Control-Flow Monitoring Revisited

Author: Simon Schuster

The increasing use of embedded systems for safety-critical tasks in adverse environments requires fault detection and fault tolerance mechanisms to deal with transient faults. Various control flow checking approaches have been proposed in the past to improve this situation. In this talk, I will revisit prominent variants of those methods, which we implemented for our KESO Java VM for statically-configured, deeply embedded systems, and reevaluate the widely accepted assumptions about the effectiveness of software-based control flow checking techniques.

The measurements performed using the Fault Injection Leveraged (FAIL*) tool suite paint a different picture and point to three implications. First, the methods discussed work, but the improvements are not as large as previous experimental evaluations using the fault coverage metric claim. In some cases they are even negligible, especially when compared to the high runtime overhead incurred, which ranges from 130% to 1900% depending on the method used. Second, the behaviour of a given application or application variant under injection depends heavily on the generated assembly and the layout in memory, so the aptness of a specific method to a specific application cannot be determined statically. Third, control flow hardening and data hardening cannot be treated as orthogonal goals, as both influence the fault space dimensions. In particular, the disparity between a slightly reduced number of undetected control flow errors and a rapidly rising number of newly introduced cases of silent data corruption calls into question the general idea of software-implemented control flow checking techniques, at least for the IA32 architecture discussed here.