Autonomous and Critical Embedded Systems

Strongly Coupled Systems

This research topic focuses on embedded systems such as control systems in engines or plants. These systems are often considered critical and often have to adhere to strict certification requirements. Consequently, these systems are rather closed (limited interaction with users and other systems, little or no evolution) and exhibit strong coupling (actions performed by the systems are typically orchestrated and inter-dependent). This topic involves 2 professors (G. Memmi, L. Pautet) and 4 associate professors (E. Borde, F. Brandner, J. Leneutre, T. Robert). In addition, a research engineer (D. Blouin) is shared with the LabSoC laboratory (Sophia-Antipolis). The main focus of the research activities is on critical real-time systems, ranging from theoretical aspects of real-time task scheduling, over model-driven design, to the design of low-level hardware components improving time-predictability and determinism. A major challenge in real-time systems is modern multi-core computer platforms, which are problematic in terms of certification due to the multitude of interactions that concurrent programs may experience (e.g., due to contention on shared resources).

Real-Time Systems

The team has gained considerable reputation in studying and designing real-time task scheduling algorithms, and their implementation in the operating system (OS), that address the challenges associated with multi-core platforms. For instance, a recent contribution on scheduling for mixed-criticality systems, which was developed in collaboration with Renault in the context of the IRT SystemX (thesis Gratia, project ELA), was shown to outperform previous approaches in terms of processor utilisation as well as the number of task preemptions. Another strong contribution, on scheduling mixed-criticality dependent real-time tasks, was proposed in the context of the ISC chair and was also shown to outperform the state of the art (thesis Medina). The follow-up project CTI (thesis Oudot) is currently starting, again in the context of the IRT SystemX, and has allowed the team to establish a new collaboration with A. Easwaran (NTU, Singapore). Another collaboration with Thales, financed by the CORAC institute (project CORAIL), leveraged similar techniques in order to control the timing behaviour of the software controlling the information flow (filtering, encryption, …) through a gateway between the internal AFDX network of an airplane and the open-world network. Other collaborations include teams from CEA (e.g., M. Jan), INRIA (e.g., A. Cohen), and LIGM (e.g., L. George). The outstanding quality of the team’s contributions to real-time task scheduling has been recognised by a Best Paper Award (thesis Vincent Legout).

Deterministic Platform

Complementing the work on task scheduling, the team additionally explores the use of deterministic and time-predictable computing platforms. The goal of this work is to improve the analysability of critical software in terms of its worst-case behaviour, while ensuring competitive performance in the average case. Predictability can be ensured in software using hypervisors on off-the-shelf hardware, as demonstrated in a collaboration with Thales Avionics (thesis Jean). The hypervisor intercepts accesses to shared resources (e.g., memory) and can thus manage these accesses to avoid contention and improve isolation. The quality of this work has been acknowledged through a Best Paper Award and resulted in a joint patent with Thales (patent). Another means to improve the predictability of a platform is through specialised hardware. For instance, joint work with M. Jan (CEA List) on the analysis of a time-predictable cache design for stack data in multi-tasking systems received an Outstanding Paper Award (thesis Naji). Ideas from this work have been further developed to improve the average-case performance of the cache, while preserving worst-case bounds. Current work (thesis Hebbache) aims at generalising these concepts to the memory hierarchy of the Patmos multi-core platform by using dynamic arbitration schemes that converge to predictable Time-Division Multiplexing (TDM) in the worst case. The Patmos platform is developed jointly with partners at the national (ENSTA ParisTech, IRISA) and international (Vienna Univ. of Technology, and Technical Univ. of Denmark) level.

Critical Systems Design Process

The research cited above aims at providing a suitable computing platform (OS, runtime, hardware) for critical real-time systems. A third pillar of the team’s research activities is techniques and tools that help to design such systems via model-based design, exploiting, among others, the aforementioned computing platforms. The team strongly contributes to the state of the art in model-based design at various steps of the design process (model refinement, test, code generation, …) and at various technical and formal levels (thesis Richa), as well as in the definition of modelling languages. Etienne Borde is actively contributing to the AADL language standardisation, which has resulted in a long-lasting collaboration with the SEI laboratory (CMU, USA), a contract with the US DoD, and collaborations with major industrial players in the avionics domain (Airbus, Boeing, …). Current work is focused around the RAMSES tool, a model transformation, analysis and code generation platform for AADL models.

RAMSES allows implementation models to be derived automatically from high-level design models (thesis Cadoret) in order to validate low-level software implementations, to analyse the availability as well as the schedulability of mixed-criticality applications (thesis Medina), or even to explore the design space of implementations through model transformation (thesis Rahmoun). Parts of this work have been carried out with industrial partners such as Alstom in the context of the IRT SystemX, as well as within the chair « Ingénierie de Systèmes Complexes » with academic partners from École Polytechnique and ENSTA ParisTech. A follow-up project ISC recently started (thesis Hassine), aiming at managing uncertainty in model-based design space exploration. The RAMSES tool has also been selected as a showcase project by the Institut Mines-Télécom (IMT), and its continuous development has been supported by a permanent research engineer (Dominique Blouin, shared with the LabSoC laboratory) since 2016. The team’s contributions on model-driven engineering have been acknowledged by the scientific community, e.g., through a Best Paper Award.

Security and Safety

Apart from the timing and availability properties mentioned previously, the team also addresses other non-functional properties such as safety and security in critical systems. These works model attacker behaviours to assess the threat they represent, either for certification or for design improvement purposes. This consists in establishing a model of the attacker’s action capabilities and of their impact on system assets. Design improvement is concerned with balancing the budget (skills, time, money, …) that both the attacker and the system designer are willing to invest to compromise or defend the system. In order to help security engineers optimise their design choices, game-theory-based approaches have been proposed (thesis/postdoc Ismaïl). They rely on modelling the defence of a system as a non-cooperative game. The goal is then to develop optimal defence strategies in constrained environments. Game-theory-based models have successfully been applied to the modelling of intelligent energy management systems.

This line of work, which initially started within the SEIDO laboratory (EDF), is now pursued within the chair CyberCNI. This chair is jointly operated by IMT Atlantique, Télécom ParisTech and Télécom SudParis, and is supported by BNP Paribas, EDF, Orange, … In addition, national collaborations with Airbus, Cogisys, and others (e.g., project MSSTB) have been established. International collaborations with KEIST are, for instance, supported by the STIC-ASIE program (project DYNAMOS). The excellence of the team’s research has been recognised through a Best Paper Award and has even received media coverage through a radio broadcast (« La méthode scientifique »).

Besides design improvement, metrics have been proposed to numerically assess the efficacy of security countermeasures with respect to system vulnerabilities. This work takes advantage of attack graphs with symbolic parameters (thesis Vanhulst). It allows multi-dimensional sensitivity analyses of attackers’ ability to compromise a system. This work is also funded by the chair CyberCNI as a complement to the game-theory work.

A recently created chair (C3S) is expected to bring the team’s activities regarding real-time systems, model-based design, as well as safety and security closer together. The chair aims at developing secure and reliable development platforms for communicating and autonomous cars and is supported by Renault, Valeo, Thales, and others.

Energy Consumption of Computation

Another non-functional property is energy consumption, which is becoming highly relevant in almost all computing domains. Based on its expertise in system design, the team explores the use of software techniques to reduce the energy consumption of computations. This is a challenge particularly faced by mobile and battery-powered devices, e.g., military gear (Safran) or the surveillance of infrastructure (SNCF). Leveraging existing hardware capabilities, such as voltage and/or frequency scaling, the energy consumption of energy-critical computations can be scaled down considerably at the expense of computing performance. The current work focuses on the development of expressive power models (postdoc Vaddina) of software running under varying power configurations. The team was able to show that the trade-off between energy reductions and execution time on embedded processors results in a convex curve (thesis De Vogeleer), i.e., an optimal power configuration exists for each application. This work was carried out jointly with P. Jouvelot (MINES ParisTech) and recently received a Best Paper Award.