From Control Model to Program: Investigating Robotic Aerial Vehicle - - PowerPoint PPT Presentation

SLIDE 1

From Control Model to Program: Investigating Robotic Aerial Vehicle Accidents with MAYDAY

Taegyu Kim1, Chung Hwan Kim2, Altay Ozen1, Fan Fei1, Zhan Tu1, Xiangyu Zhang1, Xinyan Deng1, Dave (Jing) Tian1, Dongyan Xu1

1Purdue University 2UT Dallas

SLIDE 2

Drone (Robotic Aerial Vehicle) Accidents

SLIDE 3

RAV Control and Control-Semantic Bugs

Sensor Module Mission Module Control Program Observed vehicle states in “6DoFs” Physical Environment Control Station Control Model Aerodynamics Motor

Control-Semantic Bug

• Accident root cause

inside control program

• Incorrect or incomplete

implementation of control model 𝑨 𝑧 𝑦 𝑧𝑏𝑥 𝑠𝑝𝑚𝑚 𝑞𝑗𝑢𝑑ℎ

SLIDE 4

A Motivating Accident

SLIDE 5

Challenges in Investigating the Accident

• “Two Gaps”
• Domain gap
• Control domain
• Time gap
• Attack time → Impact time

Domain Gap

Control Model

Control

Attack impact

Control Program

Program

Root Cause

• Our solution: MAYDAY
• Bridge the gaps
• Enable cross-domain investigation

→ Program domain

Reference Velocity Actual Velocity

20 40 60 80 4800 4900 5000 5100 5200

Control Loop Iteration Velocity (cm/s)

Time Gap

Attack CMD

Control-level Log

?

Impact

SLIDE 6

MAYDAY Workflow

Control Program (Source Code) Program Instrumentation Program Analysis Crash Log

Offline Analysis & Instrumentation Runtime Logging Post-Accident Investigation

Program-level Investigation Control-level Investigation Control Variable Dependency Graph (CVDG) Result

SLIDE 7

RAV Control Model

6DoF Inter- dependency between controllers Cascading controller

x 4

X-axis Cascading Controller Y-axis Cascading Controller Z-axis Cascading Controller Pitch Cascading Controller Roll Cascading Controller

Motor Controller

Yaw Cascading Controller P S M

: Sensor Input : Mission Input : Parameter Input

ANGLE Controller

𝑦𝜔 ሶ 𝑦𝜔 ሷ 𝑦𝜔 𝑠𝜔 ሶ 𝑠𝜔 ሷ 𝑠𝜔 𝑙𝜔 ሶ 𝑙𝜔 ሷ 𝑙𝜔

VEL Controller ACCEL Controller

P S M

ሶ 𝑦𝑦 ሷ 𝑦𝑦 ሶ 𝑠

𝑦

ሷ 𝑠

𝑦

POS Controller

𝑦𝑦 𝑠

𝑦

𝑙𝑦 ሶ 𝑙𝑦 ሷ 𝑙𝑦

VEL Controller ACCEL Controller

P S M

ሶ 𝑦𝑧 ሷ 𝑦𝑧 ሶ 𝑠

𝑧

ሷ 𝑠

𝑧

POS Controller

𝑦𝑧 𝑠

𝑧

𝑙𝑧 ሶ 𝑙𝑧 ሷ 𝑙𝑧

VEL Controller ACCEL Controller

P S M

ANGLE Controller

𝑦𝜒 𝑠

𝜒

𝑙𝜒 ሶ 𝑦𝜒 ሶ 𝑠

𝜒

ሶ 𝑙𝜒

VEL Controller

ሷ 𝑦𝜒 ሷ 𝑠

𝜒

ሷ 𝑙𝜒

ACCEL Controller

P S M

ANGLE Controller

𝑦𝜄 𝑠𝜄 𝑙𝜄 ሶ 𝑦𝜄 ሶ 𝑠𝜄 ሶ 𝑙𝜄

VEL Controller

ሷ 𝑦𝜄 ሷ 𝑠𝜄 ሷ 𝑙𝜄

ACCEL Controller

P S M

POS Controller

𝑦𝑨 ሶ 𝑦𝑨 ሷ 𝑦𝑨 𝑠

𝑨

ሶ 𝑠

𝑨

ሷ 𝑠

𝑨

𝑙𝑨 ሶ 𝑙𝑨 ሷ 𝑙𝑨

VEL Controller ACCEL Controller

P S M 𝜒 = 𝑏𝑢𝑏𝑜 − ሷ 𝑦𝑡𝑗𝑜𝜔 + ሷ 𝑧𝑑𝑝𝑡𝜔 𝑕 𝜄 = −𝑏𝑢𝑏𝑜 ሷ 𝑦𝑑𝑝𝑡𝜔 + ሷ 𝑧𝑡𝑗𝑜𝜔 𝑕 S

Control Variable Dependency Graph (CVDG)

SLIDE 8

Mapping Control Model to Control Program

void AC_PosControl::rate_to_accel_z( … vel_err.z = vel_target.z p = * vel_err.z; accel_target.z = accel_ff.z + p ; …

POS Controller

𝑦𝑨 ሶ 𝑦𝑨 ሷ 𝑦𝑨 𝑠

𝑨

ሶ 𝑠

𝑨

ሷ 𝑠

𝑨

𝑙𝑨 ሶ 𝑙𝑨 ሷ 𝑙𝑨

VEL Controller ACCEL Controller

P S M

• Control model variable → Control program variable
• Control model data flow

: Parameter : Vehicle state : Reference

• cur_vel.z

ሶ 𝑦𝑨 ሶ 𝑠

𝑨

ሶ 𝑙𝑨

Control Model

P S M

: Sensor input : Mission input : Parameter input

→ Control program execution paths

Control Program

_p_velz._kP()

Mapping

SLIDE 9

Logging Enhancement

• Control/vehicle operation log
• Recorded by default
• Supported by major drone control programs
• Recorded by control-level logging functions
• Program execution log
• Enabled by MAYDAY
• Logging functions inserted via LLVM-level instrumentation
• Guided by mapping between control model and program

If err.z -= cur.z; else err.z = 0.0; p = kP* err.z;

SLIDE 10

Control-Level Investigation

• 200

200 400 600 800 1000 8000 15000 22000 29000 36000 X-axis Velocity

Initial Digression

Investigation

• Identify initial digressing controller
• [Controller, corrupted variable, initial digression time]
• Infer control-level corruption path based on CVDG

: Reference : Actual state

Initial Digression

Control Loop Iteration

SLIDE 11

Moving from Control Domain to Program Domain

• Corrupted control variable → Corrupted program variable

Initial Digression

Investigation

• 200

200 400 600 800 1000 8000 15000 22000 29000 36000 X-axis Velocity

Initial Digression

: Reference : Actual state

Control Loop Iteration

SLIDE 12

Program-Level Investigation

Program-level Corruption Path

Initial Digression

Investigation

• 200

200 400 600 800 1000 8000 15000 22000 29000 36000 X-axis Velocity

Initial Digression

: Reference : Actual state

Control Loop Iteration

Attack Input Attack Input

• Control-level corruption path →
• From initial digression to attack input
• Bug localized in basic blocks that implement the corruption path

Program-level corruption path

SLIDE 13

Evaluation: Effectiveness of MAYDAY

SLIDE 14

Evaluation: Solving the Earlier Case

• 200

200 400 600 800 1000 8000 15000 22000 29000 36000 X-axis Velocity Control Loop Iteration

Initial Digression Attack Input

Control-Level Log Program-Level Log

• Initial digressing controller: X, Y-axis velocity controller
• Corrupted control variable: X, Y-axis acceleration reference
• Control-level corruption path:
• Attack input:

Control gain kP

• Number of BBs on

corruption path: 34

• Source LoC: 89

SLIDE 15

Evaluation: Runtime Overhead of MAYDAY

SLIDE 16

Conclusion

• Drone accident may be caused by control semantic bugs
• Control-level logs alone are not sufficient for bug-tracing
• MAYDAY: a cross-domain accident investigation tool
• Bridging the domain gap and the time gap
• Mapping control model to control program
• Integrating control-level and program-level logging
• Connecting control-level and program-level investigation

SLIDE 17

Thank you!

This work was supported in part by ONR Grant #N00014-17-1-2045.

tgkim@purdue.edu