Semantic guardians for our computers?
If your computer has never crashed, it's because it has been built on another planet. The microprocessors we use are faster and more complex year after year, increasing the risks of being hit by 'functional bugs.' This is why University of Michigan (U-M) researchers have started to develop a system that lets chips work around all functional bugs, even those that haven't been detected. Their 'semantic guardians' will continuously monitor what your computer processor is asked to do -- and by which piece of software. Right now, the researchers have developed a software-based chip simulator, but they want to create a real programmable chip to control our computers. Read more...
The figure above describes how this trusted hardware design flow. "The safe mode is verified thoroughly with formal tools, while the normal mode is validated with focus on the most common functionality. A semantic guardian is then automatically generated and manufactured with the design. The guardian, together with a recovery controller switches the design into the safe mode when any non-validated scenario is observed at runtime." (Credit: Bertacco and Wagner, U-M)
This research work has been led by Valeria Bertacco, an assistant professor in the Department of Electrical Engineering and Computer Science of U-M, with the help of Ilya Wagner, a doctoral student working in the same department. Both belong to the Advanced Computer Architecture Laboratory (ACAL) and have been working on these semantic guardians during the last two years.
How will these guardians work? "The U-M researchers' system would eliminate this risk by building a virtual fence that prevents a chip from operating in untested configurations. The approach keeps track of all the configurations the firm did test, and loads that information onto a miniscule monitor that would be added to each processor. The monitor, called a semantic guardian, keeps the chip operating within its virtual fence. It works by switching the processor into a slower, bare-bones, safe mode when the chip encounters a configuration that has not been validated. In this way, the monitor would treat all untested configurations as potential threats."
Here are some quotes from Bertacco about this system. "If you consider all the possible configurations of the processor, only a tiny fraction of them is verified. But that tiny portion accounts for the configurations that occur 99.9 percent of the time. Users wouldn't even notice when their processor switched to safe mode. It would happen infrequently, and it would only last momentarily, to get the computer through the uncharted territory. Then the chip would flip back to its regular mode."
Will these monitors affect the performance of our computers? The answer is a clear no according to the researchers. "The guardian would take only a small fraction of the microprocessor's area with a imperceptible performance impact, which the researchers assert is a small price to pay to eliminate the risks of buggy hardware." According to IDG News Service (see below), "In their current design, the monitor takes up about 3 percent of the chip's real estate, but they expect that it would be much smaller if ever developed commercially. 'If any commercial company decides to do this it would be much less than 1 percent,' Bertacco said."
Early results of this project have been presented at the Design Automation and Test in Europe Conference in April 2007 in a paper called "Engineering Trust with Semantic Guardians" (PDF format, 6 pages, 597 KB). The above illustration has been extracted from this document. You'll have to read this article by yourself, because even the abstract and the conclusions are too long to post here.
Let's finish by an article from Robert McMillan, "Researchers develop bug-blocking chip monitor" (IDG News Service, September 29, 2008). McMillan looks at last year delays of AMD Barcelona chip because of flaws discovered after launch. "Insight 64 analyst Nathan Brookwood is unconvinced that a semantic guardian would have helped AMD with its Barcelona problem. According to him, there are at least two big problems with this approach: First, it would be hard to keep track of all the tested states on a commercial processor. 'There are a very large number of legitimate states, so I really question whether this is anything that could ever be made to be a practical solution,' he said."
According to McMillan, "security concerns may soon cause chip makers to take a close look at the University of Michigan work. That's because some security experts think that microprocessor bugs may enable a new wave of hacking attacks. [And] Bertacco believes that security concerns could make her semantic guardian more attractive to chip makers. 'The general public is much more sensitive to security,' she said."
Sources: University of Michigan news release, September 29, 2008; and various websites
You'll find related stories by following the links below.