Watchdog processors in multicore systems

Abstract

Systems and methods are provided for securing a multicore computer chip with a watchdog processor. In a system with a watchdog process and any number of other processors and components, the watchdog processor monitors bus communications between the second processor and at least one third component. The watchdog processor may be further independently coupled to at least one of the other components so that it can monitor internal operations of such component, thereby acquiring detailed information about the specific operations of at least one component in the system. The watchdog processor can enforce an interaction policy on bus communications between components, as well as enforce an independent security policy on the monitored components.

Description

BRIEF DESCRIPTION OF THE DRAWINGS

The systems and methods for watchdog processors in multicore systems in accordance with the present invention are further described with reference to the accompanying drawings in which:

FIG. 1 illustrates trends in transistor counts in processors capable of executing the x86 instruction set.

FIG. 2 illustrates a computer chip that comprises several general purpose controller, graphics, and digital signal processing computation powerhouses, as well as watchdog processors to monitor and secure aspects of the chip.

FIG. 3 illustrates a system comprising a computer chip 350 with a plurality of functional groups. An exemplary functional group is expanded to demonstrate and exemplary deployment of a watchdog processor.

FIG. 4 illustrates an application layer comprising software applications, an operating system layer, and a hardware layer comprising a computer chip. Processor policies may come from a variety of sources, and may be enforced by the watchdog processor against one or more other components in the chip.

FIG. 5 illustrates an exemplary computing device in which the various systems and methods contemplated herein may be deployed.

DETAILED DESCRIPTION

Certain specific details are set forth in the following description and figures to provide a thorough understanding of various embodiments of the invention. Certain well-known details often associated with computing and software technology are not set forth in the following disclosure, however, to avoid unnecessarily obscuring the various embodiments of the invention. Further, those of ordinary skill in the relevant art will understand that they can practice other embodiments of the invention without one or more of the details described below. Finally, while various methods are described with reference to steps and sequences in the following disclosure, the description as such is for providing a clear implementation of embodiments of the invention, and the steps and sequences of steps should not be taken as required to practice this invention.

The concept of a watch-dog processor as a processor that performs a bus monitoring function is generally understood in the art. Watchdog processors have been used to monitor Input/Output (I/O) behavior and generate exceptions upon certain data values on a monitored bus. Watch-dog processors have not however previously been deployed in integrated multicore computer chips or otherwise integrated into multiprocessor processing systems as described herein, nor have watchdog processors been utilized according to the various techniques described herein. As opposed to monitoring a given data bus, in one aspect of the invention a watch-dog processor may be dedicated to a specific processor or group of processors. The watchdog can behave as a parasite that monitors the behavior of its target.

In one embodiment, a watch-dog processor may be used for security and specific performance applications in multicore systems. One objective of such watchdog processors is to observe the behavior of a given application and respond to unexpected behavior or report on certain performance parameters. As the rate of decrease in sizes of semiconductor features moderates in coming years, an increase of on-chip latency in super-linear manner with respect to interconnect length will emerge. As a result, computer chips are increasingly built as a network of relatively small functional units, cores, connected via a networking structure that comprises buses, routers, and relays.

Processes such as firewalls, malware scanners, device drivers, and peer-to-peer networking handlers can be executed on separate processors with dedicated or shared memory and with optimized datapaths. For example, a 100-million transistor processor can pack 3450 i8086 or 18 Pentium P6 processors; obviously a substantial computational power at high frequency clocks that is hard to equal by context switching a large number of processes and/or exploring better instruction level parallelism of individual threads using extreme pipelining or superscalar units but at low frequency clocks.

FIG. 2 gives an example of a computer chip that comprises several general purpose controller, graphics, and digital signal processing computation powerhouses. This allows for maximum increase of localized clock frequencies and improved system throughput. As a consequence, system's processes are distributed over the available processors to minimize context switching overhead.

It will be appreciated that a multicore computer chip 200 such as that of FIG. 2 can comprise a plurality of processors, memories, caches, buses, and so forth. For example, chip 200 is illustrated with shared memory 201-205, exemplary bus 207, main CPUs 210-211, a plurality of Digital Signal Processors (DSP) 220-224, Graphics Processing Units (GPU) 225-227, caches 230-234, crypto processors 240-243, watch dog processors 250-253, additional processors 261-279, routers 280-282, tracing processors 290-292, key storage 295, Operating System (OS) controller 297, and pins 299.

Components of chip 200 may be grouped into functional groups. For example, shared memory 203, caches 230, main CPU 210, crypto processor 240, watchdog processor 250, and key storage 295 may be components of a first functional unit. Such grouping is not necessary to practice the invention but will clarify the description by reducing the subset of components that must be discussed to describe operation of an exemplary watchdog processor as contemplated herein. Aspects of an exemplary functional group of a processor are illustrated in FIG. 3.

FIG. 3 illustrates a system comprising a computer chip 350 with a plurality of functional groups 351-355. An expanded view of functional group 353 is provided to demonstrate one embodiment of the invention. Functional group 353 comprises a first processor 310 (the watchdog), a second processor 320, and at least one third component 330. In this case, at least one third component 330 comprises third processor 330. The processors are coupled to a bus 300, which runs between the second processor 320 and the third processor 330. The watchdog 310 is also coupled to bus 300 so that it can monitor activity on said bus 300. Bus 300 may also be coupled to other aspects of functional group 353 such as cache 340 and memory 360, and may furthermore be coupled to other functional groups 351-355 according to the design specifications of the particular computer chip.

At least one wire connection 305 can run between the watchdog 310 and an internal component 325 of a chip component such as the second processor 320. Additional wire connections may run to further internal components of the second processor 320, and additional wire connections may run to internal components of other chip components such as 330, 351-355, 360, etc. The watchdog 310 can monitor information in an internal component 325 via said wire connection 305.

While FIG. 3 illustrates just three processors for the sake of simplicity, it should be emphasized that watchdog 310 can monitor any number of processors and/or other chip 350 components. Such monitoring may be via a wire connections such as 305, or may be via a bus interactions monitoring approach, or any combination thereof. A chip component is defined herein as any part of the chip that performs some discrete function. In this regard, processors 310, 320, 330 are components, as are functional groups 351-355. Cache 340, memory 360, and bus 300 are also components. Other components which may be monitored by watchdog 310 may be, for example, components supporting video codecs, encryption algorithms, key lengths, authentications mechanisms, and so forth.

Internal component 325 may be one or more of a variety of internal processor components that allow monitoring of behaviors which are generally known and appreciated by those of skill in the art. Candidate values and events to monitor are:

System calls/Child processes. The application or the user can set up policies for the watchdog 310 to obey when detecting suspicious behavior. Upon detection, both the parent and the child process (or system call) can be terminated or paused. For example, the watchdog 310 may detect a system call that launches a command shell; if unexpected, such a call is commonly a sign of system intrusion.

Program counter. For a given program, a specialist and/or a secure automated analysis mechanism may first identify all addresses to which a jump/branch or call/return instruction can go to at compilation time. Thus, any inconsistency with these addresses during program execution can be identified as a bug or intrusion.

Pointer access. The watchdog 310 could verify each pointer access against a heap map. It could build the heap map in parallel while the second processor 320 allocates memory. Each read access to uninitialized memory or deallocation of an uninitialized pointer could be identified by the watchdog 310.

To monitor the various values and events exemplified by those set forth above, watchdog 310 may monitor internal components such as a register, a stack pointer table, and a virtual memory table. Finally, other system parameters such as I/O behavior, detailed page fault statistics, communication to other processes/cores, etc. can be also detected and analyzed by the watch-dog 310. The results can be in this case served as application performance and communication profile to the operating system which could use it for optimized process-to-core assignment and scheduling.

It should be noted that in some configurations, watchdog 310 may be configured to monitor behaviors of functional groups 351-355 as a whole rather than the internal operations of a particular functional group 353. In such embodiments, a wire connection such as 305 may link watchdog 310 to an internal component of one or more of the functional groups 351-355, while a bus akin to 300 connects watchdog 310 to the various functional groups 351-355 instead of or in addition to processors 320 and 330.

FIG. 3 further illustrates an aspect of the invention in which a first processor (watchdog) is electronically coupled to a bus 300, and is configured to monitor the interaction of a second processor 320 and a third processor 330. The second processor 320 is electronically coupled to the third processor 330 via bus 300, and the watchdog can monitor interactions by monitoring certain bus 300 interactions of the processors 320, 330. For example, in a multicore architecture the second processor 320 can be configured to outsource processor work by initiating at least one process on the third processor 330. The watchdog 310 can monitor such activity as well as responses from the third processor 330 back to the second processor 320, and ensure that it represents a legitimate use of the third processor 330 and not an attack or illegitimate use of chip 350 resources.

In this embodiment, it may be useful for watchdog 310 to monitor many of the same behaviors as when watchdog 310 is monitoring internal component 305 of processor 320. For example, system calls/child processes, program counters, and pointer access pertaining to interactions between second processor 320 and third processor 330 are beneficially monitored by watchdog 310 by monitoring bus 300. Embodiments may further beneficially combine monitoring of an internal component 325 with monitoring processor interactions to achieve robust and effective multicore monitoring capabilities.

The watchdog 310 may be configured to enforce an interaction policy against the second processor 320 and/or third processor 330. Such a configuration can be understood with reference to FIG. 4.

FIG. 4 demonstrates an application layer comprising software applications 461 and 462, an operating system layer 470, and a hardware layer comprising computer chip 450. The computer chip 450 comprises a functional group 453 which may comprise various components, such as processors 420 and 430 and watchdog 410 as discussed with reference to FIG. 3. As illustrated in FIG. 4, an interaction policy may come from a variety of sources, such as processor policy 464 from an application 462, processor policy 472 from operating system 470, and processor policy 480 from chip 450.

In one embodiment, an OS 470 may dictate a basic interaction policy 472 to be applied regardless of the process or particular application functions that may be running on second processor 320 or third processor 330. Similarly, a basic policy such as 480 may be universally applied regardless of processes running on second processor 420 or third processor 430. This is not to say that policies 472 and 480 coming from an OS 470 or from hardware 450 may not be conditionally applied. Various useful configurations of the invention may utilize, not utilize, or conditionally utilize hardware and OS processor policies as desired.

Additionally, an application 462 may comprise a processor interaction policy 464 in addition to the application functions 463 supplied with the application 464. Like other processor policies, the application processor policy 464 may provide either independent or supplemental interaction policies to be enforced when the one or more processes associated with the application are executing on a processor 420. For example, some applications may dictate that no system calls may be made and no child processes may be spawned during execution of a particular process. The watchdog 410 may accordingly watch for such a behavior when one of the processors 420 is executing such a process.

An interaction policy may further dictate what action is to be taken by the watchdog 410 when a disapproved behavior occurs. In one embodiment, the watchdog 410 may freeze the processor 420 or 430 that exhibited the disapproved behavior. Other less or more drastic measures are also available depending on a level of security that is desired.

A processor policy may evolve dynamically. Behaviors of a complex multiprocessor system such as chip 450 may be difficult to fully understand, even by experts in the field. In this regard, intelligent logic may be placed in an OS 470 or on chip 450 to learn over time which processor interaction behaviors are considered normal or, conversely, which interaction behaviors are considered abnormal. Policies such as 472 can be updated to reflect advances in knowledge. Another way to dynamically update processor policies 472 may be over a network. For example, as new security loopholes are discovered, a processor policy such as 472 may be updated via a network connection so watchdog 410 can effectively close discovered security loopholes.

FIG. 4 thus illustrates an embodiment of the invention in which a second processor 420 is electrically coupled to a watchdog processor 410 via bus 400, and a software application 462 comprising a set of application functions 463 and a processor policy 464, wherein said set of application functions 463 are executed by the second processor 420, and wherein said processor policy 464 is enforced against said second processor 420 by said first processor 410 (the watchdog processor).

FIG. 5 illustrates an exemplary computing device 500 into which the various systems and methods contemplated herein may be deployed. An exemplary computing device 500 suitable for use in connection with the systems and methods of the invention is broadly described. In its most basic configuration, device 500 typically includes a processing unit 502 and memory 503. Depending on the exact configuration and type of computing device, memory 503 may be volatile (such as RAM), non-volatile (such as ROM, flash memory, etc.) or some combination of the two. Additionally, device 500 may also have mass storage (removable 504 and/or non-removable 505) such as magnetic or optical disks or tape. Similarly, device 500 may also have input devices 507 such as a keyboard and mouse, and/or output devices 506 such as a display that presents a GUI as a graphical aid accessing the functions of the computing device 500. Other aspects of device 500 may include communication connections 508 to other devices, computers, networks, servers, etc. using either wired or wireless media. All these devices are well known in the art and need not be discussed at length here.

The invention is operational with numerous general purpose or special purpose computing system environments or configurations. Examples of well known computing systems, environments, and/or configurations that may be suitable for use with the invention include, but are not limited to, personal computers, server computers, hand-held or laptop devices, multiprocessor systems, microprocessor-based systems, set top boxes, programmable consumer electronics, network PCs, minicomputers, mainframe computers, cell phones, Personal Digital Assistants (PDA), distributed computing environments that include any of the above systems or devices, and the like.

In light of the diverse computing environments that may be built according to the general frameworks of provided in FIGS. 2-5, the systems and methods provided herein cannot be construed as limited in any way to a particular computing architecture. Instead, the present invention should not be limited to any single embodiment, but rather should be construed in breadth and scope in accordance with the appended claims.

Claims

1. A system comprising: a first processor;a second processor;at least one third component;a bus between said second processor and said at least one third component, wherein the first processor is configured to monitor activity on said bus;at least one wire connection between said first processor and said second processor, wherein said wire connection is independent of said bus, and wherein said first processor can monitor an internal component of said second processor via said wire connection.

2. The system of claim 1, wherein said first, second, and at least one third component are located on a single computer chip.

3. The system of claim 1, wherein said internal component of said second processor is a register.

4. The system of claim 1, wherein said internal component of said second processor is a stack pointer table.

5. The system of claim 1, wherein said first processor enforces a policy on said second processor.

6. The system of claim 1, wherein said at least one third component comprises a processor.

7. The system of claim 1, further comprising at least one wire connection between said first processor and said at least one third component.

8. A system comprising: a first processor;a second processor electrically coupled to said first processor;a software application comprising a set of application functions and a processor policy, wherein said set of application functions are executed by said second processor, and wherein said processor policy is enforced against said second processor by said first processor.

9. The system of claim 8, wherein said first processor and said second processor are configured such that the first processor can halt a process running on said second processor.

10. The system of claim 8, wherein said first and second processor are located on a single computer chip.

11. The system of claim 8, wherein said processor policy detects a system call that launches a command shell.

12. The system of claim 8, wherein said processor policy detects if a child process is started on said second processor.

13. The system of claim 8, wherein said processor policy identifies a plurality of legal jump instructions.

14. The system of claim 8, wherein said processor policy identifies a plurality of legal call instructions.

15. The system of claim 8, wherein said processor policy identifies a read access to uninitialized memory.

16. The system of claim 8, further comprising at least one wire connection between said first processor and at least one third component, wherein said first processor can monitor information in an internal component of said at least one third component via said wire connection.

17. The system of claim 8, wherein said processor policy is a dynamically evolving processor policy.

18. A system comprising: a first processor electronically coupled to a bus, and configured to monitor the interaction of a second processor and a third processor, wherein said first processor is configured to enforce an interaction policy against said second processor and third processor;wherein said second processor is electronically coupled to said third processor via said bus; andwherein said second processor is configured to initiate at least one process on said third processor.

19. The system of claim 18, wherein said processor policy is a dynamically evolving processor policy.

20. The system of claim 18, wherein said dynamically evolving processor policy identifies normal behavior and/or abnormal behavior of one or more of said second and said third processor.