Bill Graham

This week we announced the latest update to our VxWorks MILS Platform, (for Multiple Independent Levels of Security) which includes a new High Assurance Network Stack (HANS) and guest OS support for Wind River Linux. In a previous post I discussed the growing importance of security in embedded systems. However, in so-called high assurance environments used by military and government organizations, security is an absolute requirement.

Our VxWorks MILS product provides highly secure partitioning of a system into high, medium and low assurance virtual systems (or boards) that can be high, medium, or low assurance, as needed by the customer's application (hence the "multiple" and "independent levels" in Multiple Independent Levels of Security). VxWorks MILS has been developed in accordance with the U.S. Government Protection Profile for Separation Kernels in Environments Requiring High Robustness, version 1.03 (SKPP) and is officially listed by NIAP (National Information Assurance Partnership) as being in evaluation to EAL 6+/NSA High Robustness under the CCEVS. Until the advent of a software MILS architecture technology, supporting multiple levels of security was done with duplicated hardware - separate physical systems that provided the "partitioning" required. With the MILS software architecture, it is now possible to consolidate various systems with different security requirements onto one common hardware platform. The reductions in SWAP - size, weight and power advantages - are huge, as are the reductions in security evaluation costs. The following diagram shows a possible VxWorks MILS architecture:

 

Previous versions of VxWorks MILS already provided VxWorks Guest OS support, so the addition of adding Wind River Linux expands the available operating system choices.

The High Assurance Network Stack that is part of our latest VxWorks MILS update which provides secure network connectivity for the high assurance partitions via the existing network connection on the device. The High Assurance Network Stack lets applications of different security domains share a common physical network connection. This is done by handling the physical and low-level interface to the network within a high assurance partition and relaying data to medium and lower assurance target partitions, which contain the protocol network stacks. Secure and insecure Data from different domains can be discriminated and kept separate in the network data by using a discriminator, such as a IEEE 802.1Q VLAN tags as described in IEEE 802.1Q. The following diagram illustrates the HANS High Assurance Network Stack architecture in VxWorks MILS:

Clearly, more guest OS choices for VxWorks MILS provides a mechanism to reuse existing applications and leverage existing in-house development resources. Adding Wind River Linux allows a huge variety of custom and off-the-shelf applications to be run, at a medium and low assurance level environment. The addition of the High Assurance Networks Stack is critical not only for providing secure connectivity, but for enabling Cross Domain Solutions (CDS). CDS is a large topic on its own, but in a nutshell provides the ability to access or transfer information between two or more security domains (CNSSI 4009). A key to making CDS a reality is secure partitioning and network separation provided in by VxWorks MILS.

In the third and final part of my interview with Professor Glauco Caurin we discuss multicore and virtualization and why they are working with us on their research projects.

Q: Are your students learning about multi-core processors  and programming? What about multi-OS systems including virtualization, i.e.  systems that have more than one OS on a single processor?

We are not teaching our students yet about the programming of multicore processors. But we have experience in the past with multiprocessing systems programming using X-METH.

It is in my medium-to-long term plan to insert multicore programming into our courses. It also depends on the time we take to have enough students that are skilled with the "basics".

Q: Are you  starting to use or design with multicore processors in your projects? Do you  think multicore and multi-OS systems are an important part of the  curriculum?

Regarding virtualization, we did some initial tests (not in real time) using virtualization and different OS for Human Machine Interaction. I am really impressed with this possibilities,

 I am really interessted in the future applications of this promising technology.

Q: Prof. Caurin, why do you choose Wind River as a partner in your courses and projects? What are some of the characteristics you were looking for in our software?

As I described, we have been working with RTOS since the 90’s especially with systems that were proposed in academic context at ETH (Swiss Federal Institute of Technology) like XMETH, XOberon, JBed and so on. We have also developed our own open source version of a Linux patch for Real Time applications here in Brazil. But my concern with the students and the research projects were related to their continuity [of software, OS, tools]. How is it possible to convince a new student to use a specific IDE? And further how could we take advantage of the work done previously. 

Every problem detected was solved with a new RTOS version [in-house developed]. Not rarely, the new version had commands and characteristics that were incompatible with the previous versions. Additionally, each new PhD student wanted to test a different open source RTOS, or even worse, some were suggesting they could make a better OS. 

As a consequence we were always starting from zero with every new robot project. 

Good results were achieved using Wind River Products and Tools, so we decided to focus on this software, and since then all the classes, students and researchers are invited to use them as a standard. We increase the information exchange between the students and our productivity. The availability of manuals and documentation was a strong point in our decision. I believe now we are able to propose and conduct a larger number of research projects in parallel.

Q: Do you plan to continue to use Wind River Products for teaching and research? Are there any interesting future projects or ideas you can share? 

Yes we are strongly investing in training human resources that will work in the next 5 years at our Lab. We are very excited with the possibility of new partnerships with different Universities in the USA. For example, the new project that we are starting together with the Newman Laboratory for Biomechanics and Human Rehabilitation at MIT. They have a lot of experience combining robot assistance and video games to motivate and improve stroke patients rehabilitation process. 

- end of interview - 

As you can see, there are some impressive things going on in the engineering program at USP! I wish to thank Professor Caurin for taking the time for this interview and for taking full advantage of our Wind River University program. If you have some exciting teaching and research going on with Wind River products let me know. If you are interested in using Wind River products in the class room and lab, take a look at our Wind River University Program.

In part two of my interview with Professor Glauco Caurin, we talk about some the research projects that they working on and how they are using VxWorks and other Wind River products:

Q: Tell us about the research projects you have make use of Wind River Products. Can you give us more detail on the Kanguera, the five fingers robot hand? Which of our software are you using? Where is it used and why?

We are using VxWorks now for some years with different platforms. More then 8 years ago we started the first research projects with the hardware funded by FAPESP using VxWorks donated by Wind River as the RTOS. The projects were related to the development of robot grippers and hands. At that time we were using Tornado as IDE. Today our  goals in this area  are still the same: to create technologies for remotely operated maintenance in the deep sea supporting oil exploration. Most of the Brazilian oil reserves are more than a kilometer below the sea level. The recent accidents in the Gulf of Mexico [and the need for robotic assistance] reinforce the importance of our ideas. 

At dangerous and difficult places robots are very strategic technologies. Now we are developing the fourth generation of our robot hands. The new Kanguera robot hand (image below) will have a more robust mechanical system and also a higher number of sensors, including tactile capacity. Currently we are using Wind River Workbench as the IDE and VxWorks 6.7 [as the RTOS]. 

We are trying to establish a single platform for the development of the different robotic projects we have. We are very impressed with Workbench. A single platform that can be used from on-chip debugging level, passing through the BSP development, device drivers and reaching the application software.

We are also giving priority to the CAN communication protocol that will favor our communication with other Lab partners like Maxon Motors in Switzerland with their position controllers and servomotors.

 

Q: This project SENA, sounds very interesting. This is in conjunction with FIAT Brazil, what else can you tell us about it? How is Wind River software being used and where?

FIAT also uses the CAN bus protocol for communication of the Stilo model that was donated to our Lab. In this sense we are trying to use our knowledge to read the existing sensors in the car by combining their data with the additional information from the laser scanners and finally generating the desired actions with the actuators. For this project the students are working on the development of device drivers for the CAN protocol.

In this project we are considering the possibility of developing home made BSP for the computers that were donated by Beckhoff (also a project sponsor). Today this hardware does not run VxWorks.

At FIAT they are also using National Instruments LabView and CompactRIO for car electronic subsystems tests together with a platform called Veristand for HIL. All these components are running on VxWorks. We are working together trying to increase test frequency limits via direct access to VWorks. That is my contribuition to the project. The SENA Project is leaded by my colleague Prof. Marcelo Becker who is our mobile robotics specialist at the Mechatronic Lab.

 

Q: What can you tell us about the lower limb exoskeleton project? Again, how is Wind River software being used and where?

The lower limb exoskeleton project (pictured below) aims to develop a robotic device to promote assistance and/or rehabilitation for disabled people, focusing on patients who have suffered a stroke. Actually, the apparatus consists of an orthesis for the lower limbs - an external mechanism the patient can wear - whose mechanical joints can be moved by electrical motors. The control of the robotic system can be configured in such a way the patient can be assisted (no rehabilitation is performed in this case) or he/she is asked to execute a given movement with some constrains imposed by the robot, a typical task of a rehabilitation procedure. The robot aided rehabilitation framework also includes the use of computational games to motivate the user during the rehabilitation session.

The Wind River software is being used to access all signals generated by the exoskeleton sensors (encoders, gyros, force sensors, etc.) and to control the electrical motors to the desired positions, specified by a high level command which considers the walking stability and the patient intention. The hardware platform is a GE/Fanuc CV1 PowerPC, with analog and digital I/Os and quadrature encoder modules.

It is important to mention that lower limb exoskeleton Project is lead by my colleague  Prof. Adriano Siqueira who is our control specialist at the Mechatronic Lab.

 

...to be continued in Part 3

Wind River regularly contributes to education programs across the globe. One of these institutions is the University of São Paulo (USP) in Brazil. They are doing some amazing things with VxWorks and Wind River products play a big role in research and education in their engineering programs. In the next few posts I have transcribed an interview with Professor Glauco Caurin who teaches in robotics, mechatronics and mechanical engineering at USP's São Carlos Engineering School:

Q: Can you tell us about University of São Paulo and the São Carlos Engineering School?

The University of São Paulo (USP) is the largest institution dedicated to higher education and research in Brazil. It is responsible for approximately 25% of the Brazilian scientific research.

USP is composed of seven campuses, 40 learning and research units, five hospitals, five museums, five specialized institutes, besides multiple experimental laboratories and centers of scientific and cultural diffusion. It offers approximately 700 regular courses. There are 230 undergraduate courses and an average of 5,500 students graduate annually. There over 500 fields for possible graduate studies at USP (MAs and PhDs).

São Carlos is the Campus where I work. Here we have 4 Institutes:

•    São Carlos School of Engineering - EESC

•    Institute of Mathematics and Computer Sciences - ICMC

•    São Carlos Institute of Physics - IFSC

•    São Carlos Chemistry Institute - IQSC

The School of Engineering is the oldest of them. The EESC began its activity in 1953. We admit 450 students every year that are distributed in the 10 different Engineering fields and one Architecture course. On average, at EESC, one in 20 candidates is selected for admission.

Q: Can you tell us more about yourself? Where did you grow up, where did you attend University and how did you end up teaching at USP?

I grew up in São Carlos where I was born in 1966. From 1984 to 1988 I studied at EESC and received a diploma in Mechanical Engineering. In 1989 I moved to Europe because at that time there was a special program sponsored by the Brazilian Presidency fostering strategic fields like Robotics and Mechatronics. I worked for 5.5 years at the prestigious ETH Zurich, Switzerland concluding  a specialization in Mechatronics and a PhD in Robotics. At the ETH I got in contact with real time operating systems for the first time. 

Back to Brazil in 1995 I worked several years in the administration of different Universities in São Paulo City. The job was nice, well paid for Brazilian standards, but I was not extremely motivated. Therefore, in 2002, I decided to come back to the Laboratory and to do more research projects. I passed the selection process for USP (became a State Government Employee) and combined the previous experience with these new challenges. We started, in 2003, a new course in Mechatronics Engineering, which provided 50 additional places for students at EESC.

Q: Professor Caurin, you mentioned to me that you are trying to teach something new in Brazilian engineering curriculum and that is the development of new products. Can you tell us more about this initiative? Why do you think it’s an important part of an engineering program?

Since the 1960’s when the first automotive companies start to build cars in Brazil the engineering curricula in the country were focused on processes and their optimization, i.e. finding best compromises between low costs and high quality. In my opinion, our engineers have been very competitive so far, because currently there are 25 different companies building automotive vehicles in our country. Nevertheless, in my opinion, this is not enough to put Brazil in a leading position worldwide. We are still missing a more aggressive position of being able to develop and produce our own technological products. Products that are more related to our way of life, local necessities and also compatible wih the local prices. And this culture shift is exactly what we are trying to change in our education program at EESC – USP.

We are trying also to convince our students that they should consider the possibility to establish their own business as an alternative to the conventional way of looking for a job after graduation.

Q: USP is part of an academic program that Wind River offers to universities to provide software for students and faculty to use for education and research. First can you tell us about the courses that USP uses Wind River software for?

Yes, we are using Wind River products for research and education purposes in the Mechatronic Engineering program. In particular we have a course called "Development of Mechatronic Products" [which uses VxWorks and other Wind River products]. At this stage of the engineering program the students have already worked with professional tools for the development of mechanical subsystems and electric-electronical subsystems. Also in this program we concentrate on professional tools for the development of the software subsystems. It is important to mention that we further restrict our scope to products that use/require embedded software. This program is something new for Brazil. Outside the Universities, several companies insist on building systems from scratch and never use a RTOS, or commercial BSPs. Doing things this way, these companies will be never competitive globally. We have experienced a very bad example (case study) of this kind of approach in Brazil some years ago with the Brazilian Satellite Launcher program. Our intention is to create and offer a new generation of professionals.

Q:  Can you tell us some of the basic principles you teach in these courses? Why is it important for students to learn these using commercial products?

There are not big secrets in what we are teaching. I am using a text book for real time systems and presenting basic concepts like OS kernels, scheduling, task communication, hardware aspects, determinism, etc. Additionally, we give the students some introductory notions on version control and software engineering.

What is different in the course is that we try to implement as many practical projects as possible, making the concepts clear real for the students. We also use robotic applications to motivate them.

I our opinion, commercial products are very important, because they give reliability to the education process. If something goes wrong, the students knows the problem is likely in their own code [since it usually unlikely in proven commercial software]. There is nothing to complain about in the IDE [e.g. Wind River Workbench]. There are no excuses. There is significant amount of supporting material available on the web. Also the number of commercial products that use the RTOS motivates the students to learn something new. They see potential business and even jobs in the future.

Q: How is the government involved in the founding of research in engineering in Brazil. What types of projects does the government tend to fund?

This is a very complicated question to answer when we consider the size of our country and the big differences that we experience [in Brazil]. But I will try to answer it in two parts:

First of all USP is a State University, and the Sao Paulo State is the richest state in Brazil. The state assigns a fixed part of our taxes to a Foundation called FAPESP where researchers, entrepreneurs, and small companies can ask for funding for research projects. They say that this model was copied from the NSF (National Science Foundation) in USA.

Second there is still the possibility to be funded by our federal budget, from the Brazilian Science Foundation, CNPq. Here the competition is bigger, but it is still possible to succeed. In the case of the training courses we are attending in the USA in July, the budget came from CNPq.

...to be continued

A typical security discussion is usually about hackers getting into corporate IT systems or viruses on home desktops. Embedded systems have not always been the target for malicious attacks but times have changed. Embedded devices are more sophisticated and interconnected and in many cases connected to the Internet. This interconnection and Internet awareness has great benefits for expanding the ubiquity and usefulness of embedded devices in our lives. For example, a home environment monitoring system could monitor your house air quality with half a dozen wireless sensors that use a lower power local area network to your thermostat. Your thermostat could host a small web server on the Internet that lets you login and monitor and control your household temperature and humidity. Sounds great, right? It won't be that great if someone hacks into your system and turns the thermostat to 90 degrees and turns your house into a sauna! This is a trivial case but you can see how this could extend to a sheet metal press in a factory, elevators and escalators, or a chemical control valve in an oil refinery.

We can decide that all safety critical devices are never to be connected to the Internet and that only private wired networks be used (presumably with physical protection as well). This is not practical because there is so much to be gained from having these devices wireless and Internet-connected. The alternative is to attempt to make embedded devices as secure as we can. An important step in doing this is extensive intrusion testing of embedded devices through their network connection - the most likely place for external attacks. One such test suite is the Achilles Certification by Wurldtech that we recently achieved for VxWorks. In fact, VxWorks is the first RTOS to be Achilles certified - a test that throws all sorts of badly formed packets and disruptive network traffic patterns at our network stack. It's important to note that the VxWorks network stack includes a firewall which is critical to intrusion protection but not typically available with RTOS networking software. VxWorks is an extremely configurable RTOS which means our customers can include only the parts of the OS they need for their application. Importantly, it also allows customers to configure more secure versions of the RTOS by excluding debug and other non-critical components. Configuring the system to have just what is needed and to explicitly exclude non-secure components is a critical step before device production.

Why is it important for commercial RTOSs to be certified to standards like Achilles? Because, our customers want to know they are building their systems on reliable and secure platforms. In fact, Achilles certifications are typically done on a system level. By using a pre-certified RTOS like VxWorks means a much higher probability that you pass the test - greatly reducing debug, fix and test cycles. In the end, security and reducing risk, time and effort are main reasons commercial RTOS offer value in the embedded software marketplace.

Although adding OpenGL 3D support was an important part of the recent Tilcon 5.8 update, there's other things to talk about in the new release. It adds other new capabilities such as increased hardware, driver and target OS support, and image rotation capabilities.This is also the first release of the Tilcon Graphics Suite to include source code for customers wanting to tune the Tilcon GUI engine configuration and build.

Tilcon Graphics Suite 5.8 now includes the Wind River Media Library (a.k.a. WindML) which is a graphics and audio framework that provides a high degree of architectural and hardware independence for application code. WindML provides interfaces to (including Tilcon GUI engine) on VxWorks, X.Org, OpenGL (including accelerated 3D support from our partner Presagis) and 2D UGL APIs plus various input devices such as touch screens, pointers and keyboards. WindML provides a common interface for graphics display drivers and acts as the abstraction layer form application to hardware devices. The advantage of this for Tilcon customers is the wide range of available graphics drivers for VxWorks and X.org and the abstraction provided means Tilcon apps don't need modification when switching hardware. Future driver support is simplified due to the WindML abstraction layer and the common driver architecture.

This release reintroduces runtime support for Microsoft Windows CE and XP and continues our support for Wind River Linux and other Linux distributions. Tilcon 5.8 is available for Power Architecture, ARM and Intel Architecture (including Atom) devices. For this release we have introduced support for the following reference platforms:Texas Instruments OMAP 3530, Freescale i.MX 31 Lite and MPC5121e, Portwell Nano, and Intel Navy Pier

Image rotation capabilities are new for version 5.8 and spport 360-degree rotation for raster images using APIs or the Tilcon Interface Design Tool.

Here's another video showing a series of example UIs designed with Tilcon and running on the Tilcon GUI engine:

Today we announced our latest release of Wind River Tilcon Graphics Suite, version 5.8. This is an important release for us for many reasons. One is this addition of OpenGL version 2.1 3D graphics to the Tilcon Graphics Suite (specifically for VxWorks runtime platforms). The need for 3D graphics is growing in embedded devices because User Interfaces (UI) are becoming more and more sophisticated. For medical devices this may mean 3D images of internal organs, joints, etc. For industrial devices it might mean 3D data representation, maps, or orthographic displays. For aerospace and defense, Heads Up Displays (HUD), radar and other display types do or will leverage 3D graphics. For consumer devices 3D graphics are already used for mobile gaming. 

Three dimensional graphics are typically displayed in combination with 2D UIs since 3D libraries such as OpenGL do not have high level widgets for push buttons, dials, menus, etc. Combining 3D with the extensive and flexible 2D capabilities of the Tilcon Graphics Suite provides a perfect combination.

In the Tilcon Graphics Suite, the OpenGL objects are displayed with a frame and are controllable from the Tilcon application. This makes it easy to incorporate 3D graphics into an new or existing graphics project. We've recorded a nice demonstration of this on YouTube:

In the next post, I'll discuss some of the other enhancements we've done in the Tilcon Graphics Suite version 5.8 release.

Wind River's CTO, Tomas Evensen gave a keynote at the Multicore Expo in San Jose entitled "Surviving the Software Avalanche: Simplifying Multicore". There certainly has been much discussion of multicore by many people (myself included) over the years but we are getting to a point now that we are seeing multicore use cases coalescing in the marketplace. I think a lot of us learn better by example and when we see multicore used in a real customer use cases, we see the benefit and value much more.

Our customers are turning to multicore mainly because of economics. In some cases their performance requirements have multiplied in a few short years and in order to satisfy those requirements the computing power of their systems needs to increase significantly. But not for more cost per unit and not by consuming more power or producing more heat. One such example of this is our recently announced Network Acceleration Platform (NAP) which provides a ready-to-use network processing platform for multicore systems. The NAP greatly simplifies creating high performance networking components by encapsulating our key multicore technologies into a single bundle that is pre-integrated for particular hardware platforms. My colleague Mark Guinther goes into more detail about the industry challenges that NAP aims to address in this blog post.

Another common use case for multicore is consolidation of complicated multi-device systems into one. Combining multiple systems into a single hardware unit means less cost but also less complicated supply chain and easier support and maintenance. Multicore is not the only enabler for consolidation but it has removed previous barriers such as performance and power limitations. Our customers can now leverage our Hypervisor technology to run multiple operating systems on a single core or multicore devices to consolidate two or more systems onto a single board. The cost savings are potentially huge and these new hardware platforms are typically more powerful than previous generations and allow our customers to do much more than the previous systems allowed (i.e. consolidating several systems but also leveraging increased processing power to increase functionality).

A third driver for multicore adoption is safety and security. In highly secure systems, the secure and insecure parts of the system must be physically separate - usually by having multiple individual systems to achieve it. Modern secure systems are doing more with less by leveraging secure separation with virtualization, ie a secure Hypervisor. This ensures separation on a single system eliminating the need for multiple (and expensive) systems.

In safety critical systems it’s important to separate certified parts of the system from non-safety critical elements. For example, an industrial control system may need a safety critical control system that also provides a Linux-based user interface. The Linux and safety critical parts can both be run on the same system but separated via certified Hypervisor technology. Certainly when consolidating operating systems on a single board we want separation but in safety or security certified systems, we want guaranteed separation including data and cache. This is a specialized case of consolidation but the distinction is important since the systems of this type will require safety and security certification.

Why is understanding these use cases important? I think it puts things into perspective. Once the context of the problem is set, the block diagrams on the whiteboard make more sense. Moreover, it helps customers think about multicore from the point of view of their problems, technical and business. Is your product being outpaced by competing products? Does a new multicore hardware and software platform provide the kind of performance AND business advantage (cost, time to market, etc) that you need? It's no longer a case of multicore is a cool parallel programming demo, it’s multicore as a business solution.

Our customer, Groupe INTRA (Intervention Robotique sur Accident) in France has developed robotic vehicles for the remote analysis and clean up of radioactive sites. Groupe INTRA is chartered to respond to a nuclear accident within 24hrs for its member organizations. This is a very cool and interesting application of robotics and real-time control to protect operators from deadly radiation. First there is ERASE ( External Reconnaissance, Assistance and Surveillance Robot) designed for rough terrain to analyze and transmit details of the accident site back to operators. ERASE and can be controlled form up to 10km away from the site.

Then there is Engine Benne (EBENNE), a remotely controlled dump truck equipped with cameras, lights and a gamma ray detector.

And finally, ERELT T (Teleoperated Relay Robot) which literally relays control information, video and sound from the other robotic vehicles at the site back to operators. INTRA has an entire fleet of robotic vehicles for a complete cleanup of a nuclear accident site.

What does VxWorks have to do with these nuclear accident workhorses? Well, the control centre and robots run VxWorks on an Intel Pentium, 4 processor. All of the systems needed a reliable, real-time and deterministic operating system. In fact, the system required 100ms response time for control and three channels of high resolution video from the vehicles. We're proud of being chosen for such an important role in France's nuclear accident response program and the fact it has performed so well in the harsh and demanding environment where these vehicles exist. Here's a video of the ERASE vehicle in operation:

Our customer, Huawei, recently announced they have been chosen to deploy Australia's first LTE network. This is great news because Huawei's LTE base stations are built using VxWorks - the VxWorks Platform for Networking Equipment to be exact. It's also great news because we are starting to see the fruits of our customers' efforts come to reality and it stands as a validation of our investment in next generation networks. Moreover, this is the latest in a set of successes we've had with VxWorks in the networking space.

In particular the technology investments we've made such as mobile IP, multicore and packet processing offload acceleration. What is also encouraging is that Huawei is standardizing on our solutions across product lines sich as core network, GSM, optical and access products. In fact, we did a nice customer success story on this recently.

So, what role does Wind River play in the next generation of LTE devices? Our multicore and virtualization technology is allowing network manufacturers to leverage the new horsepower available from 4,8, 16 and even 32 core processors. Our advanced networking technology (ANT) provides support for offload acceleration such as packet forwarding, deep packet inspection and encryption. Our mobile IP support is providing off-the-shelf protocol support needed for LTE and WiMAX networks. Along with our tools and services, we are providing a powerful platform that networking infrastructure companies need to handle the huge data rates required for next generation networks.