Fault Tolerance - Applied Physics Laboratory
flightsoftware.jhuapl.edu/files/2015/Day-1/For_PC_FFT...
Post on 16-Jul-2020
Flight Software Workshop 10/26/2015 ©Fault Tolerant Technology ft@ft-technology.com 1
Fault Tolerance
United 737/800 Hacked
“PASS OXYGEN ON anyone?”
Virology 101
“Although particular virus attacks may be guarded against, no general defense within one domain of reference is possible; viruses are a natural consequence of a stored-program computation.”
Douglas McIlroy, Bell Laboratories, 1989
Multi-Domain Architecture
Multi-Domain Architecture
Fault Tolerant – Hardware and Software
Component Failure Analysis
Virus Prevention at Multiple Levels
What is Multi-Domain Architecture
Divides a system into two parts (Domains):
1. Computation (DID)
2. Housekeeping (PAD)
It's an architecture.
Can use any old COTS parts and it still works.
All of the existing software still works.
Graphical Illustration
Von Neumann Architecture
[Diagram: Von Neumann single-domain system. One CPU (Control Unit, Accumulator, Arithmetic Logic Unit), Input, Output, and Mem-1 to Mem-6. The System owns the Scheduling (Job & Thread), the Data & Instruction Address Space and the Control Signals (interrupts). Single Domain.]
Multi-Domain
[Diagram: Multi-Domain system. The PAD Controller (System Controller) owns the Control Signals, the Scheduling and the Address Space; the DID keeps the Data & Instruction; a PAD Virtualizer (Scheduler Relay) sits between the two on the Address Space.]
Comparison: Single Domain vs. Multiple Domain
[Diagram: layer comparison. Multiple Domain stack: User Layer (Applications); Kernel Layer (Scheduler, Virtual Memory, Virtual File System, Inter Process Communication, Device Driver, Dispatcher); Physical Layer (CPU, Memory, I/O), plus an MDA Switch and a Meta Controller. Single Domain stack: User Layer (Applications); Kernel Layer (Virtual File System, Inter Process Communication, Scheduler, Virtual Memory, Device Driver, Dispatcher); Physical Layer (CPU, memory, I/O).]
Block Diagram
[Block diagram: Mentor Controller with a KAC table (Proc, PC, CPU, Memory/Notes); Input, Output and Memory Mem-1 to Mem-6; two CPUs (each with Control Unit, Arithmetic Unit, Accumulator) joined through the MDA Switch; Run Time RBAC.]
Multi-Domain Architecture
Doesn’t do anything different
Does them differently
Does things single domain can’t do
FEATURES
• Hardware Fault Tolerant
• Software Fault Tolerant
• Virus Prevention
Attack Triangle
HOW / WHEN / WHERE
DID (HOW); PAD (WHEN); PAD (WHERE)
FEATURES
• Hardware Fault Tolerant
• Software Fault Tolerant
• Virus Prevention
• Fault isolation
• Reconfigurable HW and SW
• Combinatorial Mathematics
Simultaneous Failures
Hardware Failure
Virus Problem
Graphical Example
Graeco Latin Square Analysis
[Figure, built up across a run of slides: Meta Controller with a KAC table (Proc, PC, CPU, Memory/Notes); hardware CPU-0 to CPU-3, Mem-0 to Mem-3, Display-0 to Display-2, Input and Output; processes P-0 to P-2. Two 3×3 Graeco-Latin Squares, labelled Process Time and Hardware, have rows P-0, P-1, P-2 and columns CPU-3, CPU-2, CPU-0. On the final slide one square reads 265 265 265 / 265 265 265 / 93 93 93 and the other reads 155 52 52 / 52 155 52 / 52 52 155; the values 265, 265 and 93 also appear next to the memory list.]
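As an added illustration (not the presenter's analysis and not code from the deck), the following shows how a Graeco-Latin square of order 3 spreads process-on-CPU runs over memories and displays so that every component takes part in exactly three runs, and how the pattern of failed runs then isolates a faulty component. The cyclic construction, the mapping of rows, columns and symbols to processes, CPUs, memories and displays, and the pass/fail fault model are assumptions made here.

```python
from itertools import combinations, product

N = 3  # order of the square: 3 processes, 3 CPUs, 3 memories, 3 displays (assumed)

def graeco_latin_square(n=N):
    """Two orthogonal Latin squares of odd order n (cyclic construction).
    Cell (i, j) = process P-i run on CPU-j, using Mem-latin[i][j] and Display-greek[i][j]."""
    latin = [[(i + j) % n for j in range(n)] for i in range(n)]
    greek = [[(i + 2 * j) % n for j in range(n)] for i in range(n)]
    return latin, greek

def is_orthogonal(latin, greek):
    """Orthogonal: every (latin, greek) symbol pair occurs in exactly one cell."""
    n = len(latin)
    pairs = {(latin[i][j], greek[i][j]) for i in range(n) for j in range(n)}
    return len(pairs) == n * n

def component_runs(n=N):
    """Map each component to the set of (process, cpu) runs it takes part in.
    Each component appears in exactly n runs, and any two components of different
    kinds share exactly one run, which is what makes faults separable."""
    latin, greek = graeco_latin_square(n)
    runs = {}
    for i, j in product(range(n), repeat=2):
        for name in (f"P-{i}", f"CPU-{j}", f"Mem-{latin[i][j]}", f"Display-{greek[i][j]}"):
            runs.setdefault(name, set()).add((i, j))
    return runs

def failed_runs(faulty, runs):
    """Constructed fault model: a run fails iff it involves at least one faulty component."""
    return frozenset().union(*(runs[c] for c in faulty))

def isolate(failed, runs):
    """Return the smallest component sets whose failure signature matches `failed`.
    A single element in the result means the fault has been isolated unambiguously."""
    for k in range(1, len(runs) + 1):
        hits = [set(c) for c in combinations(runs, k) if failed_runs(c, runs) == failed]
        if hits:
            return hits
    return []

def ambiguous_fault_sets(max_faults, n=N):
    """Count failure signatures produced by more than one fault set of size <= max_faults."""
    runs = component_runs(n)
    seen = {}
    for k in range(1, max_faults + 1):
        for faulty in combinations(runs, k):
            seen.setdefault(failed_runs(faulty, runs), []).append(set(faulty))
    return sum(1 for candidates in seen.values() if len(candidates) > 1)
```

With order 3 every single and every double component fault produces a distinct failure pattern (`ambiguous_fault_sets(2)` is 0), so nine runs suffice to name the faulty part; with three simultaneous faults the patterns start to overlap.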
Single Domain vs. Multi Domain
Single Domain:
• Fixed System: limited fault analysis
• Virus Protection: 35 year legacy
• Computational Speed: CPU does all the work
• Software: the standard
Multi Domain:
• Reconfigurable System: component level analysis
• Virus Protection: disjoint domains, secure communications, reconfigurable system
• Computational Speed: overhead on separate RISC
• Software: no change / instruction sets, updates protection
Multi-Domain Architecture
Q&A