Techniques for the realization of ultrareliable spaceborne computers Interim scientific report

Error-free ultrareliable spaceborne computer

Advanced software techniques for space shuttle data management systems Final report

Airborne/spaceborn computer design and techniques for space shuttle data management system

A LISP-Ada connection

The prototype demonstrates the feasibility of using Ada for expert systems and the implementation of an expert-friendly interface which supports knowledge entry. In the Ford LISP-Ada Connection (FLAC) system LISP and Ada are used in ways which complement their respective capabilities. Future investigation will concentrate on the enhancement of the expert knowledge entry/debugging interface and on the issues associated with multitasking and real-time expert systems implementation in Ada

Aspect structure of compilers

Compilers are among the most widely-studied pieces of software; and, modularizing these valuable artifacts is a recurring theme in research. However, modularization of cross-cutting concerns in compilers is not yet well explored. Even today, implementation of one compiler concern scatters across and tangles with the implementation of several other concerns, thereby leading to a mismatch between different compiler modules and the operations they represent. Essentially, current compiler implementations fail to explicitly identify the control dependencies of different phases, and separately characterize the actions to execute during those phases. As a result, information about their program-execution path remains non-intuitive: it stays hidden within the program structure and cuts-across several phase implementations. Consequently, this makes compiler designs and artifacts difficult to comprehend, maintain and reuse. Such limitations occur primarily as a result of the inability of mainstream object-oriented languages, such as Java, to organize the cross-cutting concerns into clean modular units. This thesis demonstrates how such modularity-issues in compilers can be addressed with the help of a relatively new, yet powerful programming paradigm called aspect-oriented programming

Fault tolerant architectures for integrated aircraft electronics systems, task 2

The architectural basis for an advanced fault tolerant on-board computer to succeed the current generation of fault tolerant computers is examined. The network error tolerant system architecture is studied with particular attention to intercluster configurations and communication protocols, and to refined reliability estimates. The diagnosis of faults, so that appropriate choices for reconfiguration can be made is discussed. The analysis relates particularly to the recognition of transient faults in a system with tasks at many levels of priority. The demand driven data-flow architecture, which appears to have possible application in fault tolerant systems is described and work investigating the feasibility of automatic generation of aircraft flight control programs from abstract specifications is reported

Ada (trademark) projects at NASA. Runtime environment issues and recommendations

Ada practitioners should use this document to discuss and establish common short term requirements for Ada runtime environments. The major current Ada runtime environment issues are identified through the analysis of some of the Ada efforts at NASA and other research centers. The runtime environment characteristics of major compilers are compared while alternate runtime implementations are reviewed. Modifications and extensions to the Ada Language Reference Manual to address some of these runtime issues are proposed. Three classes of projects focusing on the most critical runtime features of Ada are recommended, including a range of immediately feasible full scale Ada development projects. Also, a list of runtime features and procurement issues is proposed for consideration by the vendors, contractors and the government

Binary Program Integrity Models for Defeating Code-Reuse Attacks

During a cyber-attack, an adversary executes offensive maneuvers to target computer systems. Particularly, an attacker often exploits a vulnerability within a program, hijacks control-flow, and executes malicious code. Data Execution Prevention (DEP), a hardware-enforced security feature, prevents an attacker from directly executing the injected malicious code. Therefore, attackers have resorted to code-reuse attacks, wherein carefully chosen fragments of code within existing code sections of a program are sequentially executed to accomplish malicious logic. Code-reuse attacks are ubiquitous and account for majority of the attacks in the wild. On one hand, due to the wide use of closed-source software, binary-level solutions are essential. On the other hand, without access to source-code and debug-information, defending raw binaries is hard. A majority of defenses against code-reuse attacks enforce control-flow integrity , a program property that requires the runtime execution of a program to adhere to a statically determined control-flow graph (CFG) -- a graph that captures the intended flow of control within the program. While defenses against code-reuse attacks have focused on reducing the attack space, due to the lack of high-level semantics in the binary, they lack in precision, which in turn results in smaller yet significant attack space. This dissertation presents program integrity models aimed at narrowing the attack space available to execute code-reuse attacks. First, we take a semantic-recovery approach to restrict the targets of indirect branches in a binary. Then, we further improve the precision by recovering C++-level semantics, and enforce a strict integrity model that improves precision for virtual function calls in the binary. Finally, in order to further reduce the attack space, we take a different perspective on defense against code-reuse attacks, and introduce Stack-Pointer Integrity -- a novel integrity model targeted at ensuring the integrity of stack pointer as opposed to the instruction pointer. Our results show that the semantic-recovery-based approaches can help in significantly reducing the attack space by improving the precision of the underlying CFG. Function-level semantic recovery can eliminate 99.47% of inaccurate targets, whereas recovering virtual callsites and VTables at a C++ level can eliminate 99.99% of inaccurate targets

Memory safety and untrusted extensions for TinyOS

Journal ArticleSensor network applications should be reliable. However, TinyOS, the dominant sensor net OS, lacks basic building blocks for reliable software systems: memory protection, isolation, and safe termination. These features are typically found in general-purpose operating systems but are believed to be too expensive for tiny embedded systems with a few kilobytes of RAM. We dispel this notion and show that CCured, a safe dialect of C, can be leveraged to provide memory safety for largely unmodified TinyOS applications. We build upon safety to implement two very different environments for TinyOS applications. The first, Safe TinyOS, provides a minimal kernel for safely executing trusted applications. Safe execution traps and identifies bugs that would otherwise have silently corrupted RAM. The second environment, UTOS, implements a user-kernel boundary that supports isolation and safe termination of untrusted code. Existing TinyOS components can often be ported to UTOS with little effort. To create our environments, we substantially augmented the CCured toolchain to emit code that is safe under interrupt-driven concurrency, to reduce storage requirements by compressing error messages, to refactor direct hardware access into calls to trusted helper functions, and to make safe programs more efficient using whole-program optimization. A surprising result of our work is that a safe, optimized TinyOS program can be faster than the original unsafe, unoptimized application

Real-time fault identification for developmental turbine engine testing

Hundreds of individual sensors produce an enormous amount of data during developmental turbine engine testing. The challenge is to ensure the validity of the data and to identify data and engine anomalies in a timely manner. An automated data validation, engine condition monitoring, and fault identification process that emulates typical engineering techniques has been developed for developmental engine testing.An automated data validation and fault identification approach employing enginecycle-matching principles is described. Engine cycle-matching is automated by using an adaptive nonlinear component-level computer model capable of simulating both steady state and transient engine operation. Automated steady-state, transient, and real-time model calibration processes are also described. The model enables automation of traditional data validation, engine condition monitoring, and fault identification procedures. A distributed parallel computing approach enables the entire process to operate in real-time.The result is a capability to detect data and engine anomalies in real-time during developmental engine testing. The approach is shown to be successful in detecting and identifying sensor anomalies as they occur and distinguishing these anomalies from variations in component and overall engine aerothermodynamic performance. The component-level model-based engine performance and fault identification technique of the present research is capable of: identifying measurement errors on the order of 0.5 percent (e.g., sensor bias, drift,level shift, noise, or poor response) in facility fuel flow, airflow, and thrust measurements; identifying measurement errors in engine aerothermodynamic measurements (rotorspeeds, gas path pressures and temperatures); identifying measurement errors in engine control sensors (e.g., leaking/biased pressure sensor, slowly responding pressure measurement) and variable geometry rigging (e.g., misset guide vanes or nozzle area) that would invalidate a test or series of tests; identifying abrupt faults (e.g., faults due to domestic object damage, foreign object damage, and control anomalies); identifying slow faults (e.g., component or overall engine degradation, and sensor drift). Specifically, the technique is capable of identifying small changes in compressor (or fan) performance on the order of 0.5 percent; and being easily extended to diagnose secondary failure modes and to verify any modeling assumptions that may arise for developmental engine tests (e.g., increase in turbine flow capacity, inaccurate measurement of facility bleed flows, horsepower extraction, etc.).The component-level model-based engine performance and fault identification method developed in the present work brings together features which individually and collectively advance the state-of-the-art. These features are separated into three categories: advancements to effectively quantify off-nominal behavior, advancements to provide a fault detection capability that is practical from the viewpoint of the analysis,implementation, tuning, and design, and advancements to provide a real-time fault detection capability that is reliable and efficient