`
`Multiple Processors vs. A Single Processor In Attribute Measurement Systems
`
`Robert Landry, Luca Gratton, and Duncan MacArthur
`Los Alamos National Laboratory
`
`Los Alamos, NM 87545 USA
`
`SAMSUNG 1061
`SAMSUNG v. SMART MOBILE
`IPR2022-01004
`
`SUMMARY
`Competing design proposals for data acquisition and analysis components in an attribute
`measurement system (AMS) differ in the processor (CPU) specifications, and in the distribution
`and tasking of the processors. Primary design considerations include the number of CPU’s, their
`locations within the system, and their processing assignments. Because the processor system
`must communicate with multiple measurement collection units, viable design options include the
`use of one multitasking CPU or multiple single-tasking CPU’s.
`
`After a comprehensive comparison, the authors advocate the use of multiple, single-tasking
`CPU’s rather than a single, multitasking unit (Tables 1.a and 1.b). This comparison is made on
`the basis of anticipated attributes for generic systems. Detailed comparisons in each of the
`categories require formal system descriptions, which are beyond the current scope of this effort.
`
`The multiple processor design provides distinct advantages for AMS hardware and software
`simplicity, certification, authentication, repair times and failure modes, processing capabilities,
`and information security. The single processor design has advantages for apparent hardware
`simplicity (i.e., the visual perception of simplicity), integration, system size, and communication
`network security. Ties are recorded for physical security, the cost of processor acquisition, and
`processing system reliability.
`
`Table 1.a. A Categorical Comparison of Processor Design Solutions.
`
`Category                                                      Advantage To
`
`Hardware/Software Functional Simplicity                       Multiple Processor
`Hardware Apparent Simplicity                                  Single Processor
`Hardware Integration                                          Single Processor
`Physical Size of the Processing System                        Single Processor
`Processor Certification                                       Multiple Processor
`Processor Authentication                                      Multiple Processor
`Duration of Processor System Unavailability and Repair Time   Multiple Processor
`
`
`Table 1.b. A Categorical Comparison of Processor Design Solutions (Continued).
`
`Category                                                      Advantage To
`
`Restriction of Processor Failure Modes and Criteria           Multiple Processor
`Processing Mode Capabilities                                  Multiple Processor
`On-Processor Information Security                             Multiple Processor
`On-Network Information Security                               Single Processor
`Physical Security                                             Tie
`Reduced Cost of Acquisition                                   Tie
`Processor System Reliability                                  Tie
`
`INTRODUCTION
`An AMS allows qualitative assessments to confirm declarations for nuclear material properties
`without divulging classified information. Differences among competing design proposals for an
`attribute measurement system include the specifications for computer processor (CPU) control of
`the measurement subsystems, and for the distribution and task-devotion of the processors.
`Primary design considerations include the number of CPU’s in the system, and their processing
`assignments among many possible system control distribution plans.
`
`A proposed design solution uses several small microprocessors in the data gathering system to
`implement different functions. An alternative proposal is to use only one processor to perform
`all the functions in multitasking operations. In this paper, we present advantages and
`disadvantages of each approach. Because advantages for the multiple processor
`implementation are disadvantages for the single processor configuration and vice versa, both
`advantages and disadvantages are presented in the context of the multiple processor
`implementation. The disadvantages of the multiple processor implementation are understood to
`be advantages of the single processor configuration.
`
`ADVANTAGES OF A MULTIPLE PROCESSOR DESIGN
`The use of a multiple processor design for the attribute measurement system confers advantages
`in the categories of simplicity of function, certifiability, authenticatability, modularity, length of
`system recovery and repair time, system development time, failure criteria and modes,
`processing modes, and information security. There is no significant advantage for either solution
`in the category of physical security of communication and power lines.
`
`
`Simplification
`Simplicity is a desirable system design characteristic that may enhance system reliability.
`Simplicity additionally accelerates maintenance and repair operations, and eases certification and
`authentication activities. A multiple processor solution is preferable for achieving a high degree
`of system simplicity.
`
`A multiple CPU design employs a basic single-tasking operating system and limited instruction
`set on each processor. A simple processor running a basic operating system is easier to inspect
`than a single processor running a more complex multitasking operating system. This observation
`is consistent with the findings of a working group formed to review information barrier system
`concepts, which has recommended that extraneous code and complex operating systems be
`avoided.' A simple design facilitates visual inspection of the physical layout of the CPU’s,
`cables, interconnections and interfaces to other hardware. An advantage of a multiple processor
`solution is that the physical architecture better mimics the functional architecture. It is therefore
`easier to visually inspect a multiple processor design with a smaller number of traces and
`connections at each of the dedicated CPU’s, and a limited distribution of interfaces among
`CPU’s, because the required function of each CPU is simpler than for the single processor
`design. Additionally, the multiple CPU solution better facilitates the removal and replacement of
`individual processors because fewer interconnections exist at each processing node and because
`simple single-tasking software requires only a limited suite of diagnostic checks following
`installation. Finally, the hierarchical software structure that is inherent to the multiple CPU
`solution better complements the hierarchical physical architecture.’
`
`Certification
`Certification and attestation of the AMS are performed by the party hosting the measurements
`(i.e., usually the steward of the nuclear materials). Certification and attestation ensure that the
`AMS adequately protects sensitive information while operating in a secure acquisition mode. It
`is more efficient for the hosts to certify a simple processor running a basic operating system than
`a single processor solution running a more complex multitasking operating system. From the
`certification standpoint, a network of simple processors, each running a basic operating system
`and instruction set, can be evaluated on a node-by-node basis to ensure operational integrity.
`Compared to a single processor design, the multiple CPU design is better distinguishable in
`terms of component functionality and dedication of purpose. The functional dedication
`facilitates systematic inspection processes consisting of a series of simple checks that are specific
`to a given processing node. Because individual CPU tasks are dedicated, and reduced
`compared to the single multi-tasking CPU design, it is easier to identify execution errors,
`aberrant and unauthorized operations at a given node. Smaller CPU stacks and layers of boards
`can be used for each processor, thereby reducing the likelihood that undetected programmable
`logic or persistent memory is present, or that extraneous functionality exists. With simpler
`instruction sets, smaller sizes for executable single-tasking programs on each CPU, and
`dedicated function, the multiple CPU design allows minimization or elimination of unused
`sections of memory so that they are not exploited for covert data storage or code execution.
`Memory optimization for the intended processing operation also provides impediments to the
`execution of self-modifying code. Similarly, with the functional dedication and reduced
`number of interconnections at a single processor in the multiple CPU solution, the certification
`of inputs and output connections at processing nodes is simpler than for the single CPU option.
`
`
`Authentication
`Authentication is performed by the party monitoring the measurements. Authentication activities
`provide assurance that the AMS implementation provides genuine and accurate output. Accurate
`output is demonstrated by the evaluation of reference materials in an open (non-secure)
`measurement mode. The benefits of a multiple CPU design to the authentication procedures are
`analogous to those for certification procedures. The multiple CPU design facilitates the
`authentication process in three major categories: abilities to conduct (1) detailed examination of
`equipment, (2) functional and (3) system performance testing.
`
`Multiple processor implementations may include standardized hardware components to allow for
`module exchange. For a modular CPU design, a single processor is considered to be an
`interchangeable module. Replacements for the CPU hardware components of multiple
`subsystems can be stored in a reduced (compared to a single CPU solution involving multiple
`expansions) spare parts inventory that consists of a single type and model of processor board,
`perhaps with the exception of the software PROM. The use of standard modular hardware
`allows random component selection from a larger pool of replacement parts. Because the same
`part may be used for components in multiple subsystems in a modular, interchangeable
`component design, it is less likely that a defect or engineered vulnerability in the replacement
`can be successfully exploited for installations in all eligible subsystems. The use of a random
`hardware selection procedure in situations where the host supplies the hardware, therefore,
`provides authentication process advantages that are amplified where modular CPU designs are
`employed. Moreover, these modules are inexpensive. Additionally, if all of the modules
`(processor systems) are identical with the exception of the software PROM, replacement of a
`failed module is faster. Two existing attribute measurement system designs with specifications
`for multiple processors use single board computers conforming to a PC-104 architecture to
`achieve a degree of modularity.”
`
`Recovery and Repair Times
`For identical types of CPU failure, the time to system repair and the duration of system
`unavailability can be reduced with a multiple processor design, relative to a single processor
`design. System state-of-health software can identify a failure in a single module, and notify the
`operator of the problematic module. Prior attribute measurement system designs conduct
`operator notification by use of an unclassified output error signal that crosses the data barrier.”
`More detailed error messages would probably require operator access to diagnostic messages that
`reside within the information barrier security enclosure, and may need to be preceded by an
`active purge of sensitive information. The distribution of control and processing tasks among
`dedicated CPU’s makes problem isolation and identification simpler; the characteristic of the
`failed function indicates the problematic node and operation in a multiple processor design.
`Finally, the replacement of the failed processor requires installation and manipulation of a
`limited number of connections for the multiple processor design (e.g., see Reference 4, p. 10,
`Fig. 8). Processor replacement would be a standard and rapid operation where modular
`components are concerned.
`
`The scope of diagnostic and operational integrity checks for a replacement module in a multiple
`processor design can be limited to tests for the proper operation of the affected subsystem. The
`ability to limit scope reduces the time required to develop, troubleshoot and debug simple
`hardware and software configurations in a multiple CPU design. Additionally, the diagnostics
`software for the individual single-tasking processors can be relatively simple in the multiple
`processor design. Because the multiple CPU’s are controllers for respective subsystems,
`troubleshooting and debugging may proceed for the subsystems individually. For a single
`processor design, all system functions would require testing following replacement of the failed
`processor component and system software. Each diagnostic check in a series of tests would
`involve evaluation for the proper operation of relevant subsystems in a multitasking mode for the
`single processor solution. The additional checks required for the multitasking system would
`correspond to an increased expenditure of time in performing diagnostics. Additionally, a
`relatively complex diagnostics and control program is required to take advantage of the
`multitasking operating system in the single CPU solution.
`
`Information Security And System Reliability
`The level of physical security of the power and data communications lines and CPUs is
`dependent mostly on the security enclosure, and is independent of the number of processors used
`in the system. Either design requires the same number and types of barrier penetrations through
`a shielded security enclosure for power delivery and communications. The use of multiple
`processors requires a greater number of communication buses between CPU’s, but all added
`buses are located within the security enclosure.
`
`In an efficient multiple processor design, sensitive information is distributed among multiple,
`secure processors. Applications for other attribute measurement systems with information
`barriers have used multiple CPU’s, with operational relegation to either dedicated classified
`processors and other unclassified processors in a distributed processing mode.’ Ideally, the
`entire ensemble of sensitive information is not simultaneously resident on a single processor for
`the duration of a measurement, as is the case in a single processor solution. Therefore,
`unauthorized access to an entire ensemble of sensitive information on a multiple processor
`system requires more work and the defeat of more subsystems than with a single processor.
`These considerations conform to functional requirements that mandate a minimization of the
`amount of classified data residing at each stage of the system.”
`
`Additional security benefits of a multiple processor design are that fewer memory operations are
`required and that memory capacities can be sized for the subsystem operations. Fewer
`manipulations of information in core memory are required for a network of single-tasking
`processors than for a multitasking single processor. Consequently, sensitive information
`vulnerabilities are lowered by the less frequent storage and retrieval that occurs with the multiple
`single-tasking processor design. Finally, sizing the memory in hardware such that it is just
`sufficient to accommodate the executable and any runtime overhead requirements is a security
`measure that provides assurances that unauthorized code execution is not occurring on any of the
`processors. This resident memory tailoring is more difficult to do with a single, multitasking
`processor because runtime dynamic memory allocation demands are generally greater.
`
`A multiple processor design is less sensitive to a single failure, and is easily designed for the
`system to fail gracefully while providing diagnostic warnings. This design thereby allows the
`retention of important system functions, the active archival or erasure of information as
`appropriate, the broadcast of diagnostic information, and the recovery of crucial system
`capacities (e.g., information security functions) following the loss of a CPU. A single processor
`solution is prone to catastrophic failure with the loss of a CPU. For a single processor design,
`loss of the CPU has the consequences that core system functions are disabled, that information is
`irretrievably lost, and most importantly, that the system is unable to transmit diagnostic
`information to the operator.
`
`Processing
`The parallel processing capabilities of a multiple processor system can be used to shorten data
`collection cycle times. This may only be a discernible advantage where the measurement count
`rates are high, because no processor system supervisory deadtime from the multitasking
`operation in a single processor configuration would be encountered with multiple processors.
`However, this may only be a modest benefit that further shortens already-brief collection cycles.
`
`ADVANTAGES OF A SINGLE PROCESSOR DESIGN
`The use of a single, multitasking processor design for the attribute measurement system offers
`advantages in the areas of hardware integration, size, apparent simplicity and network security.
`
`Integration, Size and Apparent Complexity
`An advantage of the use of a single multitasking processor is the integration of all system control
`and analysis functions in a single piece of hardware. This alleviates some of the interface and
`communications issues present for the multiple processor design, but places added burdens on
`the software, particularly with respect to security, reliability and programming error issues in
`multitasking operations. Because of the hardware integration, the volume of a single processor is
`generally accepted to be less than the combined displacement of multiple processors and
`communications lines. Therefore, it is expected that less internal space is required for
`electronics. The apparent complexity (i.e., the observer’s visual perception of system
`complexity) of a single processor solution is lower than for a multiple processor system. While
`the validity of this perception does not stand up to a detailed consideration of the functional
`simplicity of the entire (hardware and software) system, the perception may confer advantages
`for host and/or inspector acceptance of a single processor design.
`
`Hardware Acquisition and Operation Costs
`The relative cost of acquisition for a single multitasking processor system, compared to that for
`multiple single-tasking processors, is dependent on the specific design proposals. If the CPU’s
`considered for the single and multiple processor implementations are equivalent, it is reasonable
`to expect that the acquisition cost for the single processor would be lower. Processor prices are
`currently low, and the processors are among the least expensive components in the attribute
`measurement system for either the single or multiple processor solutions. For these latter reasons,
`the processor acquisition cost is considered to be indifferent to a single or multiple processor
`solution.
`
`The integrated costs of acquisition, installation, maintenance, and repair are also dependent on a
`comparison of specific design proposals. However, the computational expense is lower, and the
`utilization factor is much greater, for one complex computer system running a multi-tasking
`operating system than for the distribution of load over many CPU’s. Finally, the operational
`costs (e.g., power requirements) are lower for a single multitasking CPU. Though it is unlikely
`that computational and power costs are significant economic factors in the operation of an
`attribute measurement system, operational cost issues may have added significance in
`applications involving frequent or continuous measurement system use in remote locations.
`
`Information Security And System Reliability
`The single multitasking processor solution is slightly superior on the issues of network
`vulnerabilities and reliability. The multiple processor design requires interprocessor
`interfaces via communication lines and ports (i.e., a network). Possible network security
`measures include the enforcement of one-way data transfers, the disconnection of network
`connections during periods of inactivity, checksum-based block protection schemes, encryption,
`and key management and authentication.⁶,⁷ Few elaborate network security schemes should be
`necessary because of the physical protection inherent to the location of the system within an
`information barrier enclosure. However, network security must be considered with a multiple
`processor solution. The advantage of a single multitasking CPU design is that no interprocessor
`communication security considerations exist.
`
`Although the single processor implementation has a quantitative advantage for system reliability
`if all CPU’s have equivalent component failure probabilities, the quantitative difference in
`system reliability between single and multiple processor designs is negligible and demonstrates
`an indifference to design solution for likely implementations (i.e., comparisons to multiple
`processor systems with far fewer than 10 CPU’s). Differences in system failure probability scale
`linearly with the number of processors. Parametric comparisons demonstrate the scalings for the
`examples of a 1 and a 3 CPU system over an arbitrary service lifetime. For small independent
`and constant component failure probabilities, the parametric comparisons show that the system
`failure probability for the 3 CPU system is an intuitive factor of 3 greater than that for a single
`processor system. Only at high uniform component failure probabilities (> 0.1) do the system
`failure probabilities for the 1 and 3 CPU systems converge. Because a reliable design
`implementation would lead to the choice of processor components with failure probabilities less
`than 1-10° over a standard service life (i.e., prior to routine processor replacement), the
`difference in the values of system failure probability by a factor of 3 between solutions is of
`negligible consequence for overall system reliability.
`
`The computational loads on each of multiple processors would be smaller than for the CPU in a
`single processor design. Therefore, it is likely that smaller and simpler CPU’s can be used in a
`multiple processor design. Each of the simple (i.e., smaller number of traces and lower circuit
`density) CPU’s would have a higher component reliability than the CPU in the single processor
`configuration. This results in a sublinear scaling of the system failure probability, relative to the
`failure probability for a 1 CPU system. The reliability differences of the 1 and 3 CPU systems
`may, therefore, be much less than a factor of 3 under actual implementation.
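
The parametric comparison described in the two paragraphs above, worked as an added example (not part of the original paper). It assumes a series model in which the processing system fails if any one of its independent CPUs fails; the function names and the `relative_cpu_failure` parameter are hypothetical, and the sample probabilities are constructed.

```python
"""Parametric comparison of system failure probability for 1-CPU and n-CPU designs.

Assumption (not stated as a formula in the paper): a series model, i.e. the
processing system fails if any one of its independent CPUs fails.
"""
from math import expm1, log1p


def system_failure_probability(component_probs):
    """Return P(at least one CPU fails) for independent per-CPU failure probabilities."""
    log_survival = 0.0
    for p in component_probs:
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"failure probability out of range: {p!r}")
        if p == 1.0:
            return 1.0  # a certain component failure makes system failure certain
        log_survival += log1p(-p)  # log(1 - p), accurate for very small p
    return -expm1(log_survival)  # 1 - prod(1 - p_i) without cancellation error


def failure_ratio(p_single, n_cpus=3, relative_cpu_failure=1.0):
    """Ratio of n-CPU to 1-CPU system failure probability.

    relative_cpu_failure scales the failure probability of each CPU in the
    multiple processor design relative to the single CPU (hypothetical
    parameter; 1.0 means equivalent CPUs, < 1.0 models simpler CPUs).
    """
    if not 0.0 < p_single <= 1.0:
        raise ValueError("p_single must be in (0, 1]")
    p_each = relative_cpu_failure * p_single
    return system_failure_probability([p_each] * n_cpus) / p_single


def parametric_comparison(probabilities, n_cpus=3):
    """Return rows of (p, P_fail for 1 CPU, P_fail for n CPUs, ratio)."""
    rows = []
    for p in probabilities:
        multi = system_failure_probability([p] * n_cpus)
        rows.append((p, p, multi, multi / p))
    return rows


if __name__ == "__main__":
    # Constructed sample values spanning small to large component failure probabilities.
    for p, single, multi, ratio in parametric_comparison([1e-6, 1e-4, 1e-2, 0.1, 0.5, 0.9]):
        print(f"p={p:<8g} 1 CPU={single:<10.3g} 3 CPU={multi:<10.3g} ratio={ratio:.3f}")
    # Simpler CPUs with half the failure probability (constructed value): sublinear scaling.
    print(f"ratio with simpler CPUs: {failure_ratio(1e-4, 3, 0.5):.3f}")
```

Under this model the 3 CPU to 1 CPU ratio is 3 to within a few parts per million at p = 1e-6, 2.71 at p = 0.1 and 1.75 at p = 0.5; halving the per-CPU failure probability in the 3 CPU design brings the ratio to about 1.5.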
`
`CONCLUSIONS
`A comprehensive consideration of the advantages and disadvantages for single or multiple
`processor design options results in a general endorsement for the multiple processor design by
`the authors. The multiple processor solution provides distinct advantages in the categories of
`functional simplicity for hardware and software; processor certification; processor
`authentication; the brevity of processor system unavailability and repair time; the restriction of
`failures to a tolerable field of failure modes and associated criteria; processing mode capabilities
`(e.g., parallel); and processor-resident-information security. The single processor solution has
`advantages in the categories of apparent hardware simplicity; the integration of processing
`hardware; the processing system size; and information security over any inter-processor
`communication network (the single processor does not have this network vulnerability). Though
`the single processor solution nominally enjoys a modest quantitative advantage over the multiple
`processor design in the category of processor system reliability, a tie is recorded for the
`competing solutions in this category. The tie is assigned because the system reliability is largely
`indifferent to the solution (provided the number of processors in the multiple processor system
`does not approach or exceed 10) in the anticipated individual component reliability regime. A tie
`also occurs in the physical security category, because there are no significant differences
`between the barrier enclosures, or the number and types of enclosure penetrations, for the
`competing solutions. Finally, the processor acquisition cost category is indifferent to the type of
`solution. Processors are currently of low expense, and are among the least costly of components
`in an attribute measurement system with either single or multiple CPU’s.
`
`ACKNOWLEDGEMENT
`This work was supported by the U.S. Department of Energy, NA-241. The views and
`conclusions presented here are solely those of the authors, and should not be interpreted as
`representing the official views, policies or endorsements of the University of California or the
`U.S. Government.
`
`
`REFERENCES
`¹Bruce Geelhood, Richard Comerford, David Lee, James Mullens, and James Wolford, “Review
`of Two US Information Barrier Implementations,” Report PNNL-SA-34973, Pacific Northwest
`National Laboratory, June 26, 2001.
`
`²Sally Bahowick, George Staehle, Daniel Decman, Randy Logsdon, Greg White, Thomas
`Gosnell and Thomas Moore, “Functional Specification Inventory Sampling Measurement
`System (ISMS), Version 1.04,” Lawrence Livermore National Laboratory, June, 2002.
`
`³Duncan W. MacArthur, “Proposed Attribute Measurement System (AMS) with Information
`Barrier for the Mayak/PPIA Demonstration: System Overview,” Report LA-UR-99-5611, Los
`Alamos National Laboratory, 1999.
`
`⁴Rena Whiteson, Duncan W. MacArthur, and Robert P. Landry, “Functional Specifications for a
`Prototype Inspection System with Information Barrier,” Report LA-UR-99-1174, Los Alamos
`National Laboratory, 1999.
`
`⁵Rena Whiteson and Duncan W. MacArthur, “Functional Requirements for a Prototype
`Inspection System and Information Barrier,” Report LA-UR-98-5982, Los Alamos National
`Laboratory, 1998.
`
`⁶Bruce D. Geelhood, “Information Barriers to Protect Sensitive Information During Nuclear
`Weapons and Materials Inspections,” Report PNNL-11982, Pacific Northwest National
`Laboratory, September 2, 1998.
`
`⁷Matthew J. Moyer, Josyula R. Rao, and Pankaj Rohatgi, “A Survey of Security Issues in
`Multicast Communications,” IEEE Network 13(6), pp. 12-23, November 1999.
`