f t -u nshades a design analysis tool based on emulation technologies esa-estec/17540 university of...

FT-UNSHADES

A design analysis tool based on Emulation Technologies

ESA-ESTEC/17540University of Sevilla-AICIA-ESA

Summary

Fault Injection in generalWhat is FT-UNSHADES?What is not FT-UNSHADES?Main featuresModels for design analysis

◦ Cycle accurate◦ Smart table

FT-UNSHADES for FPGA analysisWhat can FT-UNSHADES do for you?Using FT-UNSHADESAccessing to FTUNSHADES

11/09/2009FPGA workshop. ESA/ESTEC, Noordwijk

Fault Injection in general Certain Radiation Effects over digital circuits mainly

affect to the stored information in Registers and Memories.

These radiation effects are:◦ Single Event Upset (one register is attacked)

◦ Single Event Transient (Due to propagation, one or several registers are attacked)

◦ Multi Bit Upsets (Several registers simultaneously due to Layout adjacence)

These effects corrupt temporally the information processed by the silicon design.

The corruption of the information due to these effects is because 0 changes into 1 or viceversa.

This model is named bit-flip. FAULT INJECTION means reproduce the bit-flip in a

dynamic execution of the circuit in order to analyze its behavior

FAULT INJECTION needs two mechanisms:◦ A platform that executes the circuit

◦ A method for producing a bit-flip in time.


Using Run-Time reconfiguration for FAULT INJECTION The execution is made using an SRAM-FPGA from

Xilinx The injection is performed using the configuration

circuit The injection is made modifying either the REGISTER

CONTENTS or THE CONFIGURATION CIRCUIT


Q

QGRB

CLR

D

Q

QGRB

CLR

D

Q

QGRB

CLR

D

Q

QGRB

CLR

D

Q

QGRB

CLR

D

Q

QGRB

CLR

D

Q

QGRB

CLR

D

Q

QGRB

CLR

D

Q

QGRB

CLR

D

Configuration memory

Implemented design

Configured elements

Modify the register content

Modify the design behavior

Q

QGRB

CLR

D

Q

QGRB

CLR

D

Q

QGRB

CLR

D

Injection over user registers

Injection over Config memory

What is FTUNSHADES? A Fault Injection system based on the concepts related

to hardware debugging: observability and controlability*.

The method is non intrusive. The design is analyzed with little modifications.

Deterministic procedure of bit-flip insertion. The design is analyzed using a stimuli set or application

(workload) Analysis of a design reliability attacking register,

memory elements or configuration bits. The results are analyzed form design behavior point of view.

A hardware accelerator allows to speed up the analysis. (This is the meaning of emulation, instead of simulation)

Massive injection campaign and detailed analysis of the design are performed in the same platform.


* in this context observability means accessing to internal values of the registers, at every clock cycle. Controlability is the possibility of perturbing the circuit at any time of the workload.

What is not FTUNSHADES?It is not a tool for technological

analysis. The effects are not treated as physical phenomena.

It is not exactly a tool for FPGA implementation analysis (but maybe…)

It is not a system for setting up experiments inside a beam (but maybe...)


FTUNSHADES is a tool for reliability analysis over a logic description of a design, so it is technology

independent.

Main featuresA design is treated using the Xilinx standard

tools.The design flow can preserve the

confidentiality of the design.The analysis is made by means of a time-

location model:◦ Time is a clock cycle of the application ◦Location is the user register (DFF, or bit of

memory or SRL16) where the bit flip will be inserted.

The register selection is based on the hierarchical tree, allowing selective injection.


How it works...

DESIGNINPUT VECTORS

(APPLICATION)

OUTPUTS

DESIGNWORKLOAD


The starting point is a traditional simulation scheme over the structural netlist of the design.

Input vectors are stored and inserted in a database. They will form the so called “workload”

The design is converted to a fully equivalent netlist in a Xilinx technology. This step is extremely critical

As an RTL equivalent netlist the consequences of the injections over the Xilinx netlist can be assumed in the original design

The model is similar to a system in an accelerator.

Two identical instances of the design are implemented

The inputs are stored in external memories and the outputs are compared between both instances

The clock is the same. Both instances work in parallel

The injection is always to the same instance. The other works for comparison.

The register selection is made using a demapping information provided by Xilinx

Time variable is also controlled

Deterministic attack using the design hierarchical organization

Standard modelDESIGN

DESIGN

WORKLOAD

Emulator (FPGA)

Comparator

Gold

FaultyFaulty


Comparator

System Clock

Workload inputs

The model is dedicated to microprocessor analysis.

Outputs are stored in a memory: The table

Inputs are stored in external memories

Comparison are made using the table as a reference

The injection is on the microprocessor netlist.

Software redundancy techniques would recover the system using clock cycles

The recovering is made using several extra instructions and the comparison is made using some recovery time.

The clock accurate comparison would be relaxed using the smart controller module

Smart Table Model

μPROC

Software

Emulator (FPGA)

Comparator

Faulty

SMART CONTROLLER

REFERENCE

TABLE


Comparator

System Clock

Workload inputs

Structure of the systemFT-UNSHADES

TNT

INPUT VECTOR DATABASE

BITSTREAM

BIT ALLOCATION

UserCommand

s(Scripts)

VCD format

Session.log

Excel Sheet

Console

ModelSim SE 5.8d.lnk

Synplify Pro 7.2.lnk

Project Navigator.lnk


FT-UNSHADES Analysis Example

CLOCK: 133937REGISTER:leon0_mcore0_proc0_cx.c0_icache0_r.waddress_16DAMAGE DETECTED: YESLATENCY: 1 CLKPORT: address

A step by step analysis can be done, dump the data in VCD format and visualize the fault

evolution with a waveform viewer

Fault Inj.

Error DetectedAfter one clock cycle

CLK


This model Studies the behavior of the FPGA and the design under radiation

The objective is to evaluate reliability of the design already implemented on a particular family of FPGA

The results, for being considered valid, must comply several conditions:◦ The FPGA has to belong to

the same family than the target

◦ The design is firmly fixed in his place and route

◦ The attack points are constrained to a restricted area.

An static analysis has to be performed previous to the dynamic analysis in order to define the database of critical configuration points.

Again, the design and its workload refines this database, classifying the points as critical or not critical form dynamic point of view

There is a strong dependence between Workload and the result of this refinement.

FPGA analysis

DESIGN

DESIGN

WORKLOAD

FPGA

Comparator

Gold

Faulty

DATABASE OF CRITICAL

POINTSTNT

11/09/2009 FPGA workshop. ESA/ESTEC, Noordwijk

!!

Comparator

System Clock

Workload inputs

Star-Roraalliance

What can FT-UNSHADES do for you?

1. FTUNSHADES will deeply analyze your modular protections using a fully deterministic fault injection method.

2. FTUNSHADES can optimize the redundancy insertion in your design. This can save area and power consumption.

3. FTUNSHADES can analyze reset net and initialization strategy

4. FTUNSHADES can provide an idea of the covering of the workload. The workload can be refined for further implementation in the acceleration test setup

5. FTUNSHADES can evaluate the strategy of redundancy in the software of an embedded processor and optimize the balance performance/area&consumption

6. FTUNSHADES allows the evaluation of the hardening of the place and route of a Xilinx FPGA.


Relevant featuresCombine fault injection campaigns

with detailed analysisProvide internal view of hierarchical

module criticalityProvide the possibility of analyzing the

criticality considering application timeA tool for optimizing the overhead of a

mitigated design.Preserve confidentiality of designExperiences contrasted in Spanish

National Accelerators Centre11/09/2009

FPGA workshop. ESA/ESTEC, Noordwijk

Experiences...Designs tested:Leon, Leon2 and Leon3MicroBlaze8051Cordic 18x18x18PicoBlazeRENASER RadTest device Other ESA benchmarks...Publications:TNS: 4, TIE:1, TIME:1 ....Projects: RENASER, EMULASER, CELPAE,

FTUNSHADES2, ...11/09/2009

FPGA workshop. ESA/ESTEC, Noordwijk

Accessing to FTUNSHADESFTUNSHADES is managed by the RadUs team

that belongs to the Electronic Engineering Group of the University of Sevilla

The FTUNSHADES system is be offered to customers through an agreement with a company named AICIA

The accessing framework is a service. The system can be accessed also remotely.

Design secret is granted by◦ NDA◦ Training in the company◦ Transfer of preparation tools◦ Remote access or on site access if agreed◦ Technical support


Contacts

http://walle.us.es/ftunshades

[email protected] +3494487367

University of SevillaCamino de los Descubriumientos

s/n

41092 Sevilla (SPAIN)


Hope to SEE you in RADECS 2011 !

SS1. Special Session on Ionizing Radiation Effects on Digital Devices for Safety Critical Industrial Applications

Contacts: [email protected] and [email protected]

http://www.isie2010.it/special-sessions/approved-special-sections


f t -u nshades a design analysis tool based on emulation technologies esa-estec/17540 university of...

Documents