*-aware Software for Cyber Physical Systems John A. Stankovic BP America Professor University of Virginia Feb 3, 2012
What is a CPS? Isn’t is just an embedded system? Not the main question Simply parsing “CPS” -> Many systems are CPS, but that is not the issue REALLY INTERESTED IN –New research needed for the next generation of physical-cyber systems
Confluence of Key Areas Real-Time Control Cost Form Factor Severe Constraints Small Scale Closed Scheduling Fault Tolerance Wired networks Level of Uncertainty Noisy C. Sensing Scale Real-Time/Actuation Open Wireless Sensor Networks Embedded Systems Linear Adaptive Distributed Decentralized Open Human Models ArchitecturePrinciples
What’s New Openness Scale –World covered by trillions of sensors Systems of systems Confluence of physical, wireless and computing Human (in the loop) Participation
Theme How can we build practical cyber physical systems of the future? 3 Critical (Foundational) Issues: must be addressed together –Robustness –Real-Time –Openness
Foundational Principle Scientific and systematic approach for the impact of the physical on the cyber Propose: –Physically-aware SW –Validate-aware SW –Privacy/security aware SW Real-time aware SW
“Open” Smart Living Space Eavesdrop Building HVAC
Openness Typical embedded systems closed systems design not applicable Added value Systems interact with other systems Evolve over long time Physical system itself changes High levels of uncertainty: Guarantees
Computing in Physical Systems Body Networks Road and Street Networks Battlefield Networks Vehicle Networks Industrial Networks Building Networks Environmental Networks Open, Heterogeneous Wireless Networks with Sensors and Actuators
Outline Physically-aware software Validate-aware software Real-Time-aware software Privacy-aware software
Physically Aware: Impact of the Physical For Wireless Communications (things we know) –Noise –Bursts –Fading –Multi-path –Location (on ground) –Interference –Orientation of Antennas –Weather –Obstacles –Energy –Node failures
Asymmetry B, C, and D are the same distance from A. Note that this pattern changes over time. Irregular Range of A A and B are asymmetric
Routing DSR, LAR: –Path-Reversal technique Impact on Path-Reversal Technique
Uncertainties -Voids Destination Source VOID Left Hand Rule Physically-aware SW
Cyber-Physical Dependencies Sensing –Sensor properties –Target Properties –Environmental interference
1. An unmanned plane (UAV) deploys motes 2. Motes establish an sensor network with power management 3.Sensor network detects vehicles and wakes up the sensor nodes Zzz... Energy Efficient Surveillance System Sentry
Tracking –Magnetic sensor takes 35 ms to stabilize affects real-time analysis affects sleep/wakeup logic –Target itself might block messages needed for fusion algorithms Tank blocks messages
Environmental Abstraction Layer (EAL) Wireless CommunicationSensing and Actuation Interference Burst Losses Weak Links Fading … Target Properties WeatherObstacles Wake Up Delays … Not HW-SW co-design, but rather Cyber-Physical co-design
Open Q: Environment How to model How to know we have all the issues covered Design Tools Impact of the Physical on the Cyber
Open Q: Correctness What does correctness mean in an open system Formal Methods Don’t Address
Validate Aware: Run Time Assurance (RTA) Safety Critical Long Lived Validated Re-validated Dynamics of Environmental Changes Influence Correctness See Run Time Assurance paper in IPSN 2010.
RTA Goals Validate and Re-validate that system is still operational (at semantics level) Anticipatory RTA –Before problems arise Robust to evolutionary changes Validate-aware software
RTA Solution Emulate sensor readings Reduce tests to focus on key functionality Overlap tests and system operation Evolve required tests
Current Solutions Prior deployment analysis –Testing –Debugging Post mortem analysis –Debugging Monitoring low-level components of the system –System health monitoring Necessary, but not sufficient
RTA Formally specify application level semantics (of correctness) Ability to demonstrate that correctness over time
RTA Framework Inputs RTA framework
Model-based Specification Sensor Network Event Description Language (SNEDL) Smoke Temperature >80°C > 30°C > x
Test Specification //Declare the basic elements of the language Time T1; Region R1, R2; Event FireEvent; //Define the elements (time and place) T1=07:00:00, */1/2010; //first day of month R1={Room1}; R2={Room2}; FireEvent = T1;
Token Flow Smoke Temperature >80°C >30°C > x
Code Generation Code is automatically generated from the formal model Advantages of the token – flow model: –efficiently supports self-testing at run time –it is easy to monitor execution states and collect running traces –we can easily distinguish between real and test events
Validate-aware SW High level spec on “function” Runtime SW that targets demonstrating “validation” SW design for ease of validation Framework – to load, run, display tests System: Aware of validation mode
Open Q: Run Time Assurance Open system evolves Validate and re-validate (more than monitoring) –Limit number of tests Level of detail Safety Analysis
Real-Time Aware Hard deadlines Hard deadlines and safety critical Soft deadlines Time based QoS Dynamically changing platform (HW and SW)
Example: Group Management (Tracking) Base Station
Deadlines If we have enough late messages within groups we can lose the track –Not straightforward deadline –Tied to redundancy, speed of target If messages don’t make it to base station in hard deadline we miss activating “IR camera” If we don’t act by Deadline D truck carrying bomb explodes – safety critical
Real-Time Scheduling TasksDeadlines TIME Algorithm EDF Schedulable Yes Order 1,2,3 How robust? CF=1
Robust RT Scheduling For Real World CPS TasksDeadlines TIME Algorithm EDF Schedulable Yes Order 1,2,3 How robust? 1.8 CF (1.8)
Real-Time Technology Three possible approaches –Velocity Monotonic –Exact Characterization –SW-based Control Theory
Feedback Control Front-End –feedback loops based on real world control –generate timing requirements/rates –generally fixed –handed to scheduling algorithm P1 P2 P3 P4 SchedulingAlgSchedulingAlg
FC-EDF Scheduling PID Controller Service Level Controller Admission Controller EDF Scheduler CPU FC-EDF Accepted Tasks Submitted Tasks MissRatio s MissRatio(t) CPU o Completed Tasks CPU i Real-Time aware SW
Open Q: Control With humans in the loop –New system models Robustness (and Sensitivity Analysis) New on-line system ID techniques Interacting (dependency among) Control Loops
Privacy-aware: Fingerprint And Timing-based Snoop attack Front Door Living Room Kitchen Bathroom Bedroom #1 Bedroom #2 Adversary Fingerprint and Timestamp Snooping Device T1 T2 T3 … … TimestampsFingerprints Locations and Sensor Types ? ? ? … V. Srinivasan, J. Stankovic, K. Whitehouse, Protecting Your Daily In-Home Activity Information fron a Wireless Snooping Attack, Ubicomp, 2007.
Performance 8 homes - different floor plans –Each home had 12 to 22 sensors 1 week deployments 1, 2, 3 person homes Violate Privacy - Techniques Created –80-95% accuracy of AR via 4 Tier Inference FATS solutions –Reduces accuracy of AR to 0-15%
ADL ADLs inferred: –Sleeping, Home Occupancy –Bathroom and Kitchen Visits –Bathroom Activities: Showering, Toileting, Washing –Kitchen Activities: Cooking High level medical information inference possible HIPAA requires healthcare providers to protect this information Adversary Fingerprint and Timestamp Snooping Device T1 T2 T3 … … TimestampsFingerprints Locations and Sensor Types ???…???…
Solutions Periodic Delay messages Add extra cloaking messages Eliminate electronic fingerprint –Potentiometer Etc. Privacy-aware software
Open Q: Privacy Eavesdropping Access to information (in DB) Power of inference over time Opt-in Strategies Public Places
Summary Robustness – to deal with uncertainties: (major environment and system evolution) Real-Time – for dynamic and open systems Openness – great value, but difficult Physically-aware Validate-aware Real-Time-aware Privacy/security-aware Diversity – coverage of assumptions EAL *aware CPS-aware