From Control Model to Program: Investigating Robotic Aerial Vehicle Accidents with MAYDAY
Taegyu Kim (1), Chung Hwan Kim (2), Altay Ozen (1), Fan Fei (1), Zhan Tu (1), Xiangyu Zhang (1), Xinyan Deng (1), Dave (Jing) Tian (1), Dongyan Xu (1)
(1) Purdue University, (2) UT Dallas
Drone (Robotic Aerial Vehicle) Accidents
RAV Control and Control-Semantic Bugs
[Figure: the control program (mission module, sensor module, control station) implements the control model, whose physical implementation drives the motors and aerodynamics in the physical environment; the observed vehicle states are the six degrees of freedom ("6DoFs"): x, y, z, roll, pitch, yaw]
• Accident root cause inside control program
• Control-semantic bug: incorrect or incomplete physical implementation of the control model
A Motivating Accident
Challenges in Investigating the Accident
• "Two Gaps"
  • Domain gap: control domain → program domain (the control-level log and the attack impact are observed in the control model, but the root cause lies in the control program)
  • Time gap: attack time → impact time
• Our solution: MAYDAY
  • Bridge the gaps
  • Enable cross-domain investigation
[Figure: velocity (cm/s) vs. control loop iteration (4800-5200); the attack command is issued well before the actual velocity departs from the reference velocity at the impact, illustrating the time gap]
MAYDAY Workflow
• Offline analysis & instrumentation: control program (source code) → program instrumentation, guided by the control variable dependency graph (CVDG)
• Runtime logging: control-level log and program log
• Post-accident investigation (triggered by the program crash): control-level investigation → program-level investigation → investigation result
RAV Control Model and Control Variable Dependency Graph (CVDG)
[Figure: six cascading controllers, one per degree of freedom (x-axis, y-axis, z-axis, roll φ, pitch θ, yaw ψ). Each cascade is POS controller → VEL controller → ACCEL controller (ANGLE → VEL → ACCEL for the attitude axes), and each controller takes a reference r, the vehicle state x and a parameter k for its degree of freedom (e.g. r_ψ, x_ψ, k_ψ for yaw). Inputs are marked S (sensor input), M (mission input) and P (parameter input); the cascades feed the motor controller (x 4). Inter-dependencies between controllers link the x/y-axis cascades to the roll and pitch cascades:]
  φ = atan(−ẍ sin ψ + ÿ cos ψ)
  θ = −atan(ẍ cos ψ + ÿ sin ψ)
Legend: S: sensor input; P: parameter input; M: mission input
Mapping Control Model to Control Program
[Figure: the z-axis cascading controller (POS → VEL → ACCEL, with inputs S, M, P and variables r_z (reference), x_z (vehicle state), k_z (parameter)) mapped onto the control program]
Control program:
  void AC_PosControl::rate_to_accel_z(
      …
      vel_err.z = vel_target.z - cur_vel.z;
      p = _p_velz._kP() * vel_err.z;
      accel_target.z = accel_ff.z + p;
      …
Legend: r: reference; x: vehicle state; k: parameter; S: sensor input; M: mission input; P: parameter input
• Control model variable → control program variable
• Control model data flow → control program execution paths
Logging Enhancement
• Control/vehicle operation log
  • Recorded by default
  • Supported by major drone control programs
  • Recorded by control-level logging functions
• Program execution log
  • Enabled by MAYDAY
  • Logging functions inserted via LLVM-level instrumentation
  • Guided by mapping between control model and program
[Figure: instrumented program fragment]
  if (…) err.z -= cur.z;
  else   err.z = 0.0;
  p = kP * err.z;
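The following is an added example, not MAYDAY's code and not the drone control program's: a z-axis cascading controller whose VEL stage mirrors the data flow of the rate_to_accel_z lines on the mapping slide, recording both the control-level log (reference vs. actual state per control loop iteration) and a MAYDAY-style program-level log of the intermediate program variables (vel_err.z, _p_velz.kP, p, accel_target.z). The plant model (a double integrator), the gains, the loop period and all function names are assumptions. Overwriting the VEL gain at one iteration stands in for a corrupted parameter input and shows the time gap: the corruption is visible in the program-level log immediately, while the control-level log only shows the digression some iterations later.

```python
from dataclasses import dataclass, field


@dataclass
class ZAxisController:
    k_pos: float = 1.0      # P gain of the POS controller (parameter input P, assumed)
    k_vel: float = 2.0      # stands in for _p_velz._kP() (parameter input P, assumed)
    dt: float = 0.01        # control loop period (assumed)
    control_log: list = field(default_factory=list)   # (iter, controller, reference, actual)
    program_log: list = field(default_factory=list)   # (iter, program variable, value)

    def _plog(self, it, name, value):
        self.program_log.append((it, name, value))

    def rate_to_accel_z(self, it, vel_target, cur_vel, accel_ff=0.0):
        # VEL controller: the control-model reference r (vel_target), state x (cur_vel)
        # and parameter k (k_vel) map onto the program variables logged here.
        vel_err = vel_target - cur_vel
        self._plog(it, "vel_err.z", vel_err)
        self._plog(it, "_p_velz.kP", self.k_vel)
        p = self.k_vel * vel_err
        self._plog(it, "p", p)
        accel_target = accel_ff + p
        self._plog(it, "accel_target.z", accel_target)
        self.control_log.append((it, "VEL_Z", vel_target, cur_vel))
        return accel_target

    def step(self, it, pos_target, pos, vel):
        # POS controller output (velocity reference) feeds the VEL controller,
        # the POS -> VEL -> ACCEL cascade shown in the CVDG.
        vel_target = self.k_pos * (pos_target - pos)
        self.control_log.append((it, "POS_Z", pos_target, pos))
        return self.rate_to_accel_z(it, vel_target, vel)


def fly(ctrl, iterations, pos_target=10.0, corrupt_at=None, corrupt_gain=None):
    """Run the control loop against a double-integrator plant (assumed). When
    corrupt_at is given, the VEL gain is overwritten at that iteration, standing
    in for a corrupted parameter input. Returns the final (position, velocity)."""
    pos = vel = 0.0
    for it in range(iterations):
        if corrupt_at is not None and it == corrupt_at:
            ctrl.k_vel = corrupt_gain
        acc = ctrl.step(it, pos_target, pos, vel)
        vel += acc * ctrl.dt
        pos += vel * ctrl.dt
    return pos, vel


def program_value(ctrl, it, name):
    """Read one program-level log entry (what MAYDAY's instrumentation adds)."""
    return next(v for (i, n, v) in ctrl.program_log if i == it and n == name)


def digression_iteration(ctrl, controller, start, threshold):
    """First iteration >= start at which the control-level log shows the
    controller's actual state more than `threshold` away from its reference."""
    for it, name, ref, actual in ctrl.control_log:
        if name == controller and it >= start and abs(ref - actual) > threshold:
            return it
    return None


if __name__ == "__main__":
    nominal = ZAxisController()
    print("nominal final position:", round(fly(nominal, 500)[0], 3))
    attacked = ZAxisController()
    pos, _ = fly(attacked, 700, corrupt_at=300, corrupt_gain=-2.0)
    first = digression_iteration(attacked, "VEL_Z", 300, 1.0)
    print("gain corrupted at iteration 300 (program log);",
          "VEL_Z digression visible in control log at", first,
          "; final position", round(pos, 1))
```

With the assumed gains the nominal run settles at the 10 m target, while the run with the gain flipped at iteration 300 diverges: the program-level log pins the corrupted parameter to iteration 300, but the control-level log only crosses a 1 m/s digression threshold a few dozen iterations later, which is exactly the gap the control-level log alone cannot close.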
Control-Level Investigation
[Figure: X-axis velocity (reference vs. actual state) vs. control loop iteration (8000-36000); the initial digression is marked where the actual state departs from the reference]
• Identify initial digressing controller
  • [Controller, corrupted variable, initial digression time]
• Infer control-level corruption path based on CVDG
Moving from Control Domain to Program Domain
[Figure: the same X-axis velocity plot (reference vs. actual state), with the initial digression marked]
• Corrupted control variable → corrupted program variable
Program-Level Investigation
[Figure: the same X-axis velocity plot (reference vs. actual state); the attack input lies well before the initial digression, and the program-level corruption path connects the two]
• Control-level corruption path → program-level corruption path
  • From initial digression to attack input
  • Bug localized in basic blocks that implement the corruption path
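The control-level investigation described on the CVDG slide and the three investigation slides above, as an added example that is not MAYDAY's own code: it runs over a constructed control-level log for the x-axis cascade, finds the initial digressing controller, names the control variable that controller writes as the corrupted variable, and walks a small CVDG backwards from it to enumerate candidate control-level corruption paths. The log values, the digression threshold and window, the CVDG node names and the pruning rule (a non-digressing upstream controller's output is treated as trusted) are all assumptions made for illustration.

```python
THRESHOLD = 20.0   # reference-vs-actual gap that counts as digression (assumed, cm/s)
WINDOW = 5         # consecutive iterations the gap must persist (assumed)


def constructed_log():
    """Constructed control-level log: (iteration, controller, reference, actual)."""
    log = []
    for it in range(8000, 8600):
        log.append((it, "POS_X", 1000.0, 1000.0))                 # tracks throughout
        drift = 3.0 * (it - 8300) if it >= 8300 else 0.0          # VEL_X departs at 8300
        log.append((it, "VEL_X", 50.0, 50.0 + drift))
        drift = 5.0 * (it - 8340) if it >= 8340 else 0.0          # ACCEL_X follows later
        log.append((it, "ACCEL_X", 0.0, drift))
    return log


def digressions(log, threshold=THRESHOLD, window=WINDOW):
    """Earliest iteration per controller at which |reference - actual| exceeds
    `threshold` for `window` consecutive records (transient spikes are ignored)."""
    series = {}
    for it, ctrl, ref, actual in sorted(log):
        series.setdefault(ctrl, []).append((it, abs(ref - actual) > threshold))
    result = {}
    for ctrl, samples in series.items():
        for i in range(len(samples) - window + 1):
            if all(flag for _, flag in samples[i:i + window]):
                result[ctrl] = samples[i][0]
                break
    return result


# CVDG for the x-axis cascade (POS -> VEL -> ACCEL -> motor) as (src, dst) edges.
# Input nodes carry an S:/M:/P: prefix (sensor, mission, parameter input); r_*
# nodes are the reference variables a controller writes.
CVDG_X = [
    ("M:r_x", "POS_X"), ("S:x", "POS_X"), ("P:k_x", "POS_X"), ("POS_X", "r_vx"),
    ("r_vx", "VEL_X"), ("S:vx", "VEL_X"), ("P:k_vx", "VEL_X"), ("VEL_X", "r_ax"),
    ("r_ax", "ACCEL_X"), ("S:ax", "ACCEL_X"), ("P:k_ax", "ACCEL_X"), ("ACCEL_X", "motor"),
]
CONTROLLERS = {"POS_X", "VEL_X", "ACCEL_X"}


def corrupted_variable(cvdg, controller):
    """The control variable a controller writes: its outgoing CVDG edge."""
    return next(dst for src, dst in cvdg if src == controller)


def corruption_paths(cvdg, corrupted, digressed):
    """Walk the CVDG backwards from the corrupted variable. A path ends at an
    external input (S:/M:/P:) or at the output of a controller that did not
    digress, which this example treats as a trusted value (assumed rule)."""
    preds = {}
    for src, dst in cvdg:
        preds.setdefault(dst, []).append(src)
    paths = []

    def walk(node, path):                      # `path` already starts with `node`
        for p in preds.get(node, []):
            if p in CONTROLLERS and p not in digressed:
                paths.append(path)             # trusted upstream output: stop here
            elif p in CONTROLLERS or p[:2] not in ("S:", "M:", "P:"):
                walk(p, [p] + path)
            else:
                paths.append([p] + path)       # reached an external input
    walk(corrupted, [corrupted])
    return sorted(paths)


def investigate(log, cvdg):
    """Control-level investigation: [controller, corrupted variable, initial
    digression time] plus the candidate control-level corruption paths."""
    found = digressions(log)
    ctrl = min(found, key=found.get)           # earliest digression wins
    var = corrupted_variable(cvdg, ctrl)
    return {"controller": ctrl, "corrupted_variable": var,
            "initial_digression": found[ctrl],
            "corruption_paths": corruption_paths(cvdg, var, set(found))}


if __name__ == "__main__":
    for key, value in investigate(constructed_log(), CVDG_X).items():
        print(f"{key}: {value}")
```

On the constructed log both VEL_X and ACCEL_X digress, but VEL_X does so first, so it is the initial digressing controller and r_ax (the x-axis acceleration reference) is the corrupted variable; the three candidate paths into it come from the parameter k_vx, the sensed velocity vx and the upstream velocity reference r_vx, which is the set the program-level investigation then narrows down to the basic blocks that implement them.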
Evaluation: Effectiveness of MAYDAY
Evaluation: Solving the Earlier Case
[Figure: control-level log, X-axis velocity vs. control loop iteration (8000-36000), with the attack input and the initial digression marked]
Control-level log
• Initial digressing controller: X-, Y-axis velocity controller
• Corrupted control variable: X-, Y-axis acceleration reference
• Control-level corruption path: [shown in the figure]
Program-level log
• Attack input: control gain k_P
• Number of BBs (basic blocks) on corruption path: 34
• Source LoC: 89
Evaluation: Runtime Overhead of MAYDAY
Conclusion
• Drone accidents may be caused by control-semantic bugs
• Control-level logs alone are not sufficient for bug tracing
• MAYDAY: a cross-domain accident investigation tool
  • Bridging the domain gap and the time gap
  • Mapping control model to control program
  • Integrating control-level and program-level logging
  • Connecting control-level and program-level investigation
Thank you! This work was supported in part by ONR Grant #N00014-17-1-2045. tgkim@purdue.edu