Link to register and connect to the online PhD defense
Please be informed that Webex events is not accessible on Linux OS.
Members of the defense committee:
Prof. Dr Peter Y A RYAN, Université du Luxembourg, Chairman
Prof. Dr Gilbert FRIDGEN, Université du Luxembourg, Vice-Chairman
Prof. Dr Marcus VÖLP, Université du Luxembourg, Supervisor
Prof. Antonio CASIMIRO, Faculdade de Ciencias da Universidade de Lisboa, Member
Prof. Dr Gerhard FOHLER, Technische Universitat Kaiserslautern, Member
Abstract:
Increasingly, more aspects of our lives rely on the correctness and safety of computing systems, namely in the embedded and cyber-physical (CPS) domains, which directly affect the physical world. While systems have been pushed to their limits of functionality and efficiency, security threats and generic hardware quality have challenged their safety. Leveraging the enormous modular power, diversity and flexibility of these systems, often deployed in multi-processor systems-on-chip (MPSoC), requires careful orchestration of complex and heterogeneous resources, a task left to low-level software, e.g., hypervisors. In current architectures, this software forms a single point of failure (SPoF) and a worthwhile target for attacks: once compromised, adversaries can gain access to all information and full control over the platform and the environment it controls, for instance by means of privilege escalation. Currently, solutions to protect low-level software often rely on an underlying trusted layer which is often a SPoF itself and/or exhibit downgraded performance. Fault and intrusion tolerance (FIT) protocols leveraging replication, rejuvenation and diversification, often used in the context of distributed systems, would meet the requirements needed for SPoF-free systems in the realm of tightly-coupled MPSoCs as well. However, in the latter, the performance impact of traditional Byzantine fault tolerant state-machine replication (BFT-SMR) protocols is prohibitive due to the high cost of cryptographic operations and the quantity of messages exchanged. Furthermore, fault isolation, one of the key prerequisites in FIT, presents a complicated challenge to tackle, given that the whole system resides within one chip in these environments. There is so far no solution completely addressing the SPoF issue in critical low-level management software.
It is our aim, then, to devise such a solution that, additionally, reaps the benefit of the tightly-coupled nature of such manycore systems, providing the level of FIT seen in classical distributed systems. In this thesis we present two architectures, using trusted-trustworthy mechanisms and consensus protocols, capable of protecting all software layers, specifically at low level, by performing critical operations, such as those involving privilege escalation and platform reconfiguration, only when a majority of correct replicas agree to their execution: iBFT and Midir. Moreover, we discuss ways in which these can be used at application level on the example of replicated applications sharing critical data structures. By means of low-complexity trusted-trustworthy mechanisms, akin to those utilized by hybrid BFT protocols, it is possible to confine software-level faults and some hardware faults to the individual tiles of an MPSoC, converting these into fault containment domains, thus enabling fault isolation and, consequently, making way for high-performance FIT at the lowest level.
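To make the core idea of the abstract concrete, the following is an added toy simulation, not code from the thesis, of a critical operation being released only once a majority of replicas has voted for it. The names TrustedGate, Vote, run_scenario and the allow-list policy are assumptions for this illustration; they are not iBFT's or Midir's actual mechanisms. The trusted component is deliberately minimal: it only counts one vote per replica per operation and never judges the operation itself, which is the "low-complexity trusted-trustworthy" role the abstract describes.

```python
"""Majority-gated execution of privileged operations (added illustration).

Constructed example: correct replicas approve an operation only if it is on
an allow-list; faulty replicas vote however they like and even try to vote
twice. The gate executes the operation exactly once, and only after a strict
majority of all replicas approved it.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Vote:
    replica_id: int
    op_id: str
    approve: bool


class TrustedGate:
    """Assumed low-complexity trusted component: a vote counter, nothing more.

    It does not decide whether an operation is legitimate; it releases the
    operation once at least a majority of all replicas approved it. A replica
    gets one vote per operation, so a faulty replica cannot inflate the tally.
    """

    def __init__(self, n_replicas: int) -> None:
        self.n = n_replicas
        self.quorum = n_replicas // 2 + 1          # strict majority of all replicas
        self.ballots: dict[str, dict[int, bool]] = {}
        self.executed: list[str] = []

    def submit(self, vote: Vote) -> bool:
        """Record a vote; return True only if this vote completed the majority."""
        if not 0 <= vote.replica_id < self.n:
            return False                           # unknown replica, ignored
        ballot = self.ballots.setdefault(vote.op_id, {})
        if vote.replica_id in ballot:
            return False                           # duplicate/equivocating vote, ignored
        ballot[vote.replica_id] = vote.approve
        approvals = sum(1 for approved in ballot.values() if approved)
        if approvals >= self.quorum and vote.op_id not in self.executed:
            self.executed.append(vote.op_id)
            return True
        return False


# Constructed policy: the operations a correct replica is willing to approve.
ALLOWED_OPS = {"reconfigure-tile-3", "escalate-task-7"}


def correct_vote(replica_id: int, op_id: str) -> Vote:
    """Deterministic policy of a correct replica."""
    return Vote(replica_id, op_id, op_id in ALLOWED_OPS)


def run_scenario(n: int, faulty: set[int], op_id: str, faulty_approve: bool = True) -> bool:
    """Return True if op_id ends up executed.

    Replicas listed in `faulty` vote `faulty_approve` regardless of policy and
    submit their vote twice; all other replicas follow correct_vote().
    """
    gate = TrustedGate(n)
    for rid in range(n):
        if rid in faulty:
            gate.submit(Vote(rid, op_id, faulty_approve))
            gate.submit(Vote(rid, op_id, faulty_approve))   # second vote is ignored
        else:
            gate.submit(correct_vote(rid, op_id))
    return op_id in gate.executed


if __name__ == "__main__":
    # n = 3, one faulty replica: it can neither force a forbidden op nor block an allowed one.
    print("forbidden op, faulty approves:", run_scenario(3, {2}, "disable-mmu", True))
    print("allowed op, faulty denies:   ", run_scenario(3, {2}, "reconfigure-tile-3", False))
    # n = 5: two faulty replicas are tolerated, three are not (majority is the assumption).
    print("n=5, 2 faulty force forbidden:", run_scenario(5, {3, 4}, "disable-mmu", True))
    print("n=5, 3 faulty force forbidden:", run_scenario(5, {2, 3, 4}, "disable-mmu", True))
```

The last scenario is the important caveat: the gate is only as good as the assumption that fewer than half of the replicas are faulty at any time, which is why the abstract pairs replication with rejuvenation, diversification and per-tile fault containment rather than relying on voting alone.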