Divergent Multi-Version Execution (DME): Canonical Instruction-Trace Fault Detection via Structural Address-Space Decorrelation

TL;DR

Divergent Multi-Version Execution (DME) is a runtime verifier that detects faults by comparing instruction traces from independently compiled replicas with different memory layouts but identical semantics.

Contribution

It introduces a novel approach to fault detection using diversified executions and canonical instruction traces, improving fault detection beyond traditional redundancy methods.

Findings

Detects silent data corruption caused by various faults.

Uses independent compilation to produce diverse replicas.

Compares instruction traces to identify inconsistencies.

Abstract

Traditional redundancy (lockstep, TMR) executes identical binaries with identical memory layouts. A single correlated fault - for example, an arbitrary program counter value or a perturbation delta-PC in all replicas - redirects all replicas along the same incorrect path. The same applies to corruption of data pointers. Both types of faults, regardless of their origin (deliberate tampering, software bug, compilation bug, or physical disturbance), cause silent data corruption and erroneous program execution. This work presents Divergent Multi-Version Execution (DME), a runtime semantic consistency verifier for diversified executions. Each replica is compiled independently, producing different code and data memory layouts while preserving identical semantics. Faults are detected by comparing canonical instruction traces, which include opcodes, register identifiers, loaded/stored values, and results, while discarding layout-dependent addresses.