1 Trustworthy Operation within Infrastructure-less Networked Embedded Systems William M. Merrill Sensoria Corporation Control-Theoretic Approaches for Dynamic Information Assurance Working Meeting University of California, Berkeley, CA February 5, 2003


Page 1: 1 Trustworthy Operation within Infrastructure-less Networked Embedded Systems William M. Merrill Sensoria Corporation Control-Theoretic Approaches for.


Trustworthy Operation within Infrastructure-less Networked

Embedded Systems

William M. Merrill, Sensoria Corporation

Control-Theoretic Approaches for Dynamic Information Assurance Working Meeting

University of California, Berkeley, CA

February 5, 2003

Page 2

Networked Embedded Systems Evolution

• Past: Embedded Platforms
  – Typically single process, fixed functionality
  – Limited collaboration with a fixed infrastructure

• Future: Networked Embedded Platforms
  – Enabler: Moore's Law progress
  – Complex, high performance platforms
  – Diverse networking and field reconfigurability
  – Distributed, autonomous, and complex collaboration
  – Operating within enemy controlled areas

• New DoD challenges include
  – Next Generation Unattended Tactical Ground Sensors
  – Robotic Vehicles: UAV, UGVs, FCS…
  – Next Generation Autonomous Munitions: Self Healing Minefield

Page 3

Dynamic Networked Embedded Systems

• Embedded systems often provide dynamic connectivity
  – Often lack connection to an external infrastructure
    • Any connections may be transient, unsecured, and/or non-existent
    • Scale and application may require complete autonomy
  – Wireless connections to local peers may fluctuate
    • Mobile nodes
    • Peer-to-peer mobile ad-hoc networks (MANETs)
  – Even static wireless links may change
    • Embedded nodes fail, are duty-cycled, or new nodes are added

Page 4

Lack of an Energy Infrastructure

• In remotely deployed wireless systems, the lack of an energy infrastructure dictates capability
  – Battery operation: limited volume and weight
  – Solar or energy scavenging: limited energy budget

• Processing is more energy efficient than communication
  – Where possible, computation should be done locally
  – Communication is the highest energy burden
  – Propagation loss steeper than R^-2 dictates that links with multiple hops save energy

[Figure: multihop path vs. direct link over distance R]
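As an added illustration of the multihop energy argument on this slide (not code from the Sensoria slides), a first-order radio energy model: each hop pays a fixed electronics cost plus an amplifier term growing as distance^n. All constants are assumed. It shows that short links favour a direct transmission while steeper loss exponents favour more hops.

```python
# Added example (not from the slides): first-order radio energy model for the
# direct-vs-multihop tradeoff. Constants are assumed for illustration only.
E_ELEC = 50e-9   # J/bit spent by transmitter or receiver electronics per hop (assumed)
E_AMP = 100e-12  # J/bit/m^n amplifier cost, scaling with distance^n (assumed)


def hop_energy(d: float, n: float, bits: int = 1) -> float:
    """Energy to move `bits` across one hop of length d with path-loss exponent n:
    sender electronics + amplifier term, plus receiver electronics."""
    return bits * (2 * E_ELEC + E_AMP * d ** n)


def path_energy(R: float, hops: int, n: float, bits: int = 1) -> float:
    """Energy for total distance R relayed over `hops` equal-length hops."""
    return hops * hop_energy(R / hops, n, bits)


def best_hop_count(R: float, n: float, max_hops: int = 32) -> int:
    """Hop count minimising end-to-end energy for distance R and exponent n."""
    return min(range(1, max_hops + 1), key=lambda k: path_energy(R, k, n))


def multihop_saving(R: float, n: float) -> float:
    """Fraction of the direct-link energy saved by the best relayed path (0 if none)."""
    direct = path_energy(R, 1, n)
    best = path_energy(R, best_hop_count(R, n), n)
    return 1.0 - best / direct


if __name__ == "__main__":
    # Short link: direct wins; 100 m at n=2: three hops; n=4: many more hops
    for R, n in ((10.0, 2.0), (100.0, 2.0), (100.0, 4.0)):
        k = best_hop_count(R, n)
        print(f"R={R:>5} m, n={n}: best {k} hop(s), saves {multihop_saving(R, n):.0%}")
```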

Page 5

Self Healing Minefield as an Example

• The Self Healing Minefield (SHM) provides an example of a dynamic embedded application requiring information assurance
  – Planned as an autonomous system
    • Default operational status requires no user intervention
    • In addition, must support an external query and control capability
  – Complex embedded system
    • Power and size constrained
  – Must operate in a dynamic environment
    • Nodes may appear/disappear at any time

• SHM used to illustrate considerations for information assurance in networked embedded systems

Page 6

Dr. Tom Altshuler Program Manager

Page 7

Page 8

SHM Dynamic System

[Figure: SHM Dynamic System component diagram: Electromagnetics; Acoustic Ranging; Analog Sensor Interfaces; Inertial Sensing; Self-Assembled Networking; Signal Processing; Complex Distributed Computing; Cooperative Ranging; Breach Detection; Low Energy Systems; Wireless Systems; Healing Mobility]

Page 9

SHM Node

• Networked Embedded System
  – Volcano Mine (120 mm)
  – Hardware
    • 32-bit superscalar processor
    • 300 MIPS / 1.1 GFLOPS
    • Wireless
    • Acoustics
    • Sensors
    • Rocket motor systems (8)
  – Software
    • Linux 2.4 kernel
    • Distributed systems
    • Over 200 simultaneous processes

[Photo: Fort Leonard Wood, Missouri]

Page 10

[Figure: demonstration display panels: Network Status, Geolocation Status, Mapping, Breach Detection, Healing; 1 m grid]

Page 11

[Figure: demonstration display: Mines Selected, Mines Disabled]

Page 12

Autonomous Healing

Page 13

Page 14

SHM Robustness

• Within the system, multiple redundancies are in place to increase robustness
  – Soft-state software approach enables fault tolerance
    • Periodically update information even if not requested
    • Enable processes to operate off the latest information, with or without requesting new information
    • Processes can communicate via language-independent device file interfaces, screening process interdependence
  – All nodes are redundant and have the same capabilities
    • Designed for a statistical response to a passing tank

• However, the previous development focus was on inadvertent information corruption, not adverse attacks

Page 15

Example Vulnerabilities of SHM

• Autonomous network self-assembly
  – Supports the appearance and disappearance of nodes, complicating verification
  – Continuous connect/disconnect events

• Unique wireless networking issues for networked embedded systems
  – High-loss propagation environment
  – Multihop network required, with possible high latency
  – Physical environment leads to intermittent, unpredictable operation
  – Variable availability, bandwidth, and latency
  – Communication limited by energy constraints

• Conventional authentication methods carry excessive payload
  – Physical layer jamming can impact:
    • RF communications
    • Acoustic ranging

• Operation dependent on cooperative behavior
  – Vulnerable to spoofing and/or DoS attacks

• External control and query capability desired
  – Users wish to clear a breach for friendly forces or collect status data

• Nodes operate in a region controlled by the opponent

Page 16

Trustworthy Operation within SHM

• To operate effectively, each node needs to define the information it needs and measure its reliability

• To explore the vulnerabilities, the current capabilities of the system must be quantified
  – SHM software emulator allows evaluation of system performance
    • Operates multiple software stacks in a desktop environment
    • Enables exploration of software vulnerabilities
  – Not every vulnerability can be determined, but general guidelines can be developed to establish trust metrics

• Trust currently pre-determined
  – Installed at deployment
    • Currently, demonstration nodes trust anyone and any node with the capability to communicate with them

• Trust must evolve through experience
  – Enables dynamic evolution from a starting point
  – Requires metrics to measure trust

Page 17

SHM Observability Definitions for IA & S

• What do the nodes need to monitor and measure to support their application?
  – Must monitor their own and their neighbors' capability to respond to an enemy tank
    • Currently detected through periodic heartbeat packets, including the processes operating on each node
    • Monitor neighbors' status to detect a "breach" in the field
    • Monitor orientation and tamper status
    • Maintain synchronization with neighbors to enable geolocation
      – May be utilized to coordinate response to a trust failure
    • Monitor own and neighbors' energy remaining
      – Or as power saving is added, neighbors
    • Monitor magnetic sensors to detect a passing tank
  – Each node monitors its operational processes
    • Watch communication, processing, and memory usage
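The two preceding slides say trust is installed at deployment, must evolve through experience, and is currently observed through periodic heartbeats that list each node's running processes. As an added example (not SHM code), a per-neighbour trust monitor that starts from a pre-installed prior and updates it from heartbeat experience; the beta-reputation update, the heartbeat period, the required process set and the distrust threshold are all assumptions.

```python
# Added example (not SHM code): per-neighbour trust that starts from a
# pre-installed prior and evolves with heartbeat experience. The beta-
# reputation update, period, process set and threshold are assumptions.
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

HEARTBEAT_PERIOD = 10.0                                 # seconds (assumed)
REQUIRED_PROCS = {"ranging", "breach_detect", "radio"}  # assumed healthy set
DISTRUST_BELOW = 0.4                                    # assumed threshold


@dataclass
class NeighborTrust:
    good: float                      # pseudo-count of consistent observations
    bad: float                       # pseudo-count of inconsistent observations
    last_seen: Optional[float] = None

    def score(self) -> float:
        # Beta-reputation mean: 0.5 under an equal prior, moves with evidence
        return self.good / (self.good + self.bad)


class TrustMonitor:
    def __init__(self, prior_good: float = 1.0, prior_bad: float = 1.0):
        self.prior = (prior_good, prior_bad)   # trust installed at deployment
        self.neighbors: Dict[str, NeighborTrust] = {}

    def heartbeat(self, node: str, now: float, procs: Iterable[str]) -> float:
        """Record a heartbeat listing the node's running processes; return its score."""
        n = self.neighbors.setdefault(node, NeighborTrust(*self.prior))
        if n.last_seen is not None:
            # every heartbeat period skipped since the last one counts against the node
            missed = int((now - n.last_seen) // HEARTBEAT_PERIOD) - 1
            n.bad += max(missed, 0)
        # a heartbeat reporting every required process is consistent evidence
        if REQUIRED_PROCS <= set(procs):
            n.good += 1
        else:
            n.bad += 1
        n.last_seen = now
        return n.score()

    def silent(self, now: float) -> List[str]:
        """Neighbours quiet for over two periods: candidate failure or breach."""
        return sorted(k for k, n in self.neighbors.items()
                      if now - n.last_seen > 2 * HEARTBEAT_PERIOD)

    def untrusted(self) -> List[str]:
        """Neighbours whose evolved score fell below the distrust threshold."""
        return sorted(k for k, n in self.neighbors.items() if n.score() < DISTRUST_BELOW)
```

A node reporting regularly with all processes running drifts toward a high score, while late or incomplete heartbeats pull it below the threshold; silent neighbours are reported separately, since a field breach looks the same as a dead battery from the heartbeat alone.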

Page 18

SHM Adaptability for IA & S

• How can nodes adapt to increase system survivability and information assurance?
  – Local network can re-form due to changing links
    • Currently adapts if nodes appear or disappear
    • May route around untrusted locations or nodes
    • Network provides multiple redundant paths between most nodes
  – Nodes may collaborate to build or deny trust
    • Multi-hop networks provide multiple redundant paths between nodes
    • Each node monitors its neighbors continuously
    • May warn external users if errant nodes are detected
    • Increase or adapt security measures between trusted nodes
  – Redundant operation at multiple levels
    • Each node includes the same capabilities
    • System designed for graceful degradation

Page 19

Summary

• New and fundamental tradeoffs
  – Energy, latency, bandwidth, payload constraints
  – Increasing complexity
  – Unpredictable connectivity
  – Direct conflicts with conventional approaches
  – May not rely on an external infrastructure

• Dynamic Networked Embedded Systems
  – Self-Organization and Healing
  – Dynamic Operations
  – Management and Control
  – Reconfigurability
  – Energy

• Self-Healing Minefield offers an example embedded system requiring a high level of operational trust