A Data Centric Approach for Modular Assurance The Fourth...
Transcript of A Data Centric Approach for Modular Assurance The Fourth...
![Page 1: A Data Centric Approach for Modular Assurance The Fourth ...fm.csl.sri.com/LAW/2010/law2010-slides-Ciocarlie.pdf · OMG Data Distribution Service (DDS) Data-centric publish-subscribe](https://reader033.fdocuments.us/reader033/viewer/2022050400/5f7d90dec7a79530d6197101/html5/thumbnails/1.jpg)
The Real-Time Middleware Experts
A Data Centric Approach for Modular Assurance
The Fourth Layered Assurance Workshop December 6th 2010
Gabriela F. Ciocarlie Heidi Schubert Rose Wahlin
![Page 2: A Data Centric Approach for Modular Assurance The Fourth ...fm.csl.sri.com/LAW/2010/law2010-slides-Ciocarlie.pdf · OMG Data Distribution Service (DDS) Data-centric publish-subscribe](https://reader033.fdocuments.us/reader033/viewer/2022050400/5f7d90dec7a79530d6197101/html5/thumbnails/2.jpg)
Mixed Criticality Systems
Any system that has multiple assurance requirements – Safety, at different assurance levels – Security, at different assurance levels
Example: Unmanned Air Vehicle – Flight control is safety critical – Payload management is mission critical
Ideally a system is built from components each with their own assurance requirements
© 2010 Real-Time Innovations, Inc. 2
![Page 3: A Data Centric Approach for Modular Assurance The Fourth ...fm.csl.sri.com/LAW/2010/law2010-slides-Ciocarlie.pdf · OMG Data Distribution Service (DDS) Data-centric publish-subscribe](https://reader033.fdocuments.us/reader033/viewer/2022050400/5f7d90dec7a79530d6197101/html5/thumbnails/3.jpg)
The Challenge
Design a modular plug-and-play architecture to reduce cost and reuse components
Components must interact – The behavior of one component can affect another – It can be advantageous to have components at different
criticality levels exchange data – Once a component interacts with another, then the whole
system must be certified, not the individual components
© 2010 Real-Time Innovations, Inc. 3
![Page 4: A Data Centric Approach for Modular Assurance The Fourth ...fm.csl.sri.com/LAW/2010/law2010-slides-Ciocarlie.pdf · OMG Data Distribution Service (DDS) Data-centric publish-subscribe](https://reader033.fdocuments.us/reader033/viewer/2022050400/5f7d90dec7a79530d6197101/html5/thumbnails/4.jpg)
The Solution
Move from a component-interaction model to a data-centric model
The data-centric model defines the data types and attributes in the system
A component complies with the data model in terms of data it sends and receives
This decouples applications
© 2010 Real-Time Innovations, Inc. 4
![Page 5: A Data Centric Approach for Modular Assurance The Fourth ...fm.csl.sri.com/LAW/2010/law2010-slides-Ciocarlie.pdf · OMG Data Distribution Service (DDS) Data-centric publish-subscribe](https://reader033.fdocuments.us/reader033/viewer/2022050400/5f7d90dec7a79530d6197101/html5/thumbnails/5.jpg)
© 2010 Real-Time Innovations, Inc. 5
Agenda
Introduction
Data Centric Architecture Modularity Separation Kernels Anonymous Publish-Subscribe OMG Data Distribution Service
Feasibility Study
Conclusions
Future Work
![Page 6: A Data Centric Approach for Modular Assurance The Fourth ...fm.csl.sri.com/LAW/2010/law2010-slides-Ciocarlie.pdf · OMG Data Distribution Service (DDS) Data-centric publish-subscribe](https://reader033.fdocuments.us/reader033/viewer/2022050400/5f7d90dec7a79530d6197101/html5/thumbnails/6.jpg)
The Modular Approach
© 2010 Real-Time Innovations, Inc. 6
Monolithic Approach • Certify whole system • Connection oriented • Tightly coupled • Hard to evolve
Smart Data Bus Standardized Data Services
QoS Controlled Communication
Modular approach • Certify components • Data oriented • Loosely coupled • Evolvable
![Page 7: A Data Centric Approach for Modular Assurance The Fourth ...fm.csl.sri.com/LAW/2010/law2010-slides-Ciocarlie.pdf · OMG Data Distribution Service (DDS) Data-centric publish-subscribe](https://reader033.fdocuments.us/reader033/viewer/2022050400/5f7d90dec7a79530d6197101/html5/thumbnails/7.jpg)
The Data Contract
First, all exchanged data in the system is defined
Next, data characteristics are defined – For example “airspeed” is flagged as flight critical
Then components define data delivery attributes – A flight critical component specifies data rate that flight critical
data must be delivered
This creates a “data contract”
© 2010 Real-Time Innovations, Inc. 7
![Page 8: A Data Centric Approach for Modular Assurance The Fourth ...fm.csl.sri.com/LAW/2010/law2010-slides-Ciocarlie.pdf · OMG Data Distribution Service (DDS) Data-centric publish-subscribe](https://reader033.fdocuments.us/reader033/viewer/2022050400/5f7d90dec7a79530d6197101/html5/thumbnails/8.jpg)
Data Centric Approach for Mixed-Criticality Systems
Data contract includes – Data type – Name – Quality of Service
Validation – Component validation – does it conform to the data model – System validation – is there a producer at correct assurance
level for each required data
© 2010 Real-Time Innovations, Inc. 8
![Page 9: A Data Centric Approach for Modular Assurance The Fourth ...fm.csl.sri.com/LAW/2010/law2010-slides-Ciocarlie.pdf · OMG Data Distribution Service (DDS) Data-centric publish-subscribe](https://reader033.fdocuments.us/reader033/viewer/2022050400/5f7d90dec7a79530d6197101/html5/thumbnails/9.jpg)
Realization of a Mixed-Criticality System
Separation kernels – Guarantees isolation of components – Controls data flow
Anonymous publish-subscribe – Used to implement the data model and distribute data
© 2010 Real-Time Innovations, Inc. 9
![Page 10: A Data Centric Approach for Modular Assurance The Fourth ...fm.csl.sri.com/LAW/2010/law2010-slides-Ciocarlie.pdf · OMG Data Distribution Service (DDS) Data-centric publish-subscribe](https://reader033.fdocuments.us/reader033/viewer/2022050400/5f7d90dec7a79530d6197101/html5/thumbnails/10.jpg)
Separation Kernels
Partial solution for mixed-criticality systems certification
Isolation and Control – Each guest operating system (OS) runs in its own partition – Each guest OS is isolated over both time and space – Information flows are tightly controlled – Components can be pre-certified and composed quickly into
new configurations
Challenge – Do not address interdependency between components or
interactions between components on separate computers
© 2010 Real-Time Innovations, Inc. 10
![Page 11: A Data Centric Approach for Modular Assurance The Fourth ...fm.csl.sri.com/LAW/2010/law2010-slides-Ciocarlie.pdf · OMG Data Distribution Service (DDS) Data-centric publish-subscribe](https://reader033.fdocuments.us/reader033/viewer/2022050400/5f7d90dec7a79530d6197101/html5/thumbnails/11.jpg)
Anonymous Publish-Subscribe
Effective communication architecture
Applications simply publish what they know and subscribe to what they need
Networking middleware provides the functionality for: – discovering publishers and subscribers – handling network traffic and errors – delivering the data
Challenge – Require effort to migrate from a point-to-point component
interaction model
© 2010 Real-Time Innovations, Inc. 11
![Page 12: A Data Centric Approach for Modular Assurance The Fourth ...fm.csl.sri.com/LAW/2010/law2010-slides-Ciocarlie.pdf · OMG Data Distribution Service (DDS) Data-centric publish-subscribe](https://reader033.fdocuments.us/reader033/viewer/2022050400/5f7d90dec7a79530d6197101/html5/thumbnails/12.jpg)
OMG Data Distribution Service (DDS)
Data-centric publish-subscribe middleware for real-time communication – Strong data typing – Quality-of-Service (QoS) parameters
• e.g., deadlines for message delivery, bandwidth control, reliability model control, failover and backup specification, data filtering etc.
DDS QoS parameters characterize: – the data contracts between participants – the properties of the overall data model – real-time communication and delivery requirements on a
per-data-stream basis
© 2010 Real-Time Innovations, Inc. 12
![Page 13: A Data Centric Approach for Modular Assurance The Fourth ...fm.csl.sri.com/LAW/2010/law2010-slides-Ciocarlie.pdf · OMG Data Distribution Service (DDS) Data-centric publish-subscribe](https://reader033.fdocuments.us/reader033/viewer/2022050400/5f7d90dec7a79530d6197101/html5/thumbnails/13.jpg)
© 2010 Real-Time Innovations, Inc. 13
Agenda
Introduction
Data Centric Architecture
Feasibility Study
Conclusions
Future Work
![Page 14: A Data Centric Approach for Modular Assurance The Fourth ...fm.csl.sri.com/LAW/2010/law2010-slides-Ciocarlie.pdf · OMG Data Distribution Service (DDS) Data-centric publish-subscribe](https://reader033.fdocuments.us/reader033/viewer/2022050400/5f7d90dec7a79530d6197101/html5/thumbnails/14.jpg)
Wind River VxWorks MILS and RTI Data Distribution Service
© 2010 Real-Time Innovations, Inc. 14
Hardware (Processor + Board)
VxWorks MILS Separation Kernel Wind River Hypervisor Technology
VxWorks Guest OS
Apps General Network
Stack
DDS shared lib
Linux Guest OS
Apps Linux
Network Stack
DDS shared lib
Linux Guest OS
Apps Linux
Network Stack
DDS shared lib
![Page 15: A Data Centric Approach for Modular Assurance The Fourth ...fm.csl.sri.com/LAW/2010/law2010-slides-Ciocarlie.pdf · OMG Data Distribution Service (DDS) Data-centric publish-subscribe](https://reader033.fdocuments.us/reader033/viewer/2022050400/5f7d90dec7a79530d6197101/html5/thumbnails/15.jpg)
Flight critical
DDS
MILS Kernel
Study Overview
Primary Mission Plan App
Secondary Mission Plan App
Logging
Ground control (laptop 1)
Remote monitor (laptop 2)
UAV Components
DDS Bus
DDS
DDS DDS
High criticality
Lower criticality
DDS provides location-independence!
DDS-Web Services bridge
Alarm Viewer
© 2010 Real-Time Innovations, Inc.
![Page 16: A Data Centric Approach for Modular Assurance The Fourth ...fm.csl.sri.com/LAW/2010/law2010-slides-Ciocarlie.pdf · OMG Data Distribution Service (DDS) Data-centric publish-subscribe](https://reader033.fdocuments.us/reader033/viewer/2022050400/5f7d90dec7a79530d6197101/html5/thumbnails/16.jpg)
MILS Kernel
Scenario 1: Failover of Lower Criticality
Primary Mission Plan
Secondary Mission Plan
Flight critical Logging
DDS Bus
High criticality
Lower criticality
DDS-Web Services bridge
Alarm Viewer
© 2010 Real-Time Innovations, Inc.
![Page 17: A Data Centric Approach for Modular Assurance The Fourth ...fm.csl.sri.com/LAW/2010/law2010-slides-Ciocarlie.pdf · OMG Data Distribution Service (DDS) Data-centric publish-subscribe](https://reader033.fdocuments.us/reader033/viewer/2022050400/5f7d90dec7a79530d6197101/html5/thumbnails/17.jpg)
MILS Kernel
Scenario 2: Lower Criticality Floods the Network
Primary Mission Plan
Secondary Mission Plan
Flight critical Logging
DDS-Web Services bridge
Floods network
Filters excess data
DDS Bus
High criticality
Lower criticality
Alarm Viewer
© 2010 Real-Time Innovations, Inc.
![Page 18: A Data Centric Approach for Modular Assurance The Fourth ...fm.csl.sri.com/LAW/2010/law2010-slides-Ciocarlie.pdf · OMG Data Distribution Service (DDS) Data-centric publish-subscribe](https://reader033.fdocuments.us/reader033/viewer/2022050400/5f7d90dec7a79530d6197101/html5/thumbnails/18.jpg)
Conclusions
Mixed-criticality systems certification still has a long way to go
We can leverage: – Isolation and control capabilities through separation kernels – Modularity through a data-centric architecture
It is possible to build mixed criticality systems that provide: – Modularity – Evolvability – Fault tolerance
© 2010 Real-Time Innovations, Inc. 18
![Page 19: A Data Centric Approach for Modular Assurance The Fourth ...fm.csl.sri.com/LAW/2010/law2010-slides-Ciocarlie.pdf · OMG Data Distribution Service (DDS) Data-centric publish-subscribe](https://reader033.fdocuments.us/reader033/viewer/2022050400/5f7d90dec7a79530d6197101/html5/thumbnails/19.jpg)
Future Work
Identify and analyze the characteristics of the DDS data models that lead to an efficient certification process
Formally demonstrate the applicability of our approach to mixed-criticality systems
© 2010 Real-Time Innovations, Inc. 19
![Page 20: A Data Centric Approach for Modular Assurance The Fourth ...fm.csl.sri.com/LAW/2010/law2010-slides-Ciocarlie.pdf · OMG Data Distribution Service (DDS) Data-centric publish-subscribe](https://reader033.fdocuments.us/reader033/viewer/2022050400/5f7d90dec7a79530d6197101/html5/thumbnails/20.jpg)
Acknowledgments
Wind River – provided their MILS platform as well as for valuable feedback
United States Air Force - contract FA8650-10-M-3025 – The content of this work is the responsibility of the authors and
should not be taken to represent the views or practices of the U.S. Government or its agencies.
© 2010 Real-Time Innovations, Inc. 20
![Page 21: A Data Centric Approach for Modular Assurance The Fourth ...fm.csl.sri.com/LAW/2010/law2010-slides-Ciocarlie.pdf · OMG Data Distribution Service (DDS) Data-centric publish-subscribe](https://reader033.fdocuments.us/reader033/viewer/2022050400/5f7d90dec7a79530d6197101/html5/thumbnails/21.jpg)
Thank You
© 2010 Real-Time Innovations, Inc. 21