Quest(-V): A Secure and Predictable System for Smart IoT Devices
Richard West richwest@cs.bu.edu
Computer Science
Emerging Smart Devices Need an OS
– Multiple cores
– GPIOs
– PWM
– Virtualization support
– Integrated Graphics
2
security requirements
3
Diagram (Quest-V architecture): Sandbox 1 ... Sandbox M, each with its own monitor, address space, threads, VCPUs, I/O devices and PCPU(s); the monitors provide communication and migration between sandboxes.
Exploit VT-x/EPT capabilities on Intel multicore processors for efficient sandboxing
4
Diagram (Quest scheduling): threads run on Main VCPUs and I/O VCPUs, which in turn are scheduled on PCPUs (cores); each sandbox has its own address space.
scheme
short-lived interrupts
5
[Done]
Minnowboard Max [Quest is working]
– Now working on QduinoMC [In progress]
manufacturing, robotics, secure home automation, UAVs, etc [In progress]
6
– Requires remote inputs to function – No autonomy
– Ability to make own decisions, at least partly, based on sensory inputs that determine the state of the environment and the device itself
– Spool requests via webserver
– High level (STL file) requests rather than g-codes
– Local slicer engine & g-code parser
– Local verifier for “correctness” of requests
– Possible communication/coordination with other smart devices
7
– MinnowMax/Turbot
– RAMPS 1.4
– ADS7828 I2C Analog-to-Digital Converter
– 4 x 4988 Pololu Stepper Motor drivers
– PNP/NPN transistors, resistors etc for level shifting
– See: www.cs.bu.edu/fac/richwest/smartprint3d.php
8
– Used Intel IoT devkit libmraa library to interface w/ I2C ADC and GPIOs via sysfs
– Developed test scenarios for 3D print objects
– Details to follow
– Qduino [RTSS'15]
– Quest-V [ACM TOCS]
9
– Loop: read G-code commands, translate them to motor movements and fan/heater operations
– A high frequency, sporadic timer interrupt to drive motors (up to 10 kHz)
– A low frequency, periodic timer interrupt to read extruder temperature (1 kHz)
10
– B = gear pitch (e.g., 2mm for GT2 pulley)
– C = gear tooth count (e.g., 20)
– S = stepper motor steps per revolution (e.g., 200)
– α = microstepping (e.g., 16 for 4988 driver)
– V = feedrate in given axis (e.g., 125mm/s)
– F = (V * S * α) / (B * C) = 10kHz using above params
– Requires 100 microsecond pulse timing
– Won't work with Linux scheduling accuracy!
11
– Replaced hardware timer interrupts with high resolution software timers
– Replaced architecture-dependent I/O operations with mraa library functions
– Cons: approach fails to utilize underlying hardware parallelism
12
Diagram (single-loop Linux port): read G-code from the file system, translate coordinates to steps, place them in a buffer (each block contains the steps for one command), then extract steps from the block and pulse the stepper motors; in the same loop, read the temperature and use PID control to adjust the fan & heater.
13
– Added I2C Driver
– Added GPIO Driver
– Updated ACPI firmware to latest version
– I2C Module (read/write bytes on I2C bus)
– GPIO Module (get/set value+direction of GPIOs)
14
– Loop 1: command reading and path planning
– Loop 2: motor driving
– Loop 3: temperature reading & adjustment
15
Diagram (Qduino multi-loop port on MinnowBoard): Loop 1 (G-code translation, temperature PID control), Loop 2 (extract steps from the block and pulse the steppers) and Loop 3 (read temperature and adjust fan/heater) each run on their own VCPU in the Quest kernel under the Qduino library, spread across Core 1 and Core 2; the loops share a step buffer and the temperature PID output.
16
– Parallel and predictable loop execution
– Real-time communication b/w loops
– Predictable and efficient interrupt management
– Real-time event delivery
– Backward compatible with Arduino API
– Simplifies multithreaded real-time programming
17
// Sketch 1: toggle GPIO pin 9 every 2s
int val9 = 0;
void setup() { pinMode(9, OUTPUT); }
void loop() {
  val9 = !val9;           // flip the output value
  digitalWrite(9, val9);
  delay(2000);            // delay 2s
}

// Sketch 2: toggle pin 10 every 3s
int val10 = 0;
void setup() { pinMode(10, OUTPUT); }
void loop() {
  val10 = !val10;         // flip the output value
  digitalWrite(10, val10);
  delay(3000);            // delay 3s
}
How do you merge the sketches and keep the correct delays?
18
int val9 = 0, val10 = 0;
// millis() returns unsigned long; keep the deadlines in the same type so
// the comparison does not break once the counter passes the int range
unsigned long next_flip9 = 0, next_flip10 = 0;
void setup() {
  pinMode(9, OUTPUT);
  pinMode(10, OUTPUT);
}
void loop() {
  if (millis() >= next_flip9) {
    val9 = !val9;         // flip the output value
    digitalWrite(9, val9);
    next_flip9 += 2000;
  }
  if (millis() >= next_flip10) {
    val10 = !val10;       // flip the output value
    digitalWrite(10, val10);
    next_flip10 += 3000;
  }
}
hand
19
int val9 = 0, val10 = 0;
int C = 500, T = 1000;    // VCPU budget C and period T given to each loop
void setup() {
  pinMode(9, OUTPUT);
  pinMode(10, OUTPUT);
}
// Qduino: each loop(id, C, T) runs as its own thread on a VCPU with (C, T)
void loop(1, C, T) {
  val9 = !val9;           // flip the output value
  digitalWrite(9, val9);
  delay(2000);
}
void loop(2, C, T) {
  val10 = !val10;         // flip the output value
  digitalWrite(10, val10);
  delay(3000);
}
20
Diagram (Qduino software stack): at user level, a sketch with loop1 ... loopN runs on the QDuino libs alongside Quest native apps; the Quest kernel provides the GPIO, SPI and I2C drivers; the hardware is an x86 SoC such as Galileo, Edison or Minnowboard.
21
Table (Qduino API function signatures, by category): Structure, Interrupt, Spinlock, Four-slot, Ring buffer.
22
Diagram (Qduino interrupt handling): a hardware interrupt from the GPIO expander enters the kernel GPIO driver; the interrupt bottom half runs on an I/O VCPU and wakes the user interrupt handler registered with attachInterruptVcpu, which executes in the sketch thread on a Main VCPU under the scheduler; the handler then returns to the sketch on the CPU core(s).
23
Plot: counter value (x10^4) against time in periods (100T to 500T) for VCPU (C,T) settings (50,100), (70,100) and (90,100), each with 2 and 4 loops, compared with Linux with 2 and 4 loops.
counter during loop period
as potential interference, consuming remaining CPU capacity
timing guarantees w/ Linux
24
sensor
delay(100)
25
between two consecutive calls to the motor actuation code
and actuation task
loop
timeout
time interval, the faster the vehicle can drive
Plot: time (milliseconds) per sample (1 to 100) for Clanton single-loop, Qduino multi-loop, Qduino single-loop and Clanton interrupt.
26
27
Diagram (Quest-V smart 3D printer): three sandboxes on a dual-core Atom (Silvermont) plus Quark MCU with an Internet connection. Sandbox 1 runs real-time sensing & control over I/O devices such as motors, extruder and temperature sensors; Sandbox 2 runs real-time job scheduling over flash storage; Sandbox 3 runs Linux with a web server / verification and comms over the NIC. Each sandbox has its own monitor, memory, core(s) and VCPU(s), with user-level components marked as trusted or untrusted.
28
29
Schematic (printer wiring): the MinnowBoard MAX 26-pin header (GND, +5V, +3.3V, SCL, SDA, PWM0, FAN, HEATER, SPI_MISO, SPI_MOSI, and the X/Y/Z/E0 STEP, DIR, ENABLE and STOP lines) drives a RAMPS 1.4 board with four 4988 stepper drivers (X, Y, Z, E0); an ADS7828 I2C ADC reads the T0 thermistor on THERM0; X_STOP, Y_STOP_max and Z_STOP endstop switches, a 7805 5V regulator with a 7404/1N4728 level-shifting stage, and 2N3906/2N3904 transistor circuits (x2) switch the fan (FAN_IN, D9) and heater (HEAT_IN, D10) from +12V.
30
– API support to map loops to cores
– Load balancing via MARACAS [RTSS'16] framework
– Pub/sub communications between Quest-V sandboxes
– Legacy Linux ROS nodes communicate w/ time-critical Quest services
31
– Use Intel SBCs/SoCs (Up board, Edison, MinnowMax, Celeron Braswell, Skylake U, Kaby/Apollo Lake NUCs)
– Energy + CPU + GPU + latency-sensitive I/O requirements
– RacerX autonomous rover
– Smart drones
tracking
– Biokinematic / body sensor network (Edison/Curie)
32
– Mixed-criticality: Linux + Quest
– Mixed-criticality scheduling (ECRTS'16)
– TMR fault tolerance using replicated sandboxes
33
– Supports VCPU load balancing to share background cycles across cores
background cycles
VCPU foreground timing requirements
34
– Cycles weighted by queued memory requests
– # of requests to memory controller request queue
to cores
cache isolation
35
– Multiple cores (good for multi-tasking)
– VT-x capabilities for security/isolation/fault tolerance
– GPIOs for interfacing sensors + actuators
– PWMs for motor & servo control
– Serial interfaces for device communication
– Shared caches + memory bus affects temporal isolation (not good for real-time!)
36
– Temporal isolation b/w cores
management?)
– Better GPU support
card, which is too power-hungry and heavy
– Low-wattage “PC” with GPIOs, serial buses, GPU à la Nvidia Jetson (but better!)
37
– Simplified VT-x support
– Tagged memory for confidentiality + integrity on secure information flows between sandboxes
– H/W-assisted port-based I/O interposition
38
39
40
– Mixed criticalities: timeliness and safety
41
42
43
Positioning: Quest sits between real-time kernels (FreeRTOS, uC/OS-II etc) and general-purpose systems (Linux, Windows, Mac OS X etc).
44
– Distributed system on a chip
– Time as a first-class resource
– Separate sandbox kernels for system components
– Memory isolation using h/w-assisted memory virtualization
– Also CPU, I/O, cache partitioning
45
– Wind River Hypervisor, XtratuM, PikeOS, Mentor Graphics Hypervisor
– Xen, Oracle PDOMs, IBM LPARs
– Muen, (Siemens) Jailhouse
46
– Each SS has a pair (C,T) s.t. a server is guaranteed C CPU cycles every period of T cycles when runnable
– Rate-Monotonic Scheduling theory applies
47
– Currently, priorities are (T) for corresponding Main VCPU
– IO VCPU budget is limited to:
48
– t = start of latest execution
– t >= previous eligibility time
49
Timeline (two sporadic servers): τ1, main application sporadic server, C=8, T=16; τ2, I/O interrupt bottom-half sporadic server, C=4, T=16. Execution is shown over time 0 to 32 as I/O events initiate interrupts; the trace ends with a missed deadline.
50
Timeline (sporadic server + PIBS): τ1, main application sporadic server, C=8, T=16; τ2, I/O interrupt bottom half as a PIBS with U=0.25. Execution is shown over time 0 to 32 as I/O events initiate interrupts; no deadline is missed.
51
– C_i = budget capacity of V_i
– T_i = replenishment period of V_i
– Main VCPU, V_i
– U_j = utilization factor for I/O VCPU, V_j

$$\sum_{i=0}^{n-1} \frac{C_i}{T_i} + \sum_{j=0}^{m-1} (2 - U_j)\,U_j \le n\left(\sqrt[n]{2} - 1\right)$$
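As an added worked example, not taken from the slides, the bound above evaluated in Python for the Main/I/O VCPU pair used in the two timelines; the task-set values (one Main VCPU with C=8, T=16 and one I/O VCPU with U=0.25) are assumed from those slides.

```python
# Added example (not from the slides): Quest's utilization-based
# schedulability check for n Main VCPUs (sporadic servers with budget C_i
# and replenishment period T_i) plus m I/O VCPUs (PIBS with utilization U_j).
from typing import Sequence, Tuple

MainVcpu = Tuple[float, float]  # (C_i, T_i)


def main_utilization(main_vcpus: Sequence[MainVcpu]) -> float:
    """Sum of C_i / T_i over all Main VCPUs."""
    return sum(c / t for c, t in main_vcpus)


def io_utilization_term(io_vcpus: Sequence[float]) -> float:
    """Sum of (2 - U_j) * U_j over all I/O VCPUs.

    A PIBS with utilization U_j is charged (2 - U_j) * U_j, i.e. more than
    U_j itself, which is the price of its bandwidth-preserving behaviour.
    """
    return sum((2.0 - u) * u for u in io_vcpus)


def rm_bound(n: int) -> float:
    """Rate-monotonic bound n * (2^(1/n) - 1) for n Main VCPUs."""
    if n < 1:
        raise ValueError("at least one Main VCPU is required")
    return n * (2.0 ** (1.0 / n) - 1.0)


def total_load(main_vcpus: Sequence[MainVcpu], io_vcpus: Sequence[float]) -> float:
    """Left-hand side of the schedulability inequality."""
    return main_utilization(main_vcpus) + io_utilization_term(io_vcpus)


def schedulable(main_vcpus: Sequence[MainVcpu], io_vcpus: Sequence[float]) -> bool:
    """True when the sufficient condition from the slide holds."""
    return total_load(main_vcpus, io_vcpus) <= rm_bound(len(main_vcpus))


# Constructed task set assumed from the timeline slides: tau1 as a Main VCPU
# with C=8, T=16 and tau2 as an I/O VCPU (PIBS) with U=0.25.
MAIN = [(8.0, 16.0)]
IO = [0.25]

if __name__ == "__main__":
    print("load", total_load(MAIN, IO), "bound", rm_bound(len(MAIN)),
          "schedulable", schedulable(MAIN, IO))
```

Adding a second Main VCPU with the same (8,16) parameters pushes the load past the bound, which is the situation the check is meant to flag before the sandbox is committed to it.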
52
– E' = E + (1 - E/C) * ml - (E/C) * mo
– Enhanced with hits + misses [Book Chapter, OSR'11, PACT'10]