High Assurance Modeling and Rapid Engineering (HAMR) - PowerPoint PPT Presentation



  1. High Assurance Modeling and Rapid Engineering (HAMR) for Embedded Systems. AADL Tool Expo, October 28, 2019.
     Robby (Professor, Kansas State University); John Hatcliff (University Distinguished Professor, Lucas-Rathbone Professor of Engineering, Kansas State University); Jason Belt and Hariharan Thiagarajan (Research Associates, Kansas State University).
     In collaboration with Adventium Labs, SEI, and Collins Aerospace.
     This material is based on research sponsored by the Department of Homeland Security (DHS) Science and Technology Directorate, Homeland Security Advanced Research Projects Agency (HSARPA), Cyber Security Division (DHS S&T/HSARPA/CDS) BAA HSHQDC-14-R-B0005, the Government of Israel and the National Cyber Bureau in the Government of Israel via contract number D16PC00057, as well as the US National Science Foundation FDA Scholar-in-Residence Program.

  2. DARPA CASE Approach. DARPA CASE provides tools to develop cyber-resiliency requirements, refactor/transform system architectures, and generate code/builds of modified systems that achieve cyber-resiliency. The workflow:
     - Capture requirements for cyber-resiliency
     - Analyze design
     - Transform design
     - Verify new design against requirements
     - Build / deploy
     Example architecture transformations: control non-interference by allocating components to different partitions in a microkernel architecture; wrap a legacy untrusted component in a VM in a microkernel partition; insert attestation managers to ensure data is coming from a trusted source.
     On DARPA CASE, KSU is partnered with Adventium Labs, Collins Aerospace, and Data61 (seL4 verified microkernel). (AADL Tool Expo - Oct 2019)

  3. Deeply Integrate Models and Programming Across Multiple Levels of Abstraction. Analysis and verification results move up and down the abstraction layers:
     - System Modeling and Analysis (AADL): OSATE; analyses such as information flow, functional integration constraints (component contracts), schedulability, ...
     - Code Generation -- Slang + AADL Run-Time Reference Implementation: source code, simulation, analysis, verification; semantic consistency with the model. Slang is a subset of Scala for critical systems.
     - Deployment on Embedded/Distributed Platforms: micro-kernels and OSes (seL4, Minix 3 (enhanced), Xen, Linux, FreeRTOS, ...); code generation, e.g., C + platform run-time system (primitives for controlling communication between partitions in a partitioning architecture); partitioned architectures; the generated C is compatible with the CompCert verified compiler.

  4. Example Domains.
     - Medical Devices (US Dept of Homeland Security): code deployed using the Genode OS framework on the Xen hypervisor and the seL4 microkernel.
     - Building Controls (US Dept of Homeland Security): code deployed using an enhanced Minix 3 micro-kernel; containment labs for critical agriculture experiments.
     - UxAS - Unmanned Systems Autonomy Services (AFRL, DARPA, NASA/JPL): code deployed on the machine-verified micro-kernel seL4.
     Across these domains the work targets development and verification of embedded systems, emphasizes platform development using separation kernel and hypervisor technology, and introduces rigorous use of modeling and abstractions without significant disruption of workflows.

  5. AADL Computational Model. The developer configures the AADL computational model through AADL port and connection property options (Event, Data, ...) and AADL thread property options (Periodic, Sporadic, Temporal, Hybrid, Separation, ...). The selected thread pattern and the selected communication pattern together imply the API that application code uses to access the AADL Run-Time Services.

  6. HAMR Code Generation. Code is generated for three layers: application APIs, component and communication infrastructure, and threading infrastructure. During application code development, developer-written application code sits alongside auto-generated code. At system build time, the run-time communication infrastructure, the auto-generated code for the platform, the component infrastructure, and the platform configuration information are combined.

  7. HAMR Code Generation. Use case: example HAMR instantiation for C-based development on the seL4 microkernel (e.g., DARPA CASE). The platform-independent generation pathway produces the AADL RT APIs for C code; the platform-specific pathway produces the seL4 interpartition communication. Application code in C is platform-independent because it only talks to the AADL RT APIs; the component infrastructure in C talks to the seL4 communication mechanisms. The "platform independent" story above applies to application logic, not to hardware-based I/O, e.g., for sensors and actuators.

  8. HAMR Code Generation. Use case: example HAMR instantiation for C-based development on Linux (e.g., DARPA CASE). The platform-independent generation pathway produces the AADL RT APIs for C code; the platform-specific pathway produces the Linux inter-process communication. Application code in C is platform-independent because it only talks to the AADL RT APIs; the component infrastructure in C talks to Linux inter-process communication. The "platform independent" story above applies to application logic, not to hardware-based I/O, e.g., for sensors and actuators.

  9. HAMR Code Generation. Use case: high-assurance development in Slang, with a C-based deployment. System modeling and analysis in AADL; AADL-to-Slang code generation; source code, simulation, analysis, and verification in Slang (a safety-critical subset of Scala); Slang-to-C code generation; deployment on embedded/distributed platforms, e.g., in C with platform infrastructure.

  10. HAMR Run-time Reference Implementation. The Slang-based infrastructure of the AADL run-time provides a reference implementation for the AADL computational model, connecting system modeling and analysis in AADL to the reference implementation in Slang.
     - The HAMR AADL reference implementation is analogous to an abstract machine for analyzable real-time embedded computation.
     - Because Slang (a subset of Scala) is a JVM-based language, it is easy to integrate with Java resources to obtain a simulation, visualization, and run-time verification environment for AADL-derived applications.
     - Sensor, actuator, and UI elements that are not part of the core application logic can be mocked up in Java or Scala.

  11. High Assurance High-Level Development in Slang (subset of Scala). In addition to supporting C development, we also support "higher-level" development in Slang (a subset of Scala), which supports integration with Java.
     - Slang is a verifiable subset of a modern programming language, Scala: imperative, OO and FP (generics, pattern matching, higher-order functions, etc.).
     - Benefits: existing Java ecosystems and talent pools; available (customizable) industrial tool support, including compiler toolchain and IDEs ... yet able to generate code suitable for safety/security-critical embedded systems.
     - (Currently) supports two memory models: SPARK/Ada-like (static memory allocation), targeted for embedded systems; Swift-like (DAG, immutable sharing, automatic reference counting), targeted for large-application development, including for developing Sireum/Slang itself.

  12. Slang-to-C Translations.
     - C Standard: C99. Compilers: CompCert (proven correct C compiler), clang, gcc.
     - OS/platforms: macOS, Linux, Windows, and others (opportunity-based).
     - Memory models: static allocation (done); ref-counting and full tracing GC (future).
     - Platform backends: conventional C applications running on Linux, Windows, macOS; seL4 (part of the Rockwell Collins, Adventium, Data61 team on DARPA CASE).
     - Experimental translations for the Genode operating system framework, Minix 3 enhanced for separation (DHS CPSSec project), and FreeRTOS.

  13. Abstraction Levels - AADL State Machines. AADL state machine specifications (BLESS/BA) are simulated and then compiled to, e.g., C. The simulation has a dynamic visualization of the BLESS/BA state machines of each AADL thread. Army SBIR "GUMBO", Adventium/KSU.

  14. Component Implementations in Slang. Slang can be used to implement component business logic, corresponding to event handlers for incoming interface events.

  15. Component Implementations in Slang. Slang implementations include calls to publish events on output ports and to get/set values of data ports. Get: reading a value from the currentTemp data port (behind the scenes mapped to the generic AADL RT service GetValue). Send: sending an event (with a 'cmd' payload) out the fanCmd port (behind the scenes mapped to the generic AADL RT service PutValue).
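The currentTemp/fanCmd component of slides 14 and 15, together with the data-port versus event-port distinction of slide 5, as an added example in C that is not part of the presentation and not HAMR's generated code. It models the two AADL port kinds and the GetValue/PutValue run-time services under assumed C names (get_value, set_value, put_value, receive_event) and shows why application logic written only against those services stays platform-independent; the overflow check on the event queue is a constructed illustration of a failure mode, not a HAMR policy.

```c
/* Constructed model of AADL data/event-data port semantics and the RT services a component calls. */
#include <stdint.h>
#include <stddef.h>

#define QUEUE_SIZE 4
enum { FAN_OFF = 0, FAN_ON = 1 };

/* Data port: holds only the most recent value written; readers always see the latest sample. */
typedef struct { int32_t value; } data_port_t;
/* Event data port: bounded FIFO of payloads; every event is delivered in order unless the queue overflows. */
typedef struct { int32_t q[QUEUE_SIZE]; size_t head, count; } event_port_t;

/* Modelled run-time services (assumed names after the slide's GetValue/PutValue; not HAMR's generated API). */
int32_t get_value(const data_port_t *p) { return p->value; }
void set_value(data_port_t *p, int32_t v) { p->value = v; }
/* Returns 0 on success, -1 if the queue is full (the event is dropped and the caller is told). */
int put_value(event_port_t *p, int32_t payload) {
    if (p->count == QUEUE_SIZE) return -1;
    p->q[(p->head + p->count) % QUEUE_SIZE] = payload;
    p->count++;
    return 0;
}
/* Consumer side: returns 1 and stores the oldest payload in *out, or 0 if the queue is empty. */
int receive_event(event_port_t *p, int32_t *out) {
    if (p->count == 0) return 0;
    *out = p->q[p->head];
    p->head = (p->head + 1) % QUEUE_SIZE;
    p->count--;
    return 1;
}

/* The thermostat thread from the slide: currentTemp data port in, fanCmd event data port out. */
typedef struct { data_port_t current_temp; event_port_t fan_cmd; int32_t set_point; } thermostat_t;

/* Periodic dispatch body: platform-independent because it only touches the RT services above.
   Returns the command sent, or -1 if put_value reported an overflow. */
int32_t thermostat_dispatch(thermostat_t *t) {
    int32_t temp = get_value(&t->current_temp);
    int32_t cmd = (temp > t->set_point) ? FAN_ON : FAN_OFF;
    return put_value(&t->fan_cmd, cmd) == 0 ? cmd : -1;
}
```

Swapping the port structs for seL4 or Linux IPC-backed versions changes only the service bodies, not thermostat_dispatch, which is the platform-independence argument of slides 7 and 8.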
