1 Trustworthy Operation within Infrastructure-less Networked Embedded Systems William M. Merrill Sensoria Corporation Control-Theoretic Approaches for Dynamic Information Assurance Working Meeting University of California, Berkeley, CA February 5, 2003

2 Networked Embedded Systems Evolution Past: Embedded Platforms –Typically single process, fixed functionality –Limited collaboration with a fixed infrastructure Future: Networked Embedded Platforms –Enabler: Moore’s Law progress –Complex, high performance platforms –Diverse networking and field reconfigurability –Distributed, autonomous, and complex collaboration –Operating within enemy controlled areas New DoD challenges include –Next Generation Unattended Tactical Ground Sensors –Robotic Vehicles: UAV, UGVs, FCS… –Next Generation Autonomous Munitions: Self Healing Minefield

3 Dynamic Networked Embedded Systems Embedded Systems often provide dynamic connectivity –Often lack connection to an external infrastructure Any connections may be transient, unsecured, and/or non-existent Scale and application may require complete autonomy –Wireless Connections to local peers may fluctuate Mobile nodes –Peer-to-peer mobile ad-hoc networks (MANETs) Even static wireless links may change –Embedded nodes fail, are duty-cycled, or new nodes are added

4 Lack of an Energy Infrastructure In Remotely deployed, and wireless system the lack of an energy infrastructure dictates capability –Battery operation: limited volume and weight –Solar or energy scavenging: limited energy budget Processing is more energy efficient than communication –Where possible computation should be done locally –Communication as the highest energy burden –>R -2 propagation loss dictates links with multiple hops save energy R multihop direct

5 Self Healing Minefield as an Example The Self Healing Minefield (SHM) provides an example of dynamic embedded application, requiring information assurance –Planned as an autonomous system Default operational status requires no user intervention In addition must support an external query and control capability –Complex embedded system Power and size constrained –Must operate in a dynamic environment Nodes may appear/disappear at any time SHM used to illustrate considerations for information assurance in networked embedded systems

6 Dr. Tom Altshuler Program Manager

7

8 SHM Dynamic System Electromagnetics Acoustic Ranging Analog Sensor Interfaces Inertial Sensing Self-Assembled Networking Signal Processing Complex Distributed Computing Cooperative Ranging, Breach Detection Low Energy Systems Wireless Systems Healing Mobility

9 SHM Node Networked Embedded System –Volcano Mine (120 mm) –Hardware 32 bit superscalar processor 300 MIPS / 1.1 GFLOPS Wireless Acoustics Sensors Rocket motor systems (8) –Software Linux 2.4 kernel Distributed systems Over 200 simultaneous processes Fort Leonard Wood, Missouri

10 Network Status Geolocation Status Mapping Breach Detection Healing 1m grid

11 Mines Selected Mines Disabled

12 Autonomous Healing

13

14 SHM Robustness Within the system multiple redundancies are in place to increase robustness –Soft-state software approach enables fault tolerance Periodically update information even if not requested Enable processes to operate off the latest information with or without requesting new information Processes can communicate via language independent device file interfaces screening process interdependence –All nodes are redundant have the same capabilities Designed for a statistical response to a passing tank However previous development focus was on inadvertent information corruption not adverse attacks

15 Example Vulnerabilities of SHM Autonomous network self-assembly –Support the appearance and disappearance of nodes, complicating verification –Continuous connect/disconnect events Unique wireless networking issues for networked embedded systems –High loss propagation environment –Multihop network required, with possible high latency –Physical environment leads to intermittent, unpredictable operation –Variable availability, bandwidth, and latency –Communication limited by energy constraints Conventional authentication methods carry excessive payload –Physical layer jamming can impact: RF communications Acoustic ranging Operation dependent on cooperative behavior –Vulnerable to spoofing and/or DoS attacks External control and query capability desired –Users wish to clear a breach for friendly forces or collect status data Nodes operate in region controlled by opponent

16 Trustworthy Operation within SHM To operate effectively each node needs to measure the reliability of and define appropriate information needed To explore the vulnerabilities the current capabilities of the system must be quantified –SHM Software emulator allows evaluation of system performance Operate multiple software stack on a desktop environments Enables exploration of software vulnerabilities –Every vulnerability can not be determined but general guidelines can be developed to establish trust metrics Trust currently pre-determined –Installed at deployment Currently demonstration nodes trust anyone and any node with the capability to communicate with them Trust must evolve through experience –Enables dynamic evolution from a starting point –Requires metrics to measure trust

17 SHM Observability definitions for IA & S What do the nodes need to monitor and measure to support their application –Must monitor their and their neighbors capability to respond to an enemy tank Currently detected through periodic heartbeat packets including the processes operating on each node Monitor neighbors status to detect a “breach” in the field Monitor orientation and tamper status Maintain synchronization with neighbors to enable geolocation –May be utilized to coordinate response to a trust failure Monitor own and neighbors energy remaining –Or as power saving is added neighbors Monitor magnetic sensors to detect a passing tank –Each node monitors its operational processes Watch communication, processing, and memory usage

18 SHM Adaptability for IA & S How can nodes adapt to increase system survivability and information assurance –Local network can reform due to changing links Currently adapt if nodes appear or disappear May route around untrusted locations, nodes Network provides multiple redundant paths between most nodes –Nodes may collaborate to build or deny trust Multi-hop networks provide multiple redundant paths between nodes Each node monitoring its neighbors continuously May warn external users if detect errant nodes Increase or adapt security measures between trusted nodes –Redundant operation at multiple levels Each node includes the same capabilities System designed for graceful degradation

19 Summary New and fundamental tradeoffs –Energy, latency, bandwidth, payload, constraints –Increasing complexity –Unpredictable connectivity –Direct conflicts with conventional approaches –May not rely on an external infrastructure Dynamic Networked Embedded Systems –Self-Organization and Healing –Dynamic Operations –Management and Control –Reconfigurability –Energy Self-Healing Minefield offers an example embedded system requiring a high level of operational trust