
Distributed Control Lab - A component-based application



  1. Distributed Control Lab - A component-based application: Overview, Architecture, Experiments

  2. Outline
     • Motivation
     • The Distributed Control Lab (DCL) Architecture
     • “Foucault's Pendulum Details”
       – Hardware / Software Architecture
       – Control Algorithms
     • “Hau den Lukas”
       – Hardware Architecture
       – Control Software
     • Additional Experiments
     • Malicious Code Problem / Solutions

  3. Motivation
     • Online access to physical experiments over the Web
     • Test-bed for interconnected middleware components and embedded systems
     • Reach a predictable system behaviour in unstable environments
     • Study techniques to prevent malicious code from damaging physical equipment
     • Foucault's Pendulum demonstrates usage of dynamic reconfiguration for online replacement of user control

  4. Distributed Control Lab
     • 2001 project start at Hasso-Plattner-Institute
     • Practice of writing control algorithms for real-time control problems
     • Study of system predictability, availability and security in context of middleware-based dynamic control systems
     • Extensible architecture for hosting physical control experiments
     • Investigation of algorithms for user code observation and replacement of control components
     • Experiment : physical installation and specific control software

  5. The Distributed Control Lab

  6. Distributed Control Lab (V2) Architecture
     [Architecture diagram. Labels: DISCOURSE, Users, Admin, Ticket Service, Tickets, Experiment Service, Job Queue, DCL Frontend, SOAP Frontend, Experiment Manager, Result Manager, Experiment Controller, Job Results, SOAP.]

  7. DCL Messaging Protocols
     [Protocol diagram. Labels: Client Web-Browser, http/html, DCL Page (IIS ASP.NET Web/Application Server), SOAP, DCL Web Service (IIS ASP.NET Web/Application Server), DBMS, ODBC, .NET Remoting, DCL Experiment-/Resultmanager Service, DCL Experiment-Controller Service, TCP/IP, IrDA, Embedded Control Device, RT-Linux PC, Brick OS.]

  8. Problem : Malicious Code
     • Investigation of solutions for malicious code detection
       – Source code analysis
       – Experiment-specific languages / Language limitations
       – .NET code access security
       – Simulation before execution on physical experiment
       – Analytic Redundancy
     • Online observation of user programs
     • Replacement of user programs before an uncontrollable state is reached
     • Dynamic reconfiguration of component-based control application
     • Monitoring of environmental settings and component states

  9. Foucault’s Pendulum
     • First installation 1848 by Leon Foucault in the Pantheon in Paris
     • Demonstrates earth rotation
     • Today many installations, including one in the UN building in New York
     • Problem : Pendulum must be kept swinging
     • Solution : electro magnet under an iron ball
     • Experiment: Find best control algorithm to keep the pendulum swinging
       – Using minimum energy
       – Reaching the highest amplitude

  10. Pendulum Control – detailed
     • Laser light barriers sampled into 4 KByte FIFO memories with 23,4 kHz
     • USB-Controller checks half-full-Flag
     • 64 Byte blocks of data transferred via USB 1.1
     • Real-Time OS-Threads process in-coming signals / produce out-going bit stream
     [Diagram. Labels: Safety-Controller, User-Controller, Configuration Manager, Event Duplication, Event Creation, Binary Stream Generation, Filter/Smooth, Binary Reader / Binary Writer, User Mode, ReadFile(), WriteFile(), Kernel Mode, Operating System I/O, I/O request packet, Check HalfFull Flag, USB Host-Controller, Light Sensor, Read 64 Byte, FIFO-Memory 4 KBytes, Write, Electro Magnet, Cypress EZ-USB.]

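  11. Pendulum-API : Control Event

        public class ControlEvent
        {
            public int nr;          // sensor or actuator identifier
            public int state;       // actuator: 1 ON - 0 OFF
                                    // light barrier: 1 light -> dark
                                    //                0 dark -> light
            public long timestamp;  // global time stamp

            // Constructor with the argument order used by the example control code
            public ControlEvent(long timestamp, int nr, int state)
            {
                this.timestamp = timestamp;
                this.nr = nr;
                this.state = state;
            }
        }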

  12. Pendulum-API : Interface

        public interface Pendulum
        {
            // Dequeue next event
            // Blocks if no event present until next event occurs
            ControlEvent GetNext();

            // Queue next event to put energy on / off
            bool SendEvent(ControlEvent input);

            // Get global time stamp, 1 microsecond logical resolution
            long GetTime();
        }

  13. Pendulum: Example Control Code

        while (true)
        {
            // get next event
            ControlEvent ev = pendel.GetNext();
            if (ev.state == 1)  // pendulum enters light barrier
            {
                // switch magnet on
                pendel.SendEvent(new ControlEvent(ev.timestamp + 1000, 0, 1));
                // switch it off after 5 ms
                pendel.SendEvent(new ControlEvent(ev.timestamp + 6000, 0, 0));
            }
        }

  14. Pendulum Control Process
     [Diagram. Labels: Generation, Configuration Code, Control Code, user control code, send to DCL, generate user control class, compile, control.]

        public class UserControl
        {
            public static void Main(string[] args)
            {
                while (true)
                {
                    // get next event
                    ControlEvent ev = pendel.GetNext();
                    if (ev.state == 1)  // pendulum enters light barrier
                    {
                        // switch magnet on
                        pendel.SendEvent(new ControlEvent(ev.timestamp + 1000, 0, 1));
                        // switch it off after 5 ms
                        pendel.SendEvent(new ControlEvent(ev.timestamp + 6000, 0, 0));
                    }
                }
            }
        }

  15. Pendulum : Increase of amplitude
      1. Get current oscillation time T_oz (time for a full oscillation)
      2. Get current time the ball covers the light barrier T_s (indicates speed)
      3. If ball enters light barrier:
         1. Queue Enable Magnet Event at T_current + T_oz/4
         2. Queue Disable Magnet Event at T_current + T_oz/2 + T_s/2 – T_mf
            1. T_mf – duration of magnetic field shut down
      4. Repeat steps 1-4

  16. Code Access Security (CAS) in .NET
     • Supplements operating system security mechanisms
     • Trust in assemblies varies depending on origin and publisher
     • Based on evidence of assemblies
       – Application directory
       – Strong name
       – URL
       – Signature
     • Permissions restrict access to system resources
     • DCL: Configuration of usable class library classes

  17. Code Access Permissions
     • Represent access to a protected resource or the ability to perform a protected operation
     • Environment Variables
     • Printing
     • File Dialog
     • Event Log
     • File I/O
     • Socket Access
     • Isolated Storage File
     • Web Access
     • Reflection
     • Performance Counter
     • Registry
     • Directory Services
     • Security
     • Message Queue
     • User Interface
     • Service Controller
     • DNS
     • SQL Client

  18. Evidence Based Security
     • Assembly evidence is matched against code groups to gain permission
     • A code group consists of
       – Membership condition
       – Set of code access permissions
     • Security policies contain code groups that map assemblies to permissions
     • Policies in .NET : Enterprise, Machine, User, Application Domain
     • Policy Evaluation: top-down

  19. .NET Security in the Pendulum Experiment
     • Code group in machine policy applies only to usercode.exe assembly
       – Custom Permission Set assigned to the code group
     • No permissions, except:
       – Execution permission
       – Access to driver component via .NET Remoting
         • Localhost, one specified socket, one URI
       – File I/O in the local directory
     • Security exception if any restriction is violated
       – Check required permissions before code execution
       – .NET Attributes
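The permission set from slide 19, built in code and used for the "check required permissions before code execution" step. This is an added example, not code from the slides or the DCL project: it assumes the .NET Framework on Windows (CAS does not exist in .NET Core and later), it builds the set programmatically rather than through the machine-policy code group the slide describes, and the directory `C:\dcl\usercode` and port `9000` are constructed placeholders.

```csharp
using System;
using System.Net;
using System.Security;
using System.Security.Permissions;

static class UserCodeGrant
{
    // Constructed values: the slides name neither the directory nor the port.
    const string UserDir = @"C:\dcl\usercode";
    const int DriverPort = 9000;

    // "No permissions, except": start from the empty set and add the exceptions.
    public static PermissionSet Build()
    {
        var grant = new PermissionSet(PermissionState.None);
        grant.AddPermission(new SecurityPermission(SecurityPermissionFlag.Execution));
        grant.AddPermission(new FileIOPermission(FileIOPermissionAccess.AllAccess, UserDir));
        grant.AddPermission(new SocketPermission(
            NetworkAccess.Connect, TransportType.Tcp, "localhost", DriverPort));
        return grant;
    }

    // Check before execution: is the requested permission covered by the grant set?
    public static bool IsCovered(PermissionSet grant, IPermission requested)
    {
        var needed = new PermissionSet(PermissionState.None);
        needed.AddPermission(requested);
        return needed.IsSubsetOf(grant);
    }

    static void Report(PermissionSet grant, string what, IPermission requested)
    {
        Console.WriteLine("{0,-32} {1}", what, IsCovered(grant, requested) ? "granted" : "denied");
    }

    static void Main()
    {
        PermissionSet grant = Build();
        Report(grant, "write file in user directory",
            new FileIOPermission(FileIOPermissionAccess.Write, UserDir + @"\run.log"));
        Report(grant, "read file outside it",
            new FileIOPermission(FileIOPermissionAccess.Read, @"C:\Windows\win.ini"));
        Report(grant, "connect to driver socket",
            new SocketPermission(NetworkAccess.Connect, TransportType.Tcp, "localhost", DriverPort));
        Report(grant, "connect to another port",
            new SocketPermission(NetworkAccess.Connect, TransportType.Tcp, "localhost", DriverPort + 1));
        Report(grant, "registry access", new RegistryPermission(PermissionState.Unrestricted));
    }
}
```

The set covers only the three exceptions listed on the slide; whatever further permissions the .NET Remoting channel to the driver component needs is not stated there and is not modelled here.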

  20. Pendulum Experiment Dynamic Properties
     • Code Access Security provides safe environment for execution of foreign code
     • There are still dynamic properties of the experiment that cannot be handled by CAS
       – Expiration of available execution time (fairness)
       – Expiration of available energy
       – Overheating of the coil
       – The pendulum falls below a critical amplitude (energy), so it could not be kept swinging
       – Unexpected termination of user programs
       – Exaggerated use of memory

  21. Our Approach : Dynamic Reconfiguration as safe-guard mechanism
     • Mapping of profiles to application configurations based on environmental conditions and component states
     • Selection of application configuration according to conditions provides best service for a given situation
     • Definition of
       – observer : monitoring of environmental settings and component states
       – profiles : mapping of environmental conditions to application configurations
       – configurations of component-based applications
     • Online monitoring of environment and components
     • Change of application configuration using dynamic reconfiguration if required (changed conditions)

  22. Configuration Creator Tool

  23. Pendulum Experiment Control Configurations
     • Configuration 1 : safety controller
     • Configuration 2 : user program (cold standby)
     • Configuration 3 : user program (warm standby)
     [Diagram. Labels: Safety Controller, USB-Driver, USB, Event Queuing, Event Duplicator, User Program.]
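The observer / profile / configuration scheme from slides 20 to 23 as a small model: each profile maps one of the dynamic properties CAS cannot enforce to the safety-controller configuration. This is an added example, not the DCL implementation; the units, thresholds and sample trace are constructed, cold and warm standby are not distinguished, and keeping the safety controller active for the rest of the job once it has taken over is an assumption of this sketch.

```csharp
using System;
using System.Collections.Generic;

enum Config { SafetyController, UserProgram }

// One observer sample of the dynamic properties that CAS cannot enforce.
class Sample { public double TimeLeftS, EnergyLeftJ, CoilTempC, AmplitudeCm, MemoryMB; public bool UserAlive; }

// A profile maps an environmental condition to an application configuration.
class Profile
{
    public string Name; public Func<Sample, bool> Matches; public Config Target;
    public Profile(string n, Func<Sample, bool> m, Config t) { Name = n; Matches = m; Target = t; }
}

class Observer
{
    public Config Current = Config.UserProgram;
    readonly List<Profile> profiles = new List<Profile> {   // thresholds are constructed
        new Profile("user program terminated", s => !s.UserAlive, Config.SafetyController),
        new Profile("execution time expired", s => s.TimeLeftS <= 0, Config.SafetyController),
        new Profile("energy budget expired", s => s.EnergyLeftJ <= 0, Config.SafetyController),
        new Profile("coil overheating", s => s.CoilTempC >= 70, Config.SafetyController),
        new Profile("amplitude below critical", s => s.AmplitudeCm < 5, Config.SafetyController),
        new Profile("memory limit exceeded", s => s.MemoryMB > 32, Config.SafetyController),
    };

    // Returns the profile that forced a reconfiguration, or null if nothing changed.
    public string Evaluate(Sample s)
    {
        if (Current == Config.SafetyController) return null;  // latched for the rest of the job
        foreach (Profile p in profiles)
            if (p.Matches(s)) { Current = p.Target; return p.Name; }
        return null;
    }

    static void Main()
    {
        var obs = new Observer();
        var trace = new[] {   // constructed samples: normal, amplitude drop, recovery
            new Sample { TimeLeftS = 60, EnergyLeftJ = 40, CoilTempC = 35, AmplitudeCm = 12, MemoryMB = 8, UserAlive = true },
            new Sample { TimeLeftS = 50, EnergyLeftJ = 38, CoilTempC = 36, AmplitudeCm = 4, MemoryMB = 8, UserAlive = true },
            new Sample { TimeLeftS = 40, EnergyLeftJ = 37, CoilTempC = 36, AmplitudeCm = 9, MemoryMB = 8, UserAlive = true },
        };
        foreach (Sample s in trace)
            Console.WriteLine("{0} -> {1}", obs.Evaluate(s) ?? "no change", obs.Current);
    }
}
```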

  24. Measurements: Abnormal Termination of User Program

  25. „Higher Striker“ – „Hau den Lukas“
     • Similar hardware to pendulum experiment
       – Parallel I/O / 38 kHz sample rate / 256 Byte buffer
     • Use of Real Time OS
       – Smaller Buffers, Higher Sampling Frequency
       – Short control delay
       – COTS x86 PC
         • Intel Celeron 633 MHz, 128 MB RAM (max 64 MB usable)
         • 10 Mbit/s LAN (NE 2000 PCI)
     • Combination of non-RT .NET and RT application
     • CE-PC Windows CE.NET 4.2
