During the design-space exploration (DSE) of embedded systems, multiple optimization objectives, such as performance, power/energy consumption, and cost, should be considered simultaneously. This is called multi-objective DSE [2]. Since the objectives are often in conflict, there cannot be a single optimal solution that simultaneously optimizes all objectives. Therefore, optimal decisions need to be taken in the presence of trade-offs between design criteria.

#### 2.1. Multi-Objective Optimization

Given a set of m decision variables, which are the degrees of freedom (e.g., parameters like the number and type of processors in the system, application mapping, etc.) that are explored during DSE, a so-called fitness function must optimize the n objective values [2]. The fitness function is defined as:

A potential solution $x\in {R}^{m}$ is an assignment of the m decision variables. The fitness function ${f}_{i}$ translates a point in the solution space X into the i-th objective value (where $1\le i\le n$). For example, a particular fitness function ${f}_{i}$ could assess the performance or energy efficiency of a certain solution x (representing a specific design instance). The combined fitness function $f\left(x\right)$ subsequently translates a point in the solution space into the objective space Y. Formally, a multi-objective optimization problem (MOP) tries to identify a solution x for the m decision variables that minimizes the n objective values using objective functions ${f}_{i}$ with $1\le i\le n$:

Here, the decision variables ${x}_{i}$ (with $1\le i\le m$) usually are constrained. These constraints make sure that the decision variables refer to valid system configurations (e.g., using not more than the available number of processors, using a valid mapping of application tasks to processing resources, etc.), that is, ${x}_{i}$ are part of the so-called feasible set. In the remainder of this section, we assume a minimization procedure, but without loss of generality, this minimization procedure can be converted into a maximization problem by multiplying the fitness values ${y}_{i}$ with $-1$.

With an optimization of a single objective, the comparison of solutions is trivial. A better fitness (i.e., objective value) means a better solution. With multiple objectives, however, the comparison becomes non-trivial. Take, for example, two different embedded system architecture designs: a high-performance system and a slower but much cheaper system. In case there is no preference defined with respect to the objectives and there are also no restrictions for the objectives, one cannot say whether the high-performance system or the low-cost system is better. A typical MOP in the context of embedded systems design can have a variety of different objectives, like performance, energy consumption, cost and reliability. To compare different solutions in the case of multiple objectives, the Pareto dominance relation is generally used. Here, a solution ${x}_{a}\in X$ is said to dominate solution ${x}_{b}\in X$ if and only if ${x}_{a}<{x}_{b}$:

Hence, a solution ${x}_{a}$ dominates ${x}_{b}$ if its objective values are superior to the objective values of ${x}_{b}$. For all of the objectives, ${x}_{a}$ must not have a worse objective value than solution ${x}_{b}$. Additionally, there must be at least one objective in which solution ${x}_{a}$ is better (otherwise they are equal).

An example of the dominance relation is given in Figure 1, which illustrates a two-dimensional MOP. For solution H the dominance relations are shown. Solution H is dominated by solutions B, C and D, as all of them have a lower value for both ${f}_{1}$ and ${f}_{2}$. On the other hand, solution H is superior to solutions M, N and O. Finally, some of the solutions are not comparable to H. These solutions are better for one objective but worse for another.

The Pareto dominance relation only provides a partial ordering. For example, the solutions A to F of the example in Figure 1 cannot be ordered using the dominance relation. Since not all solutions $x\in X$ can be ordered, the result of a MOP is not a single solution, but a front of non-dominated solutions, called the Pareto front. A set ${X}^{\prime}$ is defined to be a Pareto front of the set of solutions X as follows:

The Pareto front of Figure 1 contains six solutions: A to F. None of these solutions dominates another: an improvement on objective ${f}_{1}$ is matched by a worse value for ${f}_{2}$. Generally, it is up to the designer to decide which of the solutions provides the best trade-off.

#### 2.2. Search for Pareto Optimal Solutions

The search for Pareto optimal design points with respect to multiple design criteria entails two distinct elements [5]:

The evaluation of a single design point using the fitness function(s) $f\left(x\right)$ regarding all the objectives in question, like system performance, power/energy consumption and so on. These evaluations are usually based on measurements using real systems or predictions from either analytical models or simulation models [2].

The search strategy for navigating through and covering the design space during the DSE process. Such search strategies can be based on exact, but typically unscalable, methods that guarantee finding the optimal solution(s). These exact methods can, for example, be implemented using integer linear programming (ILP) solutions (e.g., References [6,7]) or branch & bound algorithms (e.g., Reference [8]). Alternatively, so-called meta-heuristics, such as genetic algorithms (GA) or simulated annealing, can be used to search the design space for optimal solutions. They only perform a finite number of design point evaluations, and can thus handle larger design spaces. However, there is no guarantee that the global optimum will be found using meta-heuristics, and therefore the result can be a local optimum within the design space. GA-based DSE has been widely studied in the domain of system-level embedded design (e.g., References [9,10,11,12]) and has been demonstrated to yield good results.
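The following Python program is an added example (not code from the paper or from any DSE framework it cites) that puts the definitions of Section 2.1 and the two elements of Section 2.2 into working code. It constructs a toy embedded design space with three decision variables (core count, core type, clock frequency), a feasibility constraint (power budget and available cores), and three analytical fitness functions (latency, energy, cost), all of which are constructed assumptions for illustration rather than measured data. On top of that it implements the Pareto dominance relation, extracts the Pareto front, and contrasts an exact exhaustive search with a small evolutionary search that is limited to a finite evaluation budget, so that the global-front points such a meta-heuristic misses can be listed.

```python
import random
from itertools import product
from typing import Dict, List, Tuple

# Constructed toy design space (illustrative analytical models, not measured data).
# Decision variables x = (n_cores, core_type, freq_mhz), i.e. m = 3.
CORE_TYPES = {"small": {"speed": 1.0, "power": 0.5, "price": 2.0},
              "big":   {"speed": 2.2, "power": 1.6, "price": 5.0}}
N_CORES = (1, 2, 4, 8)
FREQS_MHZ = (500, 1000, 1500)
MAX_CORES = 8       # available processing resources (assumed)
MAX_POWER_W = 10.0  # platform power budget (assumed)

Design = Tuple[int, str, int]
Objectives = Tuple[float, float, float]

def feasible(x: Design) -> bool:
    """Constraints on the decision variables: x must lie in the feasible set."""
    n, ctype, f = x
    peak_power = n * CORE_TYPES[ctype]["power"] * (f / 1000.0)
    return n <= MAX_CORES and peak_power <= MAX_POWER_W

def fitness(x: Design) -> Objectives:
    """Combined fitness f(x) = (f1, f2, f3) = (latency, energy, cost); all minimized."""
    n, ctype, f = x
    c = CORE_TYPES[ctype]
    s = f / 1000.0               # relative clock
    parallel = min(n, 4)         # assumed workload only scales to 4 cores
    latency = 1000.0 / (c["speed"] * parallel * s)
    energy = latency * n * c["power"] * s ** 2   # idle cores still draw power
    cost = n * c["price"]
    return (round(latency, 3), round(energy, 3), round(cost, 3))

def dominates(ya: Objectives, yb: Objectives) -> bool:
    """ya dominates yb: no worse in every objective and strictly better in at least one."""
    return all(a <= b for a, b in zip(ya, yb)) and any(a < b for a, b in zip(ya, yb))

def pareto_front(points: Dict[Design, Objectives]) -> Dict[Design, Objectives]:
    """Subset of the evaluated points that no other evaluated point dominates."""
    return {x: y for x, y in points.items()
            if not any(dominates(y2, y) for x2, y2 in points.items() if x2 != x)}

ALL_FEASIBLE: List[Design] = [x for x in product(N_CORES, CORE_TYPES, FREQS_MHZ) if feasible(x)]

def exhaustive_dse() -> Dict[Design, Objectives]:
    """Exact method: evaluate every feasible design point, then take the front."""
    return pareto_front({x: fitness(x) for x in ALL_FEASIBLE})

def heuristic_dse(budget: int, seed: int = 1) -> Dict[Design, Objectives]:
    """Meta-heuristic stand-in: a tiny evolutionary search that performs at most
    `budget` fitness evaluations, mutating parents drawn from the current front."""
    rng = random.Random(seed)
    budget = min(budget, len(ALL_FEASIBLE))
    evaluated: Dict[Design, Objectives] = {}

    def random_design() -> Design:
        return (rng.choice(N_CORES), rng.choice(list(CORE_TYPES)), rng.choice(FREQS_MHZ))

    def mutate(x: Design) -> Design:
        n, ctype, f = x
        k = rng.randrange(3)          # change exactly one decision variable
        if k == 0:
            n = rng.choice(N_CORES)
        elif k == 1:
            ctype = rng.choice(list(CORE_TYPES))
        else:
            f = rng.choice(FREQS_MHZ)
        return (n, ctype, f)

    def evaluate(x: Design) -> None:
        if feasible(x) and x not in evaluated:   # infeasible points are never scored
            evaluated[x] = fitness(x)

    while len(evaluated) < min(4, budget):       # random initial population
        evaluate(random_design())
    while len(evaluated) < budget:               # offspring of non-dominated parents only
        evaluate(mutate(rng.choice(list(pareto_front(evaluated)))))
    return pareto_front(evaluated)

def missed_by_heuristic(budget: int, seed: int = 1) -> set:
    """Globally Pareto-optimal designs that the budget-limited search did not find."""
    return set(exhaustive_dse()) - set(heuristic_dse(budget, seed))

if __name__ == "__main__":
    for x, y in sorted(exhaustive_dse().items(), key=lambda kv: kv[1][2]):
        print(x, "-> latency %.1f  energy %.1f  cost %.1f" % y)
    print("global-front designs missed with 10 evaluations:", missed_by_heuristic(10))
```

Two details are worth noting. Dominance is computed on the objective vectors, not on the decision variables, which is why `dominates` takes fitness tuples; and with these constructed models every 8-core configuration is dominated by a 4-core one with the same core type and clock (same latency, no more energy, lower cost), so the exhaustive front contains all other feasible designs. Raising the budget of `heuristic_dse` to the size of the feasible set makes it evaluate every point and reproduce the exact front, while a small budget typically leaves some global-front designs unvisited, which is the "no guarantee of the global optimum" caveat from the text made concrete.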

In this paper, we focus on the fitness evaluation aspect of DSE. More specifically, we argue that while there are well-established techniques and metrics for the fitness evaluation of traditional design objectives such as performance, power/energy consumption, cost, and reliability, this is not the case for evaluating the fitness of design instances in terms of how secure they are. This lack of security fitness evaluation methods and metrics inhibits the use of system security as a first-class citizen in the process of early design-space exploration of embedded systems. As was indicated before, such design practice leads to suboptimal products because any security measures that may be taken later in the design process do affect the already established trade-offs with respect to the other extra-functional properties of the system like performance, power/energy consumption, cost, and so forth.

In the next section, we will therefore argue for the development of a security-aware DSE approach, based on a multifaceted, scoring-based security quantification methodology. This methodology allows for quantifying the degree of secureness of design instances such that these can be incorporated in the DSE’s multi-objective optimization process. Eventually, once such a security-aware DSE would have been implemented, it would allow for optimization of security aspects of embedded systems in their earliest design phases as well as for studying the trade-offs between security and the other design objectives like performance, power consumption and cost. Evidently, such technology would provide a substantial competitive advantage in the embedded systems industry.