Toward On-chip Network Security Using Runtime Isolation Mapping

What is it about?

Many-cores execute a large number of diverse applications concurrently. Inter-application interference can lead to a security threat as timing channel attack in the on-chip network. A non-interference communication in the shared on-chip network is a dominant necessity for secure many-core platforms to leverage the concepts of the cloud and embedded system-on-chip. The current non-interference techniques are limited to static scheduling and need router modification at micro-architecture level. Mapping of applications can effectively determine the interference among applications in on-chip network. In this work, we explore non-interference approaches through run-time mapping at software and application level. We map the same group of applications in isolated domain(s) to meet non-interference flows. Through run-time mapping, we can maximize utilization of the system without leaking information. The proposed run-time mapping policy requires no router modification in contrast to the best known competing schemes, and the performance degradation is, on average, 16% lower than that of the state-of-the-art baselines.

Featured Image

Why is it important?

We propose a new runtime mapping algorithm to eliminate interference between security domains. Non-interference runtime mapping is motivated by the combination of proposing a software level approach to eliminate timing channel attack and critical runtime resource management process in many-core systems. We demonstrate that runtime mapping algorithm can eliminate timing channel by separating applications into security domains. We show that regional progress of each security domain has a significant impact on non-interference performance. We extensively evaluate the proposed mapping policies on different network sizes using a suite of diverse applications. We evaluate the overhead of the Liso approach and show that Liso results in 8% and 16% performance overhead compared to two baseline approaches on average. Moreover, our approaches have no additional hardware overhead compared to the best known competing schemes.