John Backes, Rockwell Collins Dan DaCosta, Rockwell Collins
UxAS on seL4
John Backes, Rockwell Collins
Dan DaCosta, Rockwell Collins

Task/Service Modeling

What is UxAS?
- UxAS: Unmanned Systems Autonomy Services
- A collection of software modules that interconnect to automate mission-level decision making:
  - Task assignment
  - Cooperative control
  - Sensor steering
- Used to conduct experiments and demonstrations of cooperative control and human-machine teaming
- Services are deployed across multiple entities

What would we like to prove about UxAS?
- Safety properties
  - "Services do not throw exceptions"
  - "Services implement their formal specification"
  - "The vehicle stays within a safe flight envelope"
  - "Multiple vehicles maintain safe separation"
- Quality of service properties
  - "Messages are processed and delivered in a timely manner"
- Security properties
  - "Services cannot alter each other's state except through defined channels"
  - "Only trusted commands are executed"
  - "Services do not consume resources not allocated to them"

Problems with the initial UxAS
- Services/Tasks are written in C++: not type safe and difficult to reason about formally
- Services/Tasks are dispatched sporadically, with no bound on inter-arrival time (IAT)
- The whole framework runs on Linux (there are bugs)
- All Services/Tasks run as threads within the same memory space, so one faulty or compromised service can corrupt or starve every other one

Baseline UxAS Architecture
- All Services/Tasks run in an untrusted Linux OS
- All Services/Tasks have equal priority and criticality
(Figure: a single Linux box hosting Route Planner, Assignment Opt, Zyre: External Cooperation, Waypoint Manager, the Point/Line/Area/Overwatch/Persistent ISR tasks, Utilities (Timing, Logging, Conversions, ...) and the Fabric (ZeroMQ, CMASI).)


Possible solutions to fix UxAS
- Change how Services/Tasks are dispatched so that the system is schedulable (the Middleware group did this)
- Prove correctness of all UxAS Services/Tasks (plausible, with significant effort)
- Prove isolation and correctness of the critical tasks so that UxAS can meet a minimal QoS (this is what we worked on)

Key Technologies
- The seL4 microkernel
  - Formally verified microkernel maintained by Data61
  - The proof runs from the Isabelle/HOL specification down to the compiled binary
  - Provides formally proven isolation between components
  - Can be used as a hypervisor to host a guest OS
  - Requires specific x86 or ARM instruction sets
- Isabelle/HOL and AutoCorres
  - Isabelle/HOL is an interactive theorem prover
  - AutoCorres is an Isabelle/HOL extension that provides a framework for reasoning about C programs

Key Technologies (tool chain)
- Architecture Models in AADL, edited in OSATE
- AGREE: behavioral analysis of assume/guarantee contracts, discharged by the Kind/JKind model checkers (Architecture Analysis)
- Resolute: assurance case
- Trusted Build: architecture translation to seL4, eChronos, or the SIM simulator
(Figure: compositional contract example. A system with contract Assumption: Input < 10, Guarantee: Output < 50 is built from three components: one with Assumption: Input < 20, Guarantee: Output < 2*Input; one with Guarantee: Output < Input + 15 (its assumption is not legible on the slide); and one with Assumption: none, Guarantee: Output = Input1 + Input2.)
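As an added illustration of what the assume/guarantee analysis in that figure establishes (example code written for this page, not AGREE's, JKind's or the project's own), the C program below checks the composition using the contracts alone, never the components' implementations. The slide does not show the connections, so the wiring is this example's assumption: the system Input feeds both the "2*Input" component and the "Input + 15" component, and the summing component adds their outputs to produce the system Output. The check is exhaustive over a bounded integer domain; AGREE/JKind discharges the same two obligations symbolically for all values.

```c
#include <stdbool.h>
#include <stdio.h>

/* Contracts as they appear on the slide (integer-valued here for a bounded check). */
static bool first_assume(int in)                { return in < 20; }
static bool first_guar(int in, int out)         { return out < 2 * in; }
static bool second_guar(int in, int out)        { return out < in + 15; } /* slide shows no assumption */
static bool sum_guar(int in1, int in2, int out) { return out == in1 + in2; } /* assumption: none */
static bool system_guar(int out)                { return out < 50; }

enum { COMPOSES = 0, SUBCOMPONENT_ASSUMPTION_VIOLATED = 1, GUARANTEE_NOT_IMPLIED = 2 };

typedef struct {
    int result;                               /* one of the enum values above */
    int input, first_out, second_out, output; /* counterexample, when there is one */
} verdict_t;

/* Compositional check using contracts only. For every integer Input in [lo, system_bound)
   permitted by the system assumption Input < system_bound:
   (1) is each subcomponent's assumption met by what it is connected to, and
   (2) for every subcomponent output the guarantees permit (restricted to `slack`
       integers below each upper bound), does the system guarantee follow?
   Wiring (assumed): Input -> first, Input -> second, sum(first, second) -> Output. */
verdict_t check_composition(int system_bound, int lo, int slack) {
    verdict_t v = { COMPOSES, 0, 0, 0, 0 };
    for (int in = lo; in < system_bound; in++) {
        if (!first_assume(in)) {
            v.result = SUBCOMPONENT_ASSUMPTION_VIOLATED;
            v.input = in;
            return v;
        }
    }
    for (int in = lo; in < system_bound; in++) {
        for (int fo = 2 * in - slack; first_guar(in, fo); fo++) {
            for (int so = in + 15 - slack; second_guar(in, so); so++) {
                int out = fo + so; /* the only value sum_guar permits */
                if (!sum_guar(fo, so, out)) continue;
                if (!system_guar(out)) {
                    v = (verdict_t){ GUARANTEE_NOT_IMPLIED, in, fo, so, out };
                    return v;
                }
            }
        }
    }
    return v;
}

int main(void) {
    const char *names[] = { "composes", "subcomponent assumption violated", "system guarantee not implied" };
    int bounds[] = { 10, 20, 25 }; /* the slide's Input < 10, then two weakened system assumptions */
    for (int i = 0; i < 3; i++) {
        verdict_t v = check_composition(bounds[i], -20, 8);
        printf("Input < %d: %s", bounds[i], names[v.result]);
        if (v.result == GUARANTEE_NOT_IMPLIED)
            printf(" (Input=%d, outputs %d+%d=%d)", v.input, v.first_out, v.second_out, v.output);
        else if (v.result == SUBCOMPONENT_ASSUMPTION_VIOLATED)
            printf(" (Input=%d)", v.input);
        printf("\n");
    }
    return 0;
}
```

With the slide's system assumption (Input < 10) the guarantee Output < 50 follows from the three contracts. Weakening it to Input < 20 keeps every subcomponent assumption satisfied but yields a counterexample (Input = 13 with the two permitted outputs summing to 50), and weakening it to Input < 25 fails earlier, because the first component's own assumption Input < 20 is no longer met. Those are the two kinds of verdict a compositional analysis reports, and the reason the system contract is what gets weakened when a vehicle's operating envelope changes.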

UxAS + seL4 Architecture
- All Services/Tasks run in an untrusted Linux Virtual Machine on top of seL4
- Critical services run as isolated native seL4 Services/Tasks; seL4's isolation proof covers the separation between those native components and the VM, not anything inside the VM
(Figure: the Linux VM hosts Route Planner, Assignment Opt, Zyre: External Cooperation, the Point/Line/Area/Overwatch/Persistent ISR tasks, Utilities (Timing, Logging, Conversions, ...) and the Fabric (ZeroMQ, CMASI); the Waypoint Manager has moved out of the VM and runs natively on seL4.)


AADL Specification
- Component features
- Component instances
- Component connections
- Component configuration

Demonstration
- Launch an attack against UxAS:
  - Kill the UxAS process
  - Exhaust all resources in Linux
  - This simulates a malicious adversary, or a latent bug in a UxAS service
- Demonstrate that the system still maintains minimal QoS:
  - The Waypoint Manager continues to deliver waypoints to the autopilot

Demonstration setup
(Figure: a Mission Computer running seL4 hosts a Linux Virtual Machine (Comm, Plan, Assign, Route Planner, Payload, Asset Manager) and the Waypoint Manager as a native seL4 component; the Waypoint Manager is connected over a serial bus to the FCC (flight control computer).)

Verification of the Waypoint Manager
- The purpose of the Waypoint Manager is to send subsets of the mission's waypoints to the flight control computer
- "Correctness" means:
  - The component never sends more waypoints than the autopilot can handle
  - The component sends the next N waypoints whenever the autopilot reaches waypoint N/2
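The two properties are easier to see against concrete code. The C below is an added example for this page, not the UxAS Waypoint Manager's own source: the autopilot capacity N = 4, the reading of the second property as "arrival at the (N/2)-th waypoint of the current window triggers sending the N waypoints after it", and the 12-waypoint sample mission are all this example's assumptions. The capacity clamp in wm_emit is what discharges the first property; the trigger test in wm_on_reached is the second; and ignoring any reported waypoint that is not in the window the autopilot actually holds is the check a native seL4 component needs because its input arrives from an untrusted VM and an external serial link.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define AP_CAPACITY 4u  /* N: waypoints the autopilot can hold at once (assumed value) */
#define MISSION_MAX 64u

typedef struct {
    uint32_t ids[AP_CAPACITY]; /* the window handed to the flight control computer */
    size_t   count;            /* never exceeds AP_CAPACITY */
} wm_window_t;

typedef struct {
    uint32_t mission[MISSION_MAX]; /* the whole mission, in flight order */
    size_t   mission_len;
    size_t   window_start;         /* mission index of the first waypoint the autopilot holds */
    size_t   window_len;           /* how many waypoints the autopilot currently holds */
} wm_state_t;

/* Hand the autopilot up to AP_CAPACITY waypoints starting at mission index `from`.
   The clamp is what discharges "never more than the autopilot can handle". */
static size_t wm_emit(wm_state_t *s, size_t from, wm_window_t *out) {
    size_t n = 0;
    if (from < s->mission_len) {
        n = s->mission_len - from;
        if (n > AP_CAPACITY) n = AP_CAPACITY;
        memcpy(out->ids, &s->mission[from], n * sizeof out->ids[0]);
    }
    out->count = n;
    s->window_start = from;
    s->window_len = n;
    return n;
}

/* Load a mission and send the first window. Returns the number of waypoints sent. */
size_t wm_init(wm_state_t *s, const uint32_t *mission, size_t len, wm_window_t *out) {
    memset(s, 0, sizeof *s);
    if (len > MISSION_MAX) len = MISSION_MAX;
    memcpy(s->mission, mission, len * sizeof mission[0]);
    s->mission_len = len;
    return wm_emit(s, 0, out);
}

/* The autopilot reports arrival at waypoint `reached`. Returns the number of
   waypoints sent (0 when no new window is due). */
size_t wm_on_reached(wm_state_t *s, uint32_t reached, wm_window_t *out) {
    out->count = 0;
    /* Only ids inside the window the autopilot actually holds are acted on; a stale,
       unknown or spoofed id is ignored rather than allowed to advance the plan. */
    size_t pos = s->window_len;
    for (size_t i = 0; i < s->window_len; i++)
        if (s->mission[s->window_start + i] == reached) { pos = i; break; }
    if (pos == s->window_len) return 0;
    /* Second property: on reaching the (N/2)-th waypoint of the window (1-based),
       send the N waypoints that follow it. */
    if (pos + 1 != AP_CAPACITY / 2) return 0;
    return wm_emit(s, s->window_start + pos + 1, out);
}

/* State invariant a reviewer (or a proof) would check after every step. */
bool wm_invariant(const wm_state_t *s) {
    return s->window_len <= AP_CAPACITY
        && s->window_start + s->window_len <= s->mission_len;
}

/* Scripted flight over a constructed 12-waypoint mission (ids 100..111): the autopilot
   reports every waypoint in order. Returns the total number of waypoints handed to the
   autopilot, or -1 if either property, window continuity, or the invariant is violated. */
int wm_sample_flight(void) {
    uint32_t mission[12];
    for (uint32_t i = 0; i < 12; i++) mission[i] = 100 + i;
    wm_state_t s;
    wm_window_t w;
    int total = (int)wm_init(&s, mission, 12, &w);
    uint32_t expect_next = 100 + (uint32_t)w.count; /* first id not yet sent */
    for (uint32_t reached = 100; reached <= 111; reached++) {
        size_t n = wm_on_reached(&s, reached, &w);
        if (!wm_invariant(&s) || n > AP_CAPACITY) return -1;
        if (n > 0) {
            /* a new window starts at the next target and never skips a waypoint */
            if (w.ids[0] != reached + 1 || w.ids[0] > expect_next) return -1;
            expect_next = w.ids[0] + (uint32_t)n;
            total += (int)n;
        }
    }
    return total;
}

int main(void) {
    int total = wm_sample_flight();
    printf("sample flight: %d waypoints delivered, properties %s\n",
           total, total >= 0 ? "held" : "VIOLATED");
    return total >= 0 ? 0 : 1;
}
```

On the sample mission the manager sends 100..103, then 102..105 on reaching 101, 104..107 on reaching 103, and so on, ending with the two-waypoint window 110..111; every window is at most N long and each starts exactly where the autopilot's next target is, which is the pair of facts the seL4-side verification has to establish for the real component.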

Arguments for Tasks/Services and seL4 (Resolute assurance case)
- Argument purpose:
  - Examine the ability of UxAS to return home, under normal behavior and under failure
  - Provide the rationale and organization for the benefits of seL4
- Decomposed the target UxAS service goal into sub-claims based on the architectural components:
  - Virtual machine (VM) running the tasks
  - Waypoint Manager (WM) running on the seL4 kernel alongside the VM
  - Connection to the autopilot
  - Autopilot running independently
- seL4: a proven microkernel; the tasks and services run in a VM on the microkernel
- Even if the VM crashes, the WM will get you home

Future changes to architecture
(Figure: the same layout as the UxAS + seL4 architecture, with Assignment Opt and Route Planner shown alongside the Waypoint Manager on seL4 as well as in the Linux VM, i.e. further services migrated out of the VM into isolated native seL4 components.)


Questions?
Find links to the project description, code, and other research at: loonwerks.com