US20180074888A1 - Methods and systems for achieving trusted fault tolerance of a system of untrusted subsystems - Google Patents
Methods and systems for achieving trusted fault tolerance of a system of untrusted subsystems Download PDFInfo
- Publication number
- US20180074888A1 US20180074888A1 US15/692,412 US201715692412A US2018074888A1 US 20180074888 A1 US20180074888 A1 US 20180074888A1 US 201715692412 A US201715692412 A US 201715692412A US 2018074888 A1 US2018074888 A1 US 2018074888A1
- Authority
- US
- United States
- Prior art keywords
- voting
- components
- input
- output
- consensus
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Abandoned
Links
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
-
- H—ELECTRICITY
- H03—ELECTRONIC CIRCUITRY
- H03K—PULSE TECHNIQUE
- H03K19/00—Logic circuits, i.e. having at least two inputs acting on one output; Inverting circuits
- H03K19/20—Logic circuits, i.e. having at least two inputs acting on one output; Inverting circuits characterised by logic function, e.g. AND, OR, NOR, NOT circuits
- H03K19/23—Majority or minority circuits, i.e. giving output having the state of the majority or the minority of the inputs
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/07—Responding to the occurrence of a fault, e.g. fault tolerance
- G06F11/08—Error detection or correction by redundancy in data representation, e.g. by using checking codes
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F13/00—Interconnection of, or transfer of information or other signals between, memories, input/output devices or central processing units
- G06F13/14—Handling requests for interconnection or transfer
- G06F13/20—Handling requests for interconnection or transfer for access to input/output bus
- G06F13/28—Handling requests for interconnection or transfer for access to input/output bus using burst mode transfer, e.g. direct memory access DMA, cycle steal
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F13/00—Interconnection of, or transfer of information or other signals between, memories, input/output devices or central processing units
- G06F13/14—Handling requests for interconnection or transfer
- G06F13/20—Handling requests for interconnection or transfer for access to input/output bus
- G06F13/32—Handling requests for interconnection or transfer for access to input/output bus using combination of interrupt and burst mode transfer
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/70—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
- G06F21/71—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
-
- G—PHYSICS
- G07—CHECKING-DEVICES
- G07C—TIME OR ATTENDANCE REGISTERS; REGISTERING OR INDICATING THE WORKING OF MACHINES; GENERATING RANDOM NUMBERS; VOTING OR LOTTERY APPARATUS; ARRANGEMENTS, SYSTEMS OR APPARATUS FOR CHECKING NOT PROVIDED FOR ELSEWHERE
- G07C13/00—Voting apparatus
- G07C13/02—Ballot boxes
-
- H—ELECTRICITY
- H03—ELECTRONIC CIRCUITRY
- H03K—PULSE TECHNIQUE
- H03K19/00—Logic circuits, i.e. having at least two inputs acting on one output; Inverting circuits
- H03K19/02—Logic circuits, i.e. having at least two inputs acting on one output; Inverting circuits using specified components
- H03K19/08—Logic circuits, i.e. having at least two inputs acting on one output; Inverting circuits using specified components using semiconductor devices
- H03K19/0813—Threshold logic
-
- H—ELECTRICITY
- H03—ELECTRONIC CIRCUITRY
- H03K—PULSE TECHNIQUE
- H03K25/00—Pulse counters with step-by-step integration and static storage; Analogous frequency dividers
- H03K25/02—Pulse counters with step-by-step integration and static storage; Analogous frequency dividers comprising charge storage, e.g. capacitor without polarisation hysteresis
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2211/00—Indexing scheme relating to details of data-processing equipment not covered by groups G06F3/00 - G06F13/00
- G06F2211/1097—Boot, Start, Initialise, Power
Definitions
- Computer servers of modern safety- and security-critical applications are challenged by arbitrary faults.
- faults can include malicious cyber threats (e.g., spoofing, unauthorized data access, state modification, deadlock, or instruction stream alteration), exploitation of design flaws, and vulnerabilities in a global supply chain.
- malicious cyber threats e.g., spoofing, unauthorized data access, state modification, deadlock, or instruction stream alteration
- exploitation of design flaws e.g., spoofing, unauthorized data access, state modification, deadlock, or instruction stream alteration
- exploitation of design flaws e.g., spoofing, unauthorized data access, state modification, deadlock, or instruction stream alteration
- exploitation of design flaws e.g., spoofing, unauthorized data access, state modification, deadlock, or instruction stream alteration
- exploitation of design flaws e.g., exploitation of design flaws
- vulnerabilities in a global supply chain e.g., under-constrained
- One example embodiment is a system for trusted integration of untrusted components.
- the example system includes at least three electrical components and voting (consensus) circuitry.
- the components have varied hierarchical implementations for providing common output given common input.
- the voting circuitry is configured to receive, as input, outputs from the components and provide a consensus output that is a majority of the outputs received from the components.
- the electrical components of the system can be digital components and the voting circuitry can be analog circuitry.
- the varied hierarchical implementations of the components can include, for example, any of differing processor instruction sets, differing register sets, and differing address schemes.
- each component can include a processor having an input queue, state memory, state machine, and output queue.
- the output queues can provide input to the voting circuitry.
- the state machines can be configured to interpret headers in data of the input queue, where the headers indicating the source and nature of the data.
- Each state memory can be configured to permit direct memory access for fault recovery.
- the voting circuitry detects a fault by a given component, the state memory of the given component can be overwritten with data from a state memory of a component that satisfied the consensus.
- the components that satisfied the consensus can be enabled to proceed to a next state while the given component is recovered if there are enough components that satisfied the consensus to protect against additional faults.
- the system can include a timer to ensure completion of output queue data of each output queue before the processors can proceed to a next state.
- a timer can be associated with the voting circuitry, and the voting circuitry can be configured to provide an interrupt to cause the processors to proceed to the next state.
- the voting circuitry can be configured to reboot a component that fails repeatedly, and to reboot the system in an event a consensus output cannot be obtained.
- the voting circuitry can include, for each bit of output across the components, a voting input stage, a transfer stage, and an accumulating stage.
- the voting input stage can include at least three input switched capacitors corresponding to the components.
- the input switched capacitors can be configured to receive, as input, a bit of output across the components.
- the transfer stage can include transfer switched capacitors corresponding to the input switched capacitors.
- the transfer switched capacitors can be configured to charge a voting capacitor corresponding to each input switched capacitor during a state of a clock signal.
- the accumulating stage can include accumulating switched capacitors connecting the voting capacitors in series.
- the accumulating switched capacitors can cause the charges of the voting capacitors to be accumulated during an alternate state of the clock signal.
- the accumulated charge of the voting capacitors can represent the consensus output of the bit of output across the components.
- Another example embodiment is a method of providing trusted integration of untrusted components.
- the method includes integrating at least three electronic components into a system.
- the components have varied hierarchical implementations for providing common output given common input.
- the method further includes providing outputs from the components as input to voting circuitry to provide a consensus output that is a majority of the outputs of the components.
- Providing outputs from the components as input to voting circuitry can include, for each bit of the outputs across the components, (i) providing one bit of output from the at least three components as inputs to at least three voting inputs, each in the form of high or low logical bits, (ii) converting the voting inputs to analog voltages, resulting in analog voting voltages, and (iii) accumulating the analog voting voltages, resulting in an accumulated analog voting voltage.
- the accumulated analog voting voltage represents the consensus output of the bit of output across the components.
- the example system includes at least three processors, each processor including an input queue, state memory, state machine, and output queue having varied hierarchical implementations for providing common output given common input.
- the system also includes voting circuitry that includes, for each bit of output across the components, a voting input stage, a transfer stage, and an accumulating stage.
- the voting input stage includes at least three input switched capacitors corresponding to the components.
- the input switched capacitors are configured to receive, as input, a bit of output across the output queues.
- the transfer stage includes transfer switched capacitors corresponding to the input switched capacitors.
- the transfer switched capacitors are configured to charge a voting capacitor corresponding to each input switched capacitor during a state of a clock signal.
- the accumulating stage includes accumulating switched capacitors connecting the voting capacitors in series.
- the accumulating switched capacitors are configured to cause the charges of the voting capacitors to be accumulated during an alternate state of the clock signal.
- the accumulated charge of the voting capacitors represents the consensus output of the bit of output across the output queues.
- FIG. 1 is a schematic diagram illustrating hierarchical diversity for trusted fault tolerance, according to an example embodiment.
- FIG. 2 is a circuit diagram illustrating a circuit for determining a majority value of three input values, according to an example embodiment.
- FIG. 3 is a circuit diagram illustrating a circuit for determining a majority value of N input values, according to an example embodiment.
- FIG. 4 is a schematic diagram illustrating eight voting circuits used to determine bit-by-bit a majority eight-bit value, according to an example embodiment.
- FIG. 5 is a timing diagram illustrating example voltages, at various times, of components of the circuit of FIG. 2 .
- FIG. 6 is a timing diagram illustrating example voltages, at various times, of components of the circuit of FIG. 2 .
- FIG. 6 illustrates a fault relating to one of the input values.
- FIG. 7 is a timing diagram illustrating example voltages, at various times, of components of a voting circuit with five input values.
- FIG. 7 illustrates faults relating to two of the input values.
- FIG. 8 is a flow chart illustrating a method of providing trusted integration of untrusted components, according to an example embodiment.
- FIG. 9 is a flow chart illustrating a method of determining a majority vote from a plurality of inputs, according to an example embodiment.
- COTS commercial-off-the-shelf
- Client-server applications typically employ state-machine-based implementation of a software server process.
- IoT Internet of Things
- high availability and reliability of a server is paramount for critical applications across distributed computing.
- Data, materials, and services are interconnected throughout the world, adding many new dimensions to well-established concerns of service disruption by equipment failure, environmental catastrophe, or malicious intrusion.
- Computer servers of modern safety- and security-critical applications are challenged by arbitrary faults that can occur.
- faults can include malicious cyber threats, exploitation of design flaws, and vulnerabilities in a global supply chain.
- Cyber-attacks can include spoofing, unauthorized data access, state modification, deadlock, or instruction stream alteration.
- Malware has been met by a subscription business model of detection and patch for an accumulated catalog of threats, but it is a solution that will always lag malware development and impact computational performance.
- under-constrained design methodology can create opportunities to unanticipated system stimulus that can cause unspecified consequences. Extended iterations of custom design and trusted fabrication at the high complexity of modern processors inevitably suffer from new exploitable flaws.
- ASIC design methodology of functional verification by comparison to an independently developed model is commonly used to flag bugs. That is, equivalent but diverse models developed from a single specification must agree in function. This concept is as useful for software as it is with hardware. Complex control path architectures with many corner cases, as is the case for a processor, are much harder to fully verify than pipelined, regular data path architectures. With time-to-market being a pressing need, modern complex commercial ASICs are released after constrained-random verification coverage that samples distinct test cases most likely and most critical to be covered by customers—but not exhaustive verification coverage, which would require an unacceptable number of years of verification. There is wide-spread acceptance in industry today that every complex ASIC tape-out has remaining unfound bugs, however minor.
- Formal verification methods can be used to ascertain that specific vulnerabilities do not exist, but this continues to be limited by computation complexity and characterization of both the model and a known vulnerability. Synthesizable assertions can also be extended from ASIC/FPGA verification to validation and deployed operation to assure that unspecified behavior does not occur. This has been employed in custom solutions for trusted microelectronics.
- Computer servers are a common target for malicious attack because as they are critical shared resources. Thus, they are at risk with broad consequences in disruption of service or data compromise.
- Fault-tolerant approaches for highly-available services are means of exploiting distributed computing for replication and consensus of server state machines. Recovery can occur by acquiring a consensus state from a non-faulty processor replica. Faults can be arbitrary; that is, the precise cause does not require determination for a solution to be rendered. Fault-tolerant computing has matured in space applications, where a single event upset of digital computation is not uncommon. It is also useful for critical data applications for which distributed computing is not co-located, providing protection from earthquake, tsunami, power grid outage, or other natural disasters.
- Fault-tolerant computing concepts can be extended to modern multicore processor architectures, which can be adequate for faults due to single event upset. However, this does not consider other daunting vulnerabilities. Equivalent, but diverse, model comparison used in verification methodology can be extended to fault tolerant computing. Binary diversity on multicore processors can be used for detection of software intrusion. The notion of binary diversity is that any fault due to a cyber-attack or malware would not occur in the same way or at the same time across different cores. This is of conceptual interest, but inadequate for the many other possible vulnerabilities on identically replicated silicon design. That is, it is not sufficient to ensure Byzantine resilience from any arbitrary fault(s).
- Fault-tolerant principles posit that 2F+1 replicated state machines in consensus can permit F faults at every comparison with stable operation.
- a distinct set of faults that can be detected by comparison of state machine replica output must be a superset of possible vulnerabilities.
- vulnerabilities can exist at various levels of an architecture's implementation. Therefore, implementation diversity of replicated state machines at appropriate layers of vulnerability can provide trusted operation for a fault tolerant architecture.
- a sufficiently diverse fault-tolerant solution can address all levels of vulnerability, e.g., compiler, operating system, processor architecture, digital logic design, fabrication technology, and foundry. Rather than presuming that trusted operation is designed into trusted components, one can consider the trusted integration of untrusted COTS components. This can apply to hardware and software.
- COTS voting replicas that have varied hierarchical implementation can be integrated into a single, trusted fault-tolerant server if all replicated state machines see the same input at the same time and have consensus on state machine output. This greatly simplifies the distributed computing paradigm of fault tolerance, where a state machine would otherwise never be certain if all others have seen the same input and in the same order.
- a diversity of multiple untrusted COTS system components (hardware and/or software) engaged in redundant operation can be integrated to as a single consensus-based trusted system with a high degree of fault tolerance to, for example, unforeseen environmental interference, cyber-attack, supply chain counterfeit, inserted Trojan logic, or component design flaws.
- the degree of fault tolerance can be increased by increasing the degree of diversity of redundant operational nodes or by increasing the number of diversely implemented operational nodes.
- FIG. 1 is a schematic diagram illustrating hierarchical diversity for trusted fault tolerance, according to an example embodiment.
- FIG. 1 illustrates a conceptual design, for which trusted integration can employ scaled customizations of untrusted processor and memory diversity for any arbitrary application.
- the example is a COTS configuration that is resilient at all layers of implementation: application, operating system, processor architecture, logic implementation, fabrication process, and foundry.
- Input is captured on Input FIFOs (queues) 105 of sufficient size for identically-ordered sequential processing at the server application bandwidth.
- Data units on the FIFOs 105 can have headers indicating the source and nature of payload data. These data units can be constructed for input to an amalgamated server to facilitate generalization from any incorporating system input transceiver or bus.
- Each processor 115 has dedicated state memory 110 for reference and update when evaluating input. This memory 110 can also provide a simplified recovery mechanism when there is a fault by permitting Direct Memory Access (DMA) from the state memory 110 of a consensus processor 115 .
- DMA Direct Memory Access
- a timer in a voting (consensus) circuit 125 can ensure completion of all candidate state machine output 120 .
- processors 115 can await an interrupt from the voting circuit 125 to proceed to the next state.
- the voting circuit 125 can concurrently step through each data word on all candidate output FIFOs 120 , performing exclusive-OR to check for a violation of consensus. Checksum comparison is not advised, since it is a mere indication of data uniqueness and can be spoofed.
- the voting circuit 125 can enable DMA of state memory 110 from a replica that satisfied consensus. After DMA completion, the voting circuit 125 can trigger a next state to the processors 115 by interrupt. DMA latency to correct the state variables of the faulty processor can be masked by allowing non-faulty processors to concurrently proceed to next state if sufficient 2F+1 processors remain available.
- the voting circuit 125 can include a hardwired-configuration to reboot the processor 115 .
- the voting circuit 125 can include a hard-wired configuration to reboot the system.
- processor instruction sets, register sets, and addressing schemes can contribute to the many ways that the same state machine output can be accomplished.
- This can be ideal for trusted fault-tolerant server operation of a state machine replica.
- processor diversity would also apply to the granularity of atomic operations evaluated at processor I/O in general purpose computing. This technique assures the defined application-specific objective of the hardware/software amalgamation, rather than cycle-accurate operation of untrusted components at an arbitrary level of implementation.
- An example configuration for PCB integration can implement a SQL database server handling requests from clients for access to an SQL database. This is a simplified example to demonstrate the merit of the conceptual architecture. A diversity of processors may be run on different real-time operating systems:
- Three processors are selected for this example to handle at most one fault at any state machine consensus, but the example can be scaled to any 2F+1 arrangement.
- nodes of a redundant state-based functional system can submit votes by charging switched capacitors of a voting circuit. Integration of nodes can place these charges in tandem, for which voltage potential between the ground and the last node would be the consensus to be routed when a threshold majority is met, e.g., a voltage above or below the logic threshold for a Complementary Metal-Oxide-Semiconductor (CMOS) ⁇ PLEASE PROVIDE EXAMPLE OF ALTERNATIVE CIRCUITRY>>. All nodes can sample the consensus output, and if the consensus output differs from a node's state, the node can revise its state based on the consensus output.
- CMOS Complementary Metal-Oxide-Semiconductor
- FIG. 2 is a circuit diagram illustrating a circuit 200 for determining a majority value of three input values 205 a - c , according to an example embodiment.
- the circuit includes a voting input stage, a transfer stage, and an accumulating stage.
- the voting input stage includes at least three input switched capacitors 210 a - c .
- the transfer stage includes transfer switched capacitors 215 a - e corresponding to the input switched capacitors 210 a - c .
- the transfer switched capacitors 215 a - e charge a voting capacitor 220 a - c corresponding to each input switched capacitor 210 a - c during a state of a clock signal.
- the accumulating stage includes accumulating switched capacitors 225 a,b connecting the voting capacitors 220 a - c in series.
- the accumulating switched capacitors 225 a,b cause the charges of the voting capacitors 220 a - c to be accumulated during an alternate state of the clock signal.
- the accumulated charge 230 of the voting capacitors represents a majority vote of the input switched capacitors 210 a - c .
- the transfer switched capacitors 215 a - e can charge the voting capacitors 220 a - c during a high state of the clock signal, and the accumulating switched capacitors 225 a,b can cause the charges of the voting capacitors 220 a - c to be accumulated during a low state of the clock signal.
- the accumulated charge 230 of the voting capacitors 220 a - c can represent a high logic vote if the accumulated charge 230 is greater than one half of the circuit supply voltage, and the accumulated charge 230 of the voting capacitors 220 a - c can represent a low logic vote if the accumulated charge 230 is less than one half of the circuit supply voltage.
- the input switched capacitors 210 a - c can be switched by binary outputs of digital circuits, and the accumulated charge 230 of the voting capacitors 220 a - c can be passed to a digital comparator.
- FIG. 3 is a circuit diagram illustrating a circuit 300 for determining a majority value of N input values 305 a - n , according to an example embodiment.
- the circuit includes a voting input stage, a transfer stage, and an accumulating stage.
- the voting input stage includes N input switched capacitors 310 a - n .
- the transfer stage includes transfer switched capacitors 315 a - n corresponding to the input switched capacitors 310 a - n .
- the transfer switched capacitors 315 a - n charge a voting capacitor 320 a - n corresponding to each input switched capacitor 310 a - n during a state of a clock signal.
- the accumulating stage includes accumulating switched capacitors 325 a - n connecting the voting capacitors 320 a - n in series.
- the accumulating switched capacitors 325 a - n cause the charges of the voting capacitors 320 a - n to be accumulated during an alternate state of the clock signal.
- the accumulated charge 330 of the voting capacitors represents a majority vote of the input switched capacitors 310 a - n .
- the input switched capacitors 310 a - n can be coupled to a voltage divider to divide a circuit supply voltage among the input switched capacitors 310 a - n .
- the voting input stage can include a resistive voltage divider 335 a - n at each of the input switched capacitors 310 a - n , where each resistive voltage divider 335 a - n is scaled to (N ⁇ 1):1.
- the illustrated circuit can be a bitwise analog voting circuit with a totem of switched capacitors connected in series by CMOS switches at evaluation of the aggregate (accumulated) voltage of stacked consensus, V TRUST , but isolated from each other by these CMOS switches when the voting charge of each replica's bit is being transferred to each individual switched capacitor in the stack by parallel CMOS switches on the alternate phase of a driving clock, C.
- the number of voting inputs to the analog circuit could support a quantity of three or greater voting replicas. An odd number can be used to reduce the chance of a split vote having ambiguous logic output. 2F+1 voting replicas would provide fault tolerant consensus for F faults. Thus, five replicas would be needed for Byzantine resilience in the case of two possible faults.
- Each voting input stage can be implemented with a CMOS switch connecting a voltage divider. While the number of voting replicas, N, can vary for the number of coincident faults that the system is to tolerate, the resistive voltage divider at each voting input can be scaled (N ⁇ 1):1. This ensures that a unanimous vote of logic high at circuit inputs accumulates to no more than the supply voltage, logic high, at output. Thus, resistor proportions on each voltage divider is directly related to how many voting replicas are to be integrated for consensus voting to tolerate a particular number of faults at once.
- the CMOS switch can be considered to be “off” at the voting input stage when a logic low is input. In such a case, no current is drawn from the supply across the voltage divider and there is no voltage drop on the lower resister—yielding ground voltage at the voting terminal (top of the lower resistor in the voltage divider). This voltage contribution to the consensus stack for V TRUST will be nil on the next phase of the driving clock.
- the CMOS switch can be considered to be “on” at the voting input stage when a logic high is input; that is, the CMOS switch shorts from transistor source to drain. When that happens, current flows from the power supply through the voltage divider to ground.
- the contribution V TRUST on the consensus stack will be 1/N*VCC, or 1/Nth of logic high.
- V TRUST is over a CMOS threshold voltage for logic “1”
- the bitwise consensus can be logic “1”.
- the consensus can be logic “0” at the digital output of the analog circuit.
- the circuit can employ an implicit comparison of the aggregate voltage of consensus to logic “0” or “1” when the output drives CMOS digital logic, and no analog comparator is needed.
- FIG. 4 is a schematic diagram illustrating eight voting circuits 415 a - h used to determine, bit-by-bit, a majority eight-bit value 420 , according to an example embodiment.
- Fault tolerance can rely on voting replicas of the same functional unit, such that a compromised outlier does not hinder consensus-based operation. This can be resolved down to bitwise evaluation of the state of functional units, assessing each bit across replicas by majority vote. Since multiple replicas can be integrated to use voting (consensus) as a safe operation, a voting unit can be utilized. Voting on bit states by digital means could introduce metastable flip-flop fault, but if voting by an analog means, an exhaustive sweep test across bounded temperature and power can assure resilient performance.
- FIG. 4 Three redundant processors 405 a - c are illustrated in FIG. 4 .
- the processors 405 a - c can perform the same functions, but each has a different architecture.
- Representations of eight-bit output data 410 a - c from the processors 405 a - c are also illustrated.
- Corresponding bits from each of the output data 410 a - c are provided to eight corresponding voting circuits 415 a - h .
- Each voting circuit 415 a - h determines a majority value from the received input bits of the output data 410 a - c
- the eight voting circuits 415 a - h provide a resulting consensus output 420 based on the eight majority values.
- the consensus output 420 will not include the incorrect bit.
- FIG. 5 is a timing diagram illustrating example voltages, at various times, of components of the circuit of FIG. 2 .
- the timing diagram shows values 505 of a driving clock C and its opposite value (“not C”).
- the value of C is high at times T 1 , T 3 , and T 5 .
- the value of “not C” is high at T 2 , T 4 , and T 6 .
- the timing diagram also shows the values of the three input values 205 a - c , the three voting capacitors 220 a - c , and the accumulated charge (V TRUST ) 230 .
- the timing diagram illustrates that the three input values 205 a - c are changed to high at time T 2 .
- the three voting capacitors 220 a - c are shown as being high. This is because the transfer stage of circuit 200 charges the voting capacitors 220 a - c corresponding to each input switched capacitor 210 a - c during a high state of the clock signal.
- the driving clock C is low (and “not C” is high)
- the accumulated charge (V TRUST ) 230 is shown as being high. This is because the accumulating stage of circuit 200 causes the charges of the voting capacitors 220 a - c to be accumulated during a low state of the clock signal.
- FIG. 6 is a timing diagram illustrating example voltages, at various times, of components of the circuit of FIG. 2 .
- FIG. 6 illustrates a fault relating to one of the input values. The fault can be seen at time T 2 where input value 205 c is low while the other input values 205 a,b are high. When all components are functioning correctly, the input values should agree. Thus, the low value of input 205 c represents a fault.
- the accumulated value 230 is high as it is still above a threshold value (2 out of 3) for logical high, thereby correcting the fault at input 205 c.
- FIG. 7 is a timing diagram illustrating example voltages, at various times, of components of a voting with five input values.
- FIG. 7 illustrates faults relating to two of the input values.
- the timing diagram shows values 505 of a driving clock C and its opposite value (“not C”).
- the value of C is high at times T 1 , T 3 , and T 5 .
- the value of “not C” is high at T 2 , T 4 , and T 6 .
- the timing diagram also shows the values of the five input values 705 a - e , five voting capacitors 720 a - e , and an accumulated charge (V TRUST ) 730 .
- FIG. 8 is a flow chart illustrating a method 800 of providing trusted integration of untrusted components, according to an example embodiment.
- the example method 800 includes integrating 805 at least three electronic components into a system.
- the components have varied hierarchical implementations for providing common output given common input.
- the method 800 further includes providing 810 outputs from the components as input to consensus circuitry to provide a consensus output that is a majority of the outputs of the components.
- FIG. 9 is a flow chart illustrating a method 900 of determining a majority vote from a plurality of inputs, according to an example embodiment.
- the example method 900 includes receiving 905 at least three voting inputs. Each voting input is in the form of a high or low logical bit.
- the method 900 further includes converting 910 the voting inputs to analog voltages, resulting in analog voting voltages, and accumulating 915 the analog voting voltages, resulting in an accumulated analog voting voltage.
- the accumulated analog voting voltage represents a majority vote of the voting inputs.
- Receiving at least three voting inputs can include receiving 2F+1 inputs to provide fault tolerant consensus for F faults.
- a circuit supply voltage can be divided among the voting inputs. For each voting input, the corresponding analog voting voltage can be equal to the divided circuit supply voltage if the voting input is a high logical bit, and can be equal to a ground voltage if the voting input is a low logical bit.
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- Computer Hardware Design (AREA)
- General Physics & Mathematics (AREA)
- Computer Security & Cryptography (AREA)
- Software Systems (AREA)
- Mathematical Physics (AREA)
- Power Engineering (AREA)
- Computing Systems (AREA)
- Quality & Reliability (AREA)
- Hardware Redundancy (AREA)
Abstract
Systems and methods for trusted integration of untrusted components. An example system includes at least three electrical components and voting (consensus) circuitry. The components have varied hierarchical implementations for providing common output given common input. The voting circuitry is configured to receive, as input, outputs from the components and provide a consensus output that is a majority of the outputs received from the components. Such a diversity of multiple untrusted system components (hardware and/or software) engaged in redundant operation can be integrated to as a consensus-based trusted system with a high degree of fault tolerance to unforeseen environmental interference, cyber-attack, supply chain counterfeit, inserted Trojan logic, or component design flaws. The degree of fault tolerance can be increased by increasing the degree of diversity of redundant operational nodes or by increasing the number of diversely implemented operational nodes.
Description
- This application claims the benefit of U.S. Provisional Application Nos. 62/385,440 and 62/385,435, both filed on Sep. 9, 2016. The entire teachings of the above applications are incorporated herein by reference.
- Computer servers of modern safety- and security-critical applications are challenged by arbitrary faults. Such faults can include malicious cyber threats (e.g., spoofing, unauthorized data access, state modification, deadlock, or instruction stream alteration), exploitation of design flaws, and vulnerabilities in a global supply chain. In addition to design flaws, under-constrained design methodology can create opportunities to unanticipated system stimulus that can cause unspecified consequences. Further, supply chain assurance is a growing concern, as fewer trusted foundries may exist, and counterfeit, cloned, over-produced, and recycled components have entered the supply chain of programs with a thorough chain-of-custody from trusted suppliers. Computer servers are a common target for malicious attack as they are critical shared resources. Thus, they are at risk with broad consequences in disruption of service or data compromise.
- The systems and methods disclosed herein provide reliable fault tolerance solutions. One example embodiment is a system for trusted integration of untrusted components. The example system includes at least three electrical components and voting (consensus) circuitry. The components have varied hierarchical implementations for providing common output given common input. The voting circuitry is configured to receive, as input, outputs from the components and provide a consensus output that is a majority of the outputs received from the components. The electrical components of the system can be digital components and the voting circuitry can be analog circuitry. The varied hierarchical implementations of the components can include, for example, any of differing processor instruction sets, differing register sets, and differing address schemes.
- In some embodiments, each component can include a processor having an input queue, state memory, state machine, and output queue. The output queues can provide input to the voting circuitry. The state machines can be configured to interpret headers in data of the input queue, where the headers indicating the source and nature of the data. Each state memory can be configured to permit direct memory access for fault recovery. In an event the voting circuitry detects a fault by a given component, the state memory of the given component can be overwritten with data from a state memory of a component that satisfied the consensus. In some embodiments, the components that satisfied the consensus can be enabled to proceed to a next state while the given component is recovered if there are enough components that satisfied the consensus to protect against additional faults.
- The system can include a timer to ensure completion of output queue data of each output queue before the processors can proceed to a next state. Such a timer can be associated with the voting circuitry, and the voting circuitry can be configured to provide an interrupt to cause the processors to proceed to the next state. The voting circuitry can be configured to reboot a component that fails repeatedly, and to reboot the system in an event a consensus output cannot be obtained.
- The voting circuitry can include, for each bit of output across the components, a voting input stage, a transfer stage, and an accumulating stage. The voting input stage can include at least three input switched capacitors corresponding to the components. The input switched capacitors can be configured to receive, as input, a bit of output across the components. The transfer stage can include transfer switched capacitors corresponding to the input switched capacitors. The transfer switched capacitors can be configured to charge a voting capacitor corresponding to each input switched capacitor during a state of a clock signal. The accumulating stage can include accumulating switched capacitors connecting the voting capacitors in series. The accumulating switched capacitors can cause the charges of the voting capacitors to be accumulated during an alternate state of the clock signal. The accumulated charge of the voting capacitors can represent the consensus output of the bit of output across the components.
- Another example embodiment is a method of providing trusted integration of untrusted components. The method includes integrating at least three electronic components into a system. The components have varied hierarchical implementations for providing common output given common input. The method further includes providing outputs from the components as input to voting circuitry to provide a consensus output that is a majority of the outputs of the components. Providing outputs from the components as input to voting circuitry can include, for each bit of the outputs across the components, (i) providing one bit of output from the at least three components as inputs to at least three voting inputs, each in the form of high or low logical bits, (ii) converting the voting inputs to analog voltages, resulting in analog voting voltages, and (iii) accumulating the analog voting voltages, resulting in an accumulated analog voting voltage. The accumulated analog voting voltage represents the consensus output of the bit of output across the components.
- Another example embodiment is a system for trusted integration of untrusted components. The example system includes at least three processors, each processor including an input queue, state memory, state machine, and output queue having varied hierarchical implementations for providing common output given common input. The system also includes voting circuitry that includes, for each bit of output across the components, a voting input stage, a transfer stage, and an accumulating stage. The voting input stage includes at least three input switched capacitors corresponding to the components. The input switched capacitors are configured to receive, as input, a bit of output across the output queues. The transfer stage includes transfer switched capacitors corresponding to the input switched capacitors. The transfer switched capacitors are configured to charge a voting capacitor corresponding to each input switched capacitor during a state of a clock signal. The accumulating stage includes accumulating switched capacitors connecting the voting capacitors in series. The accumulating switched capacitors are configured to cause the charges of the voting capacitors to be accumulated during an alternate state of the clock signal. The accumulated charge of the voting capacitors represents the consensus output of the bit of output across the output queues.
- The foregoing will be apparent from the following more particular description of example embodiments, as illustrated in the accompanying drawings in which like reference characters refer to the same parts throughout the different views. The drawings are not necessarily to scale, emphasis instead being placed upon illustrating embodiments.
-
FIG. 1 is a schematic diagram illustrating hierarchical diversity for trusted fault tolerance, according to an example embodiment. -
FIG. 2 is a circuit diagram illustrating a circuit for determining a majority value of three input values, according to an example embodiment. -
FIG. 3 is a circuit diagram illustrating a circuit for determining a majority value of N input values, according to an example embodiment. -
FIG. 4 is a schematic diagram illustrating eight voting circuits used to determine bit-by-bit a majority eight-bit value, according to an example embodiment. -
FIG. 5 is a timing diagram illustrating example voltages, at various times, of components of the circuit ofFIG. 2 . -
FIG. 6 is a timing diagram illustrating example voltages, at various times, of components of the circuit ofFIG. 2 .FIG. 6 illustrates a fault relating to one of the input values. -
FIG. 7 is a timing diagram illustrating example voltages, at various times, of components of a voting circuit with five input values.FIG. 7 illustrates faults relating to two of the input values. -
FIG. 8 is a flow chart illustrating a method of providing trusted integration of untrusted components, according to an example embodiment. -
FIG. 9 is a flow chart illustrating a method of determining a majority vote from a plurality of inputs, according to an example embodiment. - A description of example embodiments follows.
- Commoditized commercial-off-the-shelf (COTS) processors are well supported by modern operating systems and offer long product lifecycles for implementation in servers. Client-server applications typically employ state-machine-based implementation of a software server process. In the Internet of Things (IoT), for example, high availability and reliability of a server is paramount for critical applications across distributed computing. Data, materials, and services are interconnected throughout the world, adding many new dimensions to well-established concerns of service disruption by equipment failure, environmental catastrophe, or malicious intrusion.
- Trust Vulnerabilities
- Computer servers of modern safety- and security-critical applications are challenged by arbitrary faults that can occur. Such faults can include malicious cyber threats, exploitation of design flaws, and vulnerabilities in a global supply chain. Cyber-attacks can include spoofing, unauthorized data access, state modification, deadlock, or instruction stream alteration. Malware has been met by a subscription business model of detection and patch for an accumulated catalog of threats, but it is a solution that will always lag malware development and impact computational performance. In addition to design flaws, under-constrained design methodology can create opportunities to unanticipated system stimulus that can cause unspecified consequences. Extended iterations of custom design and trusted fabrication at the high complexity of modern processors inevitably suffer from new exploitable flaws. Supply chain assurance is a growing concern, as fewer trusted foundries may exist, and counterfeit, cloned, over-produced, and recycled components have entered the supply chain of programs with a thorough chain-of-custody from trusted suppliers. Further, malicious Trojan logic or selectively adulterated fabrication can escape manufacturing testing and be deployed for ultimate activation/failure. Further, insider threat in the development process is significantly difficult to eliminate, even with trusted foundries.
- Verification Methodology for Trusted Logic
- ASIC design methodology of functional verification by comparison to an independently developed model is commonly used to flag bugs. That is, equivalent but diverse models developed from a single specification must agree in function. This concept is as useful for software as it is with hardware. Complex control path architectures with many corner cases, as is the case for a processor, are much harder to fully verify than pipelined, regular data path architectures. With time-to-market being a pressing need, modern complex commercial ASICs are released after constrained-random verification coverage that samples distinct test cases most likely and most critical to be covered by customers—but not exhaustive verification coverage, which would require an unacceptable number of years of verification. There is wide-spread acceptance in industry today that every complex ASIC tape-out has remaining unfound bugs, however minor. Formal verification methods can be used to ascertain that specific vulnerabilities do not exist, but this continues to be limited by computation complexity and characterization of both the model and a known vulnerability. Synthesizable assertions can also be extended from ASIC/FPGA verification to validation and deployed operation to assure that unspecified behavior does not occur. This has been employed in custom solutions for trusted microelectronics.
- Fault-Tolerance Approaches to Trusted Server Operation
- Computer servers are a common target for malicious attack because as they are critical shared resources. Thus, they are at risk with broad consequences in disruption of service or data compromise. Fault-tolerant approaches for highly-available services are means of exploiting distributed computing for replication and consensus of server state machines. Recovery can occur by acquiring a consensus state from a non-faulty processor replica. Faults can be arbitrary; that is, the precise cause does not require determination for a solution to be rendered. Fault-tolerant computing has matured in space applications, where a single event upset of digital computation is not uncommon. It is also useful for critical data applications for which distributed computing is not co-located, providing protection from earthquake, tsunami, power grid outage, or other natural disasters. Fault-tolerant computing concepts can be extended to modern multicore processor architectures, which can be adequate for faults due to single event upset. However, this does not consider other formidable vulnerabilities. Equivalent, but diverse, model comparison used in verification methodology can be extended to fault tolerant computing. Binary diversity on multicore processors can be used for detection of software intrusion. The notion of binary diversity is that any fault due to a cyber-attack or malware would not occur in the same way or at the same time across different cores. This is of conceptual interest, but inadequate for the many other possible vulnerabilities on identically replicated silicon design. That is, it is not sufficient to ensure Byzantine resilience from any arbitrary fault(s).
- Diverse System Integration for Trusted Fault-Tolerance
- Fault-tolerant principles posit that 2F+1 replicated state machines in consensus can permit F faults at every comparison with stable operation. For trusted operation, a distinct set of faults that can be detected by comparison of state machine replica output must be a superset of possible vulnerabilities. However, vulnerabilities can exist at various levels of an architecture's implementation. Therefore, implementation diversity of replicated state machines at appropriate layers of vulnerability can provide trusted operation for a fault tolerant architecture. A sufficiently diverse fault-tolerant solution can address all levels of vulnerability, e.g., compiler, operating system, processor architecture, digital logic design, fabrication technology, and foundry. Rather than presuming that trusted operation is designed into trusted components, one can consider the trusted integration of untrusted COTS components. This can apply to hardware and software. COTS voting replicas that have varied hierarchical implementation can be integrated into a single, trusted fault-tolerant server if all replicated state machines see the same input at the same time and have consensus on state machine output. This greatly simplifies the distributed computing paradigm of fault tolerance, where a state machine would otherwise never be certain if all others have seen the same input and in the same order.
- A diversity of multiple untrusted COTS system components (hardware and/or software) engaged in redundant operation can be integrated to as a single consensus-based trusted system with a high degree of fault tolerance to, for example, unforeseen environmental interference, cyber-attack, supply chain counterfeit, inserted Trojan logic, or component design flaws. The degree of fault tolerance can be increased by increasing the degree of diversity of redundant operational nodes or by increasing the number of diversely implemented operational nodes.
-
FIG. 1 is a schematic diagram illustrating hierarchical diversity for trusted fault tolerance, according to an example embodiment.FIG. 1 illustrates a conceptual design, for which trusted integration can employ scaled customizations of untrusted processor and memory diversity for any arbitrary application. The example is a COTS configuration that is resilient at all layers of implementation: application, operating system, processor architecture, logic implementation, fabrication process, and foundry. - Input is captured on Input FIFOs (queues) 105 of sufficient size for identically-ordered sequential processing at the server application bandwidth. Data units on the
FIFOs 105 can have headers indicating the source and nature of payload data. These data units can be constructed for input to an amalgamated server to facilitate generalization from any incorporating system input transceiver or bus. Eachprocessor 115 has dedicatedstate memory 110 for reference and update when evaluating input. Thismemory 110 can also provide a simplified recovery mechanism when there is a fault by permitting Direct Memory Access (DMA) from thestate memory 110 of aconsensus processor 115. A timer in a voting (consensus)circuit 125 can ensure completion of all candidatestate machine output 120. Upon providing candidate state machine output to FIFOs 120 and notifying thevoting circuit 125,processors 115 can await an interrupt from thevoting circuit 125 to proceed to the next state. Thevoting circuit 125 can concurrently step through each data word on allcandidate output FIFOs 120, performing exclusive-OR to check for a violation of consensus. Checksum comparison is not advised, since it is a mere indication of data uniqueness and can be spoofed. - In the case that the
voting circuit 125 has detected a fault, it can enable DMA ofstate memory 110 from a replica that satisfied consensus. After DMA completion, thevoting circuit 125 can trigger a next state to theprocessors 115 by interrupt. DMA latency to correct the state variables of the faulty processor can be masked by allowing non-faulty processors to concurrently proceed to next state if sufficient 2F+1 processors remain available. - In the case that a
processor 115 is not able to deliver state output or aprocessor 115 repeatedly fails, thevoting circuit 125 can include a hardwired-configuration to reboot theprocessor 115. Whenprocessors 115 fail to reach majority consensus or a majority fail to deliver state output, thevoting circuit 125 can include a hard-wired configuration to reboot the system. - Because an aspect of this solution's strength is in its diversity, it follows that differing processor instruction sets, register sets, and addressing schemes can contribute to the many ways that the same state machine output can be accomplished. This can be ideal for trusted fault-tolerant server operation of a state machine replica. For the fault tolerant server, it does not matter how it arrives but that it does indeed arrive at output consensus. However, it should not be implied that processor diversity would also apply to the granularity of atomic operations evaluated at processor I/O in general purpose computing. This technique assures the defined application-specific objective of the hardware/software amalgamation, rather than cycle-accurate operation of untrusted components at an arbitrary level of implementation.
- Example Hierarchical Diversity for Trusted Fault Tolerance
- An example configuration for PCB integration can implement a SQL database server handling requests from clients for access to an SQL database. This is a simplified example to demonstrate the merit of the conceptual architecture. A diversity of processors may be run on different real-time operating systems:
-
- ST Microelectronics STM32 F0 (ARM Cortex M0) and FreeRTOS
- Microchip PIC32MX (MIPS) and VxWorks RTOS
- Freescale MPC8313E PowerQUICC II Pro (PowerPC) and Linux RTOS
- Three processors are selected for this example to handle at most one fault at any state machine consensus, but the example can be scaled to any 2F+1 arrangement.
- Voting Circuit
- Diversely implemented nodes of a redundant state-based functional system can submit votes by charging switched capacitors of a voting circuit. Integration of nodes can place these charges in tandem, for which voltage potential between the ground and the last node would be the consensus to be routed when a threshold majority is met, e.g., a voltage above or below the logic threshold for a Complementary Metal-Oxide-Semiconductor (CMOS)<<PLEASE PROVIDE EXAMPLE OF ALTERNATIVE CIRCUITRY>>. All nodes can sample the consensus output, and if the consensus output differs from a node's state, the node can revise its state based on the consensus output.
-
FIG. 2 is a circuit diagram illustrating acircuit 200 for determining a majority value of three input values 205 a-c, according to an example embodiment. The circuit includes a voting input stage, a transfer stage, and an accumulating stage. The voting input stage includes at least three input switched capacitors 210 a-c. The transfer stage includes transfer switched capacitors 215 a-e corresponding to the input switched capacitors 210 a-c. The transfer switched capacitors 215 a-e charge a voting capacitor 220 a-c corresponding to each input switched capacitor 210 a-c during a state of a clock signal. The accumulating stage includes accumulating switchedcapacitors 225 a,b connecting the voting capacitors 220 a-c in series. The accumulating switchedcapacitors 225 a,b cause the charges of the voting capacitors 220 a-c to be accumulated during an alternate state of the clock signal. The accumulatedcharge 230 of the voting capacitors represents a majority vote of the input switched capacitors 210 a-c. The transfer switched capacitors 215 a-e can charge the voting capacitors 220 a-c during a high state of the clock signal, and the accumulating switchedcapacitors 225 a,b can cause the charges of the voting capacitors 220 a-c to be accumulated during a low state of the clock signal. The accumulatedcharge 230 of the voting capacitors 220 a-c can represent a high logic vote if the accumulatedcharge 230 is greater than one half of the circuit supply voltage, and the accumulatedcharge 230 of the voting capacitors 220 a-c can represent a low logic vote if the accumulatedcharge 230 is less than one half of the circuit supply voltage. The input switched capacitors 210 a-c can be switched by binary outputs of digital circuits, and the accumulatedcharge 230 of the voting capacitors 220 a-c can be passed to a digital comparator. -
FIG. 3 is a circuit diagram illustrating acircuit 300 for determining a majority value of N input values 305 a-n, according to an example embodiment. The circuit includes a voting input stage, a transfer stage, and an accumulating stage. The voting input stage includes N input switched capacitors 310 a-n. The transfer stage includes transfer switched capacitors 315 a-n corresponding to the input switched capacitors 310 a-n. The transfer switched capacitors 315 a-n charge a voting capacitor 320 a-n corresponding to each input switched capacitor 310 a-n during a state of a clock signal. The accumulating stage includes accumulating switched capacitors 325 a-n connecting the voting capacitors 320 a-n in series. The accumulating switched capacitors 325 a-n cause the charges of the voting capacitors 320 a-n to be accumulated during an alternate state of the clock signal. The accumulatedcharge 330 of the voting capacitors represents a majority vote of the input switched capacitors 310 a-n. The voting input stage can include 2F+1 input switched capacitors 310 a-n to provide fault tolerant consensus for F faults (e.g., N=2F+1). The input switched capacitors 310 a-n can be coupled to a voltage divider to divide a circuit supply voltage among the input switched capacitors 310 a-n. The voting input stage can include a resistive voltage divider 335 a-n at each of the input switched capacitors 310 a-n, where each resistive voltage divider 335 a-n is scaled to (N−1):1. - The illustrated circuit can be a bitwise analog voting circuit with a totem of switched capacitors connected in series by CMOS switches at evaluation of the aggregate (accumulated) voltage of stacked consensus, VTRUST, but isolated from each other by these CMOS switches when the voting charge of each replica's bit is being transferred to each individual switched capacitor in the stack by parallel CMOS switches on the alternate phase of a driving clock, C. Note that the number of voting inputs to the analog circuit could support a quantity of three or greater voting replicas. An odd number can be used to reduce the chance of a split vote having ambiguous logic output. 2F+1 voting replicas would provide fault tolerant consensus for F faults. Thus, five replicas would be needed for Byzantine resilience in the case of two possible faults. Each voting input stage can be implemented with a CMOS switch connecting a voltage divider. While the number of voting replicas, N, can vary for the number of coincident faults that the system is to tolerate, the resistive voltage divider at each voting input can be scaled (N−1):1. This ensures that a unanimous vote of logic high at circuit inputs accumulates to no more than the supply voltage, logic high, at output. Thus, resistor proportions on each voltage divider is directly related to how many voting replicas are to be integrated for consensus voting to tolerate a particular number of faults at once.
- The CMOS switch can be considered to be “off” at the voting input stage when a logic low is input. In such a case, no current is drawn from the supply across the voltage divider and there is no voltage drop on the lower resister—yielding ground voltage at the voting terminal (top of the lower resistor in the voltage divider). This voltage contribution to the consensus stack for VTRUST will be nil on the next phase of the driving clock. The CMOS switch can be considered to be “on” at the voting input stage when a logic high is input; that is, the CMOS switch shorts from transistor source to drain. When that happens, current flows from the power supply through the voltage divider to ground. The contribution VTRUST on the consensus stack will be 1/N*VCC, or 1/Nth of logic high. If VTRUST is over a CMOS threshold voltage for logic “1”, then the bitwise consensus can be logic “1”. Else, the consensus can be logic “0” at the digital output of the analog circuit. Thus, the circuit can employ an implicit comparison of the aggregate voltage of consensus to logic “0” or “1” when the output drives CMOS digital logic, and no analog comparator is needed.
-
FIG. 4 is a schematic diagram illustrating eight voting circuits 415 a-h used to determine, bit-by-bit, a majority eight-bit value 420, according to an example embodiment. Fault tolerance can rely on voting replicas of the same functional unit, such that a compromised outlier does not hinder consensus-based operation. This can be resolved down to bitwise evaluation of the state of functional units, assessing each bit across replicas by majority vote. Since multiple replicas can be integrated to use voting (consensus) as a safe operation, a voting unit can be utilized. Voting on bit states by digital means could introduce metastable flip-flop fault, but if voting by an analog means, an exhaustive sweep test across bounded temperature and power can assure resilient performance. - Three redundant processors 405 a-c are illustrated in
FIG. 4 . The processors 405 a-c can perform the same functions, but each has a different architecture. Representations of eight-bit output data 410 a-c from the processors 405 a-c are also illustrated. Corresponding bits from each of the output data 410 a-c are provided to eight corresponding voting circuits 415 a-h. Each voting circuit 415 a-h determines a majority value from the received input bits of the output data 410 a-c, and the eight voting circuits 415 a-h provide a resultingconsensus output 420 based on the eight majority values. Thus, for example, if an output bit from one of the processors is incorrect, theconsensus output 420 will not include the incorrect bit. -
FIG. 5 is a timing diagram illustrating example voltages, at various times, of components of the circuit ofFIG. 2 . The timing diagram showsvalues 505 of a driving clock C and its opposite value (“not C”). The value of C is high at times T1, T3, and T5. The value of “not C” is high at T2, T4, and T6. The timing diagram also shows the values of the three input values 205 a-c, the three voting capacitors 220 a-c, and the accumulated charge (VTRUST) 230. - The timing diagram illustrates that the three input values 205 a-c are changed to high at time T2. At time T3, when the driving clock C is high, the three voting capacitors 220 a-c are shown as being high. This is because the transfer stage of
circuit 200 charges the voting capacitors 220 a-c corresponding to each input switched capacitor 210 a-c during a high state of the clock signal. At time T4, when the driving clock C is low (and “not C” is high), the accumulated charge (VTRUST) 230 is shown as being high. This is because the accumulating stage ofcircuit 200 causes the charges of the voting capacitors 220 a-c to be accumulated during a low state of the clock signal. -
FIG. 6 is a timing diagram illustrating example voltages, at various times, of components of the circuit ofFIG. 2 .FIG. 6 illustrates a fault relating to one of the input values. The fault can be seen at time T2 whereinput value 205 c is low while the other input values 205 a,b are high. When all components are functioning correctly, the input values should agree. Thus, the low value ofinput 205 c represents a fault. At time T4, when the three values are accumulated, the accumulatedvalue 230 is high as it is still above a threshold value (2 out of 3) for logical high, thereby correcting the fault atinput 205 c. -
FIG. 7 is a timing diagram illustrating example voltages, at various times, of components of a voting with five input values.FIG. 7 illustrates faults relating to two of the input values. The timing diagram showsvalues 505 of a driving clock C and its opposite value (“not C”). The value of C is high at times T1, T3, and T5. The value of “not C” is high at T2, T4, and T6. The timing diagram also shows the values of the five input values 705 a-e, five voting capacitors 720 a-e, and an accumulated charge (VTRUST) 730. Two faults can be seen at time T2, where input values 705 d and 705 e are low while the other input values 705 a-c are high. Again, when all components are functioning correctly, the input values should agree. Thus, the low values ofinputs value 730 is high as it is still above a threshold value (3 out of 5) for logical high, thereby correcting the faults atinputs -
FIG. 8 is a flow chart illustrating amethod 800 of providing trusted integration of untrusted components, according to an example embodiment. Theexample method 800 includes integrating 805 at least three electronic components into a system. The components have varied hierarchical implementations for providing common output given common input. Themethod 800 further includes providing 810 outputs from the components as input to consensus circuitry to provide a consensus output that is a majority of the outputs of the components. -
FIG. 9 is a flow chart illustrating amethod 900 of determining a majority vote from a plurality of inputs, according to an example embodiment. Theexample method 900 includes receiving 905 at least three voting inputs. Each voting input is in the form of a high or low logical bit. Themethod 900 further includes converting 910 the voting inputs to analog voltages, resulting in analog voting voltages, and accumulating 915 the analog voting voltages, resulting in an accumulated analog voting voltage. The accumulated analog voting voltage represents a majority vote of the voting inputs. Receiving at least three voting inputs can include receiving 2F+1 inputs to provide fault tolerant consensus for F faults. A circuit supply voltage can be divided among the voting inputs. For each voting input, the corresponding analog voting voltage can be equal to the divided circuit supply voltage if the voting input is a high logical bit, and can be equal to a ground voltage if the voting input is a low logical bit. - While example embodiments have been particularly shown and described, it will be understood by those skilled in the art that various changes in form and details may be made therein without departing from the scope of the embodiments encompassed by the appended claims.
Claims (23)
1. A system for trusted integration of untrusted components, the system comprising:
at least three electrical components, the components having varied hierarchical implementations for providing common output given common input; and
voting circuitry to receive as input, outputs from the components and provide a consensus output that is a majority of the outputs received from the components.
2. A system as in claim 1 wherein each component includes a processor having an input queue, state memory, state machine, and output queue, and wherein the output queues provide input to the voting circuitry.
3. A system as in claim 2 wherein the state machines are configured to interpret headers in data of the input queue, the headers indicating the source and nature of the data.
4. A system as in claim 2 wherein each state memory is configured to permit direct memory access for fault recovery.
5. A system as in claim 4 wherein in an event the voting circuitry detects a fault by a given component, the state memory of the given component is configured to be overwritten with data from a state memory of a component that satisfied the consensus.
6. A system as in claim 5 wherein the components that satisfied the consensus are enabled to proceed to a next state while the given component is recovered if there are enough components that satisfied the consensus to protect against additional faults.
7. A system as in claim 2 further comprising a timer to ensure completion of output queue data of each output queue before the processors can proceed to a next state.
8. A system as in claim 7 wherein the timer is associated with the voting circuitry, and wherein the voting circuitry is configured to provide an interrupt to cause the processors to proceed to the next state.
9. A system as in claim 1 wherein the voting circuitry is configured to reboot a component that fails repeatedly, and to reboot the system in an event a consensus output cannot be obtained.
10. A system as in claim 1 wherein the varied hierarchical implementations of the components include any of differing processor instruction sets, differing register sets, and differing address schemes.
11. A system as in claim 1 wherein the electrical components are digital components and the voting circuitry is analog circuitry.
12. A system as in claim 1 wherein the voting circuitry includes for each bit of output across the components:
a voting input stage including at least three input switched capacitors corresponding to the components, the input switched capacitors configured to receive, as input, the bit of output across the components;
a transfer stage including transfer switched capacitors corresponding to the input switched capacitors, the transfer switched capacitors charging a voting capacitor corresponding to each input switched capacitor during a state of a clock signal; and
an accumulating stage including accumulating switched capacitors connecting the voting capacitors in series, the accumulating switched capacitors causing the charges of the voting capacitors to be accumulated during an alternate state of the clock signal, the accumulated charge of the voting capacitors representing the consensus output of the bit of output across the components.
13. A method of providing trusted integration of untrusted components, the method comprising:
integrating at least three electronic components into a system, the components having varied hierarchical implementations for providing common output given common input; and
providing outputs from the components as input to voting circuitry to provide a consensus output that is a majority of the outputs of the components.
14. A method as in claim 13 wherein each component includes a processor having an input queue, state memory, state machine, and output queue, and wherein the output queues provide input to the voting circuitry.
15. A method as in claim 14 further including enabling the state machines to interpret headers in data of the input queue, the headers indicating the source and nature of the data.
16. A method as in claim 14 further including enabling each state memory to permit direct memory access for fault recovery.
17. A method as in claim 16 wherein, in an event a fault of a given component is detected by the voting circuitry, overwriting the state memory of the given component with data from a state memory of a component that satisfied the consensus.
18. A method as in claim 17 further including enabling the components that satisfied the consensus to proceed to a next state while the given component is recovered if there are enough components that satisfied the consensus to protect against additional faults.
19. A method as in claim 14 further including ensuring completion of all output queue data before the processors can proceed to a next state.
20. A method as in claim 19 further including providing an interrupt to cause the processors to proceed to the next state.
21. A method as in claim 13 further including rebooting a component that fails repeatedly, and rebooting the system in an event a consensus output cannot be obtained.
22. A method as in claim 13 wherein providing outputs from the components as input to voting circuitry includes, for each bit of the outputs across the components:
providing one bit of output from the at least three components as inputs to at least three voting inputs, each in the form of high or low logical bits;
converting the voting inputs to analog voltages, resulting in analog voting voltages; and
accumulating the analog voting voltages, resulting in an accumulated analog voting voltage, the accumulated analog voting voltage representing the consensus output of the bit of output across the components.
23. A system for trusted integration of untrusted components, the system comprising:
at least three processors, each processor including an input queue, state memory, state machine, and output queue having varied hierarchical implementations for providing common output given common input; and
voting circuitry including for each bit of output across the components:
a voting input stage including at least three input switched capacitors corresponding to the components, the input switched capacitors configured to receive, as input, the bit of output across the output queues;
a transfer stage including transfer switched capacitors corresponding to the input switched capacitors, the transfer switched capacitors charging a voting capacitor corresponding to each input switched capacitor during a state of a clock signal; and
an accumulating stage including accumulating switched capacitors connecting the voting capacitors in series, the accumulating switched capacitors causing the charges of the voting capacitors to be accumulated during an alternate state of the clock signal, the accumulated charge of the voting capacitors representing a consensus output of the bit of output across the output queues.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US15/692,412 US20180074888A1 (en) | 2016-09-09 | 2017-08-31 | Methods and systems for achieving trusted fault tolerance of a system of untrusted subsystems |
Applications Claiming Priority (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US201662385435P | 2016-09-09 | 2016-09-09 | |
US201662385440P | 2016-09-09 | 2016-09-09 | |
US15/692,412 US20180074888A1 (en) | 2016-09-09 | 2017-08-31 | Methods and systems for achieving trusted fault tolerance of a system of untrusted subsystems |
Publications (1)
Publication Number | Publication Date |
---|---|
US20180074888A1 true US20180074888A1 (en) | 2018-03-15 |
Family
ID=59858796
Family Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US15/692,024 Expired - Fee Related US10075170B2 (en) | 2016-09-09 | 2017-08-31 | Voting circuits and methods for trusted fault tolerance of a system of untrusted subsystems |
US15/692,412 Abandoned US20180074888A1 (en) | 2016-09-09 | 2017-08-31 | Methods and systems for achieving trusted fault tolerance of a system of untrusted subsystems |
Family Applications Before (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US15/692,024 Expired - Fee Related US10075170B2 (en) | 2016-09-09 | 2017-08-31 | Voting circuits and methods for trusted fault tolerance of a system of untrusted subsystems |
Country Status (2)
Country | Link |
---|---|
US (2) | US10075170B2 (en) |
WO (2) | WO2018048720A1 (en) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10075170B2 (en) | 2016-09-09 | 2018-09-11 | The Charles Stark Draper Laboratory, Inc. | Voting circuits and methods for trusted fault tolerance of a system of untrusted subsystems |
CN113602269A (en) * | 2021-07-13 | 2021-11-05 | 清华大学 | Fault-tolerant method and device for safety of expected function of cooperative adaptive cruise control |
Families Citing this family (15)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US11018672B1 (en) | 2019-12-27 | 2021-05-25 | Kepler Computing Inc. | Linear input and non-linear output majority logic gate |
US10944404B1 (en) | 2019-12-27 | 2021-03-09 | Kepler Computing, Inc. | Low power ferroelectric based majority logic gate adder |
US11374574B2 (en) | 2019-12-27 | 2022-06-28 | Kepler Computing Inc. | Linear input and non-linear output threshold logic gate |
US11283453B2 (en) | 2019-12-27 | 2022-03-22 | Kepler Computing Inc. | Low power ferroelectric based majority logic gate carry propagate and serial adder |
US11381244B1 (en) | 2020-12-21 | 2022-07-05 | Kepler Computing Inc. | Low power ferroelectric based majority logic gate multiplier |
US11165430B1 (en) | 2020-12-21 | 2021-11-02 | Kepler Computing Inc. | Majority logic gate based sequential circuit |
US11418197B1 (en) | 2021-05-21 | 2022-08-16 | Kepler Computing Inc. | Majority logic gate having paraelectric input capacitors and a local conditioning mechanism |
US11290112B1 (en) | 2021-05-21 | 2022-03-29 | Kepler Computing, Inc. | Majority logic gate based XOR logic gate with non-linear input capacitors |
US11303280B1 (en) | 2021-08-19 | 2022-04-12 | Kepler Computing Inc. | Ferroelectric or paraelectric based sequential circuit |
US11705905B1 (en) | 2021-12-14 | 2023-07-18 | Kepler Computing, Inc. | Multi-function ferroelectric threshold gate with input based adaptive threshold |
US11664370B1 (en) | 2021-12-14 | 2023-05-30 | Kepler Corpating inc. | Multi-function paraelectric threshold gate with input based adaptive threshold |
US11817859B1 (en) | 2021-12-23 | 2023-11-14 | Kepler Computing Inc. | Asynchronous circuit with multi-input threshold gate logic and 1-input threshold gate |
US11855627B1 (en) | 2022-01-13 | 2023-12-26 | Kepler Computing Inc. | Asynchronous consensus circuit using multi-function threshold gate with input based adaptive threshold |
US11967954B1 (en) | 2022-04-20 | 2024-04-23 | Kepler Computing Inc. | Majority or minority logic gate with non-linear input capacitors without reset |
US11765908B1 (en) | 2023-02-10 | 2023-09-19 | Kepler Computing Inc. | Memory device fabrication through wafer bonding |
Citations (15)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5574849A (en) * | 1992-12-17 | 1996-11-12 | Tandem Computers Incorporated | Synchronized data transmission between elements of a processing system |
US6704887B2 (en) * | 2001-03-08 | 2004-03-09 | The United States Of America As Represented By The Secretary Of The Air Force | Method and apparatus for improved security in distributed-environment voting |
US6754846B2 (en) * | 1998-12-18 | 2004-06-22 | Invensys Systems, Inc. | Method and apparatus for processing control using a multiple redundant processor control system related applications |
US20050188282A1 (en) * | 2004-02-05 | 2005-08-25 | Mayur Joshi | Fast and compact circuit for bus inversion |
US20050223274A1 (en) * | 2004-03-30 | 2005-10-06 | Bernick David L | Method and system executing user programs on non-deterministic processors |
US20050246581A1 (en) * | 2004-03-30 | 2005-11-03 | Hewlett-Packard Development Company, L.P. | Error handling system in a redundant processor |
US20070109012A1 (en) * | 2005-10-27 | 2007-05-17 | Honeywell International Inc. | Voting scheme for analog signals |
US20080282064A1 (en) * | 2007-05-07 | 2008-11-13 | Michael Norman Day | System and Method for Speculative Thread Assist in a Heterogeneous Processing Environment |
US20100169886A1 (en) * | 2008-12-31 | 2010-07-01 | Seakr Engineering, Incorporated | Distributed memory synchronized processing architecture |
US20100263043A1 (en) * | 2009-04-09 | 2010-10-14 | Freescale Semiconductor, Inc. | Method and device for secure test port authentication |
US7908520B2 (en) * | 2000-06-23 | 2011-03-15 | A. Avizienis And Associates, Inc. | Self-testing and -repairing fault-tolerance infrastructure for computer systems |
US20110170584A1 (en) * | 2006-03-31 | 2011-07-14 | To Hing Thomas Yan | Disparate clock domain synchronization |
US7996714B2 (en) * | 2008-04-14 | 2011-08-09 | Charles Stark Draper Laboratory, Inc. | Systems and methods for redundancy management in fault tolerant computing |
US9497099B2 (en) * | 2013-12-16 | 2016-11-15 | Artesyn Embedded Computing, Inc. | Voting architecture for safety and mission critical systems |
US10075170B2 (en) * | 2016-09-09 | 2018-09-11 | The Charles Stark Draper Laboratory, Inc. | Voting circuits and methods for trusted fault tolerance of a system of untrusted subsystems |
Family Cites Families (36)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US2946900A (en) | 1957-11-20 | 1960-07-26 | Litton Ind Of California | Redundant transistor flip-flops |
US3522455A (en) | 1967-07-27 | 1970-08-04 | Bendix Corp | Method and means of synchronizing timing pulses of a three channel triplicated system |
US3665173A (en) | 1968-09-03 | 1972-05-23 | Ibm | Triple modular redundancy/sparing |
US3706044A (en) | 1970-09-29 | 1972-12-12 | Martin Marietta Corp | Analog majority voting circuit |
US3818243A (en) | 1971-09-09 | 1974-06-18 | Massachusetts Inst Technology | Error correction by redundant pulse powered circuits |
US4015246A (en) | 1975-04-14 | 1977-03-29 | The Charles Stark Draper Laboratory, Inc. | Synchronous fault tolerant multi-processor system |
US4092578A (en) | 1976-12-03 | 1978-05-30 | Rockwell International Corporation | Elimination of voter caused deadzone |
US4497059A (en) | 1982-04-28 | 1985-01-29 | The Charles Stark Draper Laboratory, Inc. | Multi-channel redundant processing systems |
US4562575A (en) | 1983-07-07 | 1985-12-31 | Motorola, Inc. | Method and apparatus for the selection of redundant system modules |
US4570261A (en) | 1983-12-09 | 1986-02-11 | Motorola, Inc. | Distributed fault isolation and recovery system and method |
US4665522A (en) | 1985-01-28 | 1987-05-12 | The Charles Stark Draper Laboratory, Inc. | Multi-channel redundant processing systems |
US4799140A (en) | 1986-03-06 | 1989-01-17 | Orbital Sciences Corporation Ii | Majority vote sequencer |
US4907232A (en) | 1988-04-28 | 1990-03-06 | The Charles Stark Draper Laboratory, Inc. | Fault-tolerant parallel processing system |
US4984241A (en) | 1989-01-23 | 1991-01-08 | The Boeing Company | Tightly synchronized fault tolerant clock |
SE465056B (en) | 1989-05-12 | 1991-07-15 | Ellemtel Utvecklings Ab | PROCEDURE TO AVOID LATENT ERRORS IN A LOGIC FOR MAJORITY SELECTION OF BINARY SIGNALS |
CA2068048A1 (en) | 1991-05-06 | 1992-11-07 | Douglas D. Cheung | Fault tolerant processing section with dynamically reconfigurable voting |
US5377205A (en) | 1993-04-15 | 1994-12-27 | The Boeing Company | Fault tolerant clock with synchronized reset |
US5526288A (en) | 1993-11-05 | 1996-06-11 | Ilc Data Device Corporation | Multiple channel discrete to digital interface |
JP3229135B2 (en) * | 1994-09-14 | 2001-11-12 | 三菱電機株式会社 | Analog / digital converter |
JPH08204562A (en) * | 1995-01-31 | 1996-08-09 | Canon Inc | Semiconductor device and semiconductor circuit, correlation operation device, a/d converter, d/a converter, and signal processing system using this semiconductor device |
US5565812A (en) | 1995-03-23 | 1996-10-15 | Texas Instruments Incorporated | Increased sensitivity signal shaper circuit to recover a data stream coming from a digitally modulated channel |
JP3701091B2 (en) | 1996-11-29 | 2005-09-28 | ローム株式会社 | Switched capacitor |
US6161196A (en) | 1998-06-19 | 2000-12-12 | Lucent Technologies Inc. | Fault tolerance via N-modular software redundancy using indirect instrumentation |
US6850098B2 (en) | 2001-07-27 | 2005-02-01 | Nanyang Technological University | Method for nulling charge injection in switched networks |
US6856925B2 (en) | 2001-10-26 | 2005-02-15 | Texas Instruments Incorporated | Active removal of aliasing frequencies in a decimating structure by changing a decimation ratio in time and space |
US6570411B1 (en) | 2002-06-17 | 2003-05-27 | Analog Devices, Inc. | Switched-capacitor structures with reduced distortion and noise and enhanced isolation |
US6593804B1 (en) | 2002-06-25 | 2003-07-15 | National Semiconductor Corporation | Controllable high frequency emphasis circuit for selective signal peaking |
US8817597B2 (en) | 2007-11-05 | 2014-08-26 | Honeywell International Inc. | Efficient triple modular redundancy on a braided ring |
WO2009076476A1 (en) | 2007-12-10 | 2009-06-18 | Bae Systems Information And Electronic Systems Integration, Inc. | Hardened current mode logic (cml) voter circuit, system and method |
US8230253B2 (en) | 2008-07-21 | 2012-07-24 | International Business Machines Corporation | Byzantine fault tolerant dynamic quorum using a trusted platform module |
CN101635338B (en) | 2008-07-23 | 2012-07-18 | 鸿富锦精密工业(深圳)有限公司 | Battery fixing device |
US8209591B2 (en) | 2008-10-23 | 2012-06-26 | Intersil Americas Inc. | Voter tester for redundant systems |
US8544092B2 (en) | 2009-03-12 | 2013-09-24 | International Business Machines Corporation | Integrity verification using a peripheral device |
US8970706B2 (en) | 2011-09-22 | 2015-03-03 | Basil Henry Scott | Dual pixel pitch imaging array with extended dynamic range |
US8963575B2 (en) * | 2012-09-26 | 2015-02-24 | Sandisk Technologies Inc. | Analog majority vote circuit |
US9367375B2 (en) | 2014-04-14 | 2016-06-14 | Artesyn Embedded Computing, Inc. | Direct connect algorithm |
-
2017
- 2017-08-31 WO PCT/US2017/049648 patent/WO2018048720A1/en active Application Filing
- 2017-08-31 US US15/692,024 patent/US10075170B2/en not_active Expired - Fee Related
- 2017-08-31 WO PCT/US2017/049666 patent/WO2018048723A1/en active Application Filing
- 2017-08-31 US US15/692,412 patent/US20180074888A1/en not_active Abandoned
Patent Citations (15)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5574849A (en) * | 1992-12-17 | 1996-11-12 | Tandem Computers Incorporated | Synchronized data transmission between elements of a processing system |
US6754846B2 (en) * | 1998-12-18 | 2004-06-22 | Invensys Systems, Inc. | Method and apparatus for processing control using a multiple redundant processor control system related applications |
US7908520B2 (en) * | 2000-06-23 | 2011-03-15 | A. Avizienis And Associates, Inc. | Self-testing and -repairing fault-tolerance infrastructure for computer systems |
US6704887B2 (en) * | 2001-03-08 | 2004-03-09 | The United States Of America As Represented By The Secretary Of The Air Force | Method and apparatus for improved security in distributed-environment voting |
US20050188282A1 (en) * | 2004-02-05 | 2005-08-25 | Mayur Joshi | Fast and compact circuit for bus inversion |
US20050223274A1 (en) * | 2004-03-30 | 2005-10-06 | Bernick David L | Method and system executing user programs on non-deterministic processors |
US20050246581A1 (en) * | 2004-03-30 | 2005-11-03 | Hewlett-Packard Development Company, L.P. | Error handling system in a redundant processor |
US20070109012A1 (en) * | 2005-10-27 | 2007-05-17 | Honeywell International Inc. | Voting scheme for analog signals |
US20110170584A1 (en) * | 2006-03-31 | 2011-07-14 | To Hing Thomas Yan | Disparate clock domain synchronization |
US20080282064A1 (en) * | 2007-05-07 | 2008-11-13 | Michael Norman Day | System and Method for Speculative Thread Assist in a Heterogeneous Processing Environment |
US7996714B2 (en) * | 2008-04-14 | 2011-08-09 | Charles Stark Draper Laboratory, Inc. | Systems and methods for redundancy management in fault tolerant computing |
US20100169886A1 (en) * | 2008-12-31 | 2010-07-01 | Seakr Engineering, Incorporated | Distributed memory synchronized processing architecture |
US20100263043A1 (en) * | 2009-04-09 | 2010-10-14 | Freescale Semiconductor, Inc. | Method and device for secure test port authentication |
US9497099B2 (en) * | 2013-12-16 | 2016-11-15 | Artesyn Embedded Computing, Inc. | Voting architecture for safety and mission critical systems |
US10075170B2 (en) * | 2016-09-09 | 2018-09-11 | The Charles Stark Draper Laboratory, Inc. | Voting circuits and methods for trusted fault tolerance of a system of untrusted subsystems |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10075170B2 (en) | 2016-09-09 | 2018-09-11 | The Charles Stark Draper Laboratory, Inc. | Voting circuits and methods for trusted fault tolerance of a system of untrusted subsystems |
CN113602269A (en) * | 2021-07-13 | 2021-11-05 | 清华大学 | Fault-tolerant method and device for safety of expected function of cooperative adaptive cruise control |
Also Published As
Publication number | Publication date |
---|---|
WO2018048723A1 (en) | 2018-03-15 |
WO2018048720A1 (en) | 2018-03-15 |
US10075170B2 (en) | 2018-09-11 |
US20180076815A1 (en) | 2018-03-15 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US10075170B2 (en) | Voting circuits and methods for trusted fault tolerance of a system of untrusted subsystems | |
Cui et al. | High-level synthesis for run-time hardware Trojan detection and recovery | |
US20160092320A1 (en) | Electronic fault detection unit | |
US10078565B1 (en) | Error recovery for redundant processing circuits | |
US10740186B2 (en) | High data integrity processing system | |
CN110861600B (en) | Ensuring X module redundancy | |
Kretzschmar et al. | Synchronization of faulty processors in coarse-grained TMR protected partially reconfigurable FPGA designs | |
JP7038185B2 (en) | A system for verifying the integrity of register contents and its method | |
CN114981771A (en) | Memory device recoverable from network attacks and failures | |
Anjankar et al. | FPGA based multiple fault tolerant and recoverable technique using triple modular redundancy (FRTMR) | |
de Oliveira et al. | Exploring performance overhead versus soft error detection in lockstep dual-core ARM cortex-A9 processor embedded into Xilinx Zynq APSoC | |
Hartmann et al. | Evolution of fault-tolerant and noise-robust digital designs | |
US20090249174A1 (en) | Fault Tolerant Self-Correcting Non-Glitching Low Power Circuit for Static and Dynamic Data Storage | |
KR20130086379A (en) | Classifying a criticality of a soft error and mitigating the soft error based on the criticaltiy | |
EP3525210B1 (en) | Data register monitoring | |
US9299456B2 (en) | Matrix and compression-based error detection | |
Szurman et al. | Coarse-grained TMR soft-core processor fault tolerance methods and state synchronization for run-time fault recovery | |
US9983926B2 (en) | Apparatus, system and method for protecting data | |
Mercier | Multiple fault mitigation in network-on-chip architectures through a bit-shuffling method | |
Hadjicostis et al. | Fault-tolerant computation in groups and semigroups: applications to automata, dynamic systems and Petri nets | |
Khosravi et al. | System-level reliability analysis considering imperfect fault coverage | |
Sekanina | On dependability of FPGA-based evolvable hardware systems that utilize virtual reconfigurable circuits | |
Strollo et al. | A fault-tolerant real-time microcontroller with multiprocessor architecture | |
Shatta et al. | FPGA-based Architectures to Recover from Hardware Trojan Horses, Single Event Upsets and Hard Failures | |
Ruano et al. | A new EDAC technique against soft errors based on pulse detectors |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
AS | Assignment |
Owner name: THE CHARLES STARK DRAPER LABORATORY, INC., MASSACH Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:VIGEANT, RICHARD L.;DE LA SERNA, ANTONIO E.;REEL/FRAME:043467/0979 Effective date: 20170830 |
|
STPP | Information on status: patent application and granting procedure in general |
Free format text: NON FINAL ACTION MAILED |
|
STPP | Information on status: patent application and granting procedure in general |
Free format text: RESPONSE TO NON-FINAL OFFICE ACTION ENTERED AND FORWARDED TO EXAMINER |
|
STPP | Information on status: patent application and granting procedure in general |
Free format text: FINAL REJECTION MAILED |
|
STCB | Information on status: application discontinuation |
Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION |