Software fault-injection in a TTEthernet Cluster

Abstract

Time-Triggered Ethernet (TTE) is a Data-Link Layer, Quality of Service standard that provides an improvement to the standard Ethernet networks [1]. In particular, it defines algorithms for clock synchronization, clique detection, startup and restart of the underly-ing communication network. The standard provides the capability for a deterministic and congestion-free communication in an Ethernet network, which is undisturbed by the standard asynchronous Best-Effort Ethernet traffic. All this is provided by a synchroniza-tion mechanism which separates the synchronous communication from the asynchronous Ethernet dataflow. Therefore, TTE supports three different levels of time criticality, namely Time-Triggered (TT), Rate-Constrained (RC) and Best-Effort (BE) traffic. TTEthernet finds its purpose in the development of highly dependable communica-tion systems with various applications in fields, such as aerospace, automotive and many others. These systems impact the lives of humans and are therefore safety-critical. Various testing methods are used in practice in order to ensure the robustness and dependability of such a system. At present time, for certain configurations, the ongoing synchronization and the startup and restart mechanisms of the TTE standard are only tested theoretically by making use of existing models of TTEthernet and various model checking tools. The startup service has the role to create an initial synchronization when the devices of the network are powered-on. The aim of this diploma thesis is to analyze and test the startup and ongoing synchronization mechanisms of the TTE standard in hardware, using some configurations for which these mechanisms were never tested before. A TTEthernet network has a star topology and consists of sending and receiving devices (also called end-systems) and TTE-switches in-between, which have the task of relaying frames in the network. The startup mechanism will be tested on a system level, meaning that a TTE-network will comprise a faulty end-system which will inject faulty frames in the network in order to disturb the correct synchronization of the other network devices. A switch can also be manipulated to interact with the frames in a malicious way. However there will always be only one malicious device in the network, not two at the same time. The practical part of the thesis consists of executing software fault-injection experiments in a TTEthernet cluster consisting of four end-systems and one or two TTE-switches, depending on the test-case. The TTE network will be configured to tolerate the arbitrary failure of one device, either an end-system or a TTE-switch. One of the end-systems will be instrumented to send arbitrary frames to the TTE-switch. The frames are relayed by the TTE-switch to the receiving end-systems or are used for synchronization purposes. It is tested, if and how these faulty, malicious frames influence the correct startup and ongoing synchronization processes. The fault-injection experiments will increase in complexity. At first random Ethernet frames will be injected in the network, then TTE "Protocol Control Frames" (PCFs) will be randomly sent by the faulty end-system. It is expected that during the startup phase in the TTEthernet cluster, the devices will synchronize also in the presence of a faulty end-system that injects arbitrary Ethernet frames or protocol control frames into the network. This shall also be the case if a faulty TTE-switch is part of the network. The results of the experiments are thoroughly discussed after the realization of the practical part.