1 / 29

Updating RT Embedded Software in the Field

Updating RT Embedded Software in the Field. Lui Sha Real Time Systems Laboratory Department of CS, UIUC lrs@cs.uiuc.edu October, 2002. RT embedded systems have a long life span. How to develop real time systems that can: be easily changed in the field, even on the fly?

minnie
Télécharger la présentation

Updating RT Embedded Software in the Field

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Updating RT Embedded Software in the Field Lui Sha Real Time Systems Laboratory Department of CS, UIUC lrs@cs.uiuc.edu October, 2002 lrs@cs.uiuc.edu

  2. RT embedded systems have a long life span. How to develop real time systems that can: • be easily changed in the field, even on the fly? • maintain stability and controllability in spite of • arbitrary errors in the new software? • malicious attack by insiders disguised as upgrades? lrs@cs.uiuc.edu

  3. Win98/NT Win98/NT * important * important * important * important * important * important * important * important * important * important * important * important * important * important * important * important * important * important * important * important * important * important * important * important A/V Streams LynxOS Simplex annotated, pre-recorded presentation (e.g. HTML) (in case of communication failures) A/V Streams Win98/NT : Telelab Screen Shot Interactive Demo on the Web http://www-rtsl.cs.uiuc.edu/ click project, click drii, click telelab download lrs@cs.uiuc.edu

  4. Some Initial Application Interest • . “By providing protection from faults, Simplex enables such functionality to be applied on a mission. … Joint Strike Fighter (JSF)—the JSF mission software architecture builds on the architectural principles developed under the INSERT project” http://www.sei.cmu.edu/pub/documents/99.reports/pdf/news-sei-fall-1999.pdf • “The Space and Naval Warfare Systems Command (SPAWAR) has initiated a process to transition SIMPLEX technology … The technology will be transitioned to the Surface Combatant for the 21st Century (SC21), the Next Generation Carrier (CV(X)), and other Navy systems.” http://www.rl.af.mil/tech/programs/edcs/Accomplishments.html • Currently, DoD’s Open Systems Joint Task Force (OS-JTF) “is extending the Simplex approach for safe insertion of COTS software”. http://www.acq.osd.mil/osjtf/library/library_pilots_5b.html lrs@cs.uiuc.edu

  5. Job 1 is Robust Against Bugs • We shall begin with an investigation on the principle of developing software systems that are robust against bugs. Leaving them alone, bugs may destroy: • Correctness • Performance • Reliability • Security • … • any software property that you care. lrs@cs.uiuc.edu

  6. The Software Reliability Conundrum • If history is any guide, formal methods can only handle software with moderate complexity in the foreseeable future. • How about using software tolerance based on diversity? • But wait. What if the fault tolerance system is itself too complex to verify and have faults? • For example, the Six Western States Blackout incident in US was • triggered by the shorting of 1 power line at Oregon • spread by the flawed “self healing” architecture at the time lrs@cs.uiuc.edu

  7. Complexity, Diversity and Reliability • To build a robust software system that can tolerant arbitrary application software faults, we must understand the relations between software • Complexity: the root cause of software faults • Diversity: a necessary condition for software fault tolerance. • Reliability: a function of complexity and diversity • We shall begin with postulates based self-evident facts lrs@cs.uiuc.edu

  8. Software Development Postulates • We assert that the following postulates self-evident • P1: Complexity Breeds Bugs: Everything else being equal, the more complex the software project is, the harder it is to make it reliable. • P2: All Bugs are Not Equal: You fix a bunch of obvious bugs quickly, but finding and fixing the last few bugs is much harder. • P3: All Budgets are Finite: There is only a finite amount of effort (budget) that we can spend on any project. • How can we model “software complexity”? lrs@cs.uiuc.edu

  9. Logical Complexity • Computational complexity => the number of steps in computation. • Logical complexity => the number of steps in verification. • A program can have different logical and computational complexities. • Bubble-sort: lower logical complexity but higher computational complexity. • Heap sort: the other way around. • Residue logical complexity. A program could have high logical complexity initially. However, if it has been verified and can be used as is, then the residue complexity is zero… lrs@cs.uiuc.edu

  10. The Implications of the 3 Postulates • P1: Complexity Breeds Bugs: For a given mission duration t, the reliability of software decreases as complexity increases. • P2: All Bugs are Not Equal: for a given degree of complexity, the reliability function has a monotonically decreasing rate of improvement with respect to development effort. • P3: Budgets are finite: Diversity is not free. That is, if we go for n version diversity, we must divide the available effort n-ways. • One simple model that satisfies P1, P2 and P3 • Sum of efforts used in diversity = available effort • Reliability function: e ─ k (complexity / effort ) t lrs@cs.uiuc.edu

  11. Diversity, Complexity and Reliability • . 3-version programming 1-version programming A reliable core with 10x complexity reduction Analysis shows that what really counts is not the degree of diversity. Rather it is the existence of a simple and reliable core that can guarantee the stability of the system. This result is also robust against change of model assumptions. --- Using Simplicity to Control Complexity, IEEE Software 7/8, 2001, L. Sha lrs@cs.uiuc.edu

  12. Putting the Principle to Work • Complexity is • The side effect of features and performance • The root cause of software faults • It is kind of like money … a source of many evils but something we cannot live without. • So let’s find a way to control complexity, instead of letting it control our systems. lrs@cs.uiuc.edu

  13. An Example • Once upon a time, there was an exam on sorting programs. Grades are given as follows: • A: Correct and fast: n log (n) in worst case • B: Correct but slow • F: Incorrect • Joe can verify his bubble sort, but has only 50% chance to write Heap Sort correctly. • What is his optimal strategy? lrs@cs.uiuc.edu

  14. Requirement Decomposition • Often, requirements can be decomposed into • Critical (correctness) requirements • Sorting: output numbers in correct order; • TSP: visit every city exactly once • Control: stable and controllable • Performance optimization • Sorting: faster • TSP: shorter path • Control: less time/error/energy • Joe can exploit software he cannot verify safely … Heap Sort Bubble Sort lrs@cs.uiuc.edu

  15. Stability Control • Stability control is a mechanism that ensures that errors are bounded in a way that satisfies the preconditions for the recovery operations. Stability control must be simple or it will be self defeating. • What if the untrusted sorting program alters an item in the input list? • Create a verified simple primitive called “permute” • Untrusted sorting software is not allowed to touch the input list except use the permute primitive. • Enforce the restriction using an object with (only) method “permute” • Under stability control, the untrusted Heap-sort can only produce “out of order” application errors. lrs@cs.uiuc.edu

  16. Stability Control for Control Systems • Having a reliable controller, we identify the recovery region within which the controller can operate successfully. Recovery region is a subset of the states that are admissible with respect to operational constraints • The largest recovery region can be found using LMI. This approach is applicable to any linearizable systems. They cover most of the practical control systems. operational constraints Recovery Region Stability envelope The system under new complex controller must stay within recovery region lrs@cs.uiuc.edu

  17. Simplex Architecture for Control Stability Monitoring Trusted simple and reliable controller Plant Online upgradeable complex controller Data Flow Block Diagram • Simplex architecture for control systems allows the online upgrade of control systems without shutting down the operation. • It also maintains control in spite of arbitrary application errors in the upgrade process. To try an interactive demonstration, see www-drii.cs.uiuc.edu/download. lrs@cs.uiuc.edu

  18. Dynamic Component Replacement Complex feature Rich components Simple & reliable component Application layer Monitoring and switching logic eSimplex middleware Operating System Hardware Runtime Component Replacement Middleware lrs@cs.uiuc.edu

  19. Intrusion Tolerance • An untrusted software may contain not just application level faults or attacks. It may contains attacks aiming at corrupting the system. • Overuse system memory and CPU resources • Corrupt other program’s code or data • Usurp supervisory control privileges • The first two can be handled by • Address space protection via, e.g., process abstraction • Memory and temporal resource restrictions lrs@cs.uiuc.edu

  20. Prevent Untrusted Code Usurping Privileges • To handle the third, we begin with restricting available system calls to memory allocation only, and do not allow the use embedded assembly. • Under above constraints, to usurp privileges one has to violate code safety constraints, e.g., • Jump to data areas to execute data: hidden or synthesized machine codes • Jump to system code areas and run system codes lrs@cs.uiuc.edu

  21. C Code Safety Checks • Due to the large installed base of C, we working with colleagues to define a subset of C, called Control_C, that can be statically checked for safety and expressive enough for control and signal processing. • + { strong-typing } • + { Java-style pointers } • + { region-based heap with only 1 region } • + { “bounded” arrays } • – { system calls except memory allocation } • – {embedded assembly } Code Compiler Analysis GCC Ensure Code Safety without Runtime Checks for Real Time Control Systems, Kowshik, Dhurjati, & Adve, CASE 2002 lrs@cs.uiuc.edu

  22. Technology Integration in eSimplex Middleware Attack on Exec env Development Environment Code Safety Checks appl. Logic Bugs + attacks Appl. Domain Technology Safety Controller + Stability Control Resource Depletion attacks RT Resource Management Middleware lrs@cs.uiuc.edu

  23. UIUC Real Time Systems Lab • How to integrate real time, fault tolerance, compiler and control technologies into a middlleware for real time, fault and intrusion tolerant upgrades in the field? • How can we maximize performance of special purpose streaming applications such as sonar by co-design protocols for cache, bus, CPU and communication? • How to integrate queueing model based feed forward and control theory based feedback to suppress performance variations in distributed command and control networks? • How can we integrate legacy control software components with modern real-time control software components in a way that minimizes the need for recertification? • How to perform quality driven RT communication in wireless sensor networks? • How to handle physical constraints such as heat & power in multi-function phase array radars real time search and tracking? lrs@cs.uiuc.edu

  24. Using Simplicity to Control Complexity The high assurance control subsystem • Application level: well-understood controllers to keep the control software simple. • System software level: certified OS kernels • Hardware level: well-established and fault tolerant hardware • System development: high assurance process, e.g. DO178B • Requirement management: critical properties and essential services. The high performance control subsystem • Application level: advanced control technologies, • System software level: COTS OS and middleware • Hardware level: standard industrial hardware • System development: standard industrial development processes. • Requirement management: features, performance & rapid innovation lrs@cs.uiuc.edu

  25. Intrusion Tolerance • When attacks are disguised as upgrade, it can attack the system by • Malicious control logics: countered by analytically redundant controller and recovery region • Resources depletion attacks: countered by static memory allocation and temporal firewalls from real time schedulers • Corrupt other applications’ code and data: countered by address space protection. • Usurp system management authority: to be discussed next lrs@cs.uiuc.edu

  26. Examples lrs@cs.uiuc.edu

  27. Language & Compiler Support for Security • Current languages are too general (Java, SafeC, PCC, Modula-3+). • Safety requires extensive runtime checks + garbage collection • Control_C: A language for safe, upgradeable, real-time control • C + { strong-typing } • + { Java-style pointers } • + { region-based heap with only 1 region} • + { “bounded” arrays } • – { system calls } lrs@cs.uiuc.edu

  28. State constraints Recovery Region Lyapunov function State Constraints and the switching rule (Lyapunov function) The Stability Bounds • We cannot use the boundary of admissible states as switching rule due to the inertia of the physical plant. • Recovery region is closed with respect to the operations of simple controller. It is Lyapunov function inside the polytope. • The largest recovery region can be found using LMI. lrs@cs.uiuc.edu

  29. killcode Compiler Detection of Violations Stack bottom Attack: Write beyond ends of a buffer or array • Compiler solution: check for array bounds violations (or runtime checks) Attack: Jump to illegal code within data area • Compiler solution: check for jumps to non-label type Attack: Illegal pointer usage corrupts data • Compiler solution: region-based protection with a single region &new + 2 Return add. &new new lrs@cs.uiuc.edu

More Related