RV-ECU: Maximum Assurance In-Vehicle Safety Monitoring

The Runtime Verification ECU (RV-ECU) is a new development platform for checking and enforcing the safety of automotive bus communications and software systems. RV-ECU uses runtime verification, a subfield of formal analysis geared toward validating and verifying systems as they run, to ensure that all manufacturer and third-party safety specifications are complied with during the operation of the vehicle. By compiling formal safety properties into code using a certifying compiler, the RV-ECU executes only provably correct code that checks for safety violations as the system runs. RV-ECU can also recover from violations of these properties, either by itself in simple cases or together with safe message-sending libraries implementable on third-party control units on the bus. RV-ECU can be updated with new specifications after a vehicle is released, enhancing the safety of vehicles that have already been sold and deployed. Currently a prototype, RV-ECU is meant to eventually be deployed as global and local ECU safety monitors, ultimately responsible for the safety of the entire vehicle system. We describe its overall architecture and implementation, and demonstrate monitoring of safety specifications on the CAN bus. We use past automotive recalls as case studies to demonstrate the potential of updating the RV-ECU as a cost-effective and practical alternative to software recalls, while requiring the development of rigorous, formal safety specifications easily sharable across manufacturers, OEMs, regulatory agencies and even car owners.

INTRODUCTION

Modern automobiles are highly computerized, with 70 to 100 complex and interconnected electronic control units responsible for the operation of automotive systems, and roughly 35 to 40 percent of the development cost of modern automobiles going towards software. In the next 10 years this number is expected to jump to between 50 and 80 percent, and even higher for hybrid vehicles. This will only be more true with the advent of autonomous vehicles [1, 2]. It is not surprising, then, that the automotive industry suffers from nearly every possible software fault and resulting error. Many related stories have recently been featured in the news, including cases where cars were hacked and remotely controlled, brakes and engine included, with driver input ignored entirely. In some cases prior physical access to the car was needed; in others the car was not even touched. Massive automobile recalls in the past few years have been caused by software bugs, costing billions [3, 4, 5, 6, 7, 8, 9]. Moreover, almost 80 percent of car innovations currently come from computer software, which has therefore become the major contributor of value in cars [1]. As software becomes more and more integral to the function and economics of vehicles, the safety and security of car software has taken center stage.

LIMITATIONS OF CURRENT APPROACHES

Traditional software development quality processes rely on static analysis tools and techniques to improve the quality, security and reliability of their code. Static
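As an added illustration, not code from the RV-ECU project, the following hand-written C shows the shape of monitor a certifying compiler would emit from one formal property: a small automaton over CAN frames checking the hypothetical property "brake pressed implies throttle must be zero within 50 ms and stay zero while braking", returning a verdict the enforcement point can act on. The frame layout, the IDs 0x0A0 and 0x0B0, the 50 ms window and the trace are all constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed CAN frame layout and IDs: hypothetical, not taken from the paper. */
typedef struct { uint32_t id; uint8_t dlc; uint8_t data[8]; uint32_t ts_ms; } can_frame;
#define ID_BRAKE    0x0A0u  /* data[0] != 0 means brake pedal pressed */
#define ID_THROTTLE 0x0B0u  /* data[0] is requested throttle, 0..100 */
#define GRACE_MS    50u     /* throttle must reach 0 within this window after braking */

typedef enum { MON_IDLE, MON_BRAKING } mon_state;
typedef enum { VERDICT_OK, VERDICT_VIOLATION } verdict;
typedef struct { mon_state state; uint32_t brake_ts; unsigned violations; } monitor;

void monitor_init(monitor *m) { m->state = MON_IDLE; m->brake_ts = 0; m->violations = 0; }

/* One step of the monitor automaton. VERDICT_VIOLATION is returned on the offending
 * frame so an enforcement point (the RV-ECU itself, or a safe message-sending library
 * on the sending ECU) can drop or override it: the recovery step the abstract describes. */
verdict monitor_step(monitor *m, const can_frame *f) {
    if (f->id == ID_BRAKE && f->dlc >= 1) {
        if (f->data[0] == 0) m->state = MON_IDLE;                  /* pedal released */
        else if (m->state == MON_IDLE) { m->state = MON_BRAKING; m->brake_ts = f->ts_ms; }
        return VERDICT_OK;
    }
    if (f->id == ID_THROTTLE && f->dlc >= 1 && m->state == MON_BRAKING &&
        f->data[0] != 0 && (uint32_t)(f->ts_ms - m->brake_ts) > GRACE_MS) {
        m->violations++;
        return VERDICT_VIOLATION;
    }
    return VERDICT_OK;
}

/* Feed a whole trace through a fresh monitor; returns how many frames were flagged. */
unsigned run_trace(const can_frame *trace, size_t n) {
    monitor m;
    monitor_init(&m);
    for (size_t i = 0; i < n; i++) (void)monitor_step(&m, &trace[i]);
    return m.violations;
}

/* Constructed trace: throttle 30% at t=120 is inside the grace window (OK), the same
 * throttle at t=160 is 60 ms after braking (violation), and after release it is fine. */
static const can_frame SAMPLE[] = {
    { ID_THROTTLE, 1, {30}, 0 }, { ID_BRAKE, 1, {1}, 100 }, { ID_THROTTLE, 1, {30}, 120 },
    { ID_THROTTLE, 1, {30}, 160 }, { ID_BRAKE, 1, {0}, 200 }, { ID_THROTTLE, 1, {40}, 210 },
};
unsigned sample_violations(void) { return run_trace(SAMPLE, sizeof SAMPLE / sizeof SAMPLE[0]); }

int main(void) { printf("flagged frames: %u\n", sample_violations()); return 0; }
```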

REFERENCES

[1] Tiziana Margaria et al. Tools and algorithms for the construction and analysis of systems: a special issue for TACAS 2017, 2001, International Journal on Software Tools for Technology Transfer.

[2] Xavier Leroy et al. Formal C Semantics: CompCert and the C Standard, 2014, ITP.

[3] Marco Caccamo et al. BusMOP: a Runtime Monitoring Framework for PCI Peripherals, 2008.

[4] Edmund M. Clarke et al. Characterizing Correctness Properties of Parallel Programs Using Fixpoints, 1980, ICALP.

[5] Claude Kirchner et al. Weaving rewrite-based access control policies, 2007, FMSE '07.

[6] Alwyn E. Goodloe et al. Copilot: A Hard Real-Time Runtime Monitor, 2010, RV.

[7] Thomas Kropf et al. Introduction to Formal Hardware Verification, 1999, Springer Berlin Heidelberg.

[8] Yliès Falcone et al. Runtime Verification and Enforcement for Android Applications with RV-Droid, 2012, RV.

[9] Alex Groce et al. Rule Systems for Runtime Verification: A Short Tutorial, 2009, RV.

[10] Grigore Rosu et al. Monitoring programs using rewriting, 2001, Proceedings 16th Annual International Conference on Automated Software Engineering (ASE 2001).

[11] Dawson R. Engler et al. Static Analysis versus Software Model Checking for Bug Finding, 2004, VMCAI.

[12] Oleg Sokolsky et al. Runtime Verification, 7th International Workshop, RV 2007, Vancouver, Canada, March 13, 2007, Revised Selected Papers, 2007, RV.

[13] Amir Pnueli et al. PSL Model Checking and Run-Time Verification Via Testers, 2006, FM.

[14] Grigore Rosu et al. Parametric Trace Slicing and Monitoring, 2009, TACAS.

[15] Inria Paris-Rocquencourt et al. The CompCert C verified compiler, 2015.

[16] William A. Arbaugh et al. Copilot - a Coprocessor-based Kernel Runtime Integrity Monitor, 2004, USENIX Security Symposium.

[17] Frank Piessens et al. Security Monitor Inlining for Multithreaded Java, 2009, ECOOP.

[18] Insup Lee et al. Monitoring, Checking, and Steering of Real-Time Systems, 2002, Electron. Notes Theor. Comput. Sci.

[19] Yong Sheng et al. Formal Verification of Fault-Tolerant and Recovery Mechanisms for Safe Node Sequence Protocol, 2014, 2014 IEEE 28th International Conference on Advanced Information Networking and Applications.

[20] Grigore Rosu et al. Hardware Runtime Monitoring for Dependable COTS-Based Real-Time Embedded Systems, 2008, 2008 Real-Time Systems Symposium.

[21] Shinichi Shiraishi et al. Test suites for benchmarks of static analysis tools, 2015, 2015 IEEE International Symposium on Software Reliability Engineering Workshops (ISSREW).

[22] Grigore Rosu et al. Electronic Notes in Theoretical Computer Science: Preface, 2001.

[23] Anderson Santana de Oliveira et al. Rewrite Based Specification of Access Control Policies, 2009, Electron. Notes Theor. Comput. Sci.

[24] Volker Stolz et al. Temporal Assertions using AspectJ, 2006, Electron. Notes Theor. Comput. Sci.

[25] Ondrej Lhoták et al. Collaborative Runtime Verification with Tracematches, 2010, J. Log. Comput.

[26] Radu Grosu et al. Aspect-Oriented Instrumentation with GCC, 2010, RV.

[27] Grigore Rosu et al. Mop: an efficient and generic runtime verification framework, 2007, OOPSLA.

[28] Aaron Kane et al. Runtime Monitoring for Safety-Critical Embedded Systems, 2015.

[29] Howard Barringer et al. Internal versus External DSLs for Trace Analysis (Extended Abstract), 2011, RV.

[30] Dilian Gurov et al. Provably correct runtime monitoring, 2008, J. Log. Algebraic Methods Program.

[31] Christel Baier et al. Principles of model checking, 2008.

[32] Shin'ichi Shiraishi et al. Automotive System Development Based on Collaborative Modeling Using Multiple ADLs, 2011.

[33] Úlfar Erlingsson et al. SASI enforcement of security policies: a retrospective, 1999, NSPW '99.

[34] Christof Fetzer et al. Automatically Tolerating Arbitrary Faults in Non-malicious Settings, 2013, 2013 Sixth Latin-American Symposium on Dependable Computing.

[35] Martin Leucker et al. The Good, the Bad, and the Ugly, But How Ugly Is Ugly?, 2007, RV.