fault tolerance - applied physics...
TRANSCRIPT
United 737/800
Hacked
“PASS OXYGEN ON anyone?”
Flight Software Workshop 10/26/2015 ©Fault Tolerant Technology [email protected] 2
Virology 101
Flight Software Workshop 10/26/2015 ©Fault Tolerant Technology [email protected] 3
“Although particular virus attacks may be guarded
against,
no general defense within one domain of
reference is possible;
viruses are a natural consequence of a stored-
program computation.”
Virology 101 Douglas McIlroy – Bell Laboratories 1989
Multi-Domain
Architecture
Flight Software Workshop 10/26/2015 ©Fault Tolerant Technology [email protected] 4
Multi-Domain Architecture
Fault Tolerant –
Hardware and Software
Component Failure Analysis
Virus Prevention at Multiple Levels
Flight Software Workshop 10/26/2015 ©Fault Tolerant Technology [email protected] 5
What is Multi-Domain
Architecture
Divides a system into two parts (Domains):
1.Computation (DID)
2.Housekeeping (PAD)
Its an architecture
Can use any old COTS parts and it still
works.
All of the existing software still works.
Flight Software Workshop 10/26/2015 ©Fault Tolerant Technology [email protected] 6
Graphical
Illustration
Flight Software Workshop 10/26/2015 ©Fault Tolerant Technology [email protected] 7
Von Neumann Architecture
Flight Software Workshop 10/26/2015 ©Fault Tolerant Technology [email protected] 8
Control
UnitAccumulator
Arithmetic Logic
Unit
CPU
Input Output
Mem-1 Mem-2 Mem-3 Mem-4 Mem-5 Mem-6
System
CPU
System
Scheduling (Job & Thread)
Data & Instruction
Address Space
Control Signals (interupts)
Single Domain
Flight Software Workshop 10/26/2015 ©Fault Tolerant Technology [email protected] 9
Multi-Domain
Flight Software Workshop 10/26/2015 ©Fault Tolerant Technology [email protected] 10
CPU
System
Controller
PAD Controller
Control Signals
Scheduling
Address Space
DID
Data & Instruction
PAD Virtualizer
Address Space
(Scheduler Relay)
Virtualizer
Comparison
Single Domain Multiple Domain
Flight Software Workshop 10/26/2015 ©Fault Tolerant Technology [email protected] 11
User Layer
Kernel Layer
CPU
Physical Layer
Kernel
Layer
MDA Switch
Scheduler, Virtual Memory,
Virtual File System
Memory
Meta
Controller
Inter Process
Communication
Device Driver,
Dispatcher
Applications
User Layer
Kernel Layer
Virtual File System
Inter Process
Communication
Scheduler, Virtual
Memory
Device Driver,
Dispatcher
(CPU, memory, I/O )
Physical Layer
Applications
I/O
Block Diagram
Flight Software Workshop 10/26/2015 ©Fault Tolerant Technology [email protected] 12
Mentor
Controller
KAC
CPU
Proc PC CPU Memory/Notes
Input
Output
Memory
Mem-1 Mem-2 Mem-3 Mem-4 Mem-5 Mem-6
Control
Unit
Arithmetic
UnitAccumulator
Run Time RBAC
CPU
Control
Unit
Arithmetic
UnitAccumulator
MDA Switch
Multi-Domain Architecture
Doesn’t do anything different
Does them differently
Does things single domain can’t do
Flight Software Workshop 10/26/2015 ©Fault Tolerant Technology [email protected] 13
FEATURES
• Hardware Fault Tolerant
Flight Software Workshop 10/26/2015 ©Fault Tolerant Technology [email protected] 15
FEATURES
• Hardware Fault Tolerant
• Software Fault Tolerant
Flight Software Workshop 10/26/2015 ©Fault Tolerant Technology [email protected] 15
FEATURES
• Hardware Fault Tolerant
• Software Fault Tolerant
• Virus Prevention
Flight Software Workshop 10/26/2015 ©Fault Tolerant Technology [email protected] 15
How
WHEN WHERE
Attack Triangle
Flight Software Workshop 10/26/2015 ©Fault Tolerant Technology [email protected] 17
DID(HOW)
PAD(WHEN) PAD(WHERE)
Attack Triangle
Flight Software Workshop 10/26/2015 ©Fault Tolerant Technology [email protected] 18
FEATURES
• Hardware Fault Tolerant
• Software Fault Tolerant
• Virus Prevention
• Fault isolation
Flight Software Workshop 10/26/2015 ©Fault Tolerant Technology [email protected] 19
FEATURES
• Hardware Fault Tolerant
• Software Fault Tolerant
• Virus Prevention
• Fault isolation
• Reconfigurable HW and SW
Flight Software Workshop 10/26/2015 ©Fault Tolerant Technology [email protected] 19
FEATURES
• Hardware Fault Tolerant
• Software Fault Tolerant
• Virus Prevention
• Fault isolation
• Reconfigurable HW and SW
• Combinatorial Mathematics
Flight Software Workshop 10/26/2015 ©Fault Tolerant Technology [email protected] 19
Simultaneous Failures
Hardware Failure
Virus Problem
Graphical Example
Flight Software Workshop 10/26/2015 ©Fault Tolerant Technology [email protected] 20
Graeco Latin Square Analysis
Meta
ControllerKAC
CPU-0 CPU-2
Proc PCCPU Memory/Notes
Input
Output
CPU-1 CPU-3
Mem-2
Mem-1
Mem-0P-0
P-1
Display - 0
Display - 1
Mem-3
P-2
P-0
P-1
P-2
CPU-3CPU-2CPU-0
Process Time
P-0
P-1
P-2
CPU-3CPU-2CPU-0
Hardware
Display - 2
Graeco-Latin Square Graeco-Latin Square
Flight Software Workshop 10/26/2015 ©Fault Tolerant Technology [email protected] 21
Graeco Latin Square Analysis
Meta
ControllerKAC
CPU-0 CPU-2
Proc PCCPU Memory/Notes
Input
Output
CPU-1 CPU-3
Mem-3
Mem-2
Mem-1
Mem-0P-0
P-1
P-2
P-0
P-1
P-2
CPU-3CPU-2CPU-0
Process Time
P-0
P-1
P-2
CPU-3CPU-2CPU-0
Hardware
Display - 0
Display - 1
Display - 2
Graeco-Latin Square Graeco-Latin Square
Flight Software Workshop 10/26/2015 ©Fault Tolerant Technology [email protected] 22
Graeco Latin Square Analysis
Meta
ControllerKAC
CPU-0 CPU-2
Proc PCCPU Memory/Notes
Input
Output
CPU-1 CPU-3
Mem-3
Mem-2
Mem-1
Mem-0P-0
P-1
P-2
P-0
P-1
P-2
CPU-3CPU-2CPU-0
Process TIme
P-0
P-1
P-2
CPU-3CPU-2CPU-0
Hardware
Display - 0
Display - 1
Display - 2
Graeco-Latin Square Graeco-Latin Square
Flight Software Workshop 10/26/2015 ©Fault Tolerant Technology [email protected] 23
Graeco Latin Square Analysis
Meta
ControllerKAC
CPU-0 CPU-2
Proc PCCPU Memory/Notes
Input
Output
CPU-1 CPU-3
Mem-3
Mem-2
Mem-1
Mem-0P-0
P-1
P-2
P-0
P-1
P-2
CPU-3CPU-2CPU-0
Process Time
P-0
P-1
P-2
CPU-3CPU-2CPU-0
Hardware
Display - 0
Display - 1
Display - 2
Graeco-Latin SquareGraeco-Latin Square
Flight Software Workshop 10/26/2015 ©Fault Tolerant Technology [email protected] 24
Graeco Latin Square Analysis
Meta
ControllerKAC
CPU-0 CPU-2
Proc PCCPU Memory/Notes
Input
Output
CPU-1 CPU-3
265
Mem-3
Mem-2
Mem-1
Mem-0P-0
P-1
P-2
52P-0
P-1
P-2
CPU-3CPU-2CPU-0
Process Time
265P-0
P-1
P-2
CPU-3CPU-2CPU-0
Hardware
Display - 0
Display - 1
Display - 2
Graeco-Latin SquareGraeco-Latin Square
Flight Software Workshop 10/26/2015 ©Fault Tolerant Technology [email protected] 25
Graeco Latin Square Analysis
Meta
ControllerKAC
CPU-0 CPU-2
Proc PCCPU Memory/Notes
Input
Output
CPU-1 CPU-3
265
265
Mem-3
Mem-2
Mem-1
Mem-0P-0
P-1
P-2
52P-0
155P-1
P-2
CPU-3CPU-2CPU-0
Process Time
265P-0
265P-1
P-2
CPU-3CPU-2CPU-0
Hardware
Display - 0
Display - 1
Display - 2
Graeco-Latin SquareGraeco-Latin Square
Flight Software Workshop 10/26/2015 ©Fault Tolerant Technology [email protected] 26
Graeco Latin Square Analysis
Meta
ControllerKAC
CPU-0 CPU-2
Proc PCCPU Memory/Notes
Input
Output
CPU-1 CPU-3
265
265
93Mem-3
Mem-2
Mem-1
Mem-0P-0
P-1
P-2
52P-0
155P-1
52P-2
CPU-3CPU-2CPU-0
Process Time
265P-0
265P-1
93P-2
CPU-3CPU-2CPU-0
Hardware
Display - 0
Display - 1
Display - 2
Graeco-Latin SquareGraeco-Latin Square
Flight Software Workshop 10/26/2015 ©Fault Tolerant Technology [email protected] 27
Graeco Latin Square Analysis
Meta
ControllerKAC
CPU-0 CPU-2
Proc PCCPU Memory/Notes
Input
Output
CPU-1 CPU-3
265
265
93Mem-3
Mem-2
Mem-1
Mem-0P-0
P-1
P-2
52P-0
155P-1
52P-2
CPU-3CPU-2CPU-0
Process Time
265P-0
265P-1
93P-2
CPU-3CPU-2CPU-0
Hardware
Display - 0
Display - 1
Display - 2
Graeco-Latin SquareGraeco-Latin Square
Flight Software Workshop 10/26/2015 ©Fault Tolerant Technology [email protected] 28
Graeco Latin Square Analysis
Meta
ControllerKAC
CPU-0 CPU-2
Proc PCCPU Memory/Notes
Input
Output
CPU-1 CPU-3
265
265
93Mem-3
Mem-2
Mem-1
Mem-0P-0
P-1
P-2
52P-0
155P-1
52P-2
CPU-3CPU-2CPU-0
Process Time
265P-0
265P-1
93P-2
CPU-3CPU-2CPU-0
Hardware
Display - 0
Display - 1
Display - 2
Graeco-Latin SquareGraeco-Latin Square
Flight Software Workshop 10/26/2015 ©Fault Tolerant Technology [email protected] 29
Graeco Latin Square Analysis
Meta
ControllerKAC
CPU-0 CPU-2
Proc PCCPU Memory/Notes
Input
Output
CPU-1 CPU-3
265
265
93Mem-3
Mem-2
Mem-1
Mem-0P-0
P-1
P-2
52P-0
155P-1
52155P-2
CPU-3CPU-2CPU-0
Process Time
265P-0
265P-1
9393P-2
CPU-3CPU-2CPU-0
Hardware
Display - 0
Display - 1
Display - 2
Graeco-Latin SquareGraeco-Latin Square
Flight Software Workshop 10/26/2015 ©Fault Tolerant Technology [email protected] 30
Graeco Latin Square Analysis
Meta
ControllerKAC
CPU-0 CPU-2
Proc PCCPU Memory/Notes
Input
Output
CPU-1 CPU-3
265
265
93Mem-3
Mem-2
Mem-1
Mem-0P-0
P-1
P-2
5252P-0
155P-1
52155P-2
CPU-3CPU-2CPU-0
Process Time
265265P-0
265P-1
9393P-2
CPU-3CPU-2CPU-0
Hardware
Display - 0
Display - 1
Display - 2
Graeco-Latin SquareGraeco-Latin Square
Flight Software Workshop 10/26/2015 ©Fault Tolerant Technology [email protected] 31
Graeco Latin Square Analysis
Meta
ControllerKAC
CPU-0 CPU-2
Proc PCCPU Memory/Notes
Input
Output
CPU-1 CPU-3
265
265
93Mem-3
Mem-2
Mem-1
Mem-0P-0
P-1
P-2
5252P-0
52155P-1
52155P-2
CPU-3CPU-2CPU-0
Process Time
265265P-0
265265P-1
9393P-2
CPU-3CPU-2CPU-0
Hardware
Display - 0
Display - 1
Display - 2
Graeco-Latin SquareGraeco-Latin Square
Flight Software Workshop 10/26/2015 ©Fault Tolerant Technology [email protected] 32
Graeco Latin Square Analysis
Meta
ControllerKAC
CPU-0 CPU-2
Proc PCCPU Memory/Notes
Input
Output
CPU-1 CPU-3
265
265
93Mem-3
Mem-2
Mem-1
Mem-0P-0
P-1
P-2
5252P-0
52155P-1
52155P-2
CPU-3CPU-2CPU-0
Process Time
265265P-0
265265P-1
9393P-2
CPU-3CPU-2CPU-0
Hardware
Display - 0
Display - 1
Display - 2
Graeco-Latin SquareGraeco-Latin Square
Flight Software Workshop 10/26/2015 ©Fault Tolerant Technology [email protected] 33
Graeco Latin Square Analysis
Meta
ControllerKAC
CPU-0 CPU-2
Proc PCCPU Memory/Notes
Input
Output
CPU-1 CPU-3
265
265
93Mem-3
Mem-2
Mem-1
Mem-0P-0
P-1
P-2
5252P-0
52155P-1
52155P-2
CPU-3CPU-2CPU-0
Process Time
265265P-0
265265P-1
9393P-2
CPU-3CPU-2CPU-0
Hardware
Display - 0
Display - 1
Display - 2
Graeco-Latin SquareGraeco-Latin Square
Flight Software Workshop 10/26/2015 ©Fault Tolerant Technology [email protected] 34
Graeco Latin Square Analysis
Meta
ControllerKAC
CPU-0 CPU-2
Proc PCCPU Memory/Notes
Input
Output
CPU-1 CPU-3
265
265
93Mem-3
Mem-2
Mem-1
Mem-0P-0
P-1
P-2
5252P-0
5215552P-1
52155P-2
CPU-3CPU-2CPU-0
Process Time
265265P-0
265265265P-1
9393P-2
CPU-3CPU-2CPU-0
Hardware
Display - 0
Display - 1
Display - 2
Graeco-Latin SquareGraeco-Latin Square
Flight Software Workshop 10/26/2015 ©Fault Tolerant Technology [email protected] 35
Graeco Latin Square Analysis
Meta
ControllerKAC
CPU-0 CPU-2
Proc PCCPU Memory/Notes
Input
Output
CPU-1 CPU-3
265
265
93Mem-3
Mem-2
Mem-1
Mem-0P-0
P-1
P-2
5252P-0
5215552P-1
5252155P-2
CPU-3CPU-2CPU-0
Process Time
265265P-0
265265265P-1
939393P-2
CPU-3CPU-2CPU-0
Hardware
Display - 0
Display - 1
Display - 2
Graeco-Latin SquareGraeco-Latin Square
Flight Software Workshop 10/26/2015 ©Fault Tolerant Technology [email protected] 36
Graeco Latin Square Analysis
Meta
ControllerKAC
CPU-0 CPU-2
Proc PCCPU Memory/Notes
Input
Output
CPU-1 CPU-3
265
265
93Mem-3
Mem-2
Mem-1
Mem-0P-0
P-1
P-2
1555252P-0
5215552P-1
5252155P-2
CPU-3CPU-2CPU-0
Process Time
265265265P-0
265265265P-1
939393P-2
CPU-3CPU-2CPU-0
Hardware
Display - 0
Display - 1
Display - 2
Graeco-Latin SquareGraeco-Latin Square
OutputMem-2
Flight Software Workshop 10/26/2015 ©Fault Tolerant Technology [email protected] 37
Graeco Latin Square Analysis
Meta
ControllerKAC
CPU-0 CPU-2
Proc PCCPU Memory/Notes
Input
Output
CPU-1 CPU-3
265
265
93Mem-3
Mem-2
Mem-1
Mem-0P-0
P-1
P-2
1555252P-0
5215552P-1
5252155P-2
CPU-3CPU-2CPU-0
Process Time
265265265P-0
265265265P-1
939393P-2
CPU-3CPU-2CPU-0
Hardware
Display - 0
Display - 1
Display - 2
Graeco-Latin SquareGraeco-Latin Square
Flight Software Workshop 10/26/2015 ©Fault Tolerant Technology [email protected] 38
Single Domain Multi Domain
• Fixed System • Limited fault analysis
• Reconfigurable System • Component level analysis
Flight Software Workshop 10/26/2015 ©Fault Tolerant Technology [email protected] 39
Single Domain Multi Domain
• Fixed System • Limited fault analysis
• Virus Protection • 35 year legacy
• Reconfigurable System • Component level analysis
• Virus Protection • Disjoint domains • Reconfigurable system
Flight Software Workshop 10/26/2015 ©Fault Tolerant Technology [email protected] 39
Single Domain Multi Domain
• Fixed System • Limited fault analysis
• Virus Protection • 35 year legacy
• Computational Speed • CPU does all the work
• Reconfigurable System • Component level analysis
• Virus Protection • Disjoint domains • Secure communications
• Computational Speed • Overhead on separate RISC
Flight Software Workshop 10/26/2015 ©Fault Tolerant Technology [email protected] 39
Single Domain Multi Domain
• Fixed System • Limited fault analysis
• Virus Protection • 35 year legacy
• Computational Speed • CPU does all the work
• Software • The Standard
• Reconfigurable System • Component level analysis
• Virus Protection • Disjoint domains • Reconfigurable system
• Computational Speed • Overhead on separate RISC
• Software
• No change / instruction sets • Updates protection
Flight Software Workshop 10/26/2015 ©Fault Tolerant Technology [email protected] 39
Multi-Domain
Architecture
Q&A
Flight Software Workshop 10/26/2015 ©Fault Tolerant Technology [email protected] 40
Flight Software Workshop 10/26/2015 ©Fault Tolerant Technology [email protected] 40