
Showing papers by "Paulo Tabuada published in 2013"


Journal ArticleDOI
10 Dec 2013
TL;DR: The PETC strategies developed in this paper apply to both static state-feedback and dynamical output-based controllers, as well as to both centralized and decentralized (periodic) event-triggering conditions.
Abstract: Event-triggered control (ETC) is a control strategy that is especially suited for applications where communication resources are scarce. By updating and communicating sensor and actuator data only when needed for stability or performance purposes, ETC is capable of reducing the amount of communications, while still retaining a satisfactory closed-loop performance. In this paper, an ETC strategy is proposed by striking a balance between conventional periodic sampled-data control and ETC, leading to so-called periodic event-triggered control (PETC). In PETC, the event-triggering condition is verified periodically and at every sampling time it is decided whether or not to compute and to transmit new measurements and new control signals. The periodic character of the triggering conditions leads to various implementation benefits, including a minimum inter-event time of (at least) the sampling interval of the event-triggering condition. The PETC strategies developed in this paper apply to both static state-feedback and dynamical output-based controllers, as well as to both centralized and decentralized (periodic) event-triggering conditions. To analyze the stability and the L2-gain properties of the resulting PETC systems, three different approaches will be presented based on 1) impulsive systems, 2) piecewise linear systems, and 3) perturbed linear systems. Moreover, the advantages and disadvantages of each of the three approaches will be discussed and the developed theory will be illustrated using a numerical example.

1,011 citations


Book ChapterDOI
20 Aug 2013
TL;DR: In this article, the authors describe the development of a prototype ABS spoofer to enable such attacks and the potential consequences of remaining vulnerable to these attacks and demonstrate one way in which an attacker can inject magnetic fields to both cancel the true measured signal and inject a malicious signal, thus spoofing the measured wheel speeds.
Abstract: This work exposes a largely unexplored vector of physical-layer attacks with demonstrated consequences in automobiles. By modifying the physical environment around analog sensors such as Antilock Braking Systems (ABS), we exploit weaknesses in wheel speed sensors so that a malicious attacker can inject arbitrary measurements to the ABS computer which in turn can cause life-threatening situations. In this paper, we describe the development of a prototype ABS spoofer to enable such attacks and the potential consequences of remaining vulnerable to these attacks. The class of sensors sensitive to these attacks depends on the physics of the sensors themselves. ABS relies on magnetic-based wheel speed sensors which are exposed to an external attacker from underneath the body of a vehicle. By placing a thin electromagnetic actuator near the ABS wheel speed sensors, we demonstrate one way in which an attacker can inject magnetic fields to both cancel the true measured signal and inject a malicious signal, thus spoofing the measured wheel speeds. The mounted attack is of a non-invasive nature, requiring no tampering with ABS hardware and making it harder for failure and/or intrusion detection mechanisms to detect the existence of such an attack. This development explores two types of attacks: a disruptive, naive attack aimed to corrupt the measured wheel speed by overwhelming the original signal and a more advanced spoofing attack, designed to inject a counter-signal such that the braking system mistakenly reports a specific velocity. We evaluate the proposed ABS spoofer module using industrial ABS sensors and wheel speed decoders, concluding by outlining the implementation and lifetime considerations of an ABS spoofer with real hardware.

249 citations


Proceedings ArticleDOI
08 Apr 2013
TL;DR: A novel algorithm to synthesize controllers enforcing linear temporal logic specifications on discrete-time linear systems is presented; its theoretical foundations and technical underpinnings rest on the notion of sets adapted to the dynamics and on binary decision diagrams.
Abstract: In this paper we present and analyze a novel algorithm to synthesize controllers enforcing linear temporal logic specifications on discrete-time linear systems. The central step within this approach is the computation of the maximal controlled invariant set contained in a possibly non-convex safe set. Although it is known how to compute approximations of maximal controlled invariant sets, their exact computation remains an open problem. We provide an algorithm which computes a controlled invariant set that is guaranteed to be an under-approximation of the maximal controlled invariant set. Moreover, we guarantee that our approximation is at least as good as any invariant set whose distance to the boundary of the safe set is lower bounded. The proposed algorithm is founded on the notion of sets adapted to the dynamics and binary decision diagrams. Contrary to most controller synthesis schemes enforcing temporal logic specifications, we do not compute a discrete abstraction of the continuous dynamics. Instead, we abstract only the part of the continuous dynamics that is relevant for the computation of the maximal controlled invariant set. For this reason we call our approach specification guided. We describe the theoretical foundations and technical underpinnings of a preliminary implementation and report on several experiments including the synthesis of an automatic cruise controller. Our preliminary implementation handles up to five continuous dimensions and specifications containing up to 160 predicates defined as polytopes in about 30 minutes with less than 1 GB memory.

63 citations


Posted Content
TL;DR: In this paper, two algorithms for state reconstruction from sensor measurements that are corrupted with sparse, but otherwise arbitrary, "noise" are described. The results are motivated by the need to secure cyber-physical systems against a malicious adversary that can arbitrarily corrupt sensor measurements.
Abstract: This paper describes two algorithms for state reconstruction from sensor measurements that are corrupted with sparse, but otherwise arbitrary, "noise". These results are motivated by the need to secure cyber-physical systems against a malicious adversary that can arbitrarily corrupt sensor measurements. The first algorithm reconstructs the state from a batch of sensor measurements while the second algorithm is able to incorporate new measurements as they become available, in the spirit of a Luenberger observer. A distinguishing point of these algorithms is the use of event-triggered techniques to improve the computational performance of the proposed algorithms.

52 citations


Journal ArticleDOI
TL;DR: In this article, the authors introduce a notion of robustness termed input-output dynamical stability for cyber-physical systems (CPS) which merges existing notions for continuous systems and discrete systems and present a design methodology for robust CPS which is based on an abstraction and refinement process.
Abstract: Robustness as a system property describes the degree to which a system is able to function correctly in the presence of disturbances, i.e., unforeseen or erroneous inputs. In this paper, we introduce a notion of robustness termed input-output dynamical stability for cyber-physical systems (CPS) which merges existing notions of robustness for continuous systems and discrete systems. The notion captures two intuitive aims of robustness: bounded disturbances have bounded effects and the consequences of a sporadic disturbance disappear over time. We present a design methodology for robust CPS which is based on an abstraction and refinement process. We suggest several novel notions of simulation relations to ensure the soundness of the approach. In addition, we show how such simulation relations can be constructed compositionally. The different concepts and results are illustrated throughout the paper with examples.

44 citations


Proceedings ArticleDOI
09 Apr 2013
TL;DR: The extent to which an adversary can attack a physical system by tampering with the temporal characteristics of the network, leading to time-varying delays and more importantly by changing the order in which packets are delivered is studied.
Abstract: The control of physical systems is increasingly being done by resorting to networks to transmit information from sensors to controllers and from controllers to actuators. Unfortunately, this reliance on networks also brings new security vulnerabilities for control systems. We study the extent to which an adversary can attack a physical system by tampering with the temporal characteristics of the network, leading to time-varying delays and, more importantly, by changing the order in which packets are delivered. We show that such an attack can destabilize a system if the controller was not designed to be robust with respect to an adversarial scheduling of messages. Although one can always store delayed messages in a buffer so as to present them to the control algorithm in the order they were sent and with a constant delay, such a design is overly conservative. Instead, we design a controller that makes the best possible use of the received packets in a minimax sense. The proposed design has the same worst-case performance as a controller based on a buffer but has better performance whenever there is no attack or the attacker does not play the optimal attack strategy.

38 citations


Journal ArticleDOI
TL;DR: A formal definition of robustness as well as algorithmic tools for the design of optimally robust controllers for ω-regular properties on discrete transition systems are presented, together with an application of the theory to the design of controllers that tolerate infinitely many transient errors provided they occur infrequently enough.
Abstract: A key property for systems subject to uncertainty in their operating environment is robustness: ensuring that unmodeled but bounded disturbances have only a proportionally bounded effect upon the behaviors of the system. Inspired by ideas from robust control and dissipative systems theory, we present a formal definition of robustness as well as algorithmic tools for the design of optimally robust controllers for ω-regular properties on discrete transition systems. Formally, we define metric automata—automata equipped with a metric on states—and strategies on metric automata which guarantee robustness for ω-regular properties. We present fixed-point algorithms to construct optimally robust strategies in polynomial time. In contrast to strategies computed by classical graph theoretic approaches, the strategies computed by our algorithm ensure that the behaviors of the controlled system gracefully degrade under the action of disturbances; the degree of degradation is parameterized by the magnitude of the disturbance. We show an application of our theory to the design of controllers that tolerate infinitely many transient errors provided they occur infrequently enough.

18 citations


Proceedings ArticleDOI
01 Dec 2013
TL;DR: This paper combines existing notions of robustness, based on input-output stability for physical systems, with a recently developed analogue for cyber systems, and states that robustness for CPS can be achieved through a decomposition of concerns.
Abstract: Robustness plays a major role in the analysis and design of engineering systems. Although robustness is reasonably well understood in control theory, the fundamental tenets of robustness in Cyber-Physical Systems (CPSs) remain to be discovered. In this paper we present a design methodology, based on symbolic models, for robust CPSs. We combine existing notions of robustness, based on input-output stability for physical systems, with a recently developed analogue for cyber systems. Our main result states that robustness for CPS can be achieved through a decomposition of concerns: the combination of robustness of the physical system with respect to continuous disturbances and the robustness of the cyber system with respect to discrete disturbances results in a robust CPS.

10 citations


Proceedings ArticleDOI
09 Apr 2013
TL;DR: Towards Synthesis of Platform-Aware Attack-Resilient Control Systems: Extended Abstract.
Abstract: (the record carries only the author affiliations) 1 School of Engineering and Applied Science, University of Pennsylvania, Philadelphia, PA 19104; 2 Robotics Institute, Carnegie Mellon University, Pittsburgh, PA 15213; 3 Department of Electrical Engineering, University of California, Los Angeles, Los Angeles, CA 90095. {pajic, nicbezzo, weimerj}@seas.upenn.edu, nmichael@cmu.edu, tabuada@ee.ucla.edu, {rahulm, pappasg}@seas.upenn.edu, {sokolsky, alur, sweirich, lee}@cis.upenn.edu

8 citations


Proceedings ArticleDOI
01 Dec 2013
TL;DR: This paper provides sufficient conditions for transient stability that do not rely on the overall model of the multi-machine power system which can be very complex, and provides simple conditions that each machine should independently satisfy.
Abstract: With this paper we initiate a compositional analysis of multi-machine power systems consisting of the interconnection of generators, loads, and transmission lines. We provide sufficient conditions for transient stability that do not rely on the overall model of the multi-machine power system which can be very complex. Instead, we provide simple conditions that each machine should independently satisfy. These conditions depend only on the machine parameters, the desired equilibrium currents, and the value of one of the loads (typically the largest) in the power system. Our compositional approach offers several advantages over existing alternatives: there is no need for a detailed model of the power system, transmission lines can be lossless or lossy, and we provide a natural Lyapunov function for the power system.

8 citations


Proceedings ArticleDOI
08 Apr 2013
TL;DR: A design framework for development of high-confidence vehicular control systems that can be used in adversarial environments is introduced that employs control system design techniques that guarantee that the vehicle will maintain control under a variety of externally-originating attacks on sensors, actuators, and communication and computation resources.
Abstract: Over the past decade, the design process in the automotive industry has gone through a period of significant changes. Modern vehicles present a complex interaction of a large number of embedded Electronic Control Units (ECUs), interacting with each other over different types of networks. Furthermore, there is a current shift in vehicle architectures, from isolated control systems to more open automotive architectures with new services such as vehicle-to-vehicle communication, and remote diagnostics and code updates. However, this increasing set of functionalities, network interoperability, and complexity of the system design may introduce security vulnerabilities that are easily exploitable. Typically, modern vehicular control systems are not built with security in mind. As shown in [1], attackers can easily disrupt the operation of a car to either disable the vehicle or hijack it, giving the attacker a large control capability over the system. This problem is even more emphasized with the rise of vehicle autonomy; hence, criticality analysis for automotive components must be completely re-done. To address these issues, we have introduced a design framework for development of high-confidence vehicular control systems that can be used in adversarial environments. The framework employs control system design techniques (control-level defenses) that guarantee that the vehicle will maintain control, possibly at a reduced efficiency, under a variety of externally-originating attacks on sensors, actuators, and communication and computation resources. In the system development phase, we provide code-level defenses that prevent injection of malicious code into the operation of the controller itself. Using a formal representation of execution and code generation semantics, we remove the uncertainty from the code generation process and provide secure code synthesis for the derived controllers.

Posted Content
TL;DR: In this article, energy-based models derived from first principles that are not subject to hard-to-justify classical assumptions are used to derive intuitive conditions ensuring the transient stability of power systems with lossy transmission lines.
Abstract: During the normal operation of a power system all the voltages and currents are sinusoids with a frequency of 60 Hz in America and parts of Asia, or of 50 Hz in the rest of the world. Forcing all the currents and voltages to be sinusoids with the right frequency is one of the most important problems in power systems. This problem is known as the transient stability problem in the power systems literature. The classical models used to study transient stability are based on several implicit assumptions that are violated when transients occur. One such assumption is the use of phasors to study transients. While phasors require sinusoidal waveforms to be well defined, there is no guarantee that waveforms will remain sinusoidal during transients. In this paper, we use energy-based models derived from first principles that are not subject to hard-to-justify classical assumptions. In addition to eliminating assumptions that are known not to hold during transient stages, we derive intuitive conditions ensuring the transient stability of power systems with lossy transmission lines. Furthermore, the conditions for transient stability are compositional in the sense that one infers transient stability of a large power system by checking simple conditions for individual generators.