TY - GEN
T1 - From control model to program
T2 - 29th USENIX Security Symposium
AU - Kim, Taegyu
AU - Kim, Chung Hwan
AU - Ozen, Altay
AU - Fei, Fan
AU - Tu, Zhan
AU - Zhang, Xiangyu
AU - Deng, Xinyan
AU - Tian, Dave
AU - Xu, Dongyan
N1 - Publisher Copyright:
© 2020 by The USENIX Association. All Rights Reserved.
PY - 2020
Y1 - 2020
N2 - With the wide adoption of robotic aerial vehicles (RAVs), their accidents increasingly occur, calling for in-depth investigation of such accidents. Unfortunately, an inquiry into “why did my drone crash” often ends up nowhere if the root cause lies in the RAV's control program, due to key challenges in evidence and methodology: (1) current RAVs' flight logs only record high-level vehicle control states and events, without recording control program execution; (2) the capability of “connecting the dots” - from controller anomaly to program variable corruption to program bug location - is lacking. To address these challenges, we develop MAYDAY, a cross-domain post-accident investigation framework that maps the control model to the control program, enabling (1) in-flight logging of control program execution, and (2) traceback to the control-semantic bug that led to an accident, based on control- and program-level logs. We have applied MAYDAY to ArduPilot, a popular open-source RAV control program that runs on a wide range of commodity RAVs. Our investigation of 10 RAV accidents caused by real ArduPilot bugs demonstrates that MAYDAY is able to pinpoint the root causes of these accidents within the program with high accuracy and minimal runtime and storage overhead. We also found 4 recently patched bugs still vulnerable and alerted the ArduPilot team.
UR - http://www.scopus.com/inward/record.url?scp=85091896696&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85091896696&partnerID=8YFLogxK
M3 - Conference contribution
AN - SCOPUS:85091896696
T3 - Proceedings of the 29th USENIX Security Symposium
SP - 913
EP - 930
BT - Proceedings of the 29th USENIX Security Symposium
PB - USENIX Association
Y2 - 12 August 2020 through 14 August 2020
ER -