- Title: Dynamic security architecture for multiprocessor systems-on-chip
(Original title: Architecture de sécurité dynamique pour systèmes multiprocesseurs intégrés sur puce)
Defended on December 13th, 2010 at University of Pierre and Marie Curie (UPMC), Paris
- Albert Cohen (INRIA, dissertation reviewer)
- Tanguy Risset (INSA-Lyon, dissertation reviewer)
- Jean-Claude Bajard (UPMC)
- Renaud Pacalet (Telecom ParisTech)
- Bernard Kasser (STMicroelectronics)
- Christian Schwarz (Nagravision, ex-STMicroelectronics, industrial co-advisor)
- Alain Greiner (UPMC, academical advisor)
This thesis presents the multi-compartment approach. This approach enables a secure and flexible co-hosting of multiple autonomous software stacks within a same multiprocessor system-on-a-chip. In the field of multimedia oriented consumer devices, such autonomous software stacks generally represent the assets of the different stakeholders. These stakeholders, chips and set-top boxes manufacturers, network operators, content providers and customers, do not necessarily trust each other. Hence, the requirement to find a means to execute those software stacks together, while enforcing a certain degree of isolation. Multimedia chips are heavily heterogeneous -- a few general purpose processors are assisted by numerous specialized processors or coprocessors -- and follow a shared memory policy. These hardware specificities make it difficult, and even impossible, to solve this problematic with recent co-hosting techniques only (e.g. virtualization). The multi-compartment approach consists in a new trust model, more flexible and generic than the current ones. It allows various software stacks to run securely and simultaneously on heterogeneous hardware platforms. In particular, the core of the proposed approach is composed of a global mechanism for protection. Such a mechanism is responsible for the secure sharing of the single address space and is placed within the interconnect to ensure the best control. The multi-compartment approach also presents solutions for sharing peripheral devices, and more precisely DMA capable devices, among software stacks. Finally, the approach introduces solutions for the hardware interrupts redirection problem, a collateral aspect to the peripheral devices sharing. The main building blocks of the proposed hardware and software solutions are implemented along with the conception of an experimental platform, under the form of a virtual prototype. In addition to validating the approach, the platform is measured in terms of cost, performance and hardware surface. Considering both aspects, the obtained results show the cost is negligible.
keyword(s): security - multiprocessor system-on-a-chip - network-on-chip - software co-hosting - virtualization - hardware-software co-design - virtual prototyping
Even if most of my Ph.D. practical work is unfortunately protected by a NDA with STMicroelectronics, I can still mention that I made great use of two awesome academic projects, namely SoCLib and MutekH.
SoCLib is an open platform for virtual prototyping of multiprocessor systems-on-chip. Basically, it is a set of SystemC models along with a smart build system, for building simple and complex simulation systems. Using SoCLib, I developed a MIPS-based multiprocessor and multicluster system-on-chip model, including the security module I proposed in my Ph.D. You can find my contributions to SoCLib here and there (I committed changes under several different names and Trac does not seem to support OR in searches).
MutekH is a free exokernel-based operating system for embedded systems. I developed a few modules for MutekH over the course of my Ph.D. and after. The biggest module I added was a dynamic ELF loader (for MIPS). It allowed me to dynamically load user applications, which was needed for my Ph.D. work (or maybe not... but it was fun to do it anyway!), instead of having in-kernel applications only as MutekH usually operates. In addition to this libelf, I also developed a module, named libdsrl, that offered a LUA interface for scripting applications launching. It was very useful for describing and launching complex data-flow applications, composed of several threads communicating via software channels. Find the list of my contributions to MutekH here.