*-aware Software for

Cyber Physical Systems

John A. StankovicBP America Professor

University of VirginiaFeb 3, 2012

What is a CPS?What is a CPS?

• Isn’t is just an embedded system?

• Not the main question

• Simply parsing “CPS” -> Many systems are CPS, but that is not the issue

• REALLY INTERESTED IN– New research needed for the next

generation of physical-cyber systems

Confluence of Key AreasConfluence of Key Areas

Real-Time

Control

CostForm FactorSevere ConstraintsSmall ScaleClosed

SchedulingFault ToleranceWired networksLevel of Uncertainty

Noisy C.SensingScaleReal-Time/ActuationOpen

Wireless SensorNetworks

EmbeddedSystems

LinearAdaptiveDistributedDecentralizedOpenHuman Models

ArchitecturePrinciples

What’s NewWhat’s New

• Openness• Scale

– World covered by trillions of sensors

• Systems of systems• Confluence of physical, wireless and

computing• Human (in the loop) Participation

ThemeTheme

• How can we build practical cyber physical systems of the future?

• 3 Critical (Foundational) Issues: must be addressed together

– Robustness– Real-Time– Openness

Foundational PrincipleFoundational Principle

• Scientific and systematic approach for the impact of the physical on the cyber

• Propose:– Physically-aware SW– Validate-aware SW– Privacy/security aware SW

Real-timeaware SW

“Open” Smart Living Space

“Open” Smart Living Space

EavesdropBuilding HVAC

OpennessOpenness

• Typical embedded systems closed systems design not applicable

• Added value• Systems interact with other systems• Evolve over long time• Physical system itself changes

• High levels of uncertainty: Guarantees

Computing in Physical Systems

Computing in Physical Systems

BodyNetworks

Road and Street Networks

Battlefield Networks

VehicleNetworks

IndustrialNetworks

BuildingNetworks

Environmental Networks Open, Heterogeneous

Wireless Networks withSensors and Actuators

OutlineOutline

• Physically-aware software

• Validate-aware software

• Real-Time-aware software

• Privacy-aware software

Physically Aware: Impact of the Physical

Physically Aware: Impact of the Physical

• For Wireless Communications (things we know)– Noise– Bursts– Fading– Multi-path– Location (on ground)– Interference– Orientation of Antennas– Weather– Obstacles– Energy – Node failures

AsymmetryAsymmetry

AC

D

Bbeacon

data

beacon

data

beacon data

B, C, and D are the same distance from A.Note that this pattern changes over time.

Irregular Range of A

A and B areasymmetric

RoutingRouting

• DSR, LAR: – Path-Reversal

technique

Source A

B Dest.RREQ

RREQ

RREP

RREP

Impact on Path-Reversal Technique

Uncertainties -VoidsUncertainties -Voids

Destination

Source

VOID

Left Hand RulePhysically-aware SW

Cyber-Physical DependenciesCyber-Physical Dependencies

• Sensing– Sensor properties – Target Properties– Environmental interference

1. An unmanned plane (UAV) deploys motes

2. Motes establish an sensor network with power management

3.Sensor network detects

vehicles and wakes up the sensor nodes

Zzz...

Energy Efficient Surveillance System

Energy Efficient Surveillance System

Sentry

Tracking Tracking

– Magnetic sensor takes 35 ms to stabilize• affects real-time analysis• affects sleep/wakeup logic

– Target itself might block messages needed for fusion algorithms• Tank blocks messages

Environmental Abstraction Layer

(EAL)

Environmental Abstraction Layer

(EAL)Wireless Communication Sensing and Actuation

InterferenceBurst

Losses

WeakLinks

Fading …Target

Properties

Weather Obstacles

Wake Up

Delays

…

Not HW-SW co-design, but rather Cyber-Physical co-design

Open Q: EnvironmentOpen Q: Environment

• How to model

• How to know we have all the issues covered

• Design Tools

Impact of the Physical on the Cyber

Open Q: CorrectnessOpen Q: Correctness

• What does correctness mean in an open system

Formal MethodsDon’t Address

Validate Aware: Run Time Assurance (RTA)

Validate Aware: Run Time Assurance (RTA)

• Safety Critical• Long Lived• Validated• Re-validated

• Dynamics of Environmental Changes Influence Correctness

See Run Time Assurance paper in IPSN 2010.

RTA GoalsRTA Goals

• Validate and Re-validate that system is still operational (at semantics level)

• Anticipatory RTA– Before problems arise

• Robust to evolutionary changesValidate-aware software

RTA SolutionRTA Solution

• Emulate sensor readings

• Reduce tests to focus on key functionality

• Overlap tests and system operation

• Evolve required tests

Current SolutionsCurrent Solutions

• Prior deployment analysis– Testing– Debugging

• Post mortem analysis– Debugging

• Monitoring low-level components of the system– System health monitoring

Necessary, but not sufficient

RTARTA

• Formally specify application level semantics (of correctness)

• Ability to demonstrate that correctness over time

RTA FrameworkRTA Framework

Formal application model

RTA test specifications

Network database

Test generation

Test execution support

Inputs

RTA framework

Code generation

Model-based SpecificationModel-based Specification

S1

S2

Fire

Smoke alarm

Temp. alarm

Sensor Network Event Description Language (SNEDL)

Smoke

Temperature

>80°C

> 30°C

> x

Test SpecificationTest Specification

//Declare the basic elements of the languageTime T1;Region R1, R2;Event FireEvent;

//Define the elements (time and place)T1=07:00:00, */1/2010; //first day of

monthR1={Room1};R2={Room2};

FireEvent = Fire @ T1;

Token Flow Token Flow

S1

S2

Fire

Smoke alarm

Temp. alarm

Smoke

Temperature

>80°C

>30°C

> x

Code GenerationCode Generation

• Code is automatically generated from the formal model

• Advantages of the token – flow model:– efficiently supports self-testing at run time– it is easy to monitor execution states and

collect running traces– we can easily distinguish between real and

test events

Validate-aware SWValidate-aware SW

• High level spec on “function”

• Runtime SW that targets demonstrating “validation”

• SW design for ease of validation

• Framework – to load, run, display tests

• System: Aware of validation mode

Open Q: Run Time Assurance

Open Q: Run Time Assurance

• Open system evolves

• Validate and re-validate (more than monitoring)– Limit number of tests

• Level of detail

Safety Analysis

Real-Time Aware Real-Time Aware

• Hard deadlines• Hard deadlines and safety critical• Soft deadlines• Time based QoS

• Dynamically changing platform (HW and SW)

Example: Group Management

(Tracking)

Example: Group Management

(Tracking)

Base Station

DeadlinesDeadlines

• If we have enough late messages within groups we can lose the track– Not straightforward deadline– Tied to redundancy, speed of target

• If messages don’t make it to base station in hard deadline we miss activating “IR camera”

• If we don’t act by Deadline D truck carrying bomb explodes – safety critical

Real-Time SchedulingReal-Time Scheduling

1

2

3

1 2 3

Tasks Deadlines

TIME

Algorithm EDF

SchedulableYes

Order1,2,3

How robust?CF=1

Robust RT Scheduling For Real World CPS

Robust RT Scheduling For Real World CPS

1

2

3

1 2 3

Tasks Deadlines

TIME

Algorithm EDF

SchedulableYes

Order1,2,3

How robust?1.8 CF

(1.8)

Real-Time TechnologyReal-Time Technology

• Three possible approaches– Velocity Monotonic– Exact Characterization

– SW-based Control Theory

Feedback Control

Feedback Control

• Front-End– feedback loops based on real

world control– generate timing

requirements/rates– generally fixed – handed to scheduling algorithm

P1

P2

P3

P4

Scheduling

Alg

FC-EDF Scheduling

PID ControllerService Level

Controller

Admission Controller

EDFScheduler

CPU

FC-EDF

Accepted Tasks

Submitted Tasks

MissRatios MissRatio(t)

CPUo

Completed Tasks

CPUi

Real-Time aware SW

Open Q: ControlOpen Q: Control

• With humans in the loop– New system models

• Robustness (and Sensitivity Analysis)

• New on-line system ID techniques

Interacting (dependency among) Control Loops

Privacy-aware: Fingerprint And Timing-based Snoop attack

Privacy-aware: Fingerprint And Timing-based Snoop attack

Front Door

Living Room

Kitchen

Bathroom

Bedroom #1

Bedroom #2

Adversary

Fingerprint and Timestamp Snooping Device

T1

T2

T3

… …

Timestamps FingerprintsLocations and Sensor Types

?

?

?

…

V. Srinivasan, J. Stankovic, K. Whitehouse, Protecting Your Daily In-Home Activity Information fron a Wireless Snooping Attack, Ubicomp, 2007.

PerformancePerformance

• 8 homes - different floor plans– Each home had 12 to 22 sensors

• 1 week deployments• 1, 2, 3 person homes• Violate Privacy - Techniques Created

– 80-95% accuracy of AR via 4 Tier Inference

• FATS solutions– Reduces accuracy of AR to 0-15%

ADL ADL

• ADLs inferred:– Sleeping, Home Occupancy– Bathroom and Kitchen Visits– Bathroom Activities: Showering,

Toileting, Washing– Kitchen Activities: Cooking

• High level medical information inference possible

• HIPAA requires healthcare providers to protect this information

Adversary

Fingerprint and Timestamp Snooping Device

T1

T2

T3

… …

Timestamps FingerprintsLocations and Sensor Types

?

?

?

…

SolutionsSolutions

• Periodic• Delay messages• Add extra cloaking messages• Eliminate electronic fingerprint

– Potentiometer

• Etc.

Privacy-aware software

Open Q: PrivacyOpen Q: Privacy

• Eavesdropping

• Access to information (in DB)

• Power of inference over time

Opt-in StrategiesPublic Places

SummarySummary

• Robustness – to deal with uncertainties: (major environment and system evolution)

• Real-Time – for dynamic and open systems• Openness – great value, but difficult

• Physically-aware • Validate-aware • Real-Time-aware• Privacy/security-aware

• Diversity – coverage of assumptions

• EAL

*awareCPS-aware