SOTER: A Runtime Assurance Framework for Programming Safe Robotics Systems
The recent drive towards achieving greater autonomy and intelligence in
robotics has led to high levels of complexity. Autonomous robots increasingly
depend on third party off-the-shelf components and complex machine-learning
techniques. This trend makes it challenging to provide strong design-time
certification of correct operation.
To address these challenges, we present SOTER, a robotics programming
framework with two key components: (1) a programming language for implementing
and testing high-level reactive robotics software and (2) an integrated runtime
assurance (RTA) system that helps enable the use of uncertified components,
while still providing safety guarantees. SOTER provides language primitives to
declaratively construct a RTA module consisting of an advanced,
high-performance controller (uncertified), a safe, lower-performance controller
(certified), and the desired safety specification. The framework provides a
formal guarantee that a well-formed RTA module always satisfies the safety
specification, without completely sacrificing performance by using higher
performance uncertified components whenever safe. SOTER allows the complex
robotics software stack to be constructed as a composition of RTA modules,
where each uncertified component is protected using a RTA module.
To demonstrate the efficacy of our framework, we consider a real-world
case-study of building a safe drone surveillance system. Our experiments both
in simulation and on actual drones show that the SOTER-enabled RTA ensures the
safety of the system, including when untrusted third-party components have bugs
or deviate from the desired behavior.
Restart-Based Fault-Tolerance: System Design and Schedulability Analysis
Embedded systems in safety-critical environments are continuously required to
deliver more performance and functionality, while expected to provide verified
safety guarantees. Nonetheless, platform-wide software verification (required
for safety) is often expensive. Therefore, design methods that enable
utilization of components such as real-time operating systems (RTOS), without
requiring their correctness to guarantee safety, is necessary.
In this paper, we propose a design approach to deploy safe-by-design embedded
systems. To attain this goal, we rely on a small core of verified software to
handle faults in applications and RTOS and recover from them while ensuring
that timing constraints of safety-critical tasks are always satisfied. Faults
are detected by monitoring the application timing and fault-recovery is
achieved via full platform restart and software reload, enabled by the short
restart time of embedded systems. Schedulability analysis is used to ensure
that the timing constraints of critical plant control tasks are always
satisfied in spite of faults and consequent restarts. We derive schedulability
results for four restart-tolerant task models. We use a simulator to evaluate
and compare the performance of the considered scheduling models.
SOTER on ROS: A Run-Time Assurance Framework on the Robot Operating System
We present an implementation of SOTER, a run-time assurance framework for
building safe distributed mobile robotic (DMR) systems, on top of the Robot
Operating System (ROS). The safety of DMR systems cannot always be guaranteed
at design time, especially when complex, off-the-shelf components are used that
cannot be verified easily. SOTER addresses this by providing a language-based
approach for run-time assurance for DMR systems. SOTER implements the reactive
robotic software using the language P, a domain-specific language designed for
implementing asynchronous event-driven systems, along with an integrated
run-time assurance system that allows programmers to use unfortified components
but still provide safety guarantees. We describe an implementation of SOTER for
ROS and demonstrate its efficacy using a multi-robot surveillance case study,
with multiple run-time assurance modules. Through rigorous simulation, we show
that SOTER enabled systems ensure safety, even when using unknown and untrusted
components.
Comment: 20th International Conference on Runtime Verificatio
A Retrospective Look at the Monitoring and Checking (MaC) Framework
The Monitoring and Checking (MaC) project gave rise to a framework for runtime monitoring with respect to formally specified properties, which later came to be known as runtime verification. The project also built a pioneering runtime verification tool, Java-MaC, that was an instantiation of the approach to check properties of Java programs. In this retrospective, we discuss decisions made in the design of the framework and summarize lessons learned in the course of the project.
A Multi-Agent Systems Approach for Analysis of Stepping Stone Attacks
Stepping stone attacks are one of the most sophisticated cyber-attacks, in which attackers make a chain of compromised hosts to reach a victim target. In this Dissertation, an analytic model with Multi-Agent systems approach has been proposed to analyze the propagation of stepping stones attacks in dynamic vulnerability graphs. Because the vulnerability configuration in a network is inherently dynamic, in this Dissertation a biased min-consensus technique for dynamic graphs with fixed and switching topology is proposed as a distributed technique to calculate the most vulnerable path for stepping stones attacks in dynamic vulnerability graphs. We use min-plus algebra to analyze and provide necessary and sufficient convergence conditions to the shortest path in the fixed topology case. A necessary condition for the switching topology case is provided.
Most cyber-attacks involve an attacker launching a multi-stage attack by exploiting a sequence of hosts. This multi-stage attack generates a chain of "stepping stones" from the origin to target. The choice of stepping stones is a function of the degree of exploitability, the impact, attacker's capability, masking origin location, and intent. In this Dissertation, we model and analyze scenarios wherein an attacker employs multiple strategies to choose stepping stones. The problem is modeled as an Adjacency Quadratic Shortest Path using dynamic vulnerability graphs with multi-agent dynamic system approach. With this approach, the shortest stepping stone path with maximum node degree and the shortest stepping stone path with maximum impact are modeled and analyzed.
Because embedded controllers are omnipresent in networks, in this Dissertation a cyber-attack tolerant control strategy for embedded controllers is proposed as a risk mitigation strategy. A dual redundant control architecture that combines two identical controllers that are switched periodically between active and restart modes is proposed. The strategy is intended to mitigate the impact of the corruption of the controller software by an adversary. We analyze the impact of resetting and restarting the controller software and the performance of the switching process. The minimum requirements in the control design for effective mitigation of cyber-attacks on the control software, which imply a "fast" switching period, are provided. The simulation results demonstrate the effectiveness of the proposed strategy when the time to fully reset and restart the controller is shorter than the time taken by an adversary to compromise the controller. The results also provide insights into the stability and safety regions and the factors that determine the effectiveness of the proposed strategy.
How Useful is Learning in Mitigating Mismatch Between Digital Twins and Physical Systems?
In the control of complex systems, we observe two diametrical trends: model-based control derived from digital twins, and model-free control through AI. There are also attempts to bridge the gap between the two by incorporating learning-based AI algorithms into digital twins to mitigate mismatches between the digital twin model and the physical system. One of the most straightforward approaches to this is direct input adaptation. In this paper, we ask whether it is useful to employ a generic learning algorithm in such a setting, and our conclusion is "not very". We denote an algorithm to be more useful than another algorithm based on three aspects: 1) it requires fewer data samples to reach a desired minimal performance, 2) it achieves better performance for a reasonable number of data samples, and 3) it accumulates less regret. In our evaluation, we randomly sample problems from an industrially relevant geometry assurance context and measure the aforementioned performance indicators of 16 different algorithms. Our conclusion is that black-box optimization algorithms, designed to leverage specific properties of the problem, generally perform better than generic learning algorithms, once again finding that "there is no free lunch".