Slide 1: Trustworthy Operation within Infrastructure-less Networked Embedded Systems
William M. Merrill, Sensoria Corporation
Control-Theoretic Approaches for Dynamic Information Assurance Working Meeting
University of California, Berkeley, CA
February 5, 2003
Slide 2: Networked Embedded Systems Evolution
• Past: Embedded Platforms
  – Typically single process, fixed functionality
  – Limited collaboration with a fixed infrastructure
• Future: Networked Embedded Platforms
  – Enabler: Moore's Law progress
  – Complex, high performance platforms
  – Diverse networking and field reconfigurability
  – Distributed, autonomous, and complex collaboration
  – Operating within enemy controlled areas
• New DoD challenges include
  – Next Generation Unattended Tactical Ground Sensors
  – Robotic Vehicles: UAVs, UGVs, FCS…
  – Next Generation Autonomous Munitions: Self Healing Minefield
Slide 3: Dynamic Networked Embedded Systems
• Embedded systems often provide dynamic connectivity
  – Often lack connection to an external infrastructure
• Any connections may be transient, unsecured, and/or non-existent
• Scale and application may require complete autonomy
  – Wireless connections to local peers may fluctuate
    • Mobile nodes
  – Peer-to-peer mobile ad-hoc networks (MANETs)
• Even static wireless links may change
  – Embedded nodes fail, are duty-cycled, or new nodes are added
Slide 4: Lack of an Energy Infrastructure
• In remotely deployed wireless systems, the lack of an energy infrastructure dictates capability
  – Battery operation: limited volume and weight
  – Solar or energy scavenging: limited energy budget
• Processing is more energy efficient than communication
  – Where possible, computation should be done locally
  – Communication is the highest energy burden
  – Propagation loss of R^-2 or steeper dictates that links with multiple hops save energy
[Figure: a multihop path compared with a direct link over range R]
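As an added worked example (not from the slides), the following Python quantifies the tradeoff the last bullet states: with loss scaling as R^-n for n ≥ 2, splitting a link of range R into k equal hops cuts radiated energy by k^(n-1), until a fixed relay cost per hop (an assumed constant, not a figure from the deck) outweighs the saving. The amplifier constant, overhead and distances are assumptions.

```python
"""Direct vs. multihop transmit energy under an R^-n path-loss model (added example,
not from the slides). Amplifier constant, hop overhead and distances are assumptions."""


def tx_energy(distance_m, exponent=2.0, k_amp=1.0):
    """Energy to reach a receiver at distance_m when loss scales as distance**-exponent,
    so the transmitter must radiate k_amp * distance**exponent (assumed model)."""
    return k_amp * distance_m ** exponent


def multihop_energy(total_m, hops, exponent=2.0, k_amp=1.0, per_hop_overhead=0.0):
    """Energy to cover total_m in `hops` equal-length hops; per_hop_overhead models the
    fixed receive/forward cost each relay pays (assumed constant per hop)."""
    hop_len = total_m / hops
    return hops * (tx_energy(hop_len, exponent, k_amp) + per_hop_overhead)


def energy_ratio(total_m, hops, exponent=2.0):
    """Direct-link energy divided by multihop energy with no overhead: equals hops**(exponent-1)."""
    return multihop_energy(total_m, 1, exponent) / multihop_energy(total_m, hops, exponent)


def best_hop_count(total_m, exponent, per_hop_overhead, max_hops=10):
    """Hop count with the lowest total energy once relay overhead is included; shows why
    splitting a link into ever more hops stops paying off."""
    costs = {h: multihop_energy(total_m, h, exponent, per_hop_overhead=per_hop_overhead)
             for h in range(1, max_hops + 1)}
    return min(costs, key=costs.get)


if __name__ == "__main__":
    for n in (2.0, 3.0, 4.0):
        print(f"exponent {n}: 4 hops over 100 m use 1/{energy_ratio(100, 4, n):.0f} of direct energy")
    print("best hop count with 3000 units overhead per hop, n=2:", best_hop_count(100, 2.0, 3000))
```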
Slide 5: Self Healing Minefield as an Example
• The Self Healing Minefield (SHM) provides an example of a dynamic embedded application requiring information assurance
  – Planned as an autonomous system
    • Default operational status requires no user intervention
    • In addition, must support an external query and control capability
  – Complex embedded system
    • Power and size constrained
  – Must operate in a dynamic environment
    • Nodes may appear/disappear at any time
• SHM is used to illustrate considerations for information assurance in networked embedded systems
Slide 6: [image] Dr. Tom Altshuler, Program Manager
Slide 7: [image]
Slide 8: SHM Dynamic System
[Diagram of system components:]
• Electromagnetics
• Acoustic Ranging
• Analog Sensor Interfaces
• Inertial Sensing
• Self-Assembled Networking
• Signal Processing
• Complex Distributed Computing
• Cooperative Ranging, Breach Detection
• Low Energy Systems
• Wireless Systems
• Healing Mobility
Slide 9: SHM Node
• Networked Embedded System
  – Volcano Mine (120 mm)
  – Hardware
    • 32-bit superscalar processor
    • 300 MIPS / 1.1 GFLOPS
    • Wireless
    • Acoustics
    • Sensors
    • Rocket motor systems (8)
  – Software
    • Linux 2.4 kernel
    • Distributed systems
    • Over 200 simultaneous processes
[Photo: Fort Leonard Wood, Missouri]
Slide 10: [Screenshot panels: Network Status, Geolocation Status, Mapping, Breach Detection, Healing; 1 m grid]
Slide 11: [Figure: Mines Selected, Mines Disabled]
Slide 12: Autonomous Healing [images]
Slide 13: [image]
Slide 14: SHM Robustness
• Within the system, multiple redundancies are in place to increase robustness
  – A soft-state software approach enables fault tolerance
    • Periodically update information even if not requested
    • Enable processes to operate off the latest information with or without requesting new information
    • Processes can communicate via language-independent device file interfaces, screening process interdependence
  – All nodes are redundant and have the same capabilities
    • Designed for a statistical response to a passing tank
• However, the previous development focus was on inadvertent information corruption, not adverse attacks
Slide 15: Example Vulnerabilities of SHM
• Autonomous network self-assembly
  – Supports the appearance and disappearance of nodes, complicating verification
  – Continuous connect/disconnect events
• Unique wireless networking issues for networked embedded systems
  – High-loss propagation environment
  – Multihop network required, with possibly high latency
  – Physical environment leads to intermittent, unpredictable operation
  – Variable availability, bandwidth, and latency
  – Communication limited by energy constraints
• Conventional authentication methods carry excessive payload
  – Physical layer jamming can impact:
    • RF communications
    • Acoustic ranging
• Operation dependent on cooperative behavior
  – Vulnerable to spoofing and/or DoS attacks
• External control and query capability desired
  – Users wish to clear a breach for friendly forces or collect status data
• Nodes operate in a region controlled by the opponent
Slide 16: Trustworthy Operation within SHM
• To operate effectively, each node needs to measure the reliability of the information it receives and define the information it needs
• To explore the vulnerabilities, the current capabilities of the system must be quantified
  – The SHM software emulator allows evaluation of system performance
    • Operates multiple software stacks in a desktop environment
    • Enables exploration of software vulnerabilities
  – Not every vulnerability can be determined, but general guidelines can be developed to establish trust metrics
• Trust is currently pre-determined
  – Installed at deployment
• Currently, demonstration nodes trust anyone and any node with the capability to communicate with them
• Trust must evolve through experience
  – Enables dynamic evolution from a starting point
  – Requires metrics to measure trust
Slide 17: SHM Observability Definitions for IA & S
• What do the nodes need to monitor and measure to support their application?
  – Must monitor their own and their neighbors' capability to respond to an enemy tank
    • Currently detected through periodic heartbeat packets, including the processes operating on each node
    • Monitor neighbors' status to detect a "breach" in the field
    • Monitor orientation and tamper status
    • Maintain synchronization with neighbors to enable geolocation
      – May be utilized to coordinate response to a trust failure
    • Monitor own and neighbors' energy remaining
      – Or, as power saving is added, neighbors
    • Monitor magnetic sensors to detect a passing tank
  – Each node monitors its operational processes
    • Watch communication, processing, and memory usage
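The soft-state approach of slide 14 and the heartbeat-driven monitoring of slide 17, as an added example that is not SHM code: each neighbor's entry is refreshed only by its periodic heartbeat and silently expires when heartbeats stop, so a vanished neighbor surfaces as a breach candidate, while a heartbeat whose process list, energy level or tamper flag looks wrong marks the node as degraded. The process names, the 30 s timeout and the 20 % energy floor are assumptions, and the heartbeat sequence is constructed.

```python
"""Soft-state neighbor monitor fed by periodic heartbeat packets (added example,
not SHM code). Process names, timeout and energy floor are assumptions."""

REQUIRED_PROCESSES = frozenset({"netmgr", "geoloc", "magsense", "heal"})  # assumed names
LOW_ENERGY_PCT = 20.0  # assumed floor below which a neighbor is reported degraded


class NeighborMonitor:
    def __init__(self, timeout_s):
        self.timeout_s = timeout_s
        self.table = {}  # node_id -> latest heartbeat contents

    def on_heartbeat(self, node_id, now, processes, energy_pct, tamper=False):
        # Soft state: the heartbeat is the only refresh; there is no teardown message.
        self.table[node_id] = {"seen": now, "procs": frozenset(processes),
                               "energy": energy_pct, "tamper": tamper}

    def expire(self, now):
        """Drop neighbors whose heartbeats stopped; return their IDs (breach candidates)."""
        stale = sorted(n for n, s in self.table.items() if now - s["seen"] > self.timeout_s)
        for n in stale:
            del self.table[n]
        return stale

    def assess(self):
        """Classify each live neighbor from its latest heartbeat: 'ok' or 'degraded(...)'."""
        report = {}
        for n, s in self.table.items():
            reasons = []
            missing = REQUIRED_PROCESSES - s["procs"]
            if missing:
                reasons.append("missing:" + ",".join(sorted(missing)))
            if s["energy"] < LOW_ENERGY_PCT:
                reasons.append("low-energy")
            if s["tamper"]:
                reasons.append("tamper")
            report[n] = "ok" if not reasons else "degraded(" + ";".join(reasons) + ")"
        return report


def demo():
    """Constructed heartbeats: n2 falls silent, n3 loses 'heal', runs low and reports tamper."""
    mon = NeighborMonitor(timeout_s=30)
    mon.on_heartbeat("n1", 0, REQUIRED_PROCESSES, 80)
    mon.on_heartbeat("n2", 0, REQUIRED_PROCESSES, 90)
    mon.on_heartbeat("n3", 15, REQUIRED_PROCESSES - {"heal"}, 15, tamper=True)
    mon.on_heartbeat("n1", 20, REQUIRED_PROCESSES, 78)
    gone = mon.expire(now=40)  # n2 last seen 40 s ago, beyond the 30 s timeout
    return gone, mon.assess()
```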
Slide 18: SHM Adaptability for IA & S
• How can nodes adapt to increase system survivability and information assurance?
  – The local network can re-form as links change
    • Currently adapts if nodes appear or disappear
    • May route around untrusted locations or nodes
    • Network provides multiple redundant paths between most nodes
  – Nodes may collaborate to build or deny trust
    • Multi-hop networks provide multiple redundant paths between nodes
    • Each node monitors its neighbors continuously
    • May warn external users if errant nodes are detected
    • Increase or adapt security measures between trusted nodes
  – Redundant operation at multiple levels
    • Each node includes the same capabilities
    • System designed for graceful degradation
Slide 19: Summary
• New and fundamental tradeoffs
  – Energy, latency, bandwidth, and payload constraints
  – Increasing complexity
  – Unpredictable connectivity
  – Direct conflicts with conventional approaches
  – May not rely on an external infrastructure
• Dynamic Networked Embedded Systems
  – Self-Organization and Healing
  – Dynamic Operations
  – Management and Control
  – Reconfigurability
  – Energy
• The Self-Healing Minefield offers an example embedded system requiring a high level of operational trust