To satisfy various design requirements and application needs, designers integrate multiple intellectual property blocks (IPs) to produce a system on chip (SoC). For improved survivability, designers should be able to patch the SoC to mitigate potential security issues arising from hardware IPs; for increased flexibility, we propose adding programmable hardware-based support for monitoring and bug mitigation. However, it is a challenge to decide how much additional cost a designer should expend up front to deal with unknown, future issues. We propose an approach that guides designers toward maximizing the benefits of adding “patchability” to various IPs in the system, given a target resource overhead. We frame the design problem as an integer quadratic program and show that our approach achieves superior patchability compared to the naïve and baseline approaches for a given cost limit. Experimental results show that when we set a cost limit of 2% field-programmable gate array adaptive logic module usage, our solution can generate a viable patching infrastructure with six patching blocks offering patches for seven different services in our case study.

中文翻译：

---

硬件支持的硬件 IP 块中安全漏洞修补

为了满足各种设计要求和应用需求，设计人员集成了多个知识产权块 (IP) 来生产片上系统 (SoC)。为了提高生存能力，设计人员应该能够修补 SoC 以减轻硬件 IP 引起的潜在安全问题；为了提高灵活性，我们建议添加基于可编程硬件的监控和错误缓解支持。然而，要决定设计师应该预先花费多少额外成本来处理未知的、未来的问题是一个挑战。我们提出了一种方法，可以指导设计人员在给定目标资源开销的情况下最大限度地利用向系统中的各种 IP 添加“可修补性”的好处。我们将设计问题构建为一个整数二次规划，并表明我们的方法与给定成本限制的朴素和基线方法相比具有出色的可修补性。实验结果表明，当我们将现场可编程门阵列自适应逻辑模块使用的成本限制设置为 2% 时，我们的解决方案可以生成一个可行的补丁基础架构，其中包含六个补丁块，为我们的案例研究中的七种不同服务提供补丁。