Oct 19, 2011 ... 2005 Toyota Camry. Electronic Throttle Control System. Ed Gamble & Gerard ...
and System Problems .... Cruise Cntrl: C. Brake: B. 25 ...
Logic Model Checking of Unintended Acceleration Claims in the 2005 Toyota Camry Electronic Throttle Control System Ed Gamble & Gerard Holzmann Jet Propulsion Laboratory California Institute of Technology 19 October 2011
Gamble & Holzmann @ FSW 2011, 19 Oct 2011
Copyright 2011 California Institute of Technology Government Sponsorship Acknowledged
Introduction
Gamble & Holzmann @ FSW 2011, 19 Oct 2011
2
Copyright 2011 California Institute of Technology Government Sponsorship Acknowledged
Introduction
Toyota had the death of a CHP Officer to explain
Gamble & Holzmann @ FSW 2011, 19 Oct 2011
3
Copyright 2011 California Institute of Technology Government Sponsorship Acknowledged
Introduction
Toyota had a growing number of unsubstantiated reports of ‘Sudden Unintended Acceleration’ Gamble & Holzmann @ FSW 2011, 19 Oct 2011
4
Copyright 2011 California Institute of Technology Government Sponsorship Acknowledged
Introduction
The US Department of Transportation promised to ‘get into the weeds’
Gamble & Holzmann @ FSW 2011, 19 Oct 2011
5
Copyright 2011 California Institute of Technology Government Sponsorship Acknowledged
Introduction
Engine Control Systems share similarities with Spacecraft Control Systems Safety/Mission Critical
Fault Tolerant
Asynchronous
Resource Constrained
Hard Real-Time
Environmentally Challenged
Gamble & Holzmann @ FSW 2011, 19 Oct 2011
6
Copyright 2011 California Institute of Technology Government Sponsorship Acknowledged
Introduction
The JPL ‘Laboratory for Reliable Software’ Knows How to Find Subtle Software and System Problems Core Technologies Static Analysis (software) Logic Model Checking (software and systems) Gamble & Holzmann @ FSW 2011, 19 Oct 2011
7
Copyright 2011 California Institute of Technology Government Sponsorship Acknowledged
Introduction
The US DOT, through NASA, (Michael Aguilar, NESC) established a team Software analysis included JPL and Ames
Developed IP protection protocols
Other NASA teams: …, radiation, human factors
Toyota provided domain experts (+ Japanese trans.)
Worked at Toyota HQ
Got the ’05 Camy L4 Software quickly!
Gamble & Holzmann @ FSW 2011, 19 Oct 2011
8
Copyright 2011 California Institute of Technology Government Sponsorship Acknowledged
Throttle Control System And Software
Gamble & Holzmann @ FSW 2011, 19 Oct 2011
9
Copyright 2011 California Institute of Technology Government Sponsorship Acknowledged
System and Software
Throttle Control System Overview ECM
Various Sensors
... VTA1 VTA VPA1 VPA ...
subCPU Cntrlr
mainCPU Controller
Various Controllers
CAN Bus
motorIC
LOO HC HO LOC
Motor H-bridge
Throttle Motor Throttle Position
[Figure 6.4.1-1 - Abstracted] Gamble & Holzmann @ FSW 2011, 19 Oct 2011
10
Copyright 2011 California Institute of Technology Government Sponsorship Acknowledged
System and Software
Throttle Control Motor Drive IC
H-Bridge
D
G
MotorIC
S
MO HC D
mainCPU CPU w/ Software
HIC, HIO, LIO, LIC, MO
D
G
HO
G S
S
M S
G
S
G D
LOO
D
LOC
Throttle Gamble & Holzmann @ FSW 2011, 19 Oct 2011
11
Copyright 2011 California Institute of Technology Government Sponsorship Acknowledged
System and Software
Throttle Control Software Overview mainCPU Controller subCPU
VPA, VPA1 VTA, VTA1, CCS, STP
CPU w/ Software
GCCSI2 (Serial)
GCCSI2 Registers
Throttle Position
Others
D, ST1-
GCPR
GCPR Registers
GCPLS (Timer, PWM)
GCPLS Registers
Transmission, Vehicle Stability, etc
Pedal Position
GCPLI Registers
SPD
sensors
Others
Desired Throttle Position
/FAIL, ...
motorIC
HIO, ...
PWM Modes
PID Controller
+
Idle Offset
[Appendix A Figures - Merged] Gamble & Holzmann @ FSW 2011, 19 Oct 2011
12
Copyright 2011 California Institute of Technology Government Sponsorship Acknowledged
System and Software
Throttle Control Software/ System Properties NEC V850 E1 (32 βH) embedded controller
Two rate classes Time: 500 Hz / 2 ms
ANSI C, GreenHills tools
Crank: 9000 rpm
1800 files, 300 kSLOC
‘Product Line’ code
OSEK OS (auto. std.)
strict inheritance, coding rules and process rqmts; in Japanese
20 tasks, 13 priorities, 1 shared resource Gamble & Holzmann @ FSW 2011, 19 Oct 2011
13
Copyright 2011 California Institute of Technology Government Sponsorship Acknowledged
System and Software
Unintended Acceleration Properties and Implications Properties
Implications (Software)
Very Low Probability
Masquerade as correct
Unreproducible
Later in the processing
No persistent damage
Multi-factor boundary condition
No OBD II codes
Gamble & Holzmann @ FSW 2011, 19 Oct 2011
14
Copyright 2011 California Institute of Technology Government Sponsorship Acknowledged
Static Analysis
Static Analysis
Gamble & Holzmann @ FSW 2011, 19 Oct 2011
15
Copyright 2011 California Institute of Technology Government Sponsorship Acknowledged
Static Analysis
Why Static Analysis? Static Analysis can: Identify legitimate software errors Be performed relatively quickly and uniformly Be customized for the software coding style Provide a general sense* of the software quality
Gamble & Holzmann @ FSW 2011, 19 Oct 2011
16
Copyright 2011 California Institute of Technology Government Sponsorship Acknowledged
Static Analysis
Static Analysis Tools A suite of Static Analysis tools were applied: CodeSonar: Augmented with ‘JPL Coding Standards’ Coverity: Augmented with ‘Power of Ten’ rules GCC: Strict compilation flags Uno: As provided
Gamble & Holzmann @ FSW 2011, 19 Oct 2011
17
Copyright 2011 California Institute of Technology Government Sponsorship Acknowledged
Static Analysis
Static Analysis Results Can’t tell you about these...
Gamble & Holzmann @ FSW 2011, 19 Oct 2011
18
Copyright 2011 California Institute of Technology Government Sponsorship Acknowledged
Static Analysis
Static Analysis Results The Static Analysis results are redacted in the public NASA report to the DOT. Possible reasons: A comparison between EETCS software and spacecraft FSW was considered inappropriate, An assessment of software risk, based on the statistics of static analysis results, was considered inappropriate given that a cause for SUA was not identified.
Gamble & Holzmann @ FSW 2011, 19 Oct 2011
19
Copyright 2011 California Institute of Technology Government Sponsorship Acknowledged
Logic Modeling
Logic Model Checking
Gamble & Holzmann @ FSW 2011, 19 Oct 2011
20
Copyright 2011 California Institute of Technology Government Sponsorship Acknowledged
Logic Modeling
What is Logic Model Checking?
Verify the correctness of a system using a model of the system’s behavior. Logic: Define system correctness using linear temporal logic (LTL) Model: Develop a model of the system behavior using PROMELA (Process Meta Language) Checking: Exhaustively search the model behavior for violations of the correctness claims Report behavior ‘trails’ Gamble & Holzmann @ FSW 2011, 19 Oct 2011
21
Copyright 2011 California Institute of Technology Government Sponsorship Acknowledged
Logic Modeling
What is Logic Model Checking? Violations (all invalid executions)
System Behavior (all possible executions)
Erroneous Executions explore all executions; definitive conclusions; no probability Verifications w/ SPIN and SWARM technology Gamble & Holzmann @ FSW 2011, 19 Oct 2011
22
Copyright 2011 California Institute of Technology Government Sponsorship Acknowledged
Logic Modeling
Why Logic Model Checking? Logic Model Checking (with SPIN verification) can: Explore all possible states of the model Provide definitive right or wrong conclusions Yield conclusions without regard to probability Express statements of correct behavior easily
Gamble & Holzmann @ FSW 2011, 19 Oct 2011
23
Copyright 2011 California Institute of Technology Government Sponsorship Acknowledged
Logic Modeling
Logic Model Analyses
Gamble & Holzmann @ FSW 2011, 19 Oct 2011
24
Copyright 2011 California Institute of Technology Government Sponsorship Acknowledged
Logic Modeling
System Context Brake: B
Environment: E
Gas Pedal: G
Cruise Cntrl: C
Engine ECU
Throttle Angle: A Gamble & Holzmann @ FSW 2011, 19 Oct 2011
25
Copyright 2011 California Institute of Technology Government Sponsorship Acknowledged
Logic Modeling
Logic Models Implemented Logic Model Interrupt Enable / Disable Pairing Accel. Pedal Learning Sensor Input Motor Drive IC Port Reg. Input PWM Functionality Gamble & Holzmann @ FSW 2011, 19 Oct 2011
Type
Conclusion
Computation
Verified
Computation
Inconclusive
I/O Potential Issue Computation Verified I/O Verified Computation Potential Issue 26
Copyright 2011 California Institute of Technology Government Sponsorship Acknowledged
Logic Modeling
PWM Driver mainCPU Controller
CPU w/ Software
2 msec IntHndlr (+ ~800 usec)
2 msec Task (+ ~200 usec)
2 msec Task (+ 0 usec)
Others
motorIC
HIC, HIO, LIO, LIC, MO
GCPLS (PWM)
GCPLS Registers
PWM
data
PID Controller
+
The PWM drives the motor, through the MotorIC, open or closed based on a desired throttle angle
Gamble & Holzmann @ FSW 2011, 19 Oct 2011
27
Copyright 2011 California Institute of Technology Government Sponsorship Acknowledged
Logic Modeling
PWM Correctness
1.PWM output signals never eventually lead to an Hbridge short. 2.PWM output signals never eventually always drive the throttle wide open unless demanded.
Gamble & Holzmann @ FSW 2011, 19 Oct 2011
28
Copyright 2011 California Institute of Technology Government Sponsorship Acknowledged
Logic Modeling
PWM Claim Implementations
Gamble & Holzmann @ FSW 2011, 19 Oct 2011
29
Copyright 2011 California Institute of Technology Government Sponsorship Acknowledged
Logic Modeling
PWM Results 1.Failed -> Under suitable conditions the H-bridge circuit can be driven to an electrical short. • PWM mode is ‘PWMPLS’; duty cycle is less than but near 88%; 800 μs task is delayed by ~250 μs; the PWM mode transitions to PWMMNS. 2.Verified -> It is provably impossible for inputs to drive the throttle plate always wide open (unless demanded)
Gamble & Holzmann @ FSW 2011, 19 Oct 2011
30
Copyright 2011 California Institute of Technology Government Sponsorship Acknowledged
NHTSA Findings and Observations Extensive software testing and analysis was performed on TMC 2005 Camry L4 source code using static analysis, logic model testing, recursion testing, and worse F-10 case execution timing. With the tools utilized during the course of this study, software defects that unilaterally cause a UA were not found.
O-6
O-7
While not resulting in a design vulnerability, the MY 2005 Camry source code required unique code inspection tools, and manual inspections due to: a) The TMC software development process uses a proprietary developed coding standard. b) Industry standard static analysis tools provide automated code inspections based upon industry standard code implementations.
There are no methods for capturing pre-event software state and performance following a UA event either on the vehicle or as a diagnostic tool.
Gamble & Holzmann @ FSW 2011, 19 Oct 2011
31
Copyright 2011 California Institute of Technology Government Sponsorship Acknowledged
Summary Part of the US DOT investigation of Toyota SUA involved analysis of the throttle control software JPL LaRS applied several techniques, including static analysis and logic model checking, to the software A handful of logic models were built Some weaknesses were identified; however, no cause for SUA was found The full NASA report includes numerous other analyses Gamble & Holzmann @ FSW 2011, 19 Oct 2011
32
Copyright 2011 California Institute of Technology Government Sponsorship Acknowledged
