
Distributed Control Lab: A component-based application

Overview, Architecture, Experiments

Outline
- Motivation
- The Distributed Control Lab (DCL): Architecture
- Foucault's Pendulum: Details, Hardware / Software Architecture, Control Algorithms
- Hau den Lukas: Hardware Architecture, Control Software
- Additional Experiments
- Malicious Code: Problem / Solutions

Motivation
- Online access to physical experiments over the Web
- Test-bed for interconnected middleware components and embedded systems
- Reach a predictable system behaviour in unstable environments
- Study techniques to prevent malicious code from damaging physical equipment
- Foucault's Pendulum demonstrates the usage of dynamic reconfiguration for online replacement of user control

Distributed Control Lab
- 2001: project start at Hasso-Plattner-Institute
- Practice of writing control algorithms for real-time control problems
- Study of system predictability, availability and security in the context of middleware-based dynamic control systems
- Extensible architecture for hosting physical control experiments
- Investigation of algorithms for user code observation and replacement of control components
- Experiment: physical installation and specific control software

Distributed Control Lab (V2) Architecture

[Architecture diagram; components shown: DISCOURSE users, Ticket Service (SOAP) with Tickets, Users and Admin, Experiment Service with Job Queue, DCL Frontend, SOAP Frontend, Experiment Manager, Experiment Controllers, Result Manager, Job Results.]
DCL Messaging Protocols

[Protocol diagram; tiers and protocols shown: Client Web-Browser -- http/html -- ASP.NET Page (IIS ASP.NET Web/Application Server) -- SOAP -- DCL Web Service (IIS ASP.NET Web/Application Server) -- .NET Remoting -- DCL Experiment-/Result Manager (.NET Remoting Service), which uses ODBC towards the DBMS and .NET Remoting towards the DCL Experiment Controller (.NET Remoting Service) -- TCP/IP, IrDA -- Embedded Control Device (RT-Linux PC, Brick OS, ...).]

Problem: Malicious Code

Investigation of solutions for malicious code detection:
- Source code analysis
- Experiment-specific languages / language limitations
- .NET code access security
- Simulation before execution on the physical experiment
- Analytic redundancy
- Online observation of user programs
- Replacement of user programs before an uncontrollable state is reached
- Dynamic reconfiguration of the component-based control application
- Monitoring of environmental settings and component states

Foucault's Pendulum
- First installation 1848 by Léon Foucault in the Panthéon in Paris
- Demonstrates the earth's rotation
- Today many installations, including one in the UN building in New York
- Problem: the pendulum must be kept swinging
- Solution: an electro magnet under an iron ball
- Experiment: find the best control algorithm to keep the pendulum swinging, using minimum energy and reaching the highest amplitude

[Component diagram: Safety Controller, User Controller, Configuration Manager]

Pendulum Control detailed
- Laser light barriers are sampled into 4 KByte FIFO memories at 23.4 kHz
- The USB controller checks the half-full flag
- 64 Byte blocks of data are transferred via USB 1.1
- Real-time OS threads process the incoming signals and produce the outgoing bit stream

[Data-path diagram: Light Sensor -> FIFO-Memory (4 KBytes) -> Cypress EZ-USB (checks HalfFull flag, 64 Byte read) -> USB HostController -> I/O request packet (Operating System I/O, kernel mode) -> user mode: Binary Reader / Filter, Smooth (ReadFile()) -> Event Creation -> Event Duplication; return path: Binary Stream Generation -> Binary Writer (WriteFile()) -> write to Cypress EZ-USB -> Electro Magnet.]

Pendulum-API: Control Event

    public class ControlEvent
    {
        public int nr;          // sensor or actuator identifier
        public int state;       // actuator: 1 ON - 0 OFF; light barrier: 1 light -> dark, 0 dark -> light
        public long timestamp;  // global time stamp
        // constructor inferred from the example slide's new ControlEvent(timestamp, nr, state)
        public ControlEvent(long timestamp, int nr, int state) { this.timestamp = timestamp; this.nr = nr; this.state = state; }
    }

Pendulum-API: Interface

    public interface Pendulum
    {
        // Dequeue next event; blocks if no event is present until the next event occurs
        ControlEvent GetNext();
        // Queue next event to put energy on / off
        bool SendEvent(ControlEvent input);
        // Get global time stamp, 1 microsecond logical resolution
        long GetTime();
    }

Pendulum: Example Control Code

    // pendel: the Pendulum instance supplied to the user control class
    while (true)
    {
        // get next event
        ControlEvent ev = pendel.GetNext();
        if (ev.state == 1) // pendulum enters light barrier
        {
            // switch magnet on (time stamps have 1 microsecond resolution)
            pendel.SendEvent(new ControlEvent(ev.timestamp + 1000, 0, 1));
            // switch it off after 5 ms
            pendel.SendEvent(new ControlEvent(ev.timestamp + 6000, 0, 0));
        }
    }

Pendulum Control Process Generation

The user's control code is combined with configuration code to generate a user control class, which is compiled, sent to the DCL, and then run to control the experiment:

    public class UserControl
    {
        public static void Main(string[] args)
        {
            // user control code
            while (true)
            {
                // get next event
                ControlEvent ev = pendel.GetNext();
                if (ev.state == 1) // pendulum enters light barrier
                {
                    // switch magnet on
                    pendel.SendEvent(new ControlEvent(ev.timestamp + 1000, 0, 1));
                    // switch it off after 5 ms
                    pendel.SendEvent(new ControlEvent(ev.timestamp + 6000, 0, 0));
                }
            }
        }
    }

Pendulum: Increase of amplitude

1. Get the current oscillation time Toz (time for a full oscillation)
2. Get the current time the ball covers the light barrier, Ts (indicates speed)
3. If the ball enters the light barrier:
   1. Queue an Enable Magnet event at Tcurrent + Toz/4
   2. Queue a Disable Magnet event at Tcurrent + Toz/2 + Ts/2 - Tmf, where Tmf is the duration of the magnetic field shut-down
4. Repeat steps 1-4
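The four steps above, as an added example on top of the Pendulum API from the earlier slides (this is not code from the deck or the DCL project). Assumptions: actuator number 0 is the electro magnet, as in the deck's example code; Toz is derived from the interval between successive barrier entries, scaled by how many times the ball crosses the barrier per oscillation (the deck does not say how Toz is measured); the values for Tmf, the coil-on cap and the simulated pendulum at the bottom are constructed.

```csharp
// Added example, not from the slides: amplitude-increase scheduler (steps 1-4).
using System;
using System.Collections.Generic;

public class ControlEvent
{
    public int nr;          // sensor or actuator identifier
    public int state;       // actuator: 1 ON, 0 OFF; light barrier: 1 light->dark, 0 dark->light
    public long timestamp;  // global time stamp, 1 microsecond resolution

    public ControlEvent(long timestamp, int nr, int state)
    {
        this.timestamp = timestamp; this.nr = nr; this.state = state;
    }
}

public class AmplitudeScheduler
{
    const int Magnet = 0;                  // assumption: actuator 0 is the coil
    readonly long tmf;                     // Tmf: magnetic field shut-down time (us)
    readonly long maxOnTime;               // safety cap on coil-on time per swing (us), assumed
    readonly int crossingsPerOscillation;  // assumption: 1 or 2 depending on barrier placement
    long lastEnter = -1;                   // timestamp of the previous barrier entry
    long toz = 0;                          // Toz: full oscillation time (us); 0 = not yet known
    long ts = 0;                           // Ts: time the ball covers the barrier (us); 0 = unknown

    public AmplitudeScheduler(long tmf, long maxOnTime, int crossingsPerOscillation)
    {
        this.tmf = tmf; this.maxOnTime = maxOnTime;
        this.crossingsPerOscillation = crossingsPerOscillation;
    }

    // Feed every event from Pendulum.GetNext(); returns the magnet events to pass to SendEvent().
    public List<ControlEvent> OnEvent(ControlEvent ev)
    {
        var outgoing = new List<ControlEvent>();
        if (ev.state == 1)                              // ball enters the light barrier
        {
            if (lastEnter >= 0)                         // step 1: Toz from the entry interval
                toz = (ev.timestamp - lastEnter) * crossingsPerOscillation;
            lastEnter = ev.timestamp;

            if (toz > 0 && ts > 0)                      // step 3: both measurements are needed
            {
                long tCurrent = ev.timestamp;
                long enable  = tCurrent + toz / 4;                 // step 3.1
                long disable = tCurrent + toz / 2 + ts / 2 - tmf;  // step 3.2
                // Guard (added, not in the deck's steps): refuse inverted or over-long pulses.
                if (disable > enable && disable - enable <= maxOnTime)
                {
                    outgoing.Add(new ControlEvent(enable, Magnet, 1));
                    outgoing.Add(new ControlEvent(disable, Magnet, 0));
                }
            }
        }
        else if (lastEnter >= 0)                        // ball leaves the barrier: step 2, Ts
        {
            ts = ev.timestamp - lastEnter;
        }
        return outgoing;                                // step 4: the caller loops on GetNext()
    }
}

public static class Demo
{
    // Simulates three oscillations of a 2 s pendulum whose ball covers the barrier
    // for 20 ms (constructed values) and prints the magnet events the scheduler emits.
    public static void Main()
    {
        var sched = new AmplitudeScheduler(tmf: 2000, maxOnTime: 600000, crossingsPerOscillation: 1);
        const long period = 2000000, cover = 20000;    // microseconds
        const int Barrier = 1;                          // assumption: sensor 1 is the light barrier
        for (int i = 0; i < 3; i++)
        {
            long enter = i * period;
            foreach (var ev in new[] { new ControlEvent(enter, Barrier, 1),
                                       new ControlEvent(enter + cover, Barrier, 0) })
                foreach (var cmd in sched.OnEvent(ev))
                    Console.WriteLine("t=" + cmd.timestamp + " magnet " + (cmd.state == 1 ? "ON" : "OFF"));
        }
    }
}
```

The first entry only primes the measurements; from the second oscillation on the scheduler emits an ON event a quarter period after the entry and an OFF event Tmf before the ball returns to the barrier centre. The on-time cap is the kind of check the safety controller needs because CAS cannot see coil heating (see the dynamic-properties slide below).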

Code Access Security (CAS) in .NET
- Supplements operating system security mechanisms
- Trust in assemblies varies depending on origin and publisher
- Based on evidence of assemblies: application directory, strong name, URL, signature
- Permissions restrict access to system resources
- DCL: configuration of the usable class library classes

Code Access Permissions
- Represent access to a protected resource or the ability to perform a protected operation
- Environment Variables, File Dialog, File I/O, Isolated Storage File, Reflection, Registry, Security, User Interface, DNS, Printing, Event Log, Socket Access, Web Access, Performance Counter, Directory Services, Message Queue, Service Controller, SQL Client

Evidence Based Security
- Assembly evidence is matched against code groups to gain permissions
- A code group consists of a membership condition and a set of code access permissions
- Security policies contain code groups that map assemblies to permissions
- Policy levels in .NET: Enterprise, Machine, User, Application Domain
- Policy evaluation: top-down

.NET Security in the Pendulum Experiment
- A code group in the machine policy applies only to the usercode.exe assembly
- A custom permission set is assigned to the code group: no permissions, except:
  - Execution permission
  - Access to the driver component via .NET Remoting: localhost, one specified socket, one URI
  - File I/O in the local directory
- Required permissions are checked before code execution (.NET attributes)
- Security exception if any restriction is violated
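The permission set described above, built and applied in code as an added example (not the DCL project's own code). The deck assigns this set to a code group in the machine policy; PermitOnly() is the in-process equivalent used here so the effect of a violated restriction can be seen. Assumptions: a .NET Framework runtime that enforces CAS stack walks (the 1.x-3.5 generation the deck describes; CAS is absent from .NET Core / .NET 5+), and the driver port 8085 is a constructed value standing in for "one specified socket".

```csharp
// Added example, not from the slides: restricted permission set for usercode.exe.
using System;
using System.IO;
using System.Net;
using System.Security;
using System.Security.Permissions;
using Microsoft.Win32;

public static class UserCodeSandbox
{
    const int DriverPort = 8085;   // assumption: port of the driver's remoting endpoint on localhost

    // "No permissions, except:" execution, one local socket, file I/O in the local directory.
    public static PermissionSet BuildPermissionSet(string localDir)
    {
        var set = new PermissionSet(PermissionState.None);
        set.AddPermission(new SecurityPermission(SecurityPermissionFlag.Execution));
        set.AddPermission(new SocketPermission(NetworkAccess.Connect, TransportType.Tcp,
                                               "localhost", DriverPort));
        set.AddPermission(new FileIOPermission(
            FileIOPermissionAccess.Read | FileIOPermissionAccess.Write, localDir));
        return set;
    }

    // Runs userMain with only the permissions above on the stack; any other resource
    // access raises a SecurityException at the point where the runtime demands it.
    public static bool RunUserCode(Action userMain, string localDir)
    {
        string blocked = null;
        BuildPermissionSet(localDir).PermitOnly();
        try { userMain(); }
        catch (SecurityException ex) { blocked = ex.Message; }
        finally { CodeAccessPermission.RevertPermitOnly(); }
        if (blocked != null) Console.WriteLine("user code blocked: " + blocked);
        return blocked == null;
    }

    // Declarative check (".NET attributes"): the demand runs before the method body,
    // so the violation surfaces at the call instead of somewhere inside the user code.
    [FileIOPermission(SecurityAction.Demand, Unrestricted = true)]
    public static void ReadOutsideLocalDir()
    {
        Console.WriteLine(File.ReadAllText(Path.Combine(Path.GetTempPath(), "notes.txt")));
    }

    public static void Main()
    {
        string localDir = AppDomain.CurrentDomain.BaseDirectory;

        // Allowed: file I/O inside the local directory.
        RunUserCode(() => File.WriteAllText(Path.Combine(localDir, "run.log"), "started"), localDir);

        // Blocked: registry access is not part of the set.
        RunUserCode(() => Registry.CurrentUser.OpenSubKey("Software"), localDir);

        // Blocked before the body executes: declarative demand for unrestricted file I/O.
        RunUserCode(ReadOutsideLocalDir, localDir);
    }
}
```

Starting from PermissionState.None and adding only what the experiment needs is the point: a user program that tries anything outside the three grants fails closed with a SecurityException, which the experiment controller can log and treat as a terminated user program.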


Pendulum Experiment Dynamic Properties
- Code Access Security provides a safe environment for the execution of foreign code
- There are still dynamic properties of the experiment that cannot be handled by CAS:
  - Expiration of available execution time (fairness)
  - Expiration of available energy
  - Overheating of the coil
  - The pendulum falls below a critical amplitude (energy), so it could not be kept swinging
  - Unexpected termination of user programs
  - Exaggerated use of memory

Our Approach: Dynamic Reconfiguration as safe-guard mechanism
- Mapping of profiles to application configurations based on environmental conditions and component states
- Selection of the application configuration according to the conditions provides the best service for a given situation
- Definition of
  - observers: monitoring of environmental settings and component states
  - profiles: mapping of environmental conditions to application configurations
  - configurations of component-based applications
- Online monitoring of environment and components
- Change of the application configuration using dynamic reconfiguration if required (changed conditions)

Configuration Creator Tool

Pendulum Experiment Control Configurations
- Configuration 1: safety controller
- Configuration 2: user program (cold standby)
- Configuration 3: user program (warm standby)

[Configuration diagrams; components shown: USB-Driver (USB), Safety Controller, User Program, Event Queuing in configuration 2, Event Duplicator in configuration 3.]

Measurements: abnormal termination of the user program
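An observer / profile / configuration loop in the spirit of the approach slide, selecting between the three configurations just listed, as an added example (not the DCL's configuration manager). Observers deliver a state snapshot, profiles map conditions to a configuration and are evaluated top-down, and the reconfigurator switches only when the selected configuration changes. The thresholds, the condition names and the choice of which condition leads to which standby mode are constructed for this example.

```csharp
// Added example, not from the slides: profile-driven reconfiguration of the pendulum control.
using System;
using System.Collections.Generic;

public class ExperimentState            // snapshot delivered by the observers
{
    public double CoilTemperatureC;     // environmental setting
    public double AmplitudeDeg;         // environmental setting
    public long   EnergyBudgetJ;        // remaining energy for this run
    public long   RemainingTimeS;       // remaining execution time (fairness)
    public long   UserMemoryMB;         // component state: memory used by the user program
    public bool   UserProgramAlive;     // component state: user program still running
}

public class Profile
{
    public string Name;
    public Func<ExperimentState, bool> Condition;
    public string Configuration;
}

public class Reconfigurator
{
    public const string SafetyOnly  = "Configuration 1: safety controller";
    public const string ColdStandby = "Configuration 2: user program (cold standby)";
    public const string WarmStandby = "Configuration 3: user program (warm standby)";

    readonly List<Profile> profiles;
    public string Current { get; private set; }
    public List<string> Log = new List<string>();

    public Reconfigurator(List<Profile> profiles, string initial)
    {
        this.profiles = profiles; Current = initial;
    }

    // Profiles are evaluated top-down; the first match wins, so safety profiles come first.
    public string Select(ExperimentState s)
    {
        foreach (var p in profiles)
            if (p.Condition(s)) return p.Configuration;
        return Current;                 // no profile matched: keep the running configuration
    }

    // Called by the observer on every snapshot; reconfigures only on a change.
    public void Observe(ExperimentState s)
    {
        string wanted = Select(s);
        if (wanted != Current)
        {
            Log.Add("reconfigure: " + Current + " -> " + wanted);
            Current = wanted;           // here the component application would be re-wired
        }
    }
}

public static class Demo
{
    // Constructed profiles: every CAS-invisible condition from the deck maps to the safety
    // controller; a low amplitude brings the safety controller into warm standby.
    public static List<Profile> PendulumProfiles()
    {
        return new List<Profile>
        {
            new Profile { Name = "coil overheating",   Condition = s => s.CoilTemperatureC > 80, Configuration = Reconfigurator.SafetyOnly },
            new Profile { Name = "energy expired",     Condition = s => s.EnergyBudgetJ <= 0,    Configuration = Reconfigurator.SafetyOnly },
            new Profile { Name = "time expired",       Condition = s => s.RemainingTimeS <= 0,   Configuration = Reconfigurator.SafetyOnly },
            new Profile { Name = "user program died",  Condition = s => !s.UserProgramAlive,     Configuration = Reconfigurator.SafetyOnly },
            new Profile { Name = "memory exaggerated", Condition = s => s.UserMemoryMB > 64,     Configuration = Reconfigurator.SafetyOnly },
            new Profile { Name = "amplitude critical", Condition = s => s.AmplitudeDeg < 2.0,    Configuration = Reconfigurator.WarmStandby },
            new Profile { Name = "normal operation",   Condition = s => true,                    Configuration = Reconfigurator.ColdStandby },
        };
    }

    public static void Main()
    {
        var r = new Reconfigurator(PendulumProfiles(), Reconfigurator.ColdStandby);
        var s = new ExperimentState { CoilTemperatureC = 40, AmplitudeDeg = 5, EnergyBudgetJ = 100,
                                      RemainingTimeS = 300, UserMemoryMB = 10, UserProgramAlive = true };
        r.Observe(s);                              // normal: stays in cold standby
        s.AmplitudeDeg = 1.5;    r.Observe(s);     // amplitude critical: warm standby
        s.CoilTemperatureC = 85; r.Observe(s);     // overheating: safety controller only
        s.CoilTemperatureC = 40; r.Observe(s);     // cooled down, amplitude still low: warm standby
        foreach (string line in r.Log) Console.WriteLine(line);
    }
}
```

Because the safety profiles sit above "normal operation", a violated condition always wins over the user program; a production version would add hysteresis on the temperature and amplitude thresholds so that a value hovering around a limit does not trigger repeated reconfigurations.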

Higher Striker (Hau den Lukas)
- Similar hardware to the pendulum experiment: parallel I/O, 38 kHz sample rate, 256 Byte buffer
- Smaller buffers, higher sampling frequency, short control delay
- COTS x86 PC: Intel Celeron 633 MHz, 128 MB RAM (max 64 MB usable), 10 Mbit/s LAN (NE 2000 PCI)
- Use of a real-time OS
- Combination of non-RT .NET and RT application: CE-PC, Windows CE .NET 4.2

Higher Striker - Architecture

[Architecture diagram; elements shown: DCL, .NET DCL Controller PC, download of COMPILED user control algorithms, User Code, CE-PC, Platform Builder / Debug Host with OS image debugging, power, light barriers, switch, A/D transformation, FIFO memory, parallel port I/O, optical signal generation.]

Higher Striker Minimal Program

    INITIALIZE;
    do {
        READ();              // fetch the next input block from the device
        WRITE(buffer);       // hand the next output block to the device
        GETSTATUS();
        if (EMPTY_FLAG_LS)   // empty flag set: wait 1 ms before the next round
            Sleep(1);
    } while (!EOF(buffer));

Controlling the Experiment
- Abstract from direct hardware programming: provide a higher-level API to the experiment
- Two possible control scenarios:
  - Calculation before runtime; analysis of the result after experiment execution for the next run
  - Calculation of control signals during runtime (hard deadlines)
- Investigation of various operating systems: .NET Compact Framework and real time

Higher Striker - Event List API

Event list (time;value pairs) and the byte stream generated from it:

    0;1; 10;0; 20;2; 25;0; 50;4; 80;0;

    1111111111000000000
    0222220000000000000
    0000000000000000888
    8888888888888888888
    8888880000000000000

- Definition before runtime
- Transformation into a byte stream before runtime
- Simple checks possible (temperature of the magnet)
- Generation of an event list after runtime for analysis for the next experiment runs
- Not flexible but simple to implement
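A parser for the time;value event list above, the transformation into a per-tick byte stream, and one of the "simple checks" the slide mentions, as an added example (not the Higher Striker's own code). Assumptions: each value holds until the time of the next event, the stream is 100 ticks long, and the longest run of non-zero output is used as a stand-in for the magnet temperature check with a constructed limit.

```csharp
// Added example, not from the slides: event list -> byte stream with a pre-run check.
using System;
using System.Collections.Generic;
using System.Text;

public struct OutputEvent
{
    public int Time;    // tick at which the value becomes active
    public byte Value;  // value written to the output port from that tick on
    public OutputEvent(int time, byte value) { Time = time; Value = value; }
}

public static class EventList
{
    // "0;1; 10;0; 20;2;" -> [(0,1), (10,0), (20,2)]; rejects malformed or unordered input.
    public static List<OutputEvent> Parse(string text)
    {
        string[] fields = text.Split(new[] { ';', ' ', '\t', '\r', '\n' },
                                     StringSplitOptions.RemoveEmptyEntries);
        if (fields.Length % 2 != 0)
            throw new FormatException("event list needs time;value pairs");
        var events = new List<OutputEvent>();
        int lastTime = -1;
        for (int i = 0; i < fields.Length; i += 2)
        {
            int time = int.Parse(fields[i]);
            byte value = byte.Parse(fields[i + 1]);
            if (time <= lastTime)
                throw new FormatException("event times must increase at field " + i);
            events.Add(new OutputEvent(time, value));
            lastTime = time;
        }
        return events;
    }

    // Transformation before runtime: one byte per tick, the value held until the next event.
    public static byte[] ToByteStream(List<OutputEvent> events, int length)
    {
        var stream = new byte[length];                   // ticks before the first event stay 0
        for (int i = 0; i < events.Count; i++)
        {
            int end = (i + 1 < events.Count) ? events[i + 1].Time : length;
            for (int t = events[i].Time; t < Math.Min(end, length); t++)
                stream[t] = events[i].Value;
        }
        return stream;
    }

    // Simple pre-run check: longest run of consecutive non-zero ticks (magnet switched on).
    public static int LongestOnRun(byte[] stream)
    {
        int longest = 0, current = 0;
        foreach (byte b in stream)
        {
            current = (b != 0) ? current + 1 : 0;
            if (current > longest) longest = current;
        }
        return longest;
    }

    // Renders the stream as rows of digits, like the slide's picture.
    public static string Render(byte[] stream, int width)
    {
        var sb = new StringBuilder();
        for (int t = 0; t < stream.Length; t++)
        {
            sb.Append(stream[t]);
            if ((t + 1) % width == 0 && t + 1 < stream.Length) sb.Append('\n');
        }
        return sb.ToString();
    }

    public static void Main()
    {
        const int MaxOnTicks = 40;   // constructed limit standing in for the magnet temperature check
        var events = Parse("0;1; 10;0; 20;2; 25;0; 50;4; 80;0;");
        byte[] stream = ToByteStream(events, 100);
        Console.WriteLine(Render(stream, 20));
        int onRun = LongestOnRun(stream);
        Console.WriteLine(onRun <= MaxOnTicks
            ? "ok: longest on-run " + onRun + " ticks"
            : "rejected: longest on-run " + onRun + " ticks exceeds " + MaxOnTicks);
    }
}
```

For the slide's list the longest on-run is the 30 ticks of value 4 (ticks 50 to 79), so the stream passes the constructed limit; a list that kept the magnet on for longer would be rejected before anything is sent to the device, which is what makes the "definition before runtime" scenario easy to police.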

Higher Striker Control API

    int HDLInitialize();
    int HDLInitialize(unsigned char Writeahead, unsigned char Initial[]);
    int HDLStartClock();
    int HDLStopClock();
    int HDLPerform(unsigned char *Write, unsigned char *Read);
    int HDLGetStatus();
    int HDLGetError(int *LSError, int *MSError);

Higher Striker Watch Dog

[State diagram: power on -> Init (70 sec) -> Active; a signal from the control PC keeps the watchdog in Active; if not signaled for 5 sec the control PC is rebooted; if not signaled for 5 reboots the watchdog powers off (Stop).]

- Hardware watchdog connected to / signaled via the serial communication interface of the control PC
- In case of a system hang-up the control PC will be rebooted
- Atmel AVR 8-bit Tiny12 microcontroller

Higher Striker Simulation

[Simulation screenshot; displayed quantities: used buffer (0-255 Byte), cylinder speed, height; video animation.]

DCL - Grid Integration
- Heterogeneous: X86, Itanium, PowerPC; Windows 2000/XP, Linux, Mac OS X
- Grid simulation
- DRMAA: Job Submission and Control for Clusters and Grids
- Middleware: GLOBUS, Condor, Sun Grid Engine
- Use of idle time: increased throughput (Povray)
- Grid: increased response time

Fischertechnik Production Line
- Control via Fischertechnik Intelligent Interface: serial communication interface, 9600 Bits/sec; 4+4 digital outputs, 8+8 digital inputs, 2 analog inputs
- Installation: 4 Intelligent Interfaces, pneumatic actuators, 1 robot arm (2 degrees of freedom)

Controlling Fischertechnik using Beckhoff Industrial-PCs and the DCL

[Diagram; elements shown: IIF, .NET Controller, ADS.NET, DCL, Visual Studio Plug-In, TwinCAT PLC-Control.]

Märklin Railway
- Märklin Digital model railway
- Control via serial interface, 9600 Bit/sec
- S-88 bus and controller
- Configurable train speed
- Feedback via rail sensors
- About 20 switches
- Controlled by an x86 PC, currently running W2K

Running .NET on devices

Why?
- Rapid software development for embedded devices
- Object-oriented programming model, type safety
- Many available tools, know-how, many experts
- Code access security for remote lab experiments

How? Possibilities:
- PC-based execution, communication to the device for I/O
- Native execution of translated IL code
- Interpretation of stripped IL code on the device
- Running .NET on more powerful embedded devices to control small embedded devices

CLI2RCX - .NET runtime for Lego Mindstorm

[Toolchain diagram: C#, C++ .NET or VB .NET source -> .NET Assembly -> ildasm -> mnemonic CIL Assembly -> GCC with CIL Front End -> RTL -> Back Ends (Hitachi H8-300 backend) -> target binaries (RCX binary, srec format).]

- Our gcc (GNU Compiler Collection) frontend supports the full ECMA-335 standard and can parse any conformant .NET assembly
- A port for the Renesas/Hitachi H8-300 microcontroller is underway
- Extremely small footprint (32 KB memory)
- Variable and method definitions, method calls, integer ops up and running

Micro.NET - .NET Interpreter for Lego Mindstorm

[Diagram: on the Host, the Application Assembly and its Dependencies are stripped and merged into a Micro IL Assembly, which is downloaded to the Embedded Device; there the Interpreter runs it on top of the Base Class Library, Runtime, Operating System and Hardware.]

- Application assemblies are merged and stripped (meta data, portable executable header, references)
- The application is merged into one micro assembly and transferred to the embedded device
- The interpreter reads the micro assembly and executes its instructions using a separate runtime

CLI2RCX - .NET Current State

Version 1.0 release implements the following features of the .NET platform:
- primitive datatypes: bool, byte, short, int
- classes, including instance attributes and properties
- static and instance methods, including parameters, local variables, and constructors
- arithmetic operations
- control flow operations: conditional and unconditional branch instructions

The following features are not yet supported (as are most features not mentioned in either list):
- most value types (enums, structs, delegates, floats, doubles)
- strings
- single-dimensional zero-based arrays (partially complete)
- multi-dimensional or non-zero-based arrays
- inheritance, polymorphism, and late binding
- interfaces
- exceptions
- static class attributes, class constructors, events
- boxing and unboxing
- arithmetic instructions that detect overflows
- any predefined class except for System.Object

Related Work
- Verbund Virtuelles Labor project at the University of Reutlingen, Germany
- iLab project (WebLab) at MIT
- Virtual Lab at the University of Hagen, Germany
- Tele-Laboratory at the University of Pisa
- Tele-Lab / Simplex architecture
- "Ein ferngesteuertes Labor im Internet" (A remote-controlled laboratory on the Internet), www.remote-lab.de
