*-aware software for cyber physical systems john a. stankovic bp america professor university of...
TRANSCRIPT
*-aware Software for
Cyber Physical Systems
John A. StankovicBP America Professor
University of VirginiaFeb 3, 2012
What is a CPS?What is a CPS?
• Isn’t is just an embedded system?
• Not the main question
• Simply parsing “CPS” -> Many systems are CPS, but that is not the issue
• REALLY INTERESTED IN– New research needed for the next
generation of physical-cyber systems
Confluence of Key AreasConfluence of Key Areas
Real-Time
Control
CostForm FactorSevere ConstraintsSmall ScaleClosed
SchedulingFault ToleranceWired networksLevel of Uncertainty
Noisy C.SensingScaleReal-Time/ActuationOpen
Wireless SensorNetworks
EmbeddedSystems
LinearAdaptiveDistributedDecentralizedOpenHuman Models
ArchitecturePrinciples
What’s NewWhat’s New
• Openness• Scale
– World covered by trillions of sensors
• Systems of systems• Confluence of physical, wireless and
computing• Human (in the loop) Participation
ThemeTheme
• How can we build practical cyber physical systems of the future?
• 3 Critical (Foundational) Issues: must be addressed together
– Robustness– Real-Time– Openness
Foundational PrincipleFoundational Principle
• Scientific and systematic approach for the impact of the physical on the cyber
• Propose:– Physically-aware SW– Validate-aware SW– Privacy/security aware SW
Real-timeaware SW
OpennessOpenness
• Typical embedded systems closed systems design not applicable
• Added value• Systems interact with other systems• Evolve over long time• Physical system itself changes
• High levels of uncertainty: Guarantees
Computing in Physical Systems
Computing in Physical Systems
BodyNetworks
Road and Street Networks
Battlefield Networks
VehicleNetworks
IndustrialNetworks
BuildingNetworks
Environmental Networks Open, Heterogeneous
Wireless Networks withSensors and Actuators
OutlineOutline
• Physically-aware software
• Validate-aware software
• Real-Time-aware software
• Privacy-aware software
Physically Aware: Impact of the Physical
Physically Aware: Impact of the Physical
• For Wireless Communications (things we know)– Noise– Bursts– Fading– Multi-path– Location (on ground)– Interference– Orientation of Antennas– Weather– Obstacles– Energy – Node failures
AsymmetryAsymmetry
AC
D
Bbeacon
data
beacon
data
beacon data
B, C, and D are the same distance from A.Note that this pattern changes over time.
Irregular Range of A
A and B areasymmetric
RoutingRouting
• DSR, LAR: – Path-Reversal
technique
Source A
B Dest.RREQ
RREQ
RREP
RREP
Impact on Path-Reversal Technique
Cyber-Physical DependenciesCyber-Physical Dependencies
• Sensing– Sensor properties – Target Properties– Environmental interference
1. An unmanned plane (UAV) deploys motes
2. Motes establish an sensor network with power management
3.Sensor network detects
vehicles and wakes up the sensor nodes
Zzz...
Energy Efficient Surveillance System
Energy Efficient Surveillance System
Sentry
Tracking Tracking
– Magnetic sensor takes 35 ms to stabilize• affects real-time analysis• affects sleep/wakeup logic
– Target itself might block messages needed for fusion algorithms• Tank blocks messages
Environmental Abstraction Layer
(EAL)
Environmental Abstraction Layer
(EAL)Wireless Communication Sensing and Actuation
InterferenceBurst
Losses
WeakLinks
Fading …Target
Properties
Weather Obstacles
Wake Up
Delays
…
Not HW-SW co-design, but rather Cyber-Physical co-design
Open Q: EnvironmentOpen Q: Environment
• How to model
• How to know we have all the issues covered
• Design Tools
Impact of the Physical on the Cyber
Open Q: CorrectnessOpen Q: Correctness
• What does correctness mean in an open system
Formal MethodsDon’t Address
Validate Aware: Run Time Assurance (RTA)
Validate Aware: Run Time Assurance (RTA)
• Safety Critical• Long Lived• Validated• Re-validated
• Dynamics of Environmental Changes Influence Correctness
See Run Time Assurance paper in IPSN 2010.
RTA GoalsRTA Goals
• Validate and Re-validate that system is still operational (at semantics level)
• Anticipatory RTA– Before problems arise
• Robust to evolutionary changesValidate-aware software
RTA SolutionRTA Solution
• Emulate sensor readings
• Reduce tests to focus on key functionality
• Overlap tests and system operation
• Evolve required tests
Current SolutionsCurrent Solutions
• Prior deployment analysis– Testing– Debugging
• Post mortem analysis– Debugging
• Monitoring low-level components of the system– System health monitoring
Necessary, but not sufficient
RTARTA
• Formally specify application level semantics (of correctness)
• Ability to demonstrate that correctness over time
RTA FrameworkRTA Framework
Formal application model
RTA test specifications
Network database
Test generation
Test execution support
Inputs
RTA framework
Code generation
Model-based SpecificationModel-based Specification
S1
S2
Fire
Smoke alarm
Temp. alarm
Sensor Network Event Description Language (SNEDL)
Smoke
Temperature
>80°C
> 30°C
> x
Test SpecificationTest Specification
//Declare the basic elements of the languageTime T1;Region R1, R2;Event FireEvent;
//Define the elements (time and place)T1=07:00:00, */1/2010; //first day of
monthR1={Room1};R2={Room2};
FireEvent = Fire @ T1;
Code GenerationCode Generation
• Code is automatically generated from the formal model
• Advantages of the token – flow model:– efficiently supports self-testing at run time– it is easy to monitor execution states and
collect running traces– we can easily distinguish between real and
test events
Validate-aware SWValidate-aware SW
• High level spec on “function”
• Runtime SW that targets demonstrating “validation”
• SW design for ease of validation
• Framework – to load, run, display tests
• System: Aware of validation mode
Open Q: Run Time Assurance
Open Q: Run Time Assurance
• Open system evolves
• Validate and re-validate (more than monitoring)– Limit number of tests
• Level of detail
Safety Analysis
Real-Time Aware Real-Time Aware
• Hard deadlines• Hard deadlines and safety critical• Soft deadlines• Time based QoS
• Dynamically changing platform (HW and SW)
DeadlinesDeadlines
• If we have enough late messages within groups we can lose the track– Not straightforward deadline– Tied to redundancy, speed of target
• If messages don’t make it to base station in hard deadline we miss activating “IR camera”
• If we don’t act by Deadline D truck carrying bomb explodes – safety critical
Real-Time SchedulingReal-Time Scheduling
1
2
3
1 2 3
Tasks Deadlines
TIME
Algorithm EDF
SchedulableYes
Order1,2,3
How robust?CF=1
Robust RT Scheduling For Real World CPS
Robust RT Scheduling For Real World CPS
1
2
3
1 2 3
Tasks Deadlines
TIME
Algorithm EDF
SchedulableYes
Order1,2,3
How robust?1.8 CF
(1.8)
Real-Time TechnologyReal-Time Technology
• Three possible approaches– Velocity Monotonic– Exact Characterization
– SW-based Control Theory
Feedback Control
Feedback Control
• Front-End– feedback loops based on real
world control– generate timing
requirements/rates– generally fixed – handed to scheduling algorithm
P1
P2
P3
P4
Scheduling
Alg
FC-EDF Scheduling
PID ControllerService Level
Controller
Admission Controller
EDFScheduler
CPU
FC-EDF
Accepted Tasks
Submitted Tasks
MissRatios MissRatio(t)
CPUo
Completed Tasks
CPUi
Real-Time aware SW
Open Q: ControlOpen Q: Control
• With humans in the loop– New system models
• Robustness (and Sensitivity Analysis)
• New on-line system ID techniques
Interacting (dependency among) Control Loops
Privacy-aware: Fingerprint And Timing-based Snoop attack
Privacy-aware: Fingerprint And Timing-based Snoop attack
Front Door
Living Room
Kitchen
Bathroom
Bedroom #1
Bedroom #2
Adversary
Fingerprint and Timestamp Snooping Device
T1
T2
T3
… …
Timestamps FingerprintsLocations and Sensor Types
?
?
?
…
V. Srinivasan, J. Stankovic, K. Whitehouse, Protecting Your Daily In-Home Activity Information fron a Wireless Snooping Attack, Ubicomp, 2007.
PerformancePerformance
• 8 homes - different floor plans– Each home had 12 to 22 sensors
• 1 week deployments• 1, 2, 3 person homes• Violate Privacy - Techniques Created
– 80-95% accuracy of AR via 4 Tier Inference
• FATS solutions– Reduces accuracy of AR to 0-15%
ADL ADL
• ADLs inferred:– Sleeping, Home Occupancy– Bathroom and Kitchen Visits– Bathroom Activities: Showering,
Toileting, Washing– Kitchen Activities: Cooking
• High level medical information inference possible
• HIPAA requires healthcare providers to protect this information
Adversary
Fingerprint and Timestamp Snooping Device
T1
T2
T3
… …
Timestamps FingerprintsLocations and Sensor Types
?
?
?
…
SolutionsSolutions
• Periodic• Delay messages• Add extra cloaking messages• Eliminate electronic fingerprint
– Potentiometer
• Etc.
Privacy-aware software
Open Q: PrivacyOpen Q: Privacy
• Eavesdropping
• Access to information (in DB)
• Power of inference over time
Opt-in StrategiesPublic Places
SummarySummary
• Robustness – to deal with uncertainties: (major environment and system evolution)
• Real-Time – for dynamic and open systems• Openness – great value, but difficult
• Physically-aware • Validate-aware • Real-Time-aware• Privacy/security-aware
• Diversity – coverage of assumptions
• EAL
*awareCPS-aware