Todd Carpenter, Chief Engineer, Adventium Labs
Dr. John Hatcliff, Dr. Robby, Kansas State University
This material is based on research sponsored by the Department of Homeland Security (DHS) Science and Technology Directorate, Homeland Security Advanced Research Projects Agency (HSARPA), Cyber Security Division (DHS S&T/HSARPA/CDS) BAA HSHQDC‐14‐R‐B0005, the Government of Israel and the National Cyber Bureau in the Government of Israel via contract number D16PC00057. The views and conclusions contained herein are those of the authors and should not be interpreted as necessarily representing the official policies or endorsements, either expressed or implied, of the Department of Homeland Security, the U.S. Government, the Government of Israel or the National Cyber Bureau in the Government of Israel.
Modeling, Analysis, and Code Generation for Applications Targeting seL4
This work is supported by the Air Force Research Laboratory under Contract No. FA8750‐19‐C‐0527. The views, opinions and/or findings contained in this presentation are those of the authors and should not be construed as an official Air Force Research Laboratory position.
This work is supported by DARPA under CASE. The views, opinions and/or findings contained in this presentation are those of the authors and should not be construed as an official DARPA position.
Agenda
• Starting point – seL4‐based cyber‐physical‐system
• Deployment Challenges – the need
• Modeling and Code Generation – the approach
• System‐level Analysis and Integration – the benefits
file system storage
– Secure logging, remote drug library update, network time protocol
• Highly disaggregated platform – no VM
• Genode (18.08) on seL4 or NOVA
• seL4 total image size: ~47MB
• Intel x86, Intel Atom, QEMU, VirtualBox
• Auto‐generated C++ for safety‐critical component
• Auto‐generated Genode configuration from AADL
• Continuous integration development
Resources
• Data Bandwidth
• CPU Bandwidth
• Memory
• Power
• Weight
Increase key length
→ Increases CPU demand
→ Which increases WCET
→ Impacts temporal correctness
→ New hazard
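The chain on this slide worked through in numbers, as an added example that is not part of the original deck: a constructed rate-monotonic thread set checked with standard fixed-priority response-time analysis, once with the authentication thread's baseline WCET and once with the larger WCET a longer key would cost. Thread names, periods and WCETs are assumptions; the 5 Hz rate matches the periodic dispatch example later in the deck.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed example (not the project's analysis tooling): response-time analysis over a
 * rate-monotonic thread set, showing how a larger WCET caused by a longer key turns a
 * schedulable set into a deadline miss. All times are in ms; deadline = period. */
typedef struct { const char *name; uint32_t period_ms; uint32_t wcet_ms; } task_t;

static uint32_t ceil_div(uint32_t a, uint32_t b) { return (a + b - 1) / b; }

/* Worst-case response time of tasks[i]; tasks are sorted by period ascending, so every
 * j < i has higher priority. Iterates R = C_i + sum_j ceil(R / T_j) * C_j until it
 * converges or exceeds the deadline, and returns the final R either way. */
uint32_t response_time(const task_t *tasks, size_t i) {
    uint32_t r = tasks[i].wcet_ms;
    for (;;) {
        uint32_t next = tasks[i].wcet_ms;
        for (size_t j = 0; j < i; j++)
            next += ceil_div(r, tasks[j].period_ms) * tasks[j].wcet_ms;
        if (next == r || next > tasks[i].period_ms) return next;
        r = next;
    }
}

/* True when every thread's worst-case response time fits within its period. */
bool schedulable(const task_t *tasks, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (response_time(tasks, i) > tasks[i].period_ms) return false;
    return true;
}

/* Constructed thread set: an authentication thread whose WCET grows with key length,
 * a 10 Hz sensor thread, and the 5 Hz periodic control thread from the dispatch slide. */
#define NTASKS 3
static const task_t baseline[NTASKS] = {
    {"authenticate (short key)", 50, 10}, {"sensor", 100, 20}, {"control (5 Hz)", 200, 60}};
static const task_t longer_key[NTASKS] = {
    {"authenticate (long key)", 50, 35}, {"sensor", 100, 20}, {"control (5 Hz)", 200, 60}};
```

With the short key the control thread responds in 100 ms of its 200 ms period; with the long key the extra interference pushes it past 200 ms, which is the temporal hazard the chain above describes.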
AADL supports virtual integration on Joint Multi‐Role Future Vertical Lift
MILS, RMF, MAILLE (future)
Architecture Analysis & Design Language (AADL)
• Originated from DARPA, Standardized by SAE in 2004 (SAE AS 5506)
• Enables architectural analysis to predict the effects of integrating software, hardware and system components
• Strong, well‐defined semantics promotes model exchange and reuse
• Deferred specification makes AADL easy to use throughout the design lifecycle
• Annexes address:
– ARINC 653
– Behavior
– Communication
– Code Generation
– Error Modeling (Safety)
– Requirements
– Security
Example data modeling concerns
• Which altitude
• Units
• Representation
AADL
Example system integration concerns
• Temporal and spatial separation
• Communications mechanism
• Dispatch model
• Information flow
• Rates
• Latency
• Dispatch state
Selection of dispatch protocol property specifies the component structure and the infrastructure code linking the communication and scheduler to the component business logic.
The run‐time system invokes a user‐programmed method timeTriggered() at regular intervals as specified via the PERIOD property.
Periodic
Sporadic
Events from other threads
inP1: in event port
inP2: in event data port
The run‐time system invokes a user‐programmed method handle<port name>(…) upon the arrival of an event at the associated port.
properties
  Dispatch_Protocol => Periodic;
  Period => 5 Hz;

properties
  Dispatch_Protocol => Sporadic;
  Period => 20 Hz;
Formal semantics support both analysis and generation
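A constructed sketch, added here and not the project's generated code, of the infrastructure a generator emits around the two dispatch protocols on the slide: a 1 ms scheduler tick releases timeTriggered() every period for the Periodic thread, and dispatches the Sporadic thread's handle_inP1()/handle_inP2() one event at a time, never closer together than the minimum inter-arrival time that its Period property denotes. The queue depth, the drop-newest overflow choice and serving inP1 before inP2 are assumptions of this sketch.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
/* Constructed sketch (not the project's generated code) of generated dispatch infrastructure:
 *   Periodic: timeTriggered() is released every Period (5 Hz = 200 ms);
 *   Sporadic: handle_<port>() runs when an event arrives, and Period (20 Hz = 50 ms)
 *             is the minimum inter-arrival time between two sporadic dispatches. */
#define PERIODIC_PERIOD_MS  200u
#define SPORADIC_MIN_IAT_MS  50u
#define INP2_QUEUE_SIZE       4   /* assumed queue depth of the in event data port */
typedef struct { uint32_t next_release_ms, dispatches; } periodic_thread_t;
typedef struct {
    bool     dispatched_once;
    uint32_t last_dispatch_ms, inP1_pending;   /* inP1: in event port, count of queued events */
    int      inP2_queue[INP2_QUEUE_SIZE];      /* inP2: in event data port, queued payloads */
    size_t   inP2_count;
    uint32_t handled_inP1, handled_inP2;
    int      last_inP2_value;
} sporadic_thread_t;
/* Business logic the developer writes; the generated infrastructure only calls it. */
static void timeTriggered(periodic_thread_t *t) { t->dispatches++; }
static void handle_inP1(sporadic_thread_t *t) { t->handled_inP1++; }
static void handle_inP2(sporadic_thread_t *t, int v) { t->handled_inP2++; t->last_inP2_value = v; }

/* Periodic thread: release timeTriggered() whenever the next period boundary is reached. */
void periodic_tick(periodic_thread_t *t, uint32_t now_ms) {
    if (now_ms >= t->next_release_ms) { timeTriggered(t); t->next_release_ms += PERIODIC_PERIOD_MS; }
}

/* Communication side: other threads deliver events into the sporadic thread's ports. */
void inP1_put(sporadic_thread_t *t) { t->inP1_pending++; }
bool inP2_put(sporadic_thread_t *t, int v) {            /* false: queue full, event dropped */
    if (t->inP2_count == INP2_QUEUE_SIZE) return false;   /* drop-newest is this sketch's choice */
    t->inP2_queue[t->inP2_count++] = v;
    return true;
}

/* Sporadic thread: one dispatch consumes one queued event, never sooner than the minimum
 * inter-arrival time after the previous dispatch. Serving inP1 before inP2 is an assumption. */
bool sporadic_tick(sporadic_thread_t *t, uint32_t now_ms) {
    if (t->inP1_pending == 0 && t->inP2_count == 0) return false;
    if (t->dispatched_once && now_ms - t->last_dispatch_ms < SPORADIC_MIN_IAT_MS) return false;
    if (t->inP1_pending > 0) { t->inP1_pending--; handle_inP1(t); }
    else {
        int v = t->inP2_queue[0];
        for (size_t i = 1; i < t->inP2_count; i++) t->inP2_queue[i - 1] = t->inP2_queue[i];
        t->inP2_count--;
        handle_inP2(t, v);
    }
    t->last_dispatch_ms = now_ms; t->dispatched_once = true;
    return true;
}
```

A burst of three events therefore takes 100 ms to drain at 20 Hz, which is exactly the bound the scheduling analysis relies on.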
Current Status
• Model‐driven reference separation architecture provides strong foundation for safety and security
• Analysis and reporting tools for regulatory artifacts reduce burden on manufacturers and reviewers
• Code generation from AADL to CAmkES and C
• Code generation can be factored through Slang, a safety‐critical subset of Scala, to provide automated source code verification and integration with JVM‐based languages like Java and Scala
• Flexible backend can support a variety of middleware and platform targets
• Ongoing focus on information flow analysis (DARPA CASE, AFRL MAILLE)