CarRing IV- Real-time Computer Network

Ob in der Automobil-, Avionik- oder Automatisierungstechnik, die Fortschritte in der Echtzeitkommunikation richten sich auf weitere Verbesserungen bereits existierender Lösungen. Im Kfz-Bereich führen die steigenden Zahlen computerbasierter Systeme, Anwendungen und Anschlüsse sowie die Verwendung mehrerer proprietärer Kommunikationsstandards zu einem immer komplexeren Kabelbaum. Ursächlich hierfür sind inkompatible Standards, wodurch nicht nur die Kosten, sondern auch das Gewicht und damit der Kraftstoffverbrauch negativ beeinflusst werden. Im ersten Teil der Dissertation wird das Echtzeitprotokoll von CarRing IV (CRIV) vorgestellt. Es bietet isochrone und harte Echtzeitgarantien, ohne dass eine netzwerkweite Synchronisation erforderlich ist. Mit bis zu 16 Knoten pro Ring kann ein CR-IV-Netz aus bis zu 256 Ringen bestehen, die durch Router miteinander verbunden sind. CR-IV verwendet ein reduziertes OSI-Modell (Schichten 1-3, 7), das für seine Anwendungsbereiche sowohl typisch als auch vorteilhaft ist. Außerdem unterstützt es sowohl ereignis- als auch zeitgesteuerte Kommunikationsparadigmen. Der Transparent-Modus ermöglicht es CR-IV, als Backbone für bestehende Netze zu verwenden, wodurch Inkompatibilitätsprobleme beseitigt werden und der Wechsel zu einer einheitlicheren Netzlösung erleichtert wird. Mit dieser Funktionalität können Nutzergeräte über ein CR-IV-Netz miteinander verbunden werden, ohne dass der Nutzer eingreifen oder etwas ändern muss. Durch Multicast unterstützt CRIV auch die Emulation von Feldbussen. Der zweite Teil der Dissertation stellt den anderen wichtigen Aspekt von CR-IV vor. Alle Schichten des OSI-Modells sind in einem FPGA mit Hardware Description Languages (HDLs) ohne Hard- oder Softprozessoren implementiert. Das Register-Transfer-Level (RTL)-Hardwaredesign von CR-IV wird mit einem neuen Ansatz erstellt, der am besten als tokenbasierter Datenfluss beschrieben werden kann. Der Ansatz ist sowohl vertikal als auch horizontal skalierbar. Er verwendet lose gekoppelte Processing Elements (PEs), die stateless arbeiten, sowie Arbiter/Speicherzuordnungspaare. Durch die granulare Kontrolle und die Aufteilung aller Aspekte einer Lösung eignet sich der Ansatz für die Implementierung anderer Software-Level-Lösungen in Hardware. Viele Testszenarios werden durchgeführt, um die in CR-IV erzielten Ergebnisse zu verdeutlichen und zu überprüfen. Diese Szenarien reichen von direkten Leistungsmessungen bis hin zu verhaltensspezifischen Tests. Zusätzlich wird eine Labor-Demo erstellt, die grundsätzlich auf ein Proof of Concept zielt. Die Demo stellt einen praktischen Test anstelle szenariospezifischer Tests dar. Alle Testszenarien und die Labor-Demo werden mit den Prototyp-Boards des Projekts durchgef¨uhrt, d.h. es sind keine Simulationstests. Die Ergebnisse stellen die realistischen Leistungen von CR-IV mit bis zu 13,61 Gbit/s dar.Whether be it automotive, avionics or automation, advances in their respective real-time communication technology focus on further improving preexisting solutions. For in-vehicle communication, the ever-increasing number of computer-based systems, applications and connections as well as the use of multiple proprietary communication standards results in an increasingly complex wiring harness. This is in-part due to those standards being incompatible with one another. In addition to cost, this also impacts weight, which in turn affects fuel consumption. The work presented in this thesis is in-part theoretical and in-part applied. The former is represented by a new protocol, while the latter corresponds to the protocol’s hardware implementation. In the first part of the thesis, the real-time communication protocol of CarRing IV (CR-IV) is presented. It provides isochronous and hard real-time guarantees without requiring network-wide clock synchronization. With up to 16 nodes per ring, a CR-IV network can consist of as many as 256 rings interconnected by routers. CR-IV uses a reduced OSI model (layers 1-3, 7), which is both typical of and preferable for its application areas. Moreover, it supports both event- and time-triggered communication paradigms. The transparent mode feature allows CR-IV to act as a backbone for existing networks, thereby addressing incompatibility concerns and easing the transition into a more unified network solution. Using this feature, user devices can communicate with one another via a CR-IV network without requiring user interference, or any user device or application changes. Combined with the protocol’s reliable multicast, the feature extends CR-IV’s capabilities to include field bus emulation. The second part of the thesis presents the other important aspect of CR-IV. All of its OSI model layers are implemented in a FPGA using Hardware Description Languages (HDLs) without relying-on or including any hard or soft processors. CR-IV’s Register-Transfer Level (RTL) hardware design is created using a new approach that can best be described as token-based data-flow. The approach is both vertically and horizontally scalable. It uses stateless and loosely coupled Processing Elements (PEs) as well as arbiter/memory allocation pairs. By having granular control and compartmentalizing every aspect of a solution, the approach lends itself to being used for implementing other software-level solutions in hardware. Many test scenarios are conducted to both highlight and examine the results achieved in CR-IV. Those scenarios range from direct performance measurements to behavior-specific tests. Moreover, a lab-demo is created that essentially amounts to a proof of concept. The demo represents a practical test as opposed to a scenariospecific one. Whether be it test scenarios or the lab-demo, all are carried-out using the project’s prototype boards, i.e. no simulation tests. The results obtained represent CR-IV’s real-world realistic outcomes with up to 13.61 Gbps

Robust and secure resource management for automotive cyber-physical systems

2022 Spring.Includes bibliographical references.Modern vehicles are examples of complex cyber-physical systems with tens to hundreds of interconnected Electronic Control Units (ECUs) that manage various vehicular subsystems. With the shift towards autonomous driving, emerging vehicles are being characterized by an increase in the number of hardware ECUs, greater complexity of applications (software), and more sophisticated in-vehicle networks. These advances have resulted in numerous challenges that impact the reliability, security, and real-time performance of these emerging automotive systems. Some of the challenges include coping with computation and communication uncertainties (e.g., jitter), developing robust control software, detecting cyber-attacks, ensuring data integrity, and enabling confidentiality during communication. However, solutions to overcome these challenges incur additional overhead, which can catastrophically delay the execution of real-time automotive tasks and message transfers. Hence, there is a need for a holistic approach to a system-level solution for resource management in automotive cyber-physical systems that enables robust and secure automotive system design while satisfying a diverse set of system-wide constraints. ECUs in vehicles today run a variety of automotive applications ranging from simple vehicle window control to highly complex Advanced Driver Assistance System (ADAS) applications. The aggressive attempts of automakers to make vehicles fully autonomous have increased the complexity and data rate requirements of applications and further led to the adoption of advanced artificial intelligence (AI) based techniques for improved perception and control. Additionally, modern vehicles are becoming increasingly connected with various external systems to realize more robust vehicle autonomy. These paradigm shifts have resulted in significant overheads in resource constrained ECUs and increased the complexity of the overall automotive system (including heterogeneous ECUs, network architectures, communication protocols, and applications), which has severe performance and safety implications on modern vehicles. The increased complexity of automotive systems introduces several computation and communication uncertainties in automotive subsystems that can cause delays in applications and messages, resulting in missed real-time deadlines. Missing deadlines for safety-critical automotive applications can be catastrophic, and this problem will be further aggravated in the case of future autonomous vehicles. Additionally, due to the harsh operating conditions (such as high temperatures, vibrations, and electromagnetic interference (EMI)) of automotive embedded systems, there is a significant risk to the integrity of the data that is exchanged between ECUs which can lead to faulty vehicle control. These challenges demand a more reliable design of automotive systems that is resilient to uncertainties and supports data integrity goals. Additionally, the increased connectivity of modern vehicles has made them highly vulnerable to various kinds of sophisticated security attacks. Hence, it is also vital to ensure the security of automotive systems, and it will become crucial as connected and autonomous vehicles become more ubiquitous. However, imposing security mechanisms on the resource constrained automotive systems can result in additional computation and communication overhead, potentially leading to further missed deadlines. Therefore, it is crucial to design techniques that incur very minimal overhead (lightweight) when trying to achieve the above-mentioned goals and ensure the real-time performance of the system. We address these issues by designing a holistic resource management framework called ROSETTA that enables robust and secure automotive cyber-physical system design while satisfying a diverse set of constraints related to reliability, security, real-time performance, and energy consumption. To achieve reliability goals, we have developed several techniques for reliability-aware scheduling and multi-level monitoring of signal integrity. To achieve security objectives, we have proposed a lightweight security framework that provides confidentiality and authenticity while meeting both security and real-time constraints. We have also introduced multiple deep learning based intrusion detection systems (IDS) to monitor and detect cyber-attacks in the in-vehicle network. Lastly, we have introduced novel techniques for jitter management and security management and deployed lightweight IDSs on resource constrained automotive ECUs while ensuring the real-time performance of the automotive systems

A dynamically reconfigurable hard-real-time communication protocol for embedded systems

Echtzeitkommunikation ist eine Grundanforderung für viele verteilte eingebettete Systeme. Für eine neue Klasse von Anwendungen sind jedoch nicht nur Echtzeitfähigkeit, sondern auch Flexibilität und Anpassungsfähigkeit notwendige System-Attribute. Um die Flexibilität zu erhöhen, wurde in dieser Arbeit ein neues Kommunikationsprotokoll namens TrailCable konzipiert. Es profitiert von den Eigenschaften des Earliest Deadline First Scheduling-Verfahrens, wie z. B. der optimalen Ausnutzung von Ressourcen und der Unterstützung von heterogenen Tasks. Ein Kommunikationsnetzwerk wird aufgebaut mit Hilfe von voll-Duplex-, Punkt-zu-Punkt-Verbindungen, wobei die Knoten Datenpakete weiterleiten können, um eine Multi-hop Übertragung zu gewährleisten. Es werden Methoden vorgestellt, die es erlauben, automatisch die Kommunikationsanforderungen erfüllende Echtzeit-Kanäle auf das Netzwerk abzubilden. Echtzeit-Kanäle können nur dann aktiviert werden, wenn im Voraus ein Akzeptanztest erfolgreich durchgeführt wurde. Solch eine Prüfung kann mittels eines Tools automatisch erfolgen. Alle dafür notwendigen Netzwerkinformationen werden aus XML-Dateien eingelesen. Zur Laufzeit prüft ein Mechanismus, der Bandbreitenwächter genannt wird, ob die eingelesenen Pakete mit ihrer Spezifikation übereinstimmen, damit Fehler die Echzeitfähigkeit anderer Kanäle nicht beeinträchtigen können. Zeitkritische Funktionen des Kommunikationsprotokolls, wie Scheduling, Bandbreitenwächter, Routing und Uhrsynchronisation, sind mittels dedizierter Hardware implementiert. Ein voll funktionsfähiger FPGA-basierter Prototyp wurde aufgebaut und in zahlreichen Tests evaluiert, um das Echtzeit-Verhalten des Protokolls unter realen Bedingungen zu testen und zu analysieren.Real-time communication is a basic requirement for many distributed embedded systems. However, for an emerging new class of applications not only real-time behavior but also flexibility and adaptability will become necessary system attributes. In order to increase the flexibility of real-time communication systems a new protocol called TrailCable was designed. It takes advantage of the properties of Earliest Deadline First (EDF) scheduling, which include optimal utilization bounds and the possibility to cope with heterogeneous task sets. A communication network is built with full-duplex, point-to-point links, and nodes can route packets to allow multi-hop message delivery. This work introduces methods for automatically mapping real-time channels on a given network directly from communication requirement specifications. The activation of real-time channels in the network is permitted only after a successful schedulability analysis, which can be executed automatically by a tool that checks XML-based network configuration models. At run-time, the characteristics of all incoming packets are checked against their specification by an admission control technique called bandwidth guardian, which is used to ensure that occasional faults will not impair the timeliness of other real-time channels. Time-critical functions of the communication protocol, such as scheduling, admission control, packet routing, and clock synchronization, are implemented by means of dedicated hardware. A fully operational FPGA-based prototype was built and used in different measurement experiments to validate the real-time behavior of the protocol under real conditions.Tag der Verteidigung: 02.04.2012Paderborn, Univ., Diss., 201

Wireless Sensor Data Transport, Aggregation and Security

abstract: Wireless sensor networks (WSN) and the communication and the security therein have been gaining further prominence in the tech-industry recently, with the emergence of the so called Internet of Things (IoT). The steps from acquiring data and making a reactive decision base on the acquired sensor measurements are complex and requires careful execution of several steps. In many of these steps there are still technological gaps to fill that are due to the fact that several primitives that are desirable in a sensor network environment are bolt on the networks as application layer functionalities, rather than built in them. For several important functionalities that are at the core of IoT architectures we have developed a solution that is analyzed and discussed in the following chapters. The chain of steps from the acquisition of sensor samples until these samples reach a control center or the cloud where the data analytics are performed, starts with the acquisition of the sensor measurements at the correct time and, importantly, synchronously among all sensors deployed. This synchronization has to be network wide, including both the wired core network as well as the wireless edge devices. This thesis studies a decentralized and lightweight solution to synchronize and schedule IoT devices over wireless and wired networks adaptively, with very simple local signaling. Furthermore, measurement results have to be transported and aggregated over the same interface, requiring clever coordination among all nodes, as network resources are shared, keeping scalability and fail-safe operation in mind. Furthermore ensuring the integrity of measurements is a complicated task. On the one hand Cryptography can shield the network from outside attackers and therefore is the first step to take, but due to the volume of sensors must rely on an automated key distribution mechanism. On the other hand cryptography does not protect against exposed keys or inside attackers. One however can exploit statistical properties to detect and identify nodes that send false information and exclude these attacker nodes from the network to avoid data manipulation. Furthermore, if data is supplied by a third party, one can apply automated trust metric for each individual data source to define which data to accept and consider for mentioned statistical tests in the first place. Monitoring the cyber and physical activities of an IoT infrastructure in concert is another topic that is investigated in this thesis.Dissertation/ThesisDoctoral Dissertation Electrical Engineering 201

Cyber-Physical Systems of Systems: Foundations – A Conceptual Model and Some Derivations: The AMADEOS Legacy

Computer Systems Organization and Communication Networks; Software Engineering; Complex Systems; Information Systems Applications (incl. Internet); Computer Application

Anpassen verteilter eingebetteter Anwendungen im laufenden Betrieb

The availability of third-party apps is among the key success factors for software ecosystems: The users benefit from more features and innovation speed, while third-party solution vendors can leverage the platform to create successful offerings. However, this requires a certain decoupling of engineering activities of the different parties not achieved for distributed control systems, yet. While late and dynamic integration of third-party components would be required, resulting control systems must provide high reliability regarding real-time requirements, which leads to integration complexity. Closing this gap would particularly contribute to the vision of software-defined manufacturing, where an ecosystem of modern IT-based control system components could lead to faster innovations due to their higher abstraction and availability of various frameworks. Therefore, this thesis addresses the research question: How we can use modern IT technologies and enable independent evolution and easy third-party integration of software components in distributed control systems, where deterministic end-to-end reactivity is required, and especially, how can we apply distributed changes to such systems consistently and reactively during operation? This thesis describes the challenges and related approaches in detail and points out that existing approaches do not fully address our research question. To tackle this gap, a formal specification of a runtime platform concept is presented in conjunction with a model-based engineering approach. The engineering approach decouples the engineering steps of component definition, integration, and deployment. The runtime platform supports this approach by isolating the components, while still offering predictable end-to-end real-time behavior. Independent evolution of software components is supported through a concept for synchronous reconfiguration during full operation, i.e., dynamic orchestration of components. Time-critical state transfer is supported, too, and can lead to bounded quality degradation, at most. The reconfiguration planning is supported by analysis concepts, including simulation of a formally specified system and reconfiguration, and analyzing potential quality degradation with the evolving dataflow graph (EDFG) method. A platform-specific realization of the concepts, the real-time container architecture, is described as a reference implementation. The model and the prototype are evaluated regarding their feasibility and applicability of the concepts by two case studies. The first case study is a minimalistic distributed control system used in different setups with different component variants and reconfiguration plans to compare the model and the prototype and to gather runtime statistics. The second case study is a smart factory showcase system with more challenging application components and interface technologies. The conclusion is that the concepts are feasible and applicable, even though the concepts and the prototype still need to be worked on in future -- for example, to reach shorter cycle times.Eine große Auswahl von Drittanbieter-Lösungen ist einer der Schlüsselfaktoren für Software Ecosystems: Nutzer profitieren vom breiten Angebot und schnellen Innovationen, während Drittanbieter über die Plattform erfolgreiche Lösungen anbieten können. Das jedoch setzt eine gewisse Entkopplung von Entwicklungsschritten der Beteiligten voraus, welche für verteilte Steuerungssysteme noch nicht erreicht wurde. Während Drittanbieter-Komponenten möglichst spät -- sogar Laufzeit -- integriert werden müssten, müssen Steuerungssysteme jedoch eine hohe Zuverlässigkeit gegenüber Echtzeitanforderungen aufweisen, was zu Integrationskomplexität führt. Dies zu lösen würde insbesondere zur Vision von Software-definierter Produktion beitragen, da ein Ecosystem für moderne IT-basierte Steuerungskomponenten wegen deren höherem Abstraktionsgrad und der Vielzahl verfügbarer Frameworks zu schnellerer Innovation führen würde. Daher behandelt diese Dissertation folgende Forschungsfrage: Wie können wir moderne IT-Technologien verwenden und unabhängige Entwicklung und einfache Integration von Software-Komponenten in verteilten Steuerungssystemen ermöglichen, wo Ende-zu-Ende-Echtzeitverhalten gefordert ist, und wie können wir insbesondere verteilte Änderungen an solchen Systemen konsistent und im Vollbetrieb vornehmen? Diese Dissertation beschreibt Herausforderungen und verwandte Ansätze im Detail und zeigt auf, dass existierende Ansätze diese Frage nicht vollständig behandeln. Um diese Lücke zu schließen, beschreiben wir eine formale Spezifikation einer Laufzeit-Plattform und einen zugehörigen Modell-basierten Engineering-Ansatz. Dieser Ansatz entkoppelt die Design-Schritte der Entwicklung, Integration und des Deployments von Komponenten. Die Laufzeit-Plattform unterstützt den Ansatz durch Isolation von Komponenten und zugleich Zeit-deterministischem Ende-zu-Ende-Verhalten. Unabhängige Entwicklung und Integration werden durch Konzepte für synchrone Rekonfiguration im Vollbetrieb unterstützt, also durch dynamische Orchestrierung. Dies beinhaltet auch Zeit-kritische Zustands-Transfers mit höchstens begrenzter Qualitätsminderung, wenn überhaupt. Rekonfigurationsplanung wird durch Analysekonzepte unterstützt, einschließlich der Simulation formal spezifizierter Systeme und Rekonfigurationen und der Analyse der etwaigen Qualitätsminderung mit dem Evolving Dataflow Graph (EDFG). Die Real-Time Container Architecture wird als Referenzimplementierung und Evaluationsplattform beschrieben. Zwei Fallstudien untersuchen Machbarkeit und Nützlichkeit der Konzepte. Die erste verwendet verschiedene Varianten und Rekonfigurationen eines minimalistischen verteilten Steuerungssystems, um Modell und Prototyp zu vergleichen sowie Laufzeitstatistiken zu erheben. Die zweite Fallstudie ist ein Smart-Factory-Demonstrator, welcher herausforderndere Applikationskomponenten und Schnittstellentechnologien verwendet. Die Konzepte sind den Studien nach machbar und nützlich, auch wenn sowohl die Konzepte als auch der Prototyp noch weitere Arbeit benötigen -- zum Beispiel, um kürzere Zyklen zu erreichen

Fault-tolerant satellite computing with modern semiconductors

Miniaturized satellites enable a variety space missions which were in the past infeasible, impractical or uneconomical with traditionally-designed heavier spacecraft. Especially CubeSats can be launched and manufactured rapidly at low cost from commercial components, even in academic environments. However, due to their low reliability and brief lifetime, they are usually not considered suitable for life- and safety-critical services, complex multi-phased solar-system-exploration missions, and missions with a longer duration. Commercial electronics are key to satellite miniaturization, but also responsible for their low reliability: Until 2019, there existed no reliable or fault-tolerant computer architectures suitable for very small satellites. To overcome this deficit, a novel on-board-computer architecture is described in this thesis.Robustness is assured without resorting to radiation hardening, but through software measures implemented within a robust-by-design multiprocessor-system-on-chip. This fault-tolerant architecture is component-wise simple and can dynamically adapt to changing performance requirements throughout a mission. It can support graceful aging by exploiting FPGA-reconfiguration and mixed-criticality.  Experimentally, we achieve 1.94W power consumption at 300Mhz with a Xilinx Kintex Ultrascale+ proof-of-concept, which is well within the powerbudget range of current 2U CubeSats. To our knowledge, this is the first COTS-based, reproducible on-board-computer architecture that can offer strong fault coverage even for small CubeSats.European Space AgencyComputer Systems, Imagery and Medi