High-assurance software for autonomous ground systems

Transcription

1 High-assurance software for autonomous ground systems Aleksey Nogin HRL Laboratories, LLC December 15, 2016 Acknowledgment: This material is based upon work supported by the United States Air Force and DARPA, under contract number FA C Disclaimer: The views, opinions, and/or findings expressed are those of the author(s) and should not be interpreted as representing the official views or policies of the Department of Defense or the U.S. Government.

2 HACMS Goal: High-Assurance Cyber-Physical Systems The HACMS program is creating technology for the construction of high-assurance cyber-physical systems HACMS utilizes formal methods to create mathematical proofs about properties of software = 5 2 Testing shows the presence, not the absence of bugs -Edsger Dijkstra 1969 Software that does what it is supposed to and nothing else Being able to trust the math rather than needing to trust programmers and testers

3 HACMS Performers are Utilizing a Variety of Techniques Code Synthesis Domain Specific Languages (DSLs) Interactive Theorem Prover as PL CMU, Galois, Kestrel, NICTA, SRI, UPenn Performers CMU, Galois, Kestrel, UPenn Kestrel, NICTA, Princeton, UPenn, HRL s Mixed Assurance Software Toolchain (MAST) for Integration of HACMS Components

4 Applying HACMS to Ground Vehicles Proof-of-Concept Integration and Testing of HACMS Software Components Integration of HACMS Tools and Techniques HACMS implementation of a proof-ofconcept cruise controller Autonomous Mobility Appliqué System

5 Resilient Software for Cyber-Physical Systems Resilience against malicious digital interference WMA file with malformed metadata Get into victim s hands through social engineering Buffer overflow in the media player metadata parser Propagate over CAN buses through other vulnerable ECUs Attacker has the full control of the car. Resilience against malicious physical interference Front Wheels Rear Wheels GPS Images courtesy: WMA Free icon CC BY from CAN bus image CC BY-SA 3.0 from CARTOON DEVIL HEAD by luyzit0 CC BY-ND 3.0 from Engine RPM Engine Noise Gear

6 Control Algorithms Synthesizing High-Assurance Control with KeYmaera X and Spiral KeYmaera X (CMU) + Spiral (SpiralGen) Toolchain The dynamcis + control algorithms yield a hybrid automaton Vehicle Dynamics KeYmaeraX Safety properties of hybrid automata are verified in the KeYmaeraX prover Spiral.c Control and monitoring algorithms are then sent to the Spiral tool, which, via a verified procedure, transforms these into high performance C code We used KeYmaeraX to verify safety properties (e.g., role-over prevention) of control algorithms for autonomous vehicle functionality We integrated Spiral generated C code (e.g., obstacle avoidance) on a car Formally verified high-performance control code is being synthesized from high-level specifications

7 Protecting High-Assurance Control Code with Microkernel / Micro-Hypervisor Microkernel requires a very small trusted code base Most of the services / drivers / etc are in user space Provides provable isolation between partitions Partitions can only affect each other through pre-defined communication channels Only the Gateway can access the CAN hardware Hypervisor capabilities provides virtualization for the legacy OS We are collaborating with two teams that are developing such solutions: Yale CertiKOS (used in passenger car integration, ) CSIRO (formerly NICTA) (Australia) sel4 (using in truck integration, 2015-)

8 Integrating High-Assurance Control Code with other High-Assurance Modules Gateway makes sure only legitimate traffic makes it to and off the box Definition of legitimate may change depending on the state of the vehicle Safety Monitor would alarm if / when vehicle approaches the boundary of its safety envelope Including when it detects that sensor inconsistency or actuator/sensor inconsistency indicates an attack or failure. Control arbiter would transfer control from default controller to highassurance limp home emergency controller when it gets an alarm High-assurance modules make sure the safety requirements would remain satisfied even if the Legacy OS is completely under attacker s control

9 High-Assurance Message Handling Goal: Tool that allows users to automatically generate high-assurance message (de)serializers source code directly from the message definitions, with specifications and proofs auto-generated as well. CAN node specification Points to a.dbc file Compiles with HRL CAN Tool (1) Yes (3) Analyzable Artifacts in the Coq Theorem Prover (2) No Generated C/assembly code + Proofs Fail We are creating similar tools for other protocols (e.g. JAUS used for TCP/IP teleop on AMAS)

10 Proof-of-Concept Demonstration (Aug 15): See HACMS Software Controlling a Car CertiKOS HA Microkernel High-assurance code makes sure: The vehicle speed is known even when some of the sensors are under attack The vehicle can remain within the prescribed safety boundary (the distance to an obstacle related to speed is sufficient to be able to stop) The control is switch to the emergency stop module when the state of the vehicle is too close to the safety boundary

11 Putting it all Together Consistently: Mixed-Assurance Software Toolchain MAST goal enable non-experts to produce mixed assurance software Protect the high-assurance components from being undermined by low- /medium-assurance components Synthesize high-assurance components, particularly glue code Manage the architecture between components, avoid inconsistencies Replace individual components with higher-assurance versions without having to tweak unrelated components manually On track to allow non-experts to have confidence in software they produce

12 Current Focus: Transition We seek to demonstrate by April 2017: It s possible to apply HACMS technology to develop high-assurance software for real vehicles In a reasonable amount of time Without prohibitive performance overhead People other than tool developers themselves can use HACMS tools effectively We are focusing on using other performers tools, rather than just getting high-assurance components created by other people Once experts (e.g., at HRL) have configured and used the tools to create a particular codebase, non-experts (e.g., at TARDEC) can make (small?) changes to high-assurance components while maintaining the assurance level. We can get this technology into TARDEC s hands Both high-assurance software for specific vehicle, and reusable general-purpose components In a way that they can continue building upon without further help from us Full end-to-end functional correctness proofs for the most critical control components are within reach We want to have a clear path for getting there; but not necessarily walk it all the way right now.

13 Questions?