Publications & Deliverables
"Computing Safe Contention Bounds for Multicore Resources with Round-Robin and FIFO Arbitration", Gabriel Fernandez, Javier Jalle, Jaume Abella, Eduardo Quiñones, Tullio Vardanega, Francisco J. Cazorla, IEEE Transactions on Computers, 2016
One of Numerous researchers have studied the contention that arises among tasks running in parallel on a multicore processor. Most of those studies seek to derive a tight and sound upper-bound for the worst-case delay with which a processor resource may serve an incoming request, when its access is arbitrated using time-predictable policies such as round-robin or FIFO. We call this value upper-bound delay (ubd). Deriving trustworthy ubd statically is possible when sufficient public information exists on the timing latency incurred on access to the resource of interest. Unfortunately however, that is rarely granted for commercial-of-the-shelf (COTS) processors. Therefore, the users resort to measurement observations on the target processor and thus compute a “measured” ubdm. However, using ubdm to compute worst-case execution time values for programs running on COTS multicore processors requires qualification on the soundness of the result. In this paper, we present a measurementbased methodology to derive a ubdm under round-robin (RoRo) and first-in-first-out (FIFO) arbitration, which accurately approximates ubd from above, without needing latency information from the hardware provider. Experimental results, obtained on multiple processor configurations, demonstrate the robustness of the proposed methodology.
Access open research data.
"Formal Worst-Case Performance Analysis of Time-Sensitive Ethernet with Frame Preemption", Daniel Thiele, Rolf Ernst, 21st IEEE International Conference on Emerging Technologies and Factory Automation, Berlin (Germany), September 6-9 2016
Abstract: One of the key challenges in future Ethernet-based automotive and industrial networks is the low-latency transport of time-critical data. To date, Ethernet frames are sent nonpreemptively. This introduces a major source of delay, as, in the worst-case, a latency-critical frame might be blocked by a frame of lower priority, which started transmission just before the latency-critical frame. The upcoming IEEE 802.3br standard will introduce Ethernet frame preemption to address this problem. While high-priority traffic benefits from preemption, lowerpriority (yet still latency-sensitive) traffic experiences a certain overhead, impacting its timing behavior. In this paper, we present a formal timing analysis for Ethernet to derive worst-case latency bounds under preemption.We use a realistic automotive Ethernet setup to analyze the worst-case performance of standard Ethernet and Ethernet TSN under preemption and also compare our results to non-preemptive implementations of these standards.
"INVITED: Towards Fail-Operational Ethernet Based In-Vehicle Networks", Mischa Möstl, Daniel Thiele, Rolf Ernst, Design Automation Conference (DAC), Austin (USA), June 05-09 2016
Abstract: In the future, vehicles are expected to act more and more autonomously. The transition towards highly automated and autonomous driving will push the safety requirements for in-vehicle networks. Such networks must support isolation between mixed-critical trac (e.g. critical control and non-critical infotainment) and must be fail-operational. This paper will present new concepts and mechanisms to achieve these goals in Ethernet-based networks. It will cover advanced topics such as software dened networking (SDN) to implement isolation, fault recovery, and controlled degradation, e.g. to maintain (degraded) operation until the driver takes over or to reach a safe stop.
"On the Capacity of Thermal Covert Channels in Multicores", Davide Bartolini, Philipp Miedl, Lothar Thiele, EuroSys'16, London (Great Britain), April 18-21 2016
Modern multicore processors feature easily accessible temperature sensors that provide useful information for dynamic thermal management. These sensors were recently shown to be a potential security threat, since otherwise isolated applications can exploit them to establish a thermal covert channel and leak restricted information. Previous research showed experiments that document the feasibility of (lowrate) communication over this channel, but did not further analyze its fundamental characteristics. For this reason, the important questions of quantifying the channel capacity and achievable rates remain unanswered. To address these questions, we devise and exploit a new methodology that leverages both theoretical results from information theory and experimental data to study these thermal covert channels on modern multicores. We use spectral techniques to analyze data from two representative platforms and estimate the capacity of the channels from a source application to temperature sensors on the same or different cores. We estimate the capacity to be in the order of 300 bits per second (bps) for the same-core channel, i.e., when reading the temperature on the same core where the source application runs, and in the order of 50 bps for the 1-hop channel, i.e., when reading the temperature of the core physically next to the one where the source application runs. Moreover, we show a communication scheme that achieves rates of more than 45 bps on the same-core channel and more than 5 bps on the 1-hop channel, with less than 1% error probability. The highest rate shown in previous work was 1.33 bps on the 1-hop channel with 11% error probability.
Access open research data.
"Moving from single-core to multicore: initial findings on a fuel injection case study", M. di Natale, A. Biondi, Y. Sun, S. Botta, SAE Conference, April 2016
Abstract: Several application developers are currently faced with the problem of moving a complex system from a single-core to a multicore platform. The problem encompasses several issues that go from modeling issues (the need to represent the system features of interest with sufficient accuracy) to analysis and optimization techniques, to the selection of the right formulations for constraints that relate to time. We report on the initial findings in a case study in which the application of interest is a fuel injection system. We provide an analysis on the limitations of AUTOSAR and the existing modeling tools with respect to the representation of the parameters of interest for timing analysis, and we discuss applicable optimization methods and analysis algorithms.
"Formal Analysis Based Evaluation of Software Defined Networking for Time-Sensitive Ethernet", Daniel Thiele, Rolf Ernst, DATE Conference, Dresden, March 18 2016
Abstract: Software defined networking (SDN) aims to standardize the control and configuration of network infrastructure. It consolidates network control by moving the network’s control plane to a (logically) centralized controller and downgrading switches to simple forwarding devices. This offers huge advantages for future automotive Ethernet networks, including admission control (e.g. to prevent/limit congestion) or network reconfiguration (e.g. in case of faults), both based on a centralized view of the current network state. SDN’s centralized architecture, however, requires additional communication, which entails a certain overhead. If SDN is used in safety-critical realtime networks, this communication is subject to strict timing requirements. In this paper, we present a formal analysis based evaluation of the general suitability of SDN for time-sensitive networks including overhead, scalability, and timing guarantees by using a realistic automotive setup.
"Formal Worst-Case Timing Analysis of Ethernet TSN’s Burst-Limiting Shaper", Daniel Thiele, Rolf Ernst, DATE Conference, Dresden, March 18 2016
Abstract: Future in-vehicle networks will use Ethernet as their communication backbone. As many automotive applications are latency-sensitive and have strict real-time requirements, a key challenge in automotive network design is the deterministic low-latency transport of latency-critical Ethernet frames. Timesensitive networking (TSN) is an upcoming set of Ethernet standards, which address these requirements by specifying new quality of service mechanisms in the form of different traffic shapers. One of these traffic shapers is the burst-limiting shaper (BLS). In this paper, we evaluate whether BLS is able to fulfill these strict timing requirements. We present a formal timing analysis for BLS in order to compute worst-case latency bounds. We use a realistic automotive Ethernet setup to compare BLS against Ethernet AVB and Ethernet following IEEE 802.1Q.
"Safety considerations for WCET evaluation methods in avionic equipment", Xavier Jean, Sylvain Girbal, Anthony Roger, Thomas Megel, Vincent Brindejonc, 34th Digital Avionics Systems Conference (DASC) 2015
Abstract: Most safety-critical avionics systems are defined as "hard real time". That means they must deliver their function within pre-defined deadlines. Missing a single deadline at system level is considered as a failure condition that may be catastrophic. At software level, this is a single failure that must be mitigated with appropriate means to prevent that failure condition. Real-time requirements are addressed in software components by Worst Case Execution Time (WCET) evaluations. Several methods have been explored in the literature, for which classifications have been proposed according to their techniques and precision of their results. However, these classifications do not consider the contribution of WCET evaluation techniques to safety processes. In this paper, we present a safety process that integrates WCET evaluation on embedded software. This process allows us to highlight the benefits and limits that WCET evaluation methods bring in industrial practices.
"Formal Worst-Case Timing Analysis of Ethernet TSN’s Time-Aware and Peristaltic Shapers", Daniel Thiele, Rolf Ernst, Jonas Diemer, Vehicular Networking Conference (VNC), Kyoto (Japan), December 16-18 2015
Abstract: Ethernet is considered as a future communication standard for distributed embedded systems in the automotive and industrial domains. A key challenge is the deterministic low-latency transport of Ethernet frames, as many safety-critical real-time applications in these domains have tight timing requirements. Time-sensitive networking (TSN) is an upcoming set of Ethernet standards, which (among other things) address these requirements by specifying new quality of service mechanisms in the form of different traffic shapers. In this paper, we consider TSN’s time-aware and peristaltic shapers and evaluate whether these shapers are able to fulfill these strict timing requirements. We present a formal timing analysis, which is a key requirement for the adoption of Ethernet in safety-critical real-time systems, to derive worst-case latency bounds for each shaper. We use a realistic automotive Ethernet setup to compare these shapers to each other and against Ethernet following IEEE 802.1Q.
"Formal timing analysis of CAN-to-Ethernet gateway strategies in automotive networks", Daniel Thiele, Johannes Schlatow, Philip Axer, Rolf Ernst, Real-Time Systems Journal, Braunschweig (Germany), October 7 2015
Abstract: Due to increased bandwidth and scalability demands, Ethernet technology is finding itsway into recent in-vehicle networks. Tomorrow’s heterogeneous networks will feature legacy buses [e.g. controller area network (CAN) or FlexRay] as well as high-speed Ethernet devices, connected by switches and gateways. As Ethernet offers significantly larger frame sizes than CAN, the efficient transmission of CAN data over an Ethernet backbone depends heavily on theway this data is multiplexed into Ethernet frames. This article focuses on the timing impact introduced by various CAN/Ethernet multiplexing strategies at the gateways.We present a formal analysis method to derive upper bounds on end-to-end latencies for complex multiplexing strategies, which is key for the design of safety-critical real-time systems. We capture complex interdomain signal paths spanning multiple buses, gateways, and switches and show the applicability in a realistic automotive setup.
"Deterministic Platform Software for Hard Real-Time systems using Multi-core COTS", Sylvain Girbal, Xavier Jean, Jimmy Le Rhun,Daniel Gracia Pérez, Marc Gatti, Digital Avionics System Conference (DASC 2015) Best Paper Award, Prague, September 13-17 2015
Abstract: Future generations of avionic equipments are expected to embed multi-core processors. Using Components Off-The-Shelf (COTS) processors is considered both by the industrial and academic communities, as well as certification authorities. However, in the safety-critical domain, a common issue with COTS multi-core processors is their lack of predictability, directly linked to the difficulty to foresee and manage inter-core interferences due to shared hardware resources. A possible solution consists in defining a Usage Domain that constrains the use of shared resources down to a level for which interference situations are known and their impact on software execution time is acceptable. Nevertheless, COTS processors have not been designed to see their behavior restricted by such usage domains, and do not provide dedicated mechanisms for that purpose. Hence the usage domains are enforced by more complex mechanisms implemented in dedicated pieces of software running below the applicative level. We call them Deterministic Platform Software (DPS). The objective of this paper is to propose an overview of existing DPS solutions, and propose criteria leading to a uniform classification. Additionally, we propose a mapping of these solutions to a selection of avionic use cases.
"A Complete Toolchain for an Interference-free Deployment of Avionic Applications on Multi-core Systems", Sylvain Girbal, Daniel Gracia Perez, Madeleine Faugèere, Claire Pagetti, Guy Durrieu, Digital Avionics System Conference (DASC'2015), September 17 2015
Abstract: In the safety critical domain such as in avionics, existing embedded solutions based on single-core COTS processors are very unlikely to handle the new level of performance requirement of next generation safety-critical applications. One alternative would be to use multi-core COTS computers, but the predictability versus performance trade-off remains an obstacle for their use in a safety critical context: concurrent accesses to shared hardware resources are generating inter-task or interapplication interferences, breaking the isolation principles required by such critical software. To enable the usage of multi-core processors on safety critical systems, interferences need to be controlled and techniques need to be developed to exploit multi-core performance benefits. In this paper, we have developed an approach and an associated tool suite able to enforce an interference-free system execution while emphasizing task parallelization to benefit from multi-core systems inherent performance. Providing strong certification guarantees of interference-free multi-core systems would require us to identify all potential sources of interference. This is beyond the scope of this paper. While restricting ourselves to the memory subsystems and the I/Os, our goal is to ensure an interference-free execution of a safety critical application deployed on a multicore architecture, by proposing an approach avoiding interference scenarios. Our proposed approach couples hardware configurations minimizing interferences with a software execution model decoupling communication phases from execution phases. We are relying on a constraint problem solving (CPS) approach to build an interference-free multi-core deployment. This approach has been fully automated and is supported by a toolchain from the problem formulation to the code generation. It has been experimented on an avionic application, and both the absence of interference and the performance benefits have been evaluated. With this approach, large safety-critical applications can be ported to multi-core COTS processors while preserving single-core based analysis methodologies.
"Deterministic Ethernet - High-speed communications with real-time guarantees", M. Jakovljevic and M. Plankensteiner, Forum Funktionale Sicherheit, Vienna, July 8-9 2015
Abstract: Currently, IEEE802 Ethernet standardization is creating a deterministic networking solution for a broad range of high-volume applications including automotive in-vehicle communication and factory automation. New deterministic Ethernet capabilities are based on time-multiplexed bandwidth sharing and defined in the IEEE802.1 TSN (Time-Sensitive Networking) task group. These capabilities enable the design of different classes of industrial and transportation systems and advanced integrated architectures communicating over a single switched Ethernet infrastructure. Together with other industry–specific open standards implemented in network devices, deterministic Ethernet solutions can be designed to satisfy real-time and reliability communication requirements for industrial applications which were constrained by isolated or proprietary networking solutions in the past. With increasing requirements on high availability, safety, and fail-operational system performance, the network becomes a core component of an embedded platform and determines, and sometimes limits, platform performance and capabilities. Therefore Deterministic Ethernet can be considered a core technology for the design of advanced integrated systems with both synchronous and asynchronous communication. Deterministic full-duplex switched Ethernet networks with time-driven communication capabilities support hard real-time communication, robust synchronization, time-sensitive traffic shaping and policing, and time-partitioning of the network bandwidth. Integrated systems designed with Deterministic Ethernet can host critical and non-critical, or soft-time functions. This enables the design of open and closed systems with critical and hard-real time distributed functions.
"Resource usage templates and signatures for COTS multicore processors", Gabriel Fernandez, Javier Jalle, Jaume Abella, Eduardo Quiñones, Tullio Vardanega, Francisco J. Cazorla, 52nd Design Automation Conference (DAC), San Francisco (California), June 7-11 2015
Upper bounding the execution time of tasks running on multicore processors is a hard challenge. This is especially so with commercial-off-the-shelf (COTS) hardware that conceals its internal operation. The main difficulty stems from the contention effects on access to hardware shared resources (e.g., buses) which cause task's timing behavior to depend on the load that co-runner tasks place on them. This dependence reduces time composability and constrains incremental verification. In this paper we introduce the concepts of resource-usage signatures and templates, to abstract the potential contention caused and incurred by tasks running on a multicore. We propose an approach that employs resource-usage signatures and templates to enable the analysis of individual tasks largely in isolation, with low integration costs, producing execution time estimates per task that are easily composable throughout the whole system integration process. We evaluate the proposal on a 4-core NGMP-like multicore architecture.
Access open research data.
"Increasing Confidence on Measurement-Based Contention Bounds for Real-Time Round-Robin Buses", Gabriel Fernandez, Javier Jalle, Jaume Abella, Eduardo Quiñones, Tullio Vardanega, Francisco J. Cazorla, 52nd Design Automation Conference (DAC), San Francisco (California), June 7-11 2015
Contention among tasks concurrently running in a multicore has been deeply studied in the literature specially for on- chip buses. Most of the works so far focus on deriving exact upper-bounds to the longest delay it takes a bus request to be serviced (ubd), when its access is arbitrated using a time- predictable policy such as round-robin (RR). Deriving ubd for a bus can be done accurately when enough timing information is available, which is not often the case for commercial-of-the-shelf (COTS) processors. Hence, ubd is approximated (ubdm) by directly experimenting on the target processor, i.e by measurements. However, using ubdm makes the timing analysis technique to resort on the accuracy of ubdm to derive trustworthy worst-case execution time (WCET) estimates. Therefore, accurately estimating ubd by means of ubdm is of paramount importance. In this paper, we propose a systematic measurement-based methodology to accurately approximate ubd without knowing the bus latency or any other latency information, being only required that the underlying bus policy is RR. Our experimental results prove the robustness of the proposed methodology by testing it on different bus and processor setups.
Access open research data.
"Seeking Time-Composable Partitions of Tasks for COTS Multicore Processors", Gabriel Fernandez, Jaume Abella, Eduardo Quiñones, Luca Fossati, Marco Zulianello, Tullio Vardanega, Francisco J. Cazorla, 18th International Symposium on Real-Time Distributed Computing, Auckland, April 13-17 2015
The timing verification of real-time singlecore systems involves a timing analysis step that yields an Execution Time Bound (ETB) for each task, followed by a schedulability analysis step, where the scheduling attributes of the individual tasks, including the ETB, are studied from the system level perspective. The transition between those two steps involves accounting for the interference effects that arise when tasks contend for access to shared resource. The advent of multicore processors challenges the viability of this two-step approach because several complex contention effects at the processor level arise that cause tasks to be unable to make progress while actually holding the CPU, which are very difficult to tightly capture by simply inflating thetasks’ ETB. In this paper we show how contention on access to hardware shared resources creates a circular dependence between the determination of tasks’ ETB and their scheduling at run time. To help loosen this knot we present an approach that acknowledges different flavors of time composability, examining in detail the variant intended for partitioned scheduling, which we evaluate on two real processor boards used in the space domain.
Access open research data.
This document performs a technology watch report related to the SAFURE Framework methodology to build Safe and Secure solutions on multi-core platforms for mixed-criticality markets.
The report will provide the design guidelines for ensuring the integrity of safe and secure systems based on the analysis methods and protection mechanisms developed in WP3.
This document will cover final results regarding the extension of tem- perature, data, and timing integrity to safe and secure systems. The report describes integrity methods and protection mechanisms related to data management, timing and thermal analysis for safe and secure systems as developed in WP3 and is the follow-up deliverable of D3.1.
This deliverable is the final and complete version of the description of the selected modelling languages, it will also include the definition of possible extensions or customization of existing standard languages (including stereotypes, domain profiles and possibly dedicated meta-models) and an assessment of the applicability of analysis methods.
The document is a report complementing D4.1 Alpha demonstrator. It describes the amount of work done, the demonstrated achievements also future plans of WP4.
D3.1 gives an overview on existing thermal, data and timing integrity algorithms. Furthermore, it covers first results regarding the extension of these methods to safe and secure systems
D2.1 is a preliminary report describing the selection of the modelling languages and tools fort he definition of the automotive and telecommunication architectures of interest and the constraints that must be addressed to specify safety and security requirements and enable thier automatic analysis.
This deliverable defines the initial specifications for the SAFURE Framework, while a final version of the specifications will be released at the end of the project.
This deliverable includes the specification of the Use Case for each of the targeted industry domains, as well as the platforms that will be targeted to support typical embedded applications development in each domain.
Deliverable D1.2 categorizes groups and prioritizes the requirements in order to guide development in other SAFURE work packages. It illustrates the mapping between requirements and how they are reflected in the detailed Use Cases.