RV-ECU: Certifiable Runtime Verification for Automobiles Grigore Rosu

Slides:

Advertisements

Similar presentations

Automotive Embedded System Development in AUTOSAR

Advertisements

h Protection from cyber attacks is achieved by acting on several levels: first, at the physical and material, placing the server in a place as safe as.

Understand and appreciate Object Oriented Programming (OOP) Objects are self-contained modules or subroutines that contain data as well as the functions.

Chapter 2: Software Process

A Survey of Runtime Verification Jonathan Amir 2004.

CS 325: Software Engineering January 13, 2015 Introduction Defining Software Engineering SWE vs. CS Software Life-Cycle Software Processes Waterfall Process.

©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 24 Slide 1 Critical Systems Validation 2.

/ PSWLAB Efficient Decentralized Monitoring of Safety in Distributed System K Sen, A Vardhan, G Agha, G Rosu 20 th July 2007 Presented by.

Car Hacking Patrick, James, Penny.

©Centre for Development of Advanced Computing 1 State e-governance Service Delivery Gateway (SSDG)‏ A Messaging Middleware for.

1 Certification Chapter 14, Storey. 2 Topics  What is certification?  Various forms of certification  The process of system certification (the planning.

Security in By: Abdulelah Algosaibi Supervised by: Prof. Michael Rothstein Summer II 2010: CS 6/79995 Operating System Security.

PGP An example of Public Key Encryption software.

Slide 7B.1 Copyright © 2004 by The McGraw-Hill Companies, Inc. All rights reserved. An Introduction to Object-Oriented Systems Analysis and Design with.

Creating a Secured and Trusted Information Sphere in Different Markets Giuseppe Contino.

(c) 2007 Mauro Pezzè & Michal Young Ch 1, slide 1 Software Test and Analysis in a Nutshell.

REMOTE CONTROL CARS Jonathan Chandler CSCE April 21, 2011.

Department of Computer Science & Engineering College of Engineering Dr. Betty H.C. Cheng, Laura A. Campbell, Sascha Konrad The demand for distributed real-time.

Principle of Functional Verification Chapter 1~3 Presenter : Fu-Ching Yang.

Error Checking continued. Network Layers in Action Each layer in the OSI Model will add header information that pertains to that specific protocol. On.

Quality Assurance. Function Quality program Quality Assurance –Covers everything from raw materials and GMP verification through finished-product release.

Introduction to Software Testing

Top Tactics for Maximizing GMP Compliance in Blue Mountain RAM Jake Jacanin, Regional Sales Manager September 18, 2013.

Copyrighted material John Tullis 8/13/2015 page 1 Blaze Software John Tullis DePaul Instructor

Chapter 5 Application Software.

Caleb Walter. iPhone style charger Malware channel Exploit Vehicle CAN network Create Covert Channel at Public Charging Stations Custom Arduino CAN EVSE.

Software Dependability CIS 376 Bruce R. Maxim UM-Dearborn.

Expert System Presentation On…. Software Certification for Industry - Verification and Validation Issues in Expert Systems By Anca I. Vermesan Presented.

Object-Oriented Software Engineering Practical Software Development using UML and Java Chapter 1: Software and Software Engineering.

IT in automobile Abon. The name stands for… Automotive open system architecture Japan automotive software platform architecture.

Static and Dynamic Analysis at JPL Klaus Havelund.

© Andrew IrelandDependable Systems Group ITI Techmedia and Technology Transfer Andrew Ireland Dependable Systems Group School of Mathematical & Computer.

1 CAR 1 st Dec Core-group on Automotive R&D (CAR) Ministry of Science & Technology, Govt. of India. Constituted by Dr.R. Chidambaram,

Object-Oriented Software Engineering Practical Software Development using UML and Java Chapter 1: Software and Software Engineering.

Composing Adaptive Software Authors Philip K. McKinley, Seyed Masoud Sadjadi, Eric P. Kasten, Betty H.C. Cheng Presented by Ana Rodriguez June 21, 2006.

1 New Development Techniques: New Challenges for Verification and Validation Mats Heimdahl Critical Systems Research Group Department of Computer Science.

Advancements in Automotive Electronics JORDAN YANDEAU.

© Paradigm Publishing Inc. 5-1 Chapter 5 Application Software.

Formal Methods in Software Engineering

SD3049 Formal Methods. Formal Methods Module Leader Dr Aaron Kans

Handling Mixed-Criticality in SoC- based Real-Time Embedded Systems Rodolfo Pellizzoni, Patrick Meredith, Min-Young Nam, Mu Sun, Marco Caccamo, Lui Sha.

Intelligent Systems Software Assurance Symposium 2004 Bojan Cukic & Yan Liu, Robyn Lutz & Stacy Nelson, Chris Rouff, Johann Schumann, Margaret Smith July.

Graciela Saunders.  Introduction / Review  Challenges to Embedded Security  Approaches to Embedded Security  Security Analysis & Attack Taxonomy 

High Confidence Software and Systems HCMDSS Workshop Brad Martin June 2, 2005.

Static WCET Analysis vs. Measurement: What is the Right Way to Assess Real-Time Task Timing? Worst Case Execution Time Prediction by Static Program Analysis.

Software Quality Assurance SOFTWARE DEFECT. Defect Repair Defect Repair is a process of repairing the defective part or replacing it, as needed. For example,

CrossCheckSimulation Results Conclusions References Model Instrumentation Modeling with CUTS Property Specification SPRUCE Challenge Problem Checking Model.

This is an introduction to Soft Assess – an assessment software solution for FET colleges, and schools.

SEA Side – Extreme Programming 1 SEA Side Software Engineering Annotations Architectural Patterns Professor Sara Stoecklin Director of Software Engineering-

Grigore Rosu Founder, President and CEO Professor of Computer Science, University of Illinois

Technology and Products

High Assurance Products in IT Security Rayford B. Vaughn, Mississippi State University Presented by: Nithin Premachandran.

MBSE with Specificity - A Paradigm Shift in System Engineering These Document Markings apply to all pages of this document SECURITY CLASSIFICATION: UNCLASSIFIED.

Technologietag Baugruppentest ISO – Funktionale Sicherheit mit dem TestStand Toolkit Daniel Riedelbauch Marketing Manager CER, National Instruments.

T.Russell Shields, Co-Chair, Collaboration on ITS Communication Standards Martin Adolph, Programme Coordinator, ITU ITU activities on secure vehicle software.

KPIT Cummins Confidential - Version 1.0 On- board Diagnostics OBD – II Experience 1.

Operating systems depend on device drivers to communicate with attached hardware. A device driver is a collection of subroutines written in a low-level.

AUTOMOBILE CYBER SECURITY David McPeak. EVOLUTION IN DESIGN/TECHNOLOGY.

Chapter 18 Maintaining Information Systems

runtime verification Brief Overview Grigore Rosu

Efficient Decentralized Monitoring of Safety in Distributed Systems

Koushik Sen Abhay Vardhan Gul Agha Grigore Rosu

Introduction to Software Testing

RV-ECU: Maximum Assurance In-Vehicle Safety Monitoring

Datary Search Engine Allows Users to Update Data Automatically, Synchronized from its Source, to Any Microsoft Office 365 Files and Power BI Dashboards.

Software Engineering for Safety: a Roadmap

Process Modeling Tool (PMT) Very Short Overview

Presentation transcript:

RV-ECU: Certifiable Runtime Verification for Automobiles Grigore Rosu https://runtimeverification.com RV-ECU: Certifiable Runtime Verification for Automobiles Grigore Rosu President and CEO at Runtime Verification, Inc. Professor of Computer Science at the University of Illinois at Urbana-Champaign

Why Bother? NSF (Phase I) and NASA (Phase II) SBIR grants Want to be sure technology is useful before developing it What you can get from it Reduce or avoid car recalls Safety requirements not violated, dynamically updatable Even if car is hacked (no distinction between hacked or malfunctioning ECU) Easier compliance to ISO 26262 for safety Safety monitors generated automatically (provably correct) Enhanced communication between OEMs and suppliers Formal safety specifications will be required and shared Easier, better, faster testing Separation of major concerns: safety versus functionality

Background Modern automobiles highly computerized, including dozens of Electronic Control Units (ECUs) communicating over the CAN bus

The Importance of Recall Recall is the most important unsolved problem in automotive Recalls are costly ($2B+) and bad for business, and software related recalls are (increasingly) common

Software Complexity Trends More ECUs, more money on electronics, more features, more code Source: "Automotive Embedded Software Verification and Validation Strategies", Shankar Akella, Emmeskay Advanced Technology Solutions

ISO 26262 Reshapes Safety ISO 26262 changing the face of automotive: first functional safety standard, in response to growing software complexity trends Both OEMs and suppliers scrambling for compliance

Problem Current state-of-the-art not ideal Formal safety requirements not available OEMs blame suppliers, suppliers blame OEMs ECUs developed by suppliers; code not available Poor CAN bus architecture Any ECU can send messages to any other ECU ECU sent messages cannot be stopped

Proposal RV- RV-ECU: in charge of monitoring global safety Local monitors RV-ECU: in charge of monitoring global safety Provably correct (both monitoring and recovery code) ECUs locally monitored Their critical CAN bus messages “approved” by local monitors Local monitors communicate with RV-ECU Local monitors achieved by instrumentation or API RV- Global monitor

Local vs. Global (RV-ECU) Monitor Usual ECU Code ECU RV-ECU Local monitor CAN Bus All monitoring code (red) generated automatically from safety requirements; recovery code verified Certifiably correct (checkable proofs also generated) Local monitors added through instrumentation (automatically) or provided API, and can Prevent ECU from sending wrong messages Consult with RV-ECU to assure global safety Add authentication

Example Informal requirements Formal requirements Monitor for each d Safe door lock Doors should always open only if they were unlocked in the past and not locked since then; at violation, close door. …(hundreds of these)  d : always (Open(d) implies not Lock since UnLock) @violation : Close(d) Formalize requirements (by domain experts, using various formalisms; here an interval logic) Automatically generated Monitor for each d // One such monitor instance // in RV-ECU for each door d State: one bit, b b = UnLock || !Lock && b if (Open && !b) then send(Close) Provably correct

Current RV-ECU Progress Prototype RV-ECU on an STM ECU board STM3210C-EVAL Working on a real car (model omitted) controlling wipers, windows, doors soon engine and brakes For the time being, local monitors intended to be as simple as just requesting acknowledgements for messages to be sent on the bus from RV-ECU So RV-ECU does all monitoring, but local monitors ensure that safety violating messages are not sent

Wrap Up Certifiable runtime monitoring code generation Technology developed at the University of Illinois over a period of more than 12 years, funded with more than $6M by NSF, NASA, DARPA, NSA, Boeing Product for increasing safety in cars to be developed in our small company with SBIR funding from NSF, NASA, and research collaborations with automotive companies Main insight: separate safety from functionality and take no chances with safety (use highest assurance known for it!) Practical impact sought: Looking for collaboration, partnership, leverage, matching funding (for our NASA and NSF grants)