Junkil Park

Sensor attack detection in the presence of transient faults

This paper addresses the problem of detection and identification of sensor attacks in the presence of transient faults. We consider a system with multiple sensors measuring the same physical variable, where some sensors might be under attack and provide malicious values. We consider a setup, in which each sensor provides the controller with an interval of possible values for the true value. While approaches exist for detecting malicious sensor attacks, they are conservative in that they treat attacks and faults in the same way, thus neglecting the fact that sensors may provide faulty measurements at times due to temporary disturbances (e.g., a tunnel for GPS). To address this problem, we propose a transient fault model for each sensor and an algorithm designed to detect and identify attacks in the presence of transient faults. The fault model consists of three aspects: the size of the sensors interval (1) and an upper bound on the number of errors (2) allowed in a given window size (3). Given such a model for each sensor, the algorithm uses pairwise inconsistencies between sensors to detect and identify attacks. In addition to the algorithm, we provide a framework for selecting a fault model for each sensor based on training data. Finally, we validate the algorithms performance on real measurement data obtained from an unmanned ground vehicle.

Demo Abstract: ROSLab --- A Modular Programming Environment for Robotic Applications

We propose a simplified high-level programming language based on blocks and links dragged on a workspace which generates the skeleton code for robotic applications involving different types of robots. In order to develop such a high-level programming language that still can guarantee flexibility in term of implementation, our approach takes advantage of the robot operating system (ROS). ROS is a open source meta-operating system that provides a message passing structure between different processes (or nodes) across a network (inter-process communication). In our framework, we consider a hierarchical approach in which at the base there is ROS that allows inter-process communication between nodes in a robot and on the top we create a high-level language that interacts with ROS and thus with the real robot. The high-level language can be viewed as an extra layer added to simplify lower level code generation.

Automatic verification of linear controller software

We consider the problem of verification of software implementations of linear time-invariant controllers. Commonly, different implementations use different representations of the controllers state, for example due to optimizations in a third-party code generator. To accommodate this variation, we exploit input-output controller specification captured by the controllers transfer function and show how to automatically verify correctness of C code controller implementations using a Frama-C/Why3/Z3 toolchain. Scalability of the approach is evaluated using randomly generated controller specifications of realistic size.

Scalable Verification of Linear Controller Software

We consider the problem of verifying software implementations of linear time-invariant controllers against mathematical specifications. Given a controller specification, multiple correct implementations may exist, each of which uses a different representation of controller state e.g., due to optimizations in a third-party code generator. To accommodate this variation, we first extract a controllers mathematical model from the implementation via symbolic execution, and then check input-output equivalence between the extracted model and the specification by similarity checking. We show how to automatically verify the correctness of C code controller implementation using the combination of techniques such as symbolic execution, satisfiability solving and convex optimization. Through evaluation using randomly generated controller specifications of realistic size, we demonstrate that the scalability of this approach has significantly improved compared to our own earlier work based on the invariant checking method.

Process Algebraic Specification of Software Defined Networks

In this paper, we first present a formal specification for a part of Software Defined Networks(SDN) using a process algebra called Algebra of Communicating Shard Resources(ACSR). To provide a correct and efficient solution for forwarding packets on the Software Defined Networks, ACSR can express processes running concurrently and communicating switches and a controller. Forwarding packets can be modeled as prioritized synchronization of events in ACSR. During specifying formally, we could find the Subtle Ambiguity in the SDN specification. The central contribution of this paper is to describe how to apply a formal specification method to a part of informal SDN specification. It is important to specify SDN and verify the properties of the SDN using formal specification before implementing the systems. Furthermore, we prove the correctness of ACSR specification to show deadlockfreeness using VERSA.

A process algebraic approach to the schedulability analysis and workload abstraction of hierarchical real-time systems

Abstract Real-time embedded systems have increased in complexity. As microprocessors become more powerful, the software complexity of real-time embedded systems has increased steadily. The requirements for increased functionality and adaptability make the development of real-time embedded software complex and error-prone. Component-based design has been widely accepted as a compositional approach to facilitate the design of complex systems. It provides a means for decomposing a complex system into simpler subsystems and composing the subsystems in a hierarchical manner. A system composed of real-time subsystems with hierarchy is called a hierarchical real-time system . This paper describes a process algebraic approach to schedulability analysis of hierarchical real-time systems. To facilitate modeling and analyzing hierarchical real-time systems, we conservatively extend an existing process algebraic theory based on ACSR-VP (Algebra of Communicating Shared Resources with Value-Passing) for the schedulability of real-time systems. We explain a method to model a resource model in ACSR-VP which may be partitioned for a subsystem. We also introduce schedulability relation to define the schedulability of hierarchical real-time systems and show that satisfaction checking of the relation is reducible to deadlock checking in ACSR-VP and can be done automatically by the tool support of VERSA (Verification, Execution and Rewrite System for ACSR). With the schedulability relation, we present algorithms for abstracting real-time system workloads.

Adaptive Transient Fault Model for Sensor Attack Detection

This paper considers the problem of sensor attack detection for multiple operating mode systems, building upon an existing attack detection method that uses a transient fault model with fixed parameters. For a multiple operating mode system, the existing method would have to use the most conservative model parameters to preserve the soundness in attack detection, thus not being effective in attack detection for some operating modes. To address this problem, we propose an adaptive transient fault model to use the appropriate parameter values in accordance with the change of the operating mode of the system. The benefit of our proposed system is demonstrated using real measurement data obtained from an unmanned ground vehicle.

A Safety Argument Strategy for PCA Closed-Loop Systems: A Preliminary Proposal

The emerging network-enabled medical devices impose new challenges for the safety assurance of medical cyber-physical systems (MCPS). In this paper, we present a case study of building a high-level safety argument for a patient-controlled analgesia (PCA) closed-loop system, with the purpose of exploring potential methodologies for assuring the safety of MCPS.

Automatic Verification of Finite Precision Implementations of Linear Controllers

We consider the problem of verifying finite precision implementation of linear time-invariant controllers against mathematical specifications. A specification may have multiple correct implementations which are different from each other in controller state representation, but equivalent from a perspective of input-output behavior (e.g., due to optimization in a code generator). The implementations may use finite precision computations (e.g. floating-point arithmetic) which cause quantization (i.e., roundoff) errors. To address these challenges, we first extract a controller’s mathematical model from the implementation via symbolic execution and floating-point error analysis, and then check approximate input-output equivalence between the extracted model and the specification by similarity checking. We show how to automatically verify the correctness of floating-point controller implementation in C language using the combination of techniques such as symbolic execution and convex optimization problem solving. We demonstrate the scalability of our approach through evaluation with randomly generated controller specifications of realistic size.

Security of Cyber-Physical Systems in the Presence of Transient Sensor Faults

This article is concerned with the security of modern Cyber-Physical Systems in the presence of transient sensor faults. We consider a system with multiple sensors measuring the same physical variable, where each sensor provides an interval with all possible values of the true state. We note that some sensors might output faulty readings and others may be controlled by a malicious attacker. Differing from previous works, in this article, we aim to distinguish between faults and attacks and develop an attack detection algorithm for the latter only. To do this, we note that there are two kinds of faults—transient and permanent; the former are benign and short-lived, whereas the latter may have dangerous consequences on system performance. We argue that sensors have an underlying transient fault model that quantifies the amount of time in which transient faults can occur. In addition, we provide a framework for developing such a model if it is not provided by manufacturers. Attacks can manifest as either transient or permanent faults depending on the attacker’s goal. We provide different techniques for handling each kind. For the former, we analyze the worst-case performance of sensor fusion over time given each sensor’s transient fault model and develop a filtered fusion interval that is guaranteed to contain the true value and is bounded in size. To deal with attacks that do not comply with sensors’ transient fault models, we propose a sound attack detection algorithm based on pairwise inconsistencies between sensor measurements. Finally, we provide a real-data case study on an unmanned ground vehicle to evaluate the various aspects of this article.