Sensor Data Transplantation for Redundant Hardware Switchover in Micro Autonomous Vehicles

As our reliance on micro autonomous vehicles increases, security vulnerabilities and software defects threaten the successful completion of tasks and missions. Recent work has developed end-to-end toolchains that provide trusted and resilient operation in the face of defects and attacks. These toolchains enable automatically repairing (and patching) the control software in the event of a failure. Existing techniques force the subject control software to terminate and the vehicle to be motionless, making the restart or post-repair deployment more complex and slow. The challenge remains to ensure that vehicle control software can recover from attacks and defects quickly and safely, even while the target vehicle remains in motion. This paper presents a technique for faster, simpler, and seamless hardware switchover that operates while the vehicle is in motion. The key contribution is the ability to restart the control software post-repair while the vehicle is in motion by transplanting sensor data between onboard control computers to bypass a costly portion of initialization. Although existing checkpoint and restore methods allow software to recover execution at a known-functional state, they are not lightweight enough to support recovery during mission execution. Instead, our approach transplants known-good sensor data from a trusted, isolated execution environment in the onboard computing hardware. Our evaluation successfully reproduces prior simulation results in hardware. Further, sensor transplantation allows for successful initialization while in motion, reduces time-to-ready by 40%, and is robust to variances in sensor readings.