Safety Guard: Runtime Enforcement for Safety-Critical Cyber-Physical Systems: Invited

Due to their safety-critical nature, cyber-physical systems (CPS) must tolerate faults and security attacks to remain fail-operational. However, conventional techniques for improving safety, such as testing and validation, do not meet this requirement, as shown by many of the real-world system failures in recent years, often with major economic and public-safety implications. We aim to improve the safety of critical CPS through synthesis of runtime enforcers, named safety guards, which are reactive components attached to the original systems to protect them against catastrophic failures. That is, even if the system occasionally malfunctions due to unknown defects, transient errors, or malicious attacks, the guard always reacts instantaneously to ensure that the combined system satisfies a predefined set of safety properties, and the deviation from the original system is kept to a minimum. We illustrate the main ideas of this approach with examples, discuss the advantages compared to existing approaches, and point out some research challenges.
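To make the enforcement idea concrete, the following is an added illustration written for this page; it is not code from the paper or its authors. It implements a minimal safety guard for a Boolean reactive system: a safety property is encoded as a small safety automaton, the guard observes each cycle's inputs and the output the system proposes, passes the output through when it is safe, and otherwise substitutes the safe output closest to the proposal (Hamming distance over the actuator signals), so the correction is applied in the same cycle and deviation is minimal. The property (a valve interlock plus a stop/reset motor rule), the signal names `motor`, `valve_a`, `valve_b`, `stop`, `reset`, and the misbehaving trace are all constructed for the example.

```python
"""Minimal runtime safety guard (shield) for a Boolean reactive system.

Added illustration, not code from the paper. The safety property, the
signal names and the sample trace are constructed for this example.
"""
from itertools import product

OUTPUT_NAMES = ("motor", "valve_a", "valve_b")   # actuator signals (assumed)
RUN, HALT = "RUN", "HALT"                        # states of the safety automaton


def safety_step(state, inputs, outputs):
    """One transition of the safety automaton.

    Returns the successor state, or None when (inputs, outputs) would violate
    the property from `state`. Encoded properties (constructed for this example):
      P1: valve_a and valve_b are never asserted in the same cycle;
      P2: in the cycle `stop` is asserted, and every cycle thereafter until
          `reset` is asserted, motor must be de-asserted.
    """
    if outputs["valve_a"] and outputs["valve_b"]:
        return None                                    # P1 violated
    if state == RUN:
        if inputs["stop"]:
            return None if outputs["motor"] else HALT  # P2: react in the same cycle
        return RUN
    # state == HALT: motor must stay off; reset releases the guard for the next cycle
    if outputs["motor"]:
        return None
    return RUN if inputs["reset"] else HALT


class SafetyGuard:
    """Tracks the automaton state and corrects unsafe outputs with minimal deviation."""

    def __init__(self):
        self.state = RUN
        self.corrections = 0

    def enforce(self, inputs, proposed):
        nxt = safety_step(self.state, inputs, proposed)
        if nxt is not None:
            self.state = nxt
            return dict(proposed)            # system output is safe: pass it through

        # Otherwise pick the safe output closest to the proposed one (Hamming
        # distance); ties favour the candidate that asserts fewer actuators.
        candidates = []
        for bits in product((False, True), repeat=len(OUTPUT_NAMES)):
            cand = dict(zip(OUTPUT_NAMES, bits))
            succ = safety_step(self.state, inputs, cand)
            if succ is None:
                continue
            distance = sum(cand[n] != proposed[n] for n in OUTPUT_NAMES)
            candidates.append((distance, sum(bits), cand, succ))
        if not candidates:
            raise RuntimeError("property is not enforceable from state %s" % self.state)
        _, _, chosen, succ = min(candidates, key=lambda c: (c[0], c[1]))
        self.corrections += 1
        self.state = succ
        return chosen


def run_trace(trace):
    """Feed (inputs, proposed_outputs) pairs through a fresh guard.

    Returns (enforced_outputs, number_of_corrections).
    """
    guard = SafetyGuard()
    enforced = [guard.enforce(inp, out) for inp, out in trace]
    return enforced, guard.corrections


def io(stop=False, reset=False, motor=False, valve_a=False, valve_b=False):
    """Build one (inputs, proposed outputs) pair of the constructed trace."""
    return ({"stop": stop, "reset": reset},
            {"motor": motor, "valve_a": valve_a, "valve_b": valve_b})


# Constructed trace: the "system" misbehaves in cycles 2, 3 and 6.
SAMPLE_TRACE = [
    io(motor=True, valve_a=True),        # 1: normal operation
    io(stop=True, motor=True),           # 2: motor left on despite stop
    io(motor=True, valve_a=True),        # 3: motor re-enabled before reset
    io(reset=True),                      # 4: operator reset
    io(motor=True),                      # 5: normal operation resumes
    io(valve_a=True, valve_b=True),      # 6: both valves commanded at once
]

if __name__ == "__main__":
    outputs, n = run_trace(SAMPLE_TRACE)
    for i, (step, out) in enumerate(zip(SAMPLE_TRACE, outputs), 1):
        flag = "" if out == step[1] else "  <- corrected by guard"
        print(i, out, flag)
    print("corrections:", n)
```

Two design points carry over from the paper's framing: the guard never blocks or delays the system, it only rewrites the current cycle's actuator values, and it must be applied to a property that is enforceable from every reachable automaton state (here the all-de-asserted output is always safe, so a correction always exists; the `RuntimeError` branch marks where a real synthesis step would reject an unenforceable specification).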
