Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

smartmeter demo (CHERIoT device bits) #20

Open
wants to merge 26 commits into
base: main
Choose a base branch
from
Open

smartmeter demo (CHERIoT device bits) #20

wants to merge 26 commits into from

Conversation

nwf
Copy link
Member

@nwf nwf commented Feb 12, 2025

No description provided.

@rmn30 rmn30 force-pushed the 202502-smartmeter branch 2 times, most recently from 285556b to 778c515 Compare February 18, 2025 16:47
@vmurali
Copy link
Collaborator

vmurali commented Feb 20, 2025
edited
Loading

Looks like I cannot push to this branch. Here's a slightly different design to highlight the security guarantees of CHERIoT against a system that has no compartmentalization:

  1. The grid controller

    1. Receives scheduled outages (array of <start time, duration>)
    2. Recieves request for corrective actions i.e. load shedding, load increase (array of <start time, duration, maximum load value, minimum load value>)

  2. The provider

    1. Receives hourly rate information for the next day (<date, array of 24 prices>); the old rates are used till a new rate is received for a day
    2. Sends accumulated consumption information hourly
    3. Optional: receives a directive to turn off the energy for various reasons (payment not made, hourly consumption information isa not received for a long time)

  3. The sensor: provides a passive interface for reading the following values

    1. Instantaneous total load consumption in the house
    2. Optional: Instantaneous energy stored in each battery in the house (array of <battery index, energy>)

  4. The house

    1. Updates/accumulates the hourly comsumption information based on energy consumption sensor data (reads sensor data frequently)
    2. Provides a passive interface to specify the load to be consumed for an array of load consumers (array of <consumer index, load> updated frequently)
    3. Optional: Provides a passive interface to specify the status of charge/discharge for an array of batteries (array of <battery index, CHARGE/DISCHARGE> updated frequently)

  5. The user

    1. Provides a passive interface to specify the policy (using a Javascript bytecode) to drive the load consumers (and optionally battery) based on grid request, provider rate (and optionally battery energy)
    2. Calls the house interface to specify load consumer values and battery charge/discharge status based on the current policy

The grid controller and provider each run a thread for receiving data in the form of MQTT messages, and the provider runs a thread for sending accumulated consumption information.
The provider has web interface to show the current accumulated (monthly) charges.
The sensor can optionally have a web interface to show the current load consumption and batteries' levels. The house runs a thread the updates the hourly consumption information.
The user provides a web interface to input the javascript program to specify policy.
The user runs a thread to update the loads to be consumed by various consumers and optionally the charge/discharge status for the batteries.
Optional: The grid and provider has a web interface to submit new rates, requests, outages etc.

The javascript VM has FFI functions to access

  1. the outage information, () -> (Start Time, Duration)
  2. grid load requests, () -> (Start Time, Duration, Max Load Value, Min Load Value)
  3. provider rate information for the current day, Hour -> Rate
  4. sensor load consumption, () -> Current load
  5. battery level, Battery Index -> Current Energy Stored
  6. set load consumptions, Consumer Index -> Load -> ()
  7. set battery charge/discharge, Battery Index -> CHARGE/DISCHARGE -> ()

On a system with no security features, a user can write a javascript program that abuses the set load consumptions or set battery charge/discharge functions to specify an arbitrary 32-bit index to update any value in the memory.
In particular, the hourly consumption information can be overwritten to 0 to make the provider think that the total energy consumption is 0 throughout.

With CHERIoT, each of the above components can be specified as a separate compartment and as a result, the user compartment that has the javascript VM cannot access/update arbitrary memory using the index value in the set load consumptions/set battery charge/discharge functions.

Note that the grid controller is optional for this security feature demonstration and can potentially be removed to simplify the design.

nwf and others added 14 commits February 24, 2025 15:55
@nwf @rmn30
First draft of smartmeter demo CHERIoT bits
f0644f9
@nwf @rmn30
Allow speeding up simulated time
a840693 
This should allow making the demo more interesting
@rmn30
Change xmake default paths to suit cheriot-demos repo.
d45408a 
Also change the name of CHERIOT_SDK env variable to CHERIOT_RTOS_SDK to avoid confusion with --sdk option to xmake.
@rmn30
Add smart_meter demo to CI.
1d6f45e 
Also set default board for smart_meter demo to sonata-1.1.
@nwf @rmn30
broker configuration via xmake
e057480
@nwf @rmn30
fix client IDs
1cf21ae 
We self-check for validity only if debugging is turned on, and how odd
that '-' isn't in the spec's permitted set (3.1.3.1, MQTT-3.1.3-5).
@nwf @rmn30
grid: report some data, not just a Tick
2a9e85a
@nwf @rmn30
Very, very initial web frontend goo
d60cfa9
@nwf @rmn30
WIP: monolithic image as well
c5748d0
@nwf @rmn30
Incremental progress on user frontend
d889fda
@nwf @rmn30
Monolithic build
2f6180c 
Works after CHERIoT-Platform/cheriot-rtos#461
@nwf @rmn30
sample_policy: use spaces, not tabs
3ea2f38
@nwf @rmn30
Add "revert to last submitted" button to editor
0258446
@nwf @rmn30
Further set the stage for badness
a7e3fc5 
On monolithic builds, move the sensor data and the userJS data snapshot
objects into (the one compartment's) globals.  This should make it
possible, in a monolithic build, for a cap held in the JS machine to be
abused to write to the sensor data.
@rmn30 rmn30 force-pushed the 202502-smartmeter branch from 55392af to a7e3fc5 Compare February 24, 2025 15:55
nwf and others added 3 commits February 24, 2025 17:55
@nwf
Further demolish monolith security
f7944ca 
Place sensitive and non-sensitive structures not just in the same .data
segment but as subobjects of the same struct.  This subverts
CHERIoT-LLVM's understanding of properly bounding address-taken globals
and permits subobject bounds violtion to model code running on a
pre-CHERI machine.
@rmn30
Add 'unique-id' xmake option for setting meter ID at compile time.
05e2669 
Defaults to 'random' which causes the device to generate a random ID on boot.
@rmn30
Update network stack to include fix for MQTT packet bounds.
fa09d89
@rmn30 rmn30 force-pushed the 202502-smartmeter branch from 106b4bd to fa09d89 Compare February 25, 2025 18:25
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@nwf @vmurali @rmn30