FT-UNSHADES A design analysis tool based on Emulation Technologies ESA-ESTEC/17540 University of Sevilla- AICIA-ESA


FT-UNSHADES

A design analysis tool based on Emulation Technologies

ESA-ESTEC/17540 University of Sevilla-AICIA-ESA

Summary

Fault Injection in general
What is FT-UNSHADES?
What is not FT-UNSHADES?
Main features
Models for design analysis
◦ Cycle accurate
◦ Smart table
FT-UNSHADES for FPGA analysis
What can FT-UNSHADES do for you?
Using FT-UNSHADES
Accessing FTUNSHADES

11/09/2009 FPGA workshop. ESA/ESTEC, Noordwijk

Fault Injection in general

Certain radiation effects on digital circuits mainly affect the information stored in registers and memories.

These radiation effects are:
◦ Single Event Upset (one register is attacked)
◦ Single Event Transient (due to propagation, one or several registers are attacked)
◦ Multi Bit Upsets (several registers simultaneously, due to layout adjacency)

These effects temporarily corrupt the information processed by the silicon design.

The information is corrupted because a 0 changes into a 1 or vice versa. This model is named bit-flip.

FAULT INJECTION means reproducing the bit-flip in a dynamic execution of the circuit in order to analyze its behavior.

FAULT INJECTION needs two mechanisms:
◦ A platform that executes the circuit
◦ A method for producing a bit-flip in time.

Using Run-Time reconfiguration for FAULT INJECTION

The execution is made using an SRAM-FPGA from Xilinx.
The injection is performed using the configuration circuit.
The injection is made by modifying either the REGISTER CONTENTS or THE CONFIGURATION CIRCUIT.

[Figure: array of flip-flops (D, Q, CLR). Labels: Configuration memory; Implemented design; Configured elements; Modify the register content; Modify the design behavior; Injection over user registers; Injection over Config memory]

What is FTUNSHADES?

A Fault Injection system based on the concepts related to hardware debugging: observability and controllability*.
The method is non-intrusive. The design is analyzed with few modifications.
Deterministic procedure of bit-flip insertion.
The design is analyzed using a stimuli set or application (workload).
Analysis of a design's reliability by attacking registers, memory elements or configuration bits.
The results are analyzed from the design behavior point of view.
A hardware accelerator speeds up the analysis. (This is the meaning of emulation, instead of simulation.)
Massive injection campaigns and detailed analysis of the design are performed on the same platform.

* In this context, observability means access to the internal values of the registers at every clock cycle. Controllability is the possibility of perturbing the circuit at any time of the workload.

What is not FTUNSHADES?

It is not a tool for technological analysis. The effects are not treated as physical phenomena.
It is not exactly a tool for FPGA implementation analysis (but maybe…)
It is not a system for setting up experiments inside a beam (but maybe...)

FTUNSHADES is a tool for reliability analysis over a logic description of a design, so it is technology independent.

Main features

A design is treated using the Xilinx standard tools.
The design flow can preserve the confidentiality of the design.
The analysis is made by means of a time-location model:
◦ Time is a clock cycle of the application
◦ Location is the user register (DFF, or bit of memory or SRL16) where the bit flip will be inserted.
The register selection is based on the hierarchical tree, allowing selective injection.

How it works...

[Figure: block diagram. Labels: DESIGN, INPUT VECTORS (APPLICATION), OUTPUTS, WORKLOAD]

The starting point is a traditional simulation scheme over the structural netlist of the design.
Input vectors are stored and inserted in a database. They form the so-called “workload”.
The design is converted to a fully equivalent netlist in a Xilinx technology. This step is extremely critical.
Because the Xilinx netlist is equivalent to the RTL, the consequences of the injections over the Xilinx netlist can be assumed in the original design.

Standard model

The model is similar to a system in an accelerator.
Two identical instances of the design are implemented.
The inputs are stored in external memories and the outputs are compared between both instances.
The clock is the same. Both instances work in parallel.
The injection is always made to the same instance. The other works for comparison.
The register selection is made using demapping information provided by Xilinx.
The time variable is also controlled.
Deterministic attack using the design's hierarchical organization.

[Figure: Standard model. Labels: WORKLOAD, Emulator (FPGA), DESIGN (Gold), DESIGN (Faulty), Comparator, System Clock, Workload inputs]

Smart Table Model

The model is dedicated to microprocessor analysis.
Outputs are stored in a memory: the table.
Inputs are stored in external memories.
Comparisons are made using the table as a reference.
The injection is on the microprocessor netlist.
Software redundancy techniques would recover the system using clock cycles.
The recovery is made using several extra instructions, and the comparison is made using some recovery time.
The clock-accurate comparison would be relaxed using the smart controller module.

[Figure: Smart Table Model. Labels: μPROC (Faulty), Software, Emulator (FPGA), Comparator, SMART CONTROLLER, REFERENCE TABLE, System Clock, Workload inputs]

Structure of the system

[Figure: FT-UNSHADES system structure. Labels: FT-UNSHADES, TNT, INPUT VECTOR DATABASE, BITSTREAM, BIT ALLOCATION, User Commands (Scripts), VCD format, Session.log, Excel Sheet, Console, ModelSim SE 5.8d, Synplify Pro 7.2, Project Navigator]

FT-UNSHADES Analysis Example

CLOCK: 133937
REGISTER: leon0_mcore0_proc0_cx.c0_icache0_r.waddress_16
DAMAGE DETECTED: YES
LATENCY: 1 CLK
PORT: address

A step-by-step analysis can be done: dump the data in VCD format and visualize the fault evolution with a waveform viewer.

[Figure: waveform with the CLK signal, marking the fault injection and the error detected after one clock cycle]
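The gold/faulty lockstep comparison of the standard model, and the per-injection report of the analysis example, can be modelled in software. The following is an added example, not FT-UNSHADES code; the toy design, its register names (acc, pipe, scratch) and the workload are constructed for illustration.

```python
# Added illustration of the time-location model with a gold/faulty comparator.
# The design, register names and workload are constructed, not FT-UNSHADES data.
WIDTH = 8

class Design:
    """Toy synchronous design: an accumulator feeding a registered output port."""
    def __init__(self):
        self.regs = {"acc": 0, "pipe": 0, "scratch": 0}

    def clock(self, x):
        out = self.regs["pipe"]                   # port value seen during this cycle
        acc = self.regs["acc"]
        self.regs = {"acc": (acc + x) & 0xFF,      # all registers update on one edge
                     "pipe": acc,
                     "scratch": x}                # rewritten every cycle, never read
        return out

def inject(workload, cycle, reg, bit):
    """Flip one bit of `reg` in the faulty instance at `cycle`, compare with gold."""
    gold, faulty = Design(), Design()
    report = {"clock": cycle, "register": f"{reg}_{bit}",
              "damage": False, "latency": None}
    for clk, x in enumerate(workload):
        if clk == cycle:
            faulty.regs[reg] ^= 1 << bit          # the bit-flip at (time, location)
        if gold.clock(x) != faulty.clock(x):      # comparator on the output port
            report.update(damage=True, latency=clk - cycle)
            break
    return report

def campaign(workload):
    """Exhaustive deterministic campaign: every clock cycle x every register bit."""
    summary = {}
    for reg in Design().regs:
        runs = [inject(workload, c, reg, b)
                for c in range(len(workload)) for b in range(WIDTH)]
        summary[reg] = (sum(r["damage"] for r in runs), len(runs))
    return summary

WORKLOAD = [3, 7, 1, 250, 9, 4, 0, 12]            # constructed input vectors

if __name__ == "__main__":
    print(inject(WORKLOAD, 2, "acc", 4))
    for reg, (hits, runs) in campaign(WORKLOAD).items():
        print(f"{reg:8s} damage detected in {hits}/{runs} injections")
```

Injections into acc during the last workload cycle go undetected only because the workload ends before the error reaches the output port, which is the workload dependence the slides point out.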

FPGA analysis

This model studies the behavior of the FPGA and the design under radiation.
The objective is to evaluate the reliability of the design already implemented on a particular family of FPGA.
The results, to be considered valid, must comply with several conditions:
◦ The FPGA has to belong to the same family as the target
◦ The design is firmly fixed in its place and route
◦ The attack points are constrained to a restricted area.
A static analysis has to be performed prior to the dynamic analysis in order to define the database of critical configuration points.
Again, the design and its workload refine this database, classifying the points as critical or not critical from the dynamic point of view.
There is a strong dependence between the workload and the result of this refinement.

[Figure: FPGA analysis. Labels: WORKLOAD, FPGA, DESIGN (Gold), DESIGN (Faulty), Comparator, DATABASE OF CRITICAL POINTS, TNT, System Clock, Workload inputs, Star-Rora alliance]


What can FT-UNSHADES do for you?

1. FTUNSHADES will deeply analyze your modular protections using a fully deterministic fault injection method.

2. FTUNSHADES can optimize the redundancy insertion in your design. This can save area and power consumption.

3. FTUNSHADES can analyze the reset net and the initialization strategy.

4. FTUNSHADES can provide an idea of the coverage of the workload. The workload can be refined for further implementation in the acceleration test setup.

5. FTUNSHADES can evaluate the strategy of redundancy in the software of an embedded processor and optimize the balance between performance and area & consumption.

6. FTUNSHADES allows the evaluation of the hardening of the place and route of a Xilinx FPGA.

Relevant features

Combine fault injection campaigns with detailed analysis
Provide internal view of hierarchical module criticality
Provide the possibility of analyzing the criticality considering application time
A tool for optimizing the overhead of a mitigated design.
Preserve confidentiality of design
Experiences contrasted in Spanish National Accelerators Centre

Experiences...

Designs tested:
◦ Leon, Leon2 and Leon3
◦ MicroBlaze
◦ 8051
◦ Cordic 18x18x18
◦ PicoBlaze
◦ RENASER RadTest device
◦ Other ESA benchmarks...
Publications: TNS: 4, TIE: 1, TIME: 1 ....
Projects: RENASER, EMULASER, CELPAE, FTUNSHADES2, ...

Accessing FTUNSHADES

FTUNSHADES is managed by the RadUs team, which belongs to the Electronic Engineering Group of the University of Sevilla.
The FTUNSHADES system is offered to customers through an agreement with a company named AICIA.
The access framework is a service. The system can also be accessed remotely.
Design secrecy is granted by:
◦ NDA
◦ Training in the company
◦ Transfer of preparation tools
◦ Remote access or on-site access if agreed
◦ Technical support

Contacts

http://walle.us.es/ftunshades

[email protected] +3494487367

University of Sevilla
Camino de los Descubrimientos s/n
41092 Sevilla (SPAIN)

Hope to SEE you in RADECS 2011 !


SS1. Special Session on Ionizing Radiation Effects on Digital Devices for Safety Critical Industrial Applications

Contacts: [email protected] and [email protected]

http://www.isie2010.it/special-sessions/approved-special-sections
