High Assurance Cyber Military Systems (HACMS) Making sure you are in control of your vehicle
Kathleen Fisher, I2O Program Manager
May 20, 2013
5/20/13 Distribution Statement A - Approved for Public Release, Distribution Unlimited 1 Pervasive Vulnerability
SCADA Systems Medical Devices Vehicles
Computer Peripherals
Communication Devices
Distribution Statement A - Approved for Public Release, Distribution Unlimited 2 Many Remote Attack Vectors
Mechanic Short-range wireless Long-range wireless
Entertainment
Distribution Statement A - Approved for Public Release, Distribution Unlimited 3 Securing Cyber-Physical Systems: State of the Art
Control Systems Cyber Systems • Air gaps & obscurity • Anti-virus scanning, intrusion detection systems, patching infrastructure Forget the myth of the air gap – the control system that is completely isolated is history. • This approach cannot solve the problem. -- Stefan Woronka, 2011 Siemens Director of Industrial Security Services • Not convergent with the threat • Focused on known vulnerabilities; can miss • Trying to adopt cyber approaches, but zero-day exploits technology is not a good fit: • Can introduce newUNCLASSIFIED vulnerabilities and • Resource constraints, real-time deadlines privilegeAdditional escalationsecurity layers opportunities often create vulnerabilities…
• Extreme cost pressures October 2010 Vulnerability Watchlist
Vulnerability Title Fix Avail? Date Added • Patches may have to go through lengthy !"#$%&'()#(*&+,#-),**()&.)(/&0(-1,)2&3),-,4,*&!,4/*&3)"5"*(6(&784/*/9,#&:$*#()/;"*"-<& 0,& =>?@>?ABA& C(D&E/-&:FGH&H,D$*(&GG!&+,##(49,#&F(#"/*&,I&G()5"4(&:$*#()/;"*"-<& J(8& =>?K>?ABA&
verification & validation processes 3E3&L";/8(M6(#M"DNOL&P$#49,#&,QR;
V#-()#(-&7%W*,)()&=&L-,G-/94EXH!NOL&EXH!&G/#"9Y/9,#&S
+,aW$-()&.88,4"/-(8&T#(5"(1&H,#"-,)&LD,G/5(bc8WL&C(a,-(&+,D(&7%(4$9,#&:$*#()/;"*"-<& 0,& =>B`>?ABA&
TW(#GG!&L88*dM6(-M2(
.D,;(&.4),;/-&/#D&C(/D()&P,#-&3/)8"#6&C(a,-(&+,D(&7%(4$9,#&:$*#()/;"*"-<& 0,& =>BA>?ABA&
TW(#Te4(&VaW)(88&P"*(&H$*9W*(&S$Q()&T5()U,1&:$*#()/;"*"9(8& 0,& =>BA>?ABA& !"#$%&'()#(*&3.RCVG+&L*(Db4L&G-/42&S$Q()&T5()U,1&:$*#()/;"*"-<& 1/3 ofJ(8& the vulnerabilities=>Af>?ABA& :%Z,)28&F(;$66"#6&G()5"4(&G(4$)"-
DISTRIBUTION F - Further dissemination only as directed by DARPA Public Release Center or higher DoD authority 6 5/20/13 Distribution Statement A - Approved for Public Release, Distribution Unlimited UNCLASSIFIED 4 SAT Solvers and Infrastructure Development: Critical Enablers for High Assurance Systems
Results of the SAT competition/race winners on the SAT 2009 application benchmarks, 20mn timeout 1200 Interactive Theorem Provers Limmat 02 Zchaff 02 • seL4 microkernel Berkmin 561 02 Forklift 03 Siege 03 [9000 LoC:C, SOSP 09] 1000 Zchaff 04 SatELite 05 • compCert verifying C compiler Minisat 2.0 06 Picosat 07 Rsat 07 [6K LoC:ML, POPL 06] Minisat 2.1 08 800 Precosat 09 Glucose 09 Automatic Theorem Provers Clasp 09 Cryptominisat 10 Lingeling 10 • Verve OS Nucleus Minisat 2.2 10 [1.5K LoC:x86, PLDI 10] 600 • Baby Hypervisor
CPU Time (in seconds) [1K LoC:C, VSTTE 10] 400 Model Checkers Picking 80 problem point, best time has dropped • Microsoft device drivers 200 from 1000 (2002) to 40 [30K LoC:C, PLDI 01, CACM 11] seconds (2010). 0 • ADGS-2100 Window Manager 0 20 40 60 80 100 120 140 160 180 Courtesy: Daniel Le Berre Number of problems solved [16K Simulink blocks, CACM 10]
[A] significant part of the effort in existing projects was spent on the further development of verification tools, on formal models for low-level programming languages and paradigms, and on general proof libraries. The sharing of substantial parts of the verification tools between Verisoft and L4.verified demonstrates that there is a significant degree of re-usability... Future efforts will be able to build on these tools and reach far-ranging verification goals faster, better, and cheaper. Gerwin Klein, Formal OS Verification—An Overview.
5/20/13 Distribution Statement A - Approved for Public Release, Distribution Unlimited 5 Idea: Synthesize & Verify High-Assurance Systems
Safety Security Proof: Generated executable Policy Policy • implements functional specification, • satisfies safety and security policies, and Functional Hardware • satisfies resource constraints Specification Description when run • on hardware satisfying the hardware description and Resource Environment • in an environment satisfying the Constraints Description environmental description.
Verified Libraries Synthesizer
“If software always worked as specified or intended Code Diagnostic by its makers, only a small subset would be Information vulnerable to attack, and defenses would be much easier to implement.” Proof Felix Lindner, Recurity Labs, CACM, June 2006 High Assurance: Correctness, Safety, Security
5/20/13 Distribution Statement A - Approved for Public Release, Distribution Unlimited 6 High-Assurance Vehicle of the Future: Built from Synthesized Components Research Challenges
…
Party Party • Synthesis of attack-resilient GUI Voice Voice rd 3 control systems Sandbox • Synthesis of operating systems code Authentication Network • Specification languages: Protocol ...
Data Data function, environment, Stack Control Control File System Logging Logging Algorithms Algorithms hardware, resources ... Communication Protocols μKernel RTOS RTOS • Composition ... x86 ASIC ARM, etc • Proof engineering A US automaker’s cars have 1-2 • Scaling complete computers. • Attack/fault response • V&V of complete system
Key: Unassured modules • Managing time: New assured modules A US automaker’s cars have 30-100 real-time controllers. synchrony, asynchrony, Existing assured modules concurrency Hardware
Focus on vehicles, but techniques should apply to other domains.
Distribution Statement A - Approved for Public Release, Distribution Unlimited Images of specific products throughout this presentation are used for illustrative purposes only. Use of these images is not meant to imply inherent vulnerability of a product or company. HACMS Program Architecture
1. Military Vehicle Experts 2. Operating Systems 3. Control Systems 4. Research Integration 5. Red Team
NICTA Boeing Galois RC*/U. Minn DRAPER*/AIS/ Synthesize OS Pilot-able Unmanned Embedded DSL; Compositional U. Oxford Little Bird Helicopter components; Synthesize and verify verification; Traditional Verified sel4 kernel; control system code Integrated workbench penetration Verified RTOS testing; novel HRL*/GM SRI*/UIUC SRI* SRI* formal methods approach American Built Car EF-SMT solvers; Synthetic sensors; Lazy Composition;
Synthesize monitors Synthesis for Evidential Tool Bus &
and wrappers controllers of hybrid Kernel of Truth; systems Vehicle Integration
Princeton*/Yale/MIT CMU*/Drexel/ Build and verify in CoQ SpiralGen/UIUC vehicle-control OS; Map high-level
compCERT : concurrent; spec into low-level compositional C code; Extend Program Timeline: integration of verified Spiral for hybrid • Industry Day: Feb 21 components systems • BAA Release: Feb 23 • Proposals Due: April 10 Kestrel* UPenn*/UCLA • Notifications: May 9-11 Synthesize Synthesize protocols: • Kick-Off: Aug 8-10 refinement of high- attack-resilient • Three 18-month phases level spec to low-level control systems implementations Performers: • 8 Primes (*) • 22 Total Distribution Statement A - Approved for Public Release, Distribution Unlimited Air Team
• Platform (TA1): Unmanned Little Bird [Boeing] • Mimicked in open-source ArduCopter [Galois] • Challenge problems: stays in safety envelop, stays in mission envelop • Live flight demo of ULB planned for Phase 3 • OS (TA2) [NICTA] • Leverage verified MicroKernel seL4 and RTOS • Synthesize code & proofs for device drivers and file system; develop high-assurance CAN bus; provide verified synthesized glue code; develop automatic WCET analysis. • Control Systems (TA3) [Galois] • Synthesize flight control systems & proofs from embedded domain-specific languages (EDSL); verify integrity of control flow; verify simplex architecture extended to monitor security properties • Compositional Reasoning & Integration (TA4) [Rockwell Collins*/U. Minnesota] • Architecture-driven assume-guarantee reasoning to support compositional verification • Eclipse-based pluggable workbench to organize development and verification
Distribution Statement A - Approved for Public Release, Distribution Unlimited Ground Team
• Platform (TA1): American Built Car [HRL*] • Mimicked in open-source LandShark [Black-I Robotics] • Challenge problems: adaptive cruise control system; mission integrity • Live demo of American Built Car planned for Phase 3 • Operating Systems (TA2) • End-to-end correctness: control code to low-level OS code, checked in Coq. Adaptive proof scripts & EDSLs for scaling. Leverage CertiKOS verified hypervisor & CompCert verifying C compiler, extended with support for separate compilation and concurrency. [Princeton*/Yale/MIT] • Synthesize code & proofs for communication protocols (TCP/IP), including multiple variants, leveraging and extending SpecWare library of transformations. [Kestrel*] • Develop Exists-Forall SMT Solvers and apply to synthesizing monitors/wrappers that perform runtime verification. [SRI*] Distribution Statement A - Approved for Public Release, Distribution Unlimited Ground Team, continued
• Control Systems (TA3) • Develop self-aware non-linear control code that can detect and respond to attacks even in the presence of noise. Prove correctness of control algorithms and implementing code. [Penn/UCLA*] • Provably correct sensor fusion based on interval representations; Synthesize controllers that provably stay within safety envelops from high-level specifications written in HybridSAL-X; Synthesize controller-specific and global bus monitors to prevent unwanted bus traffic. [SRI*] • Synthesize code & proofs for control algorithms expressed in Hybrid Control Operator Language, including multiple variants, using transformation-based approach. [CMU*/Drexel/SpiralGen/UIUC] • Compositional Reasoning & Integration (TA4) [SRI*] • Synthesize weakest pre-condition for assume-guarantee reasoning • Evidential Tool Bus (ETB) to connect diverse formal methods tools and Kernel of Truth (KoT) to establish trustworthiness of verification tools • Leading LandShark and American Built Car integration
Distribution Statement A - Approved for Public Release, Distribution Unlimited What’s Next
• Upcoming events • Baseline assessments of platforms from Red Team [Months 2-6] • Challenge problem solidification & ground team organization [First 3 months] • 1st code drops to Red Team [Month 6] • 1st program vehicle assessments [Month 16-17] • Metrics: Goal is to evaluate suitability of formal methods tools • Usability of experimental vehicles [TA1] • Percentage of core systems verified [TA2, TA3, TA4] • Number & quality of detected vulnerabilities in assured systems [TA2, TA3, TA4, TA5] • Number of tools integrated into workbenches & workbench usability [TA4] • Usability of Voice of the Offense inputs [TA5]
Distribution Statement A - Approved for Public Release, Distribution Unlimited Technical Area 1 – Military Vehicle Experts and Open-Source Vehicles
13
Distribution Statement A - Approved for Public Release, Distribution Unlimited
Rockwell Collins - Technical Area 1 Performer: Boeing
- Real-time Flight - Mediates communication with CUCS Control Computer (FCC) - Translates STANAG 4586 commands into vehicle specific actions - Manages safety critical systems - Manages non safety critical mission equipment packages
Utilizes common military buses Source: HACMS Rockwell Collins Proposal for comms: • Pilot-able Unmanned Little bird (ULB) MIL-STD-1553B, • Mission-tested ARINC-429, • Multi-level challenge problems: Ethernet, VME, range from low-level embedded real- RS-422, and time system to higher level vehicle RS-232 domain requirements
• Unclassified Platform Source: HACMS Rockwell Collins Proposal
• Live Flight Demo in Phase 3 Example: CUCS sends STANAG waypoint commands via • Transition Target: NCORE common the Data Link (TCDL); waypoint translated into vehicle open architecture which is the basis specific actions by VSM and passed to FCC where it is converted into appropriate control commands. for systems based on both AH-6 and 14 AH-64 (Apache) airframes Distribution Statement A - Approved for Public Release, Distribution Unlimited
Galois - Open Source Vehicle ArduCopter Unmanned Air Vehicle (UAV)
Goal: Develop an upgraded version of the ArduCopter UAV to serve as an open source platform
• Based on an 8-bit microcontroller: provides autopilot functionality in conjunction with inertial measurement and GPS communication sensors connected via local serial buses
• Command and control: performed via radio communication with additional mission data being exchanged using the Source: http://code.google.com/p/arducopter/wiki/ArduCopter_Quad MAVLink protocol
• MAVLink protocol: open source protocol for communicating between ground-based command and control software and unmanned air vehicles
• Upgrade hardware to ARM Cortex-M3 processor: provide sufficient power to run the NICTA RTOS, drivers, and the DSL- generated autopilot. Source: http://arm-cortex-m3.blogspot.com/ 15
Distribution Statement A - Approved for Public Release, Distribution Unlimited
HRL Laboratories - Technical Area 1 Performers: HRL and GM
Automotive Vehicle Platform Automotive Testbed (i.e., Integration Workbench)
• ECU identical to that in vehicle platform • Supports interaction between embedded controllers, sensors, and vehicle simulator • Supports application development for both vehicle platform and Source: HACMS HRL Proposal Source: HACMS HRL Proposal LandShark UGV • American Built Car equipped with sensors, actuators, and wireless (e.g. OnStar) and wired (e.g. CAN) networks • Unclassified Platform • Focus on increasing levels of Cruise Control Functionality Source: HACMS HRL Proposal (e.g., basic; adaptive; and stop and go adaptive) • Multiple embedded controllers for cruise control variants, engine control, and brake control • Live Field Testing in Phase 3 • Controllers for engine and brake control will represent the serial • Challenge problems for communication and signal interfaces with these modules 16 platform and testbed Distribution Statement A - Approved for Public Release, Distribution Unlimited
Black-I Robotics - Open Source Vehicle LandShark Unmanned Ground Vehicle (UGV)
Robust Mid-Sized UGV with open, modular • Base Chassis: 45” x 28” x 22”; architecture utilizing the JAUS protocol 513 lbs.; speed 10 mph; Linux OS
• Operator Control Unit: allows operator to talk directly to on-board video server
• IP Based Tunable Radio: offers a secure, wireless communication platform for broadband transmission
• Firing Turret Mechanism: encoded 2 axis turret and remote trigger activated paint ball gun
• Military Grade Pan Tilt Zoom: visible spectrum cameras; thermal imagers; 360º Pan rotation; 100x zoom
Source: http://www.blackirobotics.com/
• Cruise Control Capability: Medium Range Radar and Linux machine equipped with open-source software
17
Distribution Statement A - Approved for Public Release, Distribution Unlimited
Technical Area 5 – Red Team
18
Distribution Statement A - Approved for Public Release, Distribution Unlimited
Draper - Technical Area 5 Performers: Draper, Assured Information Security, and Oxford University
Approach: • Simulate attack without authorized access
• Active system analysis for potential vulnerabilities caused by poor or improper system configuration, known and unknown software flaws, or operational weaknesses
(AIS & Draper)& (AIS • Baseline and Final assessments Penetration Testing Penetration Limitation: Vehicles may quickly be hardened beyond the capability of traditional penetration testing techniques Source: HACMS Draper Proposal
Automatic Attack Generator: Extract formal specification from machine code (binaries) (Oxford & Draper)& (Oxford
Formal Methods Approach Methods Formal Source: HACMS Draper Proposal Source: HACMS Draper Proposal Source: HACMS Draper Proposal Extract and Analyze Z Extract and Analyze CSP Define and Test Security Specification: Develop a custom Specification: Automatically Properties: Models are checked translator from disassembly to Z translate the Z specification into CSP with extended version of FDR219
Distribution Statement A - Approved for Public Release, Distribution Unlimited
Technical Area 4 – Research Integration
20
Distribution Statement A - Approved for Public Release, Distribution Unlimited
SRI International - Technical Area 4
Lazy Composition Evidential Tool Bus (ETB) • Form of assume- guarantee reasoning • Distributed service-oriented architecture • Synthesize the weakest Integration of High • Attaching a tool is a low level assumptions Assurance Components effort • Supports compositional • Tool is scriptable reasoning: eliminates guessing of necessary • Exploratory mode and environment evidential mode assumptions to ensure • Loose coupling between compositionality various tools
Vehicle Formal Methods Kernel of Truth (KoT) Integration Workbench • Establishes correctness of powerful, front-line verification tools • Certify formal claims relative • Lead integration team for the Landshark vehicle to a small trusted core while and the Cadillac SRX not constraining the power of cutting-edge verification • Develop an off-line monitor to help locate and tools classify errors in composite systems by analyzing • "Check the verification, but step-by-step execution data recorded from the verify the checker.“ system running up to the time of the problem 21
Distribution Statement A - Approved for Public Release, Distribution Unlimited
Rockwell Collins - Technical Area 4 Performers: Rockwell Collins and U. of Minnesota
Compositional Verification Integrated Workbench
Source: HACMS Rockwell Collins Proposal • Assume Guarantee Reasoning Environment (AGREE): Eclipse-based; supports proof Source: HACMS Rockwell Collins Proposal engineering; supports formalization in the large • Compositional Reasoning: use of formal • Contract Logic: mediate judgments coming assume-guarantee contracts from different proof tools • Design-Time Assurance: contract can be • Component Interaction Analysis: each used in reasoning about how a component component of the system will be annotated with interacts with its environment a contract, expressed in Contract Logic, which contains assumptions and guarantees • Functional Composition (Left); Temporal Composition (Center); and Resource • Code Generation: perform code synthesis to Composition (Right) enabled by the AADL connect components based on system Architectural Model and the contracts architecture 22
Distribution Statement A - Approved for Public Release, Distribution Unlimited
Technical Area 2 – Operating Systems
23
Distribution Statement A - Approved for Public Release, Distribution Unlimited
Princeton University - Technical Area 2 Performers: Princeton, Yale, and MIT
Goal: Build a vehicle-control operating system and prove it correct
Approach: • Provide an end-to-end guarantee of correctness down to (but not including) the hardware layer
• Proofs done in Coq
• Leverage existing artifacts (i.e., CertiKOS, CompCert, and VeriML) and techniques (i.e., adaptive proof scripts)
• Use the virtualization capability provided by CertiKOS to separate trusted from untrusted components; when a component is proven correct, it can move to the trusted side
• Approach to automation is to use expressive but domain-specific languages
• Compositional Integration of Verified Components Source: HACMS Princeton Proposal
24
Distribution Statement A - Approved for Public Release, Distribution Unlimited
Rockwell Collins - Technical Area 2 Performer: NICTA
OS Microkernel User-level OS Components on Top of Kernel • Extend and build on NICTA's seL4 microkernel • Automatically synthesize for processors with device drivers memory protection units Applica�ons • New synthesis techniques for file systems • Use NICTA’s verified real time OS (RTOS) components for processors File System • Automatically generate without a memory proofs for the generated protection unit Drivers code IP Stack • In absence of a memory • Analyze, formalize, and verify protection unit, RTOS the internal network protocol components need to make used on the CAN bus of the OS Microkernel assumptions on the user- system level code they manage
• Provide verified synthesized • Propose to discharge these ADL component glue code assumptions automatically Hardware with sound static analysis (i.e., Goanna tool) • WCET system analysis
25
Distribution Statement A - Approved for Public Release, Distribution Unlimited
Kestrel Institute - Technical Area 2
Goal: Formally specify the network protocols in the Linux Kernel and derive a correct-by-construction implementation of these protocols
Approach: • Synthesize protocols as a composition of micro-protocols
• Utilize Specware's library of program transformations
• Expand the transformation library in order to automate the synthesis process
• High-level specifications are refined to low- level implementations, leaving a “trail of bread crumbs” to guide a verifier in checking the correctness and security of the implementation of the specification
• Leverage work from DARPA’s CRASH program to handle issues of time and resource constraints in synthesis
Source: http://skogberg.eu/ia/protstack.php 26
Distribution Statement A - Approved for Public Release, Distribution Unlimited
SRI International - Technical Area 2 Performers: SRI and UIUC
GOAL: Revolutionize program synthesis by extending SMT solvers to be Exists-Forall SMT (EF-SMT) solvers
Approach: • Develop an innovative new class of solvers, called EF-SMT solvers
• Develop specification methods and high-level automation for synthesis that exploits EF-SMT solvers
• Apply EF-SMT technology to the synthesis of effective formal monitors and wrappers that guarantee system properties by runtime verification (work done by UIUC)
• Apply methods to time management Source: HACMS SRI Proposal
27
Distribution Statement A - Approved for Public Release, Distribution Unlimited
Technical Area 3 – Control Systems
28
Distribution Statement A - Approved for Public Release, Distribution Unlimited
Carnegie Mellon University (CMU) - Technical Area 3 Performers: CMU, Drexel University, SpiralGen, and UIUC
Goal: Develop High Assurance SPIRAL, a scalable methodology to translate a high level specification of a high assurance controller into a highly resource-efficient, platform-adapted, verified control software implementation for a given platform Key Technology • Hybrid Control Operator Language (HCOL) that captures vehicle physics as well as a variety of constraints and goals • Synthesizer that support verified translation of HCOL programs into verifiable C code • Provide security through diversity: generate multiple implementation variants from the same specification
Key Challenges • Definition of the HCOL needs to be extensible and flexible
Source: HACMS CMU Proposal • Synthesis system needs to co-synthesize proofs with implementations Impact: Abolish hand-coding for the • Deployment of synthesized libraries into real supported class of control systems systems • Usability for experts and non-experts 29
Distribution Statement A - Approved for Public Release, Distribution Unlimited
University of Pennsylvania - Technical Area 3 Performers: U. of Penn and UCLA
Goal: Develop tools and techniques to ensure that a vehicle or systems of vehicles maintain a degree of control even when the system is under cyber attack
Proposed Work • Combine control-level techniques and code-level techniques • Introduce redundancy and self- awareness into the control loop • Extend work on detecting sensor and actuator attacks on linear models to non-linear models • Develop tools to disambiguate sensor or actuator noise from an actual attack
Source: HACMS U. Penn Proposal • Develop tools that theoretically Products determine what fraction of input • Toolkits for the development of hybrid controllers and can be compromised while secure state estimators maintaining the ability to detect an attack • Secure code generator for control tasks expressed in • Synthesize control systems that relevant languages are robust with respect to an • Secure AADL runtime for ROS middleware attacker manipulating control system parameters
30
Distribution Statement A - Approved for Public Release, Distribution Unlimited
Rockwell Collins - Technical Area 3 Performers: Galois
Embedded Domain Run-time Assurance Architecture Specific Languages (EDSLs)
Source: HACMS Rockwell Collins Proposal
• Goal: Synthesize high-assurance control components Source: HACMS Rockwell Collins Proposal using EDSLs • EDSL: a DSL hosted within a general-purpose • Control-flow integrity (CFI): monitor programming language the execution integrity of platform software components • EDSLs describe different components of a full control system • Evolvable static formal verification: properties or components that are not • Integrated code generation and verification: statically verified can be monitored at verify component contracts at the EDSL source level and at the level of C code generated from EDSL runtime • Build complete Ardupilot software using collection of • Monitor security attacks on controllers EDSLs (i.e., maliciously modifying sensor inputs) • Challenges: controlling code efficiency; portability; • Simplex verification: formally verify the EDSL integration; and scaling up design of the monitor and backup controller, and its architecture 31
Distribution Statement A - Approved for Public Release, Distribution Unlimited
SRI International - Technical Area 3
Source: HACMS SRI Proposal
Synthetic Sensors Synthesis of controllers Constructions of bus guardians and monitors • Fuse all available • Hybrid systems information using interval • Defend against fuzzing attacks • Synthesize assume representations rather than • Detect DoS attacks on vehicle point estimates for sensor guarantee pair for verifying that the system stays networks values within a safety envelop • Construct a profile of normal • Incorporate the laws of • Leverage HybridSAL-X, behavior and then produce a physics in determining monitor that ensures traffic whether the system is stays within the normal profile under attack 32
Distribution Statement A - Approved for Public Release, Distribution Unlimited
Integration Teams
Rockwell Collins Team SRI Team Focus: Air Vehicles Focus: Ground Vehicles
Boeing ULB ArduCopter American Built Car LandShark
Source: HACMS Rockwell Collins Proposal Source: http://code.google.com/p/arducopter/ wiki/ArduCopter_Quad Source: HACMS HRL Proposal Source: http://www.blackirobotics.com/
Team Members: Team Members: • Boeing (TA1) • HRL/GM (TA1) • NICTA (TA2) • Princeton/Yale/MIT (TA2) • Kestrel (TA2) • SRI/UIUC (TA2) • Galois (TA3) • CMU/Drexel/SpiralGen/UIUC (TA3) • Rockwell Collins (TA4) • U. of Pennsylvania/UCLA (TA3) • SRI (TA3 and TA4) • U. of Minnesota (TA4)
• If other HACMS performers want to work on • If other HACMS performers want to work on these platforms, please let us know these platforms, please let us know 33
Distribution Statement A - Approved for Public Release, Distribution Unlimited