28 ELECTRONIC SYSTEMS AND CONTROL DIVISION RESEARCH 2003
An Embedded Monitor Module for Active Networks with Hardware Support
Nikolaos G Bartzoudis, Alexandros G Fragkiadakis, David J Parish and José L Núñez
Abstract — This paper describes an experimental platform for Active Network processing. The system is based on a PC running Linux and operating as a router. A PCI FPGA board is the host unit for the Active Applications. The FPGA can be reconfigured multiple times on-the-fly with several Active Applications (IP-cores). An embedded hardware module will monitor and control the Active Applications at run time checking for PCI bus transaction violations.
Index Terms — Reconfigurable Computing Safety, Active Networks, Hardware Monitor.
This work is supported by EPSRC under Grant GR/R31218/01. N. Bartzoudis is a Research Associate in the Electronic Systems Design Group, Department of Electronic and Electrical Engineering, Loughborough University, LE11 3TU, UK.

I. INTRODUCTION
An active packet [1] that carries executable code can potentially change the state of a node. Nodes (e.g. routers, switches) are public resources. Their operability is critical to the proper and correct running of many important systems and services. Therefore, the execution environment must satisfy very strict safety and security requirements. An experimental Active Network with hardware reconfiguration support is already in operation [1], [2]. A security framework for a proposed target hardware platform is introduced in this paper. It will be an embedded module in an FPGA PCI board. This module is currently being verified in a simulation testbench.

II. THE EMBEDDED MONITOR MODULE
The ideal configuration environment can be realized with the topology shown in Figure 1. An embedded module, permanently configured in one of the FPGAs of the PCI board, will monitor the PCI interface signals. Any kind of unstable, suspicious or malicious application is considered a potential threat to the operability of the Active Router. As a consequence, such applications will be terminated upon the detection of a violation. This monitoring module can prevent the system from reaching a performance-critical mode. The monitor module will unload the faulty configuration and replace it with a safe configuration bitstream. This safe configuration will restore the system’s stability. The final testing of the platform will be implemented with a combination of boards or a hybrid solution, because the available commercial solutions do not meet the strict requirements of our system. The main concept of the system topology will be based on the one given in Figure 1.

Fig. 1: The proposed topology that meets the system requirements.

A way to check the validity of a model is to monitor the transactions of a certain protocol that is being used. In our case, the transactions use the PCI interface. Therefore monitoring the PCI bus signal transactions is an efficient way to validate the performance of an application. The violations of the PCI protocol were characterised according to the PCI bus specification (rev. 2.2) [3]. The monitor module (Figure 2) detects violations in the communication of a configured IP core with the host over the PCI bus.

Several events of the PCI bus protocol were studied. The challenge was to demonstrate whether these events hide potential threats for our system. For example, the target can disconnect with data if one of the following conditions occurs:
1) the target is slow: it cannot deliver the subsequent data within 8 cycles,
2) the target does not support bursts,
3) the target does not understand the addressing sequence for cache line wrap,
4) the transfer crosses over the address/cache line boundary of the target.
When a target disconnects with data, an alert flag can be raised for suspicious or invalid behaviour.

The PCI bus protocol properties were transformed into monitoring rules and realized in a hardware description language (VHDL). In more detail, the PCI signals monitor module includes several PCI bus transaction events, described in VHDL. The produced signals complement the structure of the monitor system, defining events such as the address phase, the idle state, the master termination condition, the data phase, the final data phase, the data transfer, the target abort condition, the retry condition and also conditions when an agent disconnects with data or without data. These events form definitive parts for the efficient implementation of the monitor unit rules. Additional definitions describe the read and write commands, the target select conditions and the master or target initialisations.
Fig. 2: The monitor module.

Figure 3: The simulation testbench.

The value of the 6-bit register shown in Figure 2 will be passed to a corresponding process running in the host. In effect, this mechanism is the communication interface with the host; it will be tested in the next stage, when the monitor module is implemented in hardware as part of the Active Router.
The Embedded Monitor Logic is implemented with the help of two main state machines. The first one, the counter module, sets time-out events on the communication between the PCI core and the custom IP core. In effect it checks for PCI protocol timing compliance, but it can easily be adjusted to form a stricter framework for the safety-critical environment of an Active Router (e.g. force faster PCI decoding for performance purposes). The flexibility of this state machine is based on the needs of the system. Some of the time events that are monitored include the assertion of frame#, the target and master initialisation along with the subsequent states and events related to the timeout of the irdy# signal.

The second state machine, the history module, creates a record of past events. This is accomplished by defining the previous state of several PCI bus signals and also the previous state of the produced signals. Some of the monitor signals that comprise the history module are the master abort history record, the read or write transaction history, the initial data phase history record and the history record for the assertion of the devsel# signal.

At the current stage the PCI signals monitor module is being verified and evaluated with the Altera PCI simulation testbench [4]. The validity and efficiency of the rules is tested in this testbench with the additional help of an IP core (X-MatchPro [5]). An indicative diagram of the simulation testbench is given in Figure 3. At this stage the monitor module is able to detect several violation events, including data corruption, continuous request for bus ownership, reading an empty memory, trying to write to a full memory, generating illegal read or write cycles, and bus contention.
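A behavioural software model of the two state machines described above (time-out counters plus a history record of the previous clock), added here as an illustration in Python; it is not the authors' VHDL. All names, the flag bit positions and the default limits other than the 8-clock subsequent-data figure are assumptions, and only three timing rules are modelled.

```python
from collections import namedtuple

# One sampled clock edge; True = asserted (the signals are active low on the bus).
Cycle = namedtuple("Cycle", "frame irdy devsel trdy", defaults=(False,) * 4)
# Assumptions: flag bit positions and default limits (the paper gives only the 8 clocks).
DEVSEL_TIMEOUT, TRDY_TIMEOUT, IRDY_TIMEOUT = 0x01, 0x02, 0x04
IDLE, WAIT_DEVSEL, DATA = range(3)

class PciMonitor:
    def __init__(self, devsel_limit=4, first_limit=16, next_limit=8, irdy_limit=8):
        self.lim = (devsel_limit, first_limit, next_limit, irdy_limit)
        self.state, self.flags = IDLE, 0
        self.prev, self.first_done = Cycle(), False   # history: last clock, first data seen
        self.wait = self.t_wait = self.i_wait = 0     # counters, in clocks

    def clock(self, c):
        devsel_limit, first_limit, next_limit, irdy_limit = self.lim
        if self.state == IDLE:
            if c.frame and not self.prev.frame:          # address phase
                self.state, self.wait, self.first_done = WAIT_DEVSEL, 0, False
        elif self.state == WAIT_DEVSEL:
            if c.devsel:                                 # target claimed the transaction
                self.state, self.t_wait, self.i_wait = DATA, 0, 0
            else:
                self.wait += 1
                if self.wait >= devsel_limit:            # nobody answered in time
                    self.flags, self.state = self.flags | DEVSEL_TIMEOUT, IDLE
        if self.state == DATA:
            if c.irdy and c.trdy:                        # data transfer: restart counters
                self.first_done, self.t_wait, self.i_wait = True, 0, 0
            else:                                        # wait state: count who is stalling
                self.t_wait += not c.trdy
                self.i_wait += not c.irdy
                if self.t_wait >= (next_limit if self.first_done else first_limit):
                    self.flags |= TRDY_TIMEOUT
                if self.i_wait >= irdy_limit:
                    self.flags |= IRDY_TIMEOUT
            if not c.frame and (c.trdy or not c.irdy):   # final phase done, or bus idle
                self.state = IDLE
        self.prev = c
        return self.flags

def burst(stall):  # constructed trace: the target inserts `stall` wait clocks mid-burst
    addr, busy = Cycle(frame=True), Cycle(frame=True, irdy=True, devsel=True)
    return [addr, addr._replace(irdy=True), busy._replace(trdy=True), *[busy] * stall,
            busy._replace(frame=False, trdy=True)]

def run(trace, **limits):
    mon = PciMonitor(**limits)
    return [mon.clock(c) for c in trace][-1]
```

Passing a smaller `next_limit` to `run` models the stricter-than-specification framework the text mentions: the same burst that passes with the default limit is then flagged.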
III. FUTURE WORK
The PCI monitor application is built incrementally and it can be extended with additional rules. The main goal is to prevent the Active Application from writing to a memory area in the host that is outside the memory range allocated by the OS. Also, the violations of the PCI bus transactions will be grouped in categories; each violation will be characterized according to the impact it has on the stability and viability of the embedded system. The Monitor application will take different countermeasures for the different kinds of violations according to the predefined severity classification. On completion of the above development phase, the efficiency of the monitoring module will be validated and tested with deliberately corrupted IP cores under real network traffic conditions.
REFERENCES
[1] A.G. Fragkiadakis, N.G. Bartzoudis, D.J. Parish and M.J. Sandford, “Hardware Support for Active Networking”, In Proceedings of The 2003 International Multiconference in Computer Science & Engineering (SAM'03), Las Vegas, U.S.A., June 2003, pp. 27-33.
[2] N.G. Bartzoudis, A.G. Fragkiadakis, D.J. Parish, J.L. Núñez and M.J. Sandford, “Reconfigurable Computing and Active Networks”, to appear in Proceedings of The 2003 International Multiconference in Computer Science & Engineering (ERSA'03), Las Vegas, U.S.A., June 2003, pp. 280-284.
[3] “PCI Local Bus Specification, Revision 2.2”, PCI Special Interest Group, December 1998.
[4] The Altera PCI simulation testbench, (www.altera.com/literature/ug/ug_pcitestbench.pdf)
[5] J.L. Núñez, C. Feregrino, S. Jones, S. Bateman, “X-MatchPRO: A ProASIC-Based 200 Mbytes/s Full-Duplex Lossless Data Compressor”, In Proceedings of FPL 2001, Lecture Notes in Computer Science, Springer, August 2001, pp. 613-617.