high assurance spiral
play

High Assurance Spiral 18-847E Spiral: Formal Approaches to Hardware - PowerPoint PPT Presentation

Apr 04, 2023 •159 likes •684 views

Carnegie Mellon Carnegie Mellon DARPA HACMS High Assurance Spiral 18-847E Spiral: Formal Approaches to Hardware & Software Design & Algorithm Verification Franz Franchetti Carnegie Mellon University www.ece.cmu.edu/~franzf Lecture

  1. Carnegie Mellon Carnegie Mellon DARPA HACMS High Assurance Spiral 18-847E Spiral: Formal Approaches to Hardware & Software Design & Algorithm Verification Franz Franchetti Carnegie Mellon University www.ece.cmu.edu/~franzf Lecture based on joint work with CMU, UIUC, Drexel, and SpirlaGen, Inc.

  2. Carnegie Mellon Carnegie Mellon The DARPA HACMS Program (K. Fisher) Source: DARPA-BAA-12- 21 “High -Assurance Cyber Military Systems (HACMS )” Proposer’s Day Slides by K. Fisher, HACMS Program Manager

  3. Carnegie Mellon Carnegie Mellon The DARPA HACMS Program (K. Fisher) Source: DARPA-BAA-12- 21 “High -Assurance Cyber Military Systems (HACMS )” Proposer’s Day Slides by K. Fisher, HACMS Program Manager

  4. Carnegie Mellon Carnegie Mellon The DARPA HACMS Program (K. Fisher) Source: DARPA-BAA-12- 21 “High -Assurance Cyber Military Systems (HACMS )” Proposer’s Day Slides by K. Fisher, HACMS Program Manager

  5. Carnegie Mellon Carnegie Mellon Our Approach: Model-Based High Assurance Multi-sensor UGVs Multiple sensors: GPS, compass,  accelerometer, IMU, etc. Control: waypoints, joystick vector  Vehicle model: laws of physics,  vehicle state Map data: Terrain,  possible paths, obstacles Assurance Through Consistency GPS @ t 0 Model-based consistency checks  v @ t 0 Model vs. vehicle state  GPS @ t 0 + Δ t Map-based path validation  Exception signal if inconsistency  threshold is exceeded

  6. Carnegie Mellon Carnegie Mellon Virtual High Assurance Sensors Untrusted Secure output inputs State History Model GPS Model-based ? vVelocity velocity prediction Mission exception control Trusted input Verified implementation Assurance Through Consistency Model-based consistency checks Model vs. vehicle state  Utilizes maps, physics, history, anticipated behavior, mission control  Trusted virtual sensor output if model and sensors agree  Exception if divergence beyond security threshold 

  7. Carnegie Mellon Carnegie Mellon High Assurance Controller Trusted sensors Secure or unsecure and output to actuator State History Model secure set points vVelocity v t ? Control algorithm Actuator setting Set point v 0 exception exception Verified implementation Assurance Through Guaranteed Controller Input and Output Controller input: virtual high-assurance sensor outputs  Controller output: trusted or untrusted message to actuator  Controller algorithm: PID or MPC, may use state, history and model  Failsafe: use model-derived actuator setting if exception detected 

  8. Carnegie Mellon Carnegie Mellon Organization  Overview  Approach  Example: Dynamic Window Monitor  More HCOL examples  Other research components  Demos  Concluding remarks

  9. Carnegie Mellon Carnegie Mellon HCOL: Hybrid Control Operator Language Sensor values and model-based predictions Euler step: x t + h x t + h x t v t + h Numerical differentiation: v t + h v t I 3 : 3 x 3 identity matrix time step = matrix-vector product Assurance through guaranteed controller input and output Declarative representation of physics, data and control algorithms  Enables rule-based software synthesis and variant generation,  verification and proof co-synthesis Extends Spiral’s OL and SPL languages into the control domain 

  10. Carnegie Mellon Carnegie Mellon HCOL: Control Operator Examples Time step residue: Disagreement between model and sensors Error operator: L 2 norm of time step residue PID controller: Control velocity at set point v 0 Usual PID controller definition:

  11. Carnegie Mellon Carnegie Mellon Detection Through Feasible Region of State Self-consistency equation Region of self-consistency Overapproximation Inside a polyhedra Test: attack-free, if

  12. Carnegie Mellon Carnegie Mellon Rule-Based Code Synthesis High Level Rules: Transformations within high level abstraction Code generation rules: Translate high level abstraction into code

  13. Carnegie Mellon Carnegie Mellon Co-Synthesis of Code and Correctness Proofs Code generation: rule application until convergence RuleSet := rec( SumSAG_In := Rule(@(I(@1)),(@, @1)->Let(i := Idx(@1), ISum(i, @1, e(@1, i) * I(1) * e(@1, i)^T))), SumDist := ..., ...); let(y:=var(TArray(TReal, 3)), xv:=var(TArray(TReal, 6)), h := TReal(1/100), func([inparam(xv), outparam(y)], loop(i, [0..3], chain( assign(nth(y, i), add(nth(xv, i), mul(h, nth(xv, add(i,3))))))))) Proof generation: trail of rule application rule: “ SumSAG_In ” matched: BlockMat([[-I(3), 1/100*I(3), I(3), O(3)], [100*I(3), O(3), 100*I(3), @(I(3))]]) wildcards: @=“I(3)”, @1=“3” rewritten: “ ISum (k, 3, e(3, k) * I(1) * e(3, k)^T))” proof: “I(3) == ISum (k, 3, e(3, k) * I(1) * e(3, k)^T))” result: BlockMat([[-I(3), 1/100*I(3), I(3), O(3)], [100*I(3), O(3), 100*I(3), ISum(k, 3, e(3, k)*I(1)*e(3, k)^T)]])

  14. Carnegie Mellon Carnegie Mellon Symbolic Rule Verification  Rule replaces left-hand side by right-hand side when preconditions match  Test rule by symbolically evaluating expressions before and after rule application and compare result = ?

  15. Carnegie Mellon Carnegie Mellon Putting It All Together Landshark HW, SW and sensors Attack-detection Detection bound algorithms proof HCOL formalization HCOL formal compilation Proof of HCOL rules HCOL backend compilation

  16. Carnegie Mellon Carnegie Mellon Organization  Overview  Approach  Example: Dynamic Window Monitor  More HCOL examples  Other research components  Demos  Concluding remarks

  17. Carnegie Mellon Carnegie Mellon Dynamic Window Safety Monitor State History Model target Dynamic Window ? Actuator setting Algorithm Sensor data exception Verified monitor Dynamic Window Approach Primer

  18. Carnegie Mellon Carnegie Mellon Algorithm Verified in KeYmaera Theorem and proof Resulting safety monitor condition

  19. Carnegie Mellon Carnegie Mellon Proof/Code Co-Synthesis: HA Spiral

  20. Carnegie Mellon Carnegie Mellon Details: Formal Compilation  HCOL Breakdown Rules  Fully Expanded HCOL Expression

  21. Carnegie Mellon Carnegie Mellon Final Synthesized C Code int dwmonitor(float *X, double *D) { __m128d u1, u2, u3, u4, u5, u6, u7, u8 , x1, x10, x13, x14, x17, x18, x19, x2, x3, x4, x6, x7, x8, x9; int w1; { unsigned _xm = _mm_getcsr(); _mm_setcsr(_xm & 0xffff0000 | 0x0000dfc0); u5 = _mm_set1_pd(0.0); u2 = _mm_cvtps_pd(_mm_addsub_ps(_mm_set1_ps(FLT_MIN), _mm_set1_ps(X[0]))); u1 = _mm_set_pd(1.0, (-1.0)); for(int i5 = 0; i5 <= 2; i5++) { x6 = _mm_addsub_pd(_mm_set1_pd((DBL_MIN + DBL_MIN)), _mm_loaddup_pd(&(D[i5]))); x1 = _mm_addsub_pd(_mm_set1_pd(0.0), u1); x2 = _mm_mul_pd(x1, x6); x3 = _mm_mul_pd(_mm_shuffle_pd(x1, x1, _MM_SHUFFLE2(0, 1)), x6); x4 = _mm_sub_pd(_mm_set1_pd(0.0), _mm_min_pd(x3, x2)); u3 = _mm_add_pd(_mm_max_pd(_mm_shuffle_pd(x4, x4, _MM_SHUFFLE2(0, 1)), _mm_max_pd(x3, x2)), _mm_set1_pd(DBL_MIN)); u5 = _mm_add_pd(u5, u3); x7 = _mm_addsub_pd(_mm_set1_pd(0.0), u1); x8 = _mm_mul_pd(x7, u2); x9 = _mm_mul_pd(_mm_shuffle_pd(x7, x7, _MM_SHUFFLE2(0, 1)), u2); x10 = _mm_sub_pd(_mm_set1_pd(0.0), _mm_min_pd(x9, x8)); u1 = _mm_add_pd(_mm_max_pd(_mm_shuffle_pd(x10, x10, _MM_SHUFFLE2(0, 1)), _mm_max_pd(x9, x8)), _mm_set1_pd(DBL_MIN)); } u6 = _mm_set1_pd(0.0); for(int i3 = 0; i3 <= 1; i3++) { u8 = _mm_cvtps_pd(_mm_addsub_ps(_mm_set1_ps(FLT_MIN), _mm_set1_ps(X[(i3 + 1)]))); u7 = _mm_cvtps_pd(_mm_addsub_ps(_mm_set1_ps(FLT_MIN), _mm_set1_ps(X[(3 + i3)]))); x14 = _mm_add_pd(u8, _mm_shuffle_pd(u7, u7, _MM_SHUFFLE2(0, 1))); x13 = _mm_shuffle_pd(x14, x14, _MM_SHUFFLE2(0, 1)); u4 = _mm_shuffle_pd(_mm_min_pd(x14, x13), _mm_max_pd(x14, x13), _MM_SHUFFLE2(1, 0)); u6 = _mm_shuffle_pd(_mm_min_pd(u6, u4), _mm_max_pd(u6, u4), _MM_SHUFFLE2(1, 0)); } x17 = _mm_addsub_pd(_mm_set1_pd(0.0), u6); x18 = _mm_addsub_pd(_mm_set1_pd(0.0), u5); x19 = _mm_cmpge_pd(x17, _mm_shuffle_pd(x18, x18, _MM_SHUFFLE2(0, 1))); w1 = (_mm_testc_si128(_mm_castpd_si128(x19), _mm_set_epi32(0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff)) – (_mm_testnzc_si128(_mm_castpd_si128(x19), _mm_set_epi32(0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff)))); __asm nop; if (_mm_getcsr() & 0x0d) { _mm_setcsr(_xm); return -1; } _mm_setcsr(_xm); } return w1; }

  22. Carnegie Mellon Carnegie Mellon Assembly Generated By Intel C Compiler dwmonitor PROC sub rsp, 120 vstmxcsr DWORD PTR [112+rsp] mov r8d, DWORD PTR [112+rsp] mov eax, r8d and eax, -65536 or eax, 57280 mov DWORD PTR [112+rsp], eax vldmxcsr DWORD PTR [112+rsp] vmovaps xmm3, XMMWORD PTR [_2il0floatpacket.2] vmovss xmm0, DWORD PTR [rcx] vshufps xmm1, xmm0, xmm0, 0 vmovaps xmm0, XMMWORD PTR [_2il0floatpacket.3] vxorps xmm5, xmm5, xmm5 vmovaps xmm2, xmm5 vaddsubps xmm4, xmm3, xmm1 vmovaps xmm1, XMMWORD PTR [_2il0floatpacket.4] 64-bit mode vcvtps2pd xmm4, xmm4 xor eax, eax AVX/VEX encoding vmovaps XMMWORD PTR [32+rsp], xmm11 3 operand instructions vmovaps xmm11, XMMWORD PTR [_2il0floatpacket.5] ... SSE 4.1 vmovddup xmm15, QWORD PTR [rdx+rax*8] inc rax 1-1 mapping to C source vaddsubpd xmm13, xmm1, xmm15 vaddsubpd xmm15, xmm5, xmm0 150 lines of assembly vminpd xmm13, xmm14, xmm12 ... <100 more lines> On SandyBridge: ... add rsp, 120 100 – 240 cycles ret ALIGN 16 30ns – 80ns @ 3 GHz dwmonitor ENDP

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

CAN CLOUD COMPUTING SYSTEMS OFFER HIGH ASSURANCE WITHOUT LOSING KEY CLOUD PROPERTIES? CS6410

CAN CLOUD COMPUTING SYSTEMS OFFER HIGH ASSURANCE WITHOUT LOSING KEY CLOUD PROPERTIES? CS6410

1 CAN CLOUD COMPUTING SYSTEMS OFFER HIGH ASSURANCE WITHOUT LOSING KEY CLOUD PROPERTIES? CS6410 Ken Birman, Cornell University High Assurance in Cloud Settings 2 A wave of applications that need high assurance is fast approaching

672 views • 40 slides
Data Assurance in Opaque Computations High Assurance Systems Engineering Guy Haworth

Data Assurance in Opaque Computations High Assurance Systems Engineering Guy Haworth

Data Assurance in Opaque Computations High Assurance Systems Engineering Guy Haworth guy.haworth@bnc.oxon.org 1 Data Assurance - ACG12, 2009-05-11 Topics Motivation Systems Engineering Cycle Definition: the Problem Domain and the

824 views • 27 slides
Xenon: High-Assurance Xen John McDermott John.McDermott@NRL.Navy.Mil Naval Research Laboratory

Xenon: High-Assurance Xen John McDermott John.McDermott@NRL.Navy.Mil Naval Research Laboratory

Xenon: High-Assurance Xen John McDermott John.McDermott@NRL.Navy.Mil Naval Research Laboratory Center for High-Assurance Computer Systems http:/ / chacs.nrl.navy.mil Xenon Xen Beyond Buffer Overflows high-assurance Policy flaws Use the

565 views • 24 slides
Spiral Computer Generation of Performance Libraries Applications Jos M. F. Moura Markus

Spiral Computer Generation of Performance Libraries Applications Jos M. F. Moura Markus

Carnegie Mellon Performance Spiral Computer Generation of Performance Libraries Applications Jos M. F. Moura Markus Pschel Franz Franchetti Platforms &amp; the Spiral Team Carnegie Mellon What is Spiral? Traditionally Spiral

429 views • 12 slides
Spiral Structure and Mass Inflows In Spiral Galaxies Yonghwi Kim, Woong-Tae Kim CEOU, Astronomy

Spiral Structure and Mass Inflows In Spiral Galaxies Yonghwi Kim, Woong-Tae Kim CEOU, Astronomy

The 7 e 7 th Kor orean Astrop ophysics W Wor orkshop op Spiral Structure and Mass Inflows In Spiral Galaxies Yonghwi Kim, Woong-Tae Kim CEOU, Astronomy Program, Dept. of Physics &amp; Astronomy, Seoul National University The 7 th Korean

370 views • 17 slides
Spiral-CT Benjamin Keck 21. March 2006 1 Motivation Spiral-CT offers reconstruction of long

Spiral-CT Benjamin Keck 21. March 2006 1 Motivation Spiral-CT offers reconstruction of long

Spiral-CT Benjamin Keck 21. March 2006 1 Motivation Spiral-CT offers reconstruction of long objects compared to circular filtered backprojection, where reconstruction is limited in z-direction. While the object moves constantly throw and

533 views • 5 slides
Spiral 2-1 Datapath Components: Counters Adders Design Example: Crosswalk Controller 2-1.2

Spiral 2-1 Datapath Components: Counters Adders Design Example: Crosswalk Controller 2-1.2

2-1.1 Spiral 2-1 Datapath Components: Counters Adders Design Example: Crosswalk Controller 2-1.2 Spiral Content Mapping Combinational Sequential System Level Implementation Spiral Theory Project Design Design Design and Tools

852 views • 61 slides
Carnegie Mellon Generating High Performance Generating High Performance General Size Linear

Carnegie Mellon Generating High Performance Generating High Performance General Size Linear

Carnegie Mellon Generating High Performance Generating High Performance General Size Linear Transform General Size Linear Transform Libraries Using Spiral Libraries Using Spiral Yevgen Voronenko Franz Franchetti Frdric de Mesmay Markus

300 views • 28 slides
High-Assurance and High-Speed Cryptographic Implementations Using the Jasmin Language J.B.

High-Assurance and High-Speed Cryptographic Implementations Using the Jasmin Language J.B.

High-Assurance and High-Speed Cryptographic Implementations Using the Jasmin Language J.B. Almeida, M. Barbosa, G. Barthe, B. Grgoire, A. Koutsos , V. La- porte, T. Oliveira, P-Y. Strub Octobre 9th, 2019 1 Context 2 Context Cryptographic

985 views • 57 slides
Spiral Content Mapping Combinational Sequential System Level Implementation Spiral Theory

Spiral Content Mapping Combinational Sequential System Level Implementation Spiral Theory

2-1.1 2-1.2 Spiral Content Mapping Combinational Sequential System Level Implementation Spiral Theory Project Design Design Design and Tools Performance Decoders and Structural Verilog 1 metrics (latency muxes

742 views • 15 slides
Jasmin: High-Assurance and High-Speed Cryptography Jos Bacelar Almeida Manuel Barbosa Gilles

Jasmin: High-Assurance and High-Speed Cryptography Jos Bacelar Almeida Manuel Barbosa Gilles

Jasmin: High-Assurance and High-Speed Cryptography Jos Bacelar Almeida Manuel Barbosa Gilles Barthe Arthur Blot Benjamin Grgoire Vincent Laporte Tiago Oliveira Hugo Pacheco Benedick Schmidt Pierre-Yves Strub CCS17 2017-11-02

440 views • 31 slides
Spiral 1 / Unit 1 Combinational vs. Sequential Logic Latency vs. Throughput (Pipelining) Digital

Spiral 1 / Unit 1 Combinational vs. Sequential Logic Latency vs. Throughput (Pipelining) Digital

1-1.1 Spiral 1 / Unit 1 Combinational vs. Sequential Logic Latency vs. Throughput (Pipelining) Digital Design Goals Logic Functions 1-1.2 Spiral Content Mapping Combinational Sequential System Level Implementation Spiral Theory Project

975 views • 66 slides
Usable High-Assurance Operating Systems Doug McIlroy Sean Smith Sergey Bratus Alex Ferguson

Usable High-Assurance Operating Systems Doug McIlroy Sean Smith Sergey Bratus Alex Ferguson

Usable High-Assurance Operating Systems Doug McIlroy Sean Smith Sergey Bratus Alex Ferguson Motivation Available high-assurance systems have large monolithic policies Hard to write and maintain Crafted by trial and error E.g.:

455 views • 16 slides
Proof Technology for High-Assurance Runtime Systems Andrew Tolmach, Andrew McCreight, and the

Proof Technology for High-Assurance Runtime Systems Andrew Tolmach, Andrew McCreight, and the

Proof Technology for High-Assurance Runtime Systems Andrew Tolmach, Andrew McCreight, and the Programatica team WG2.8 08 1 Functional Languages for High- Assurance Applications Goal: rely on properties of functional languages to

774 views • 59 slides
MATERIALS AND TESTING QUALITY ASSURANCE QUALITY ASSURANCE What is Quality Assurance? Why

MATERIALS AND TESTING QUALITY ASSURANCE QUALITY ASSURANCE What is Quality Assurance? Why

Luanna Cambas, P.E. LADOTD District 02 Lab Engineer Jason Davis, P.E. LADOTD Field Quality Assurance Administrator MATERIALS AND TESTING QUALITY ASSURANCE QUALITY ASSURANCE What is Quality Assurance? Why needed? Sampling &amp;

1.01k views • 63 slides
Census Data Quality Assurance 17 May 2010 Types of Quality Assurance (QA) Quality assurance of

Census Data Quality Assurance 17 May 2010 Types of Quality Assurance (QA) Quality assurance of

Census Data Quality Assurance 17 May 2010 Types of Quality Assurance (QA) Quality assurance of captured and coded data Quality assurance of downstream processes (including data security and integrity) Quality assurance of population counts,

129 views • 12 slides
Darrell Bethea May 19, 2011 1 Assignments: Homework 0 grades up Program 1 due

Darrell Bethea May 19, 2011 1 Assignments: Homework 0 grades up Program 1 due

Darrell Bethea May 19, 2011 1 Assignments: Homework 0 grades up Program 1 due yesterday Program 2 due Monday Program 3 assigned today Updated yesterdays slides 2 3 Loops Body Initializing Statements

643 views • 60 slides
How to Develop a Program Logic Model Learning objectives By the end of this presentation, you

How to Develop a Program Logic Model Learning objectives By the end of this presentation, you

How to Develop a Program Logic Model Learning objectives By the end of this presentation, you will be able to: Describe what a logic model is, and how it can be useful to your daily program operations Identify the key components of a

520 views • 36 slides
EC487 Advanced Microeconomics, Part I: Lecture 2 Leonardo Felli 32L.LG.04 6 October, 2017

EC487 Advanced Microeconomics, Part I: Lecture 2 Leonardo Felli 32L.LG.04 6 October, 2017

EC487 Advanced Microeconomics, Part I: Lecture 2 Leonardo Felli 32L.LG.04 6 October, 2017 Properties of the Profit Function Recall the following property of the profit function ( p , w ) = max p f ( x ) w x = p f ( x ( p , w )) w x

1.14k views • 49 slides
Chapter 8 Evaluation Statistical Machine Translation Evaluation How good is a given machine

Chapter 8 Evaluation Statistical Machine Translation Evaluation How good is a given machine

Chapter 8 Evaluation Statistical Machine Translation Evaluation How good is a given machine translation system? Hard problem, since many different translations acceptable semantic equivalence / similarity Evaluation metrics

456 views • 42 slides
Fusion of Continuous Output Classifiers Classifiers Jacob Hays Amit Pillay James DeFelice

Fusion of Continuous Output Classifiers Classifiers Jacob Hays Amit Pillay James DeFelice

Fusion of Continuous Output Classifiers Classifiers Jacob Hays Amit Pillay James DeFelice Definitions x feature vector c number of classes L number of classifiers { 1 , 2 , ., c } Set of class

668 views • 53 slides
Bernsteins 34 th Annual Strategic Decisions Conference Mike Mahoney Chairman and Chief

Bernsteins 34 th Annual Strategic Decisions Conference Mike Mahoney Chairman and Chief

Bernsteins 34 th Annual Strategic Decisions Conference Mike Mahoney Chairman and Chief Executive Officer Safe Harbor for Forward-Looking Statements This presentation contains forward-looking statements within the meaning of Section 27A of

489 views • 20 slides
Alternative &amp; Emerging Technologies in Health Services Research Joseph Kim, MD, MPH Miriam

Alternative &amp; Emerging Technologies in Health Services Research Joseph Kim, MD, MPH Miriam

Alternative &amp; Emerging Technologies in Health Services Research Joseph Kim, MD, MPH Miriam Komaromy, MD &amp; Wesley Pak, MBA Kamal Jethwani, MD, MPH April 11th, 2012 1 Agenda Welcome Mark Belanger, TA Team, Massachusetts

1.12k views • 99 slides
Thank you for joining us. The program will commence momentarily. Recent Advances in Medical

Thank you for joining us. The program will commence momentarily. Recent Advances in Medical

Thank you for joining us. The program will commence momentarily. Recent Advances in Medical Oncology: Urothelial Bladder Carcinoma Monday, August 3, 2020 5:00 PM 6:00 PM ET Faculty Arjun Balar, MD Thomas Powles, MBBS, MRCP, MD Arlene

1.55k views • 106 slides

More recommend