection method based on basic block repartition

Radiation-induced soft errors have emerged as a critical issue that must be addressed in fields such as aerospace, where control flow errors they cause could lead to catastrophic consequences. However, existing control flow errors detection methods based on signature analysis typically use a single type of signature to record predecessor–successor relationships, which has limited expressive power and struggles to balance program residual failure rate and time overhead. In response to this, we employ a basic block repartitioning technique to adjust the control flow graph of a program to conform to jump rules we set, and design a novel signature analysis scheme that combines node type signatures with predecessor–successor signatures to detect control flow errors inter basic block. We also improve the signatures mechanism to detect control flow errors intra basic block and inter procedures, thus providing the ability to detect these two types of control flow errors and allowing for flexible configuration based on the reliability requirements of the program. Experimental results show that compared to baselines, the proposed method can ensure a low residual failure rate while maintaining a low time overhead.

Investigating real-time control-flow error detection in hardware: How fast can we detect errors and take action?

Control-flow monitoring is a promising approach to detect early anomalies and program execution deviations in safety and security domains. Many techniques based on branch tracing have been proposed, but there is no model to identify such methods' timing bounds. Critical systems and detection mechanisms operate with real-time constraints, and such a model is sorely needed. We propose here a novel model to estimate latency bounds on trace-based monitoring techniques. We evaluate our trace-based method's detection capabilities and real-time model through two fault injection campaigns. We can detect 98% of all branch opcode faults and 100% of all explicit control-flow errors, providing clearly defined latency bounds.

REPAIR: Control Flow Protection based on Register Pairing Updates for SW-Implemented HW Fault Tolerance

Safety-critical embedded systems may either use specialized hardware or rely on Software-Implemented Hardware Fault Tolerance (SIHFT) to meet soft error resilience requirements. SIHFT has the advantage that it can be used with low-cost, off-the-shelf components such as standard Micro-Controller Units. For this, SIHFT methods apply redundancy in software computation and special checker codes to detect transient errors, so called soft errors, that either corrupt the data flow or the control flow of the software and may lead to Silent Data Corruption (SDC). So far, this is done by applying separate SIHFT methods for the data and control flow protection, which leads to large overheads in computation time. This work in contrast presents REPAIR, a method that exploits the checks of the SIHFT data flow protection to also detect control flow errors as well, thereby, yielding higher SDC resilience with less computational overhead. For this, the data flow protection methods entail duplicating the computation with subsequent checks placed strategically throughout the program. These checks assure that the two redundant computation paths, which work on two different parts of the register file, yield the same result. By updating the pairing between the registers used in the primary computation path and the registers in the duplicated computation path using the REPAIR method, these checks also fail with high coverage when a control flow error, which leads to an illegal jumps, occurs. Extensive RTL fault injection simulations are carried out to accurately quantify soft error resilience while evaluating Mibench programs along with an embedded case-study running on an OpenRISC processor. Our method performs slightly better on average in terms of soft error resilience compared to the best state-of-the-art method but requiring significantly lower overheads. These results show that REPAIR is a valuable addition to the set of known SIHFT methods.

Impact of selectively implementing control flow error detection techniques

Many software-implemented control flow error detection techniques have been proposed over the years. In an effort to reduce their overhead, recent research has focused on selective approaches. However, correctly applying these approaches can be difficult because their respective literature gives little guidance on the practical implementation. This paper aims to address this concern and proposes a new approach. Our new approach is easier to implement and is applicable on any existing control flow error detection technique. To prove its validity, we apply our new approach to five different control flow error detection techniques and perform fault injection experiments. The results show that the selective implementation, while decreasing the imposed overhead, can have a negative impact on error detection ratio.

The method of software reliability increasing for the microprocessors with multi-byte command system

The article considers an original way of software reliability improvement of microprocessor systems with multi-byte command system in case of errors due to accidental failure while execution of the program. Program running errors (control flow errors) mean a discrepancy in the sequence of command codes executed by the microprocessor after the failure occurrence, with the working sequence of commands. The method is based on the preliminary marking of the program memory codes with the help of an additional parity/odd bit and the formation of the signal of the command code reading by microprocessor when accessing the program memory. The article proposes the analytical relations to predict the probability of detection of control flow errors for CISC-processors with any multibyte system of commands based on statistics of commands of different byteness which is contained in the code of the executable program. Along with the detection of control flow errors, all odd errors are also detected while reading the content of any program memory cell.

Dual-Core Lockstep enhanced with redundant multithread support and control-flow error detection

This work presents a new Dual-Core LockStep approach to enhance fault tolerance in microprocessors. The proposed technique is based on the combination of software-based data checking and trace-based control-flow checking through an external hardware module. The hardware module is connected to the trace interface and is able to observe the execution of all the processors in the architecture. The proposed approach has been implemented for a dual core commercial processor. Experimental results demonstrate that the proposed technique has a high error detection capability with up to 99.63% error coverage.

SSCFM: Separate Signature-Based Control Flow Error Monitoring for Multi-Threaded and Multi-Core Environments

Soft error is a key challenge in computer systems. Without soft error mitigation, control flow error (CFE) can lead to system crash. Signature-based CFE monitoring scheme is a representative technique for detecting CFEs during runtime. However, most of the signature-based CFE monitoring schemes proposed thus far are based on a single thread. Currently, the widely used multi-threaded and multi-core environments have greatly improved the performance of the computing system, but, if the these schemes are applied in these environments, performance improvement is difficult to achieve, or rather performance degradation may occur. In this paper, we propose a separate signature-based CFE monitoring (SSCFM) scheme that separates the signature update and the signature verification on the thread level. The signature update is combined with application thread and signature verification and executed on separate monitor threads, so that we can expect performance improvements in multi-threaded or multi-core environments. Furthermore, the SSCFM scheme can fully cover inter-procedural CFE not covered by many signature-based CFE monitoring schemes by using inter-procedural control flow analysis. With the proposed SSCFM scheme, the execution time overhead is reduced by approximately 26.67% on average from the SEDSR scheme, and the average CFE detection rate with SSCFM is approximately 93.69%. In addition, this paper also introduces the LLVM compiler-based SSCFM generator that makes it easy to apply the SSCFM scheme to software applications.

Detecting FNE in Sound Free-choice Petri Net with Data

Nowadays, the development of a third-party service (Express industry) and a third-party payment (Alipay) are very fast in online shopping. Despite there are many technologies to detect control flow errors in business process, the soundness verification in data flow is very hard. To support the design of a workflow, we usually consider the correct control flow structure. However, information about data flow should also be ensured correct. The operation of the system may suffer some external attacks, which makes the task change the read and write operations, which result in changing of control flow structure which would lead to the emergence of unusual system. As a result, our approach provides a new technology to analysis the correctness of sound free-choice Petri net with data (SCDN). With the strong concealment of this attack, the system may suffer false-negative data flow errors (FNE), which would bring some loses to the participants. On the basis of behavioral profiles (BP), redundant data flow errors (RDE) and missing data flow errors (MDE), we provide the theory of FNE to demonstrate the stability, effectiveness and adaptation of our detection methods. Finally, a real E-commerce business system is used to illustrate the practicability of the method provided in this paper.

Random Additive Signature Monitoring for Control Flow Error Detection

Due to harsher working environments, soft errors or erroneous bit-flips occur more frequently in microcontrollers during execution. Without mitigation, such errors result in data corruption and control flow errors. Multiple software-implemented mitigation techniques have already been proposed. In this paper, we evaluate seven signature monitoring techniques in seven different test cases. We measure and compare their detection ratios, execution time overhead, and code size overhead. From the gathered results, we derive five requirements to develop an optimal signature monitoring technique. Based on these requirements, we propose a new signature monitoring technique called random additive signature monitoring (RASM). RASM uses signature updates with random values and optimally placed validity checks to detect interblock control flow errors. RASM has a higher detection ratio, lower execution time overhead, and lower code size overhead than the studied techniques.

Global Optimization of Fixed-Priority Real-Time Systems by RTOS-Aware Control-Flow Analysis

Cyber--physical systems typically target a dedicated purpose; their embedded real-time control system, such as an automotive control unit, is designed with a well-defined set of functionalities. On the software side, this results in a large amount of implicit and explicit static knowledge about the system and its behavior already at compile time. Compilers have become increasingly better at extracting and exploiting such static knowledge. For instance, many optimizations have been lifted up to the interprocedural or even to the whole-program level. However, whole-program optimizations generally stop at the application--kernel boundary: control-flow transitions between different threads are not yet analyzed. In this article, we cross the application--kernel boundary by combining the semantics of a real-time operating system (RTOS) with deterministic fixed-priority scheduling (e.g., OSEK/AUTOSAR, ARINC 653, μITRON, POSIX.4) and the explicit application knowledge to enable system-wide, flow-sensitive compiler optimizations. We present two methods to extract a cross-kernel, control-flow--graph that provides a global view on all possible execution paths of a real-time system. Having this knowledge at hand, we tailor the operating system kernel more closely to the particular application scenario. For the example of a real-world safety-critical control system, we present three possible use cases. (1) Runtime optimizations, by means of specialized system calls for each call site, allow one speed up the kernel execution path by 28% in our benchmark scenario. Furthermore, we target transient hardware fault tolerance with two automated software-based countermeasures: (2) generation of OS state assertions on the expected system behavior, and (3) a system-wide dominator-region based control-flow error detection, both of which leverage significant robustness improvements.

Parallel execution tracing: An alternative solution to exploit under-utilized resources in multi-core architectures for control-flow checking

In this paper, a software behavior-based technique is presented to detect control-flow errors in multi-core architectures. The analysis of a key point leads to introduction of the proposed technique: employing under-utilized CPU resources in multi-core processors to check the execution flow of the programs concurrently and in parallel with the main executions. To evaluate the proposed technique, a quad-core processor system was used as the simulation environment, and the behavior of SPEC CPU2006 benchmarks were studied as the target to compare with conventional techniques. The experimental results, with regard to both detection coverage and performance overhead, demonstrate that on average, about 94% of the control-flow errors can be detected by the proposed technique, with less performance overhead compared to previous techniques. <br><br><font color="red"><b> This article has been retracted. Link to the retraction <u><a href="http://dx.doi.org/10.2298/FUEE1801155E">10.2298/FUEE1801155E</a><u></b></font>

A New Hybrid Nonintrusive Error-Detection Technique Using Dual Control-Flow Monitoring

Hybrid error-detection techniques combine software techniques with an external hardware module that monitor st he execution of a microprocessor. The external hardware module typ- ically observes the control flow at the input or at the output of the microprocessor and compares it with the expected one. This paper proposes a new hybrid technique that monitors the control flow at both points and compares them to detect possible errors. The proposed approach does not require any software modifica- tion to detect control-flow errors. Fault-injection campaigns have been performed on an LEON3 microprocessor. The results show full control-flow error detection with no performance degradation and small area overhead. A complete solution can be obtained by complementing the proposed approach with software fault-toler- ance techniques for data errors.

Software control flow error detection and correlation with system performance deviation

Detecting runtime errors helps avoid the cost of failures and enables systems to perform corrective actions prior to failure occurrences. Control flow errors are major impairments of system dependability during component interactions. Existing control flow monitors are susceptible to false negatives due to possible inaccuracies of the underlying control flow representations. Moreover, avoiding performance overhead and program modifications are major challenges in these monitoring techniques. In this paper, we construct a connection-based signature approach for detecting errors among component interactions. We analyze the monitored system performance and examine the relationship of the captured error state parameters with the system performance deviation. Using the PostgreSQL 8.4.4 open-source database system with randomly injected errors, the experimental evaluation results show a decrease in false negatives using our approach relative to the existing techniques. It also demonstrates a significant ability of identifying the responsible components and error state patterns for system performance deviation.

Software-Based Control Flow Checking Against Transient Faults in Industrial Environments

Mechatronic systems operating in industrial environments are subject to a variety of threats because of harsh conditions. Industrial systems usually use commercial off-the shelf (COTS) equipment which are not robust and safe against hostile conditions and therefore require fault-tolerance considerations. This paper presents a novel and efficient method for online detection of control flow errors, called software-based control flow checking (SCFC). It is implemented purely in software and does not manipulate the hardware architecture of the system. Redundant instructions and signatures are embedded into the program at compile time and are utilized for control flow checking at run time. The signatures of the basic blocks are derived from the program graph. It is shown in the paper that SCFC method can increase single detection capability to 14.7% and the fault coverage to 6.12% averagely in comparison with other methods without any increase in memory and performance overheads. In the paper, besides experimental evaluations, analytical evaluations are also carried out, based on probability principles. The detection ability of each method used is thus computed. These computations verify the experimental results and show that SCFC can detect more errors than other methods suggested in literature. Considering the memory limitations in some (such as space) applications and the trend towards the requirement for faster execution of programs, we suggest a novel metric called fitness parameter which incorporates these. It is a better measure than the previously proposed ones since it considers the fault coverage, the memory overhead and the execution time (performance overhead) of each method simultaneously, as well as the detection capability.

AN EFFECTIVE CONTROL FLOW CHECKING METHOD FOR MULTITASK PROCESSING IN HARSH ENVIRONMENTS

Electronic equipment used in harsh environments such as space has to cope with many threats. One major threat is the intensive radiation which gives rise to Single Event Upsets (SEU) that lead to control flow errors and data errors. In the design of embedded systems to be used in space, the use of radiation tolerant equipment may therefore be a necessity. However, even if the higher cost of such a choice is not a problem, the efficiency of such equipment is lower than the COTS equipment. Therefore, the use of COTS with appropriate measures to handle the threats may be the optimal solution, in which a simultaneous optimization is carried out for power, performance, reliability and cost. In this paper, a novel method is presented for control flow error detection in multitask environments with less memory and performance overheads as compared to other methods seen in the literature.

Intelligent fault-tolerant control for swing-arm system in the space-borne spectrograph

Fault-tolerant control (FTC) for the space-borne equipments is very important in the engineering design. This paper presents a two-layer intelligent FTC approach to handle the speed stability problem in the swing-arm system suffering from various faults in space. This approach provides the reliable FTC at the performance level, and improves the control flow error detection capability at the code level. The faults degrading the system performance are detected by the performance-based fault detection mechanism. The detected faults are categorized as the anticipated faults and unanticipated faults by the fault bank. Neural network is used as an on-line estimator to approximate the unanticipated faults. The compensation control and intelligent integral sliding mode control are employed to accommodate two types of faults at the performance level, respectively. To guarantee the reliability of the FTC at the code level, the key parts of the program codes are modified by control flow checking by software signatures (CFCSS) to detect the control flow errors caused by the single event upset. Meanwhile, some of the undetected control flow errors can be detected by the FTC at the performance level. The FTC for the anticipated fault and unanticipated fault are verified in Synopsys Saber, and the detection of control flow error is tested in the DSP controller. Simulation results demonstrate the efficiency of the novel FTC approach.

CEDA: Control-Flow Error Detection Using Assertions

This paper presents an efficient software technique, control-flow error detection through assertions (CEDA), for online detection of control-flow errors. Extra instructions are automatically embedded into the program at compile time to continuously update runtime signatures and to compare them against preassigned values. The novel method of computing runtime signatures results in a huge reduction in the performance overhead, as well as the ability to deal with complex programs and the capability to detect subtle control-flow errors. The widely used C compiler, GCC, has been modified to implement CEDA, and the SPEC benchmark programs were used as the target to compare with earlier techniques. Fault injection experiments were used to demonstrate the effect of control-flow errors on software and to evaluate the fault detection capabilities of CEDA. Based on a new comparison metric, method efficiency, which takes into account both error coverage and performance overhead, CEDA is found to be much better than previously proposed methods.

On Detecting Data Flow Errors in Workflows

When designing a business workflow, it is customary practice to create the control flow structure first and to ensure its correctness. Information about the flow of data is introduced subsequently into the workflow and its correctness is independently verified. Improper specification of data requirements of tasks and XOR splits can cause problems such as wrong branching at XOR splits and the failure of tasks to execute. Here we present a graph traversal algorithm called GTforDF for detecting data flow errors in both nested and unstructured workflows, and illustrate its operation on realistic examples. Two of these have interconnected loops and are free of control flow errors, and the third one is an unstructured loop-free workflow. Our approach extends and generalizes data flow verification methods that have been recently proposed. It also makes use of the concept of corresponding pairs lately introduced in control flow verification. It thus has the potential for development into a unified algorithmic procedure for the concurrent detection of control flow and data flow errors. The correctness of the algorithm has been proved theoretically. It has also been tested experimentally on many examples.

On-line control flow error detection using relationship signatures among basic blocks

Computer systems operating in space environment are subject to different radiation phenomena, whose effects may lead to a control flow fault occurring in software system, which can cause unpredictable behaviors of computer-based systems. According to the specialty of space environment, We propose a technique called RSCFC (Relationship Signatures for Control Flow Checking) which is based on the partition of programs into basic blocks. Firstly, it exploits the relationship among the blocks, then assigns a signature, into which the relationship is coded, to each basic block. Control flow faults are detected through taking AND operation between the run-time signature and the location info of the current block with extra instructions induced at the beginning and the end of each block. A fault injection experiment was performed with several C benchmark programs. The result suggests that about 33% (20.7–68.8%) of the injected branching faults produced undetected incorrect outputs without RSCFC; however, with RSCFC, the above number declines to 11% (2.8–20.4%). Compared with previous techniques, RSCFC has the characteristics of both high fault coverage and low memory and performance overhead.