Patents by Inventor David S. Hardin

David S. Hardin has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 10955843
    Abstract: An autonomous vehicle system includes one or more output devices, one or more input sources, and a controller. In some embodiments, a verified inference engine is used by the controller to generate outputs for the output devices from inputs received from the input sources. The inference engine may be verified to be mathematically correct with an automated theorem proving tool. The automated theorem proving tool may verify that the inference engine meets the design requirements of standards such as DO-178C Level A and/or EAL-7. The controller is configured to validate the inputs received from the input sources, store the validated inputs in a fact base, generate outputs from the validated inputs, validate the one or more outputs, and provide the one or more validated outputs to the output devices.
    Type: Grant
    Filed: July 30, 2018
    Date of Patent: March 23, 2021
    Assignee: Rockwell Collins, Inc.
    Inventor: David S. Hardin
  • Patent number: 10558209
    Abstract: A system for controlling the flight of aircraft includes an aircraft operated by a human pilot, one or more optionally piloted aircraft controlled by a processor, and a communication link between the aircraft. The optionally piloted aircraft receives data indicative of the position and flight path of the piloted aircraft, and is automatically controlled to maintain a predetermined range of separation distances from the piloted aircraft. Control of the optionally piloted aircraft may include machine reasoning computing functions based on a classification of data received by the communication link, data indicative of the current positions and three-dimensional flight paths of the aircraft, stored data from previously calculated positions and three-dimensional flight paths of the aircraft, and stored data from previously executed flight plans associated with the optionally piloted aircraft.
    Type: Grant
    Filed: June 13, 2017
    Date of Patent: February 11, 2020
    Assignee: Rockwell Collins, Inc.
    Inventors: David S. Hardin, Jennifer A. Davis, Jing Liu, James A. Marek, Ryan P. Littler
  • Patent number: 10454968
    Abstract: Testing a system against fuzzing attacks includes negating all regular expressions used in the corresponding language, and applying those negated regular expressions to a system interface. Only expressions definitively outside the scope of protocol specification implicate vulnerabilities to fuzzing attacks. The system detects fuzzing attacks by continuously monitoring packets of data and only passing through packets that conform to regular expressions of the language.
    Type: Grant
    Filed: September 12, 2016
    Date of Patent: October 22, 2019
    Assignee: Rockwell Collins, Inc.
    Inventors: Mark A. Bortz, David S. Hardin, James N. Potts, Konrad L. Slind
  • Patent number: 10095230
    Abstract: An autonomous vehicle system includes one or more output devices, one or more input sources, and a controller. In some embodiments, a verified inference engine is used by the controller to generate outputs for the output devices from inputs received from the input sources. The inference engine may be verified to be mathematically correct with an automated theorem proving tool. The automated theorem proving tool may verify that the inference engine meets the design requirements of standards such as DO-178C Level A and/or EAL-7. The controller is configured to validate the inputs received from the input sources, store the validated inputs in a fact base, generate outputs from the validated inputs, validate the one or more outputs, and provide the one or more validated outputs to the output devices.
    Type: Grant
    Filed: September 13, 2016
    Date of Patent: October 9, 2018
    Assignee: Rockwell Collins, Inc.
    Inventor: David S. Hardin
  • Patent number: 8881260
    Abstract: Cross-Domain guard with authentication and authorization function used to protect data transferred between two separate and secure networks. The guard utilizes an existing audit port to provide the capability to augment or replace data-forwarding decisions, which were previously being based solely on whether the data is in a well-formed packet. The authentication and authorization may be resident in a partition, a side car processor or a separate network.
    Type: Grant
    Filed: September 29, 2010
    Date of Patent: November 4, 2014
    Assignee: Rockwell Collins, Inc.
    Inventors: David S. Hardin, Raymond J. Richards, Matthew M. Wilding
  • Patent number: 8161529
    Abstract: The present invention is directed to routing information between networks of differing security level. Communication to/from each network is handled by a dedicated Offload Engine (OE). Each OE interfaces to a Guard Engine through a Guard Data Mover (GDM) and includes an interface for connecting to an external network. A first OE receives a data packet from a first network intended to be transmitted to a second network. The Guard Engine analyzes the data packet. The Guard Engine includes an ACL (Access Control List), which is a set of rules data packets must meet before being passed on to a destination network. If allowed, the Guard Engine delivers the data packet to the second network via a second OE utilizing a GDM associated with the first OE and a GDM associated with the second OE. The architecture of the present invention reduces the time and effort needed to attain high-assurance certification.
    Type: Grant
    Filed: June 19, 2007
    Date of Patent: April 17, 2012
    Assignee: Rockwell Collins, Inc.
    Inventors: Mark A. Bortz, Matthew M. Wilding, James A. Marek, David S. Hardin, T. Douglas Hiratzka, Philippe M. T. Limondin
  • Patent number: 8041554
    Abstract: The present invention is a methodology for developing high-assurance microcode. The method may comprise one or more of the following steps: (a) receiving a plurality of requirements detailing intended behavior of microcode; (b) creating a model of microcode behavior; (c) generating microcode based on the model; (d) generating test cases based on the model; (e) simulating the behavior of the microcode; (f) translating the model into a verification tool-specific format; and (g) formally verifying the model using a verification tool.
    Type: Grant
    Filed: June 6, 2007
    Date of Patent: October 18, 2011
    Assignee: Rockwell Collins, Inc.
    Inventors: Philippe M. T. Limondin, T. Douglas Hiratzka, Michael W. Whalen, David S. Hardin
  • Patent number: 7734933
    Abstract: The present invention is directed to a system for providing a trusted environment for untrusted computing systems. The system may include a HAC subsystem managing shared resources and a trusted bus switch for controlling a COTS processor to access the shared resources. The shared resources such as memory and several I/O resources reside on the trusted side of the trusted bus switch. Alternatively, the system may include a SCM as an add-on module to an untrusted host environment. Only authenticated applications including COTS OS execute on the SCM while untrusted applications execute on the untrusted host environment. The SCM may control secure resource access from the untrusted host through a plug-in module interface. All secure resources may be maintained on the trusted side of the plug-in module interface.
    Type: Grant
    Filed: June 17, 2005
    Date of Patent: June 8, 2010
    Assignee: Rockwell Collins, Inc.
    Inventors: James A. Marek, David S. Hardin, Raymond A. Kamin, III, Steven E. Koenck, Allen P. Mass
  • Patent number: 7716720
    Abstract: The present invention is directed to a system for providing a trusted environment for untrusted computing systems. The system may include a HAC subsystem managing shared resources and a trusted bus switch for controlling a COTS processor to access the shared resources. The shared resources such as memory and several I/O resources reside on the trusted side of the trusted bus switch. Alternatively, the system may include a SCM as an add-on module to an untrusted host environment. Only authenticated applications including COTS OS execute on the SCM while untrusted applications execute on the untrusted host environment. The SCM may control secure resource access from the untrusted host through a plug-in module interface. All secure resources may be maintained on the trusted side of the plug-in module interface.
    Type: Grant
    Filed: June 17, 2005
    Date of Patent: May 11, 2010
    Assignee: Rockwell Collins, Inc.
    Inventors: James A. Marek, David S. Hardin, Raymond A. Kamin, III, Steven E. Koenck, Allen P. Mass
  • Patent number: 7606254
    Abstract: The present invention is a method for providing a high-assurance guard in a partitioned processing system, the partitioned processing system including a first input/output partition, a guard function partition and a second input/output partition, the method including the steps of: receiving a data packet from the first input/output partition of the partitioned processing system via a first I/O interface; determining if the data packet is well-formed as defined by an interface control document; and forwarding the data packet to the second input/output partition of the partitioned processing system and to a second I/O interface only when the data packet is well-formed.
    Type: Grant
    Filed: March 2, 2006
    Date of Patent: October 20, 2009
    Assignee: Rockwell Collins, Inc.
    Inventors: David S. Hardin, David A. Greve, Sung J. Kim, Matthew M. Wilding
  • Patent number: 7171501
    Abstract: An invention is provided for asynchronous transfer of control. An asynchronous interrupt exception is received, and in response, the value of a reference counter is determined. The value of the reference counter is based on the execution of synchronized code. Generally, the reference counter is initialized to a predetermined number, and altered based on the execution of synchronized code. When the asynchronous interrupt exception is received, the method is asynchronously interrupted when the value of the reference counter is equal to the predetermined number.
    Type: Grant
    Filed: October 23, 2002
    Date of Patent: January 30, 2007
    Assignee: Sun Microsystems, Inc.
    Inventors: Gregory Bollella, Benjamin M. Brosgol, Scott D. Robbins, David S. Hardin, Peter Dibble
  • Patent number: 7146602
    Abstract: A method and apparatus including an overview component depicting a plurality of virtual machines on a display of a computerized system. Parameter details of at least one virtual machine are concurrently displayed with the overview component. The method steps include receiving the compiled source code for two applications, creating two relocatable virtual machines to run the compiled source codes, determining the parameters for the multiple virtual machine environment, locating the two relocatable virtual machines and generating a target executable file for the environment.
    Type: Grant
    Filed: March 9, 2001
    Date of Patent: December 5, 2006
    Assignee: aJile Systems, Inc.
    Inventors: Michael J. Frerking, David S. Hardin, Nick M. Mykris, Philip J. Wiley
  • Patent number: 7114163
    Abstract: A component model for use in a time sensitive embedded application. The system includes an event-generating software component that can generate an event notification in response to an event. It also includes a listener software component that can receive an event notification. Further, it includes an event transmission object that can facilitate transmission of an event notification from an event-generating software component to a listener software component. The event transmission object passes a primitive data type parameter that conveys data describing an event generated by said event-generating software component to a listener software component.
    Type: Grant
    Filed: March 7, 2002
    Date of Patent: September 26, 2006
    Inventors: David S. Hardin, Michael J. Frerking, Philip J. Wiley
  • Publication number: 20030140086
    Abstract: An invention is provided for asynchronous transfer of control. An asynchronous interrupt exception is received, and in response, the value of a reference counter is determined. The value of the reference counter is based on the execution of synchronized code. Generally, the reference counter is initialized to a predetermined number, and altered based on the execution of synchronized code. When the asynchronous interrupt exception is received, the method is asynchronously interrupted when the value of the reference counter is equal to the predetermined number.
    Type: Application
    Filed: October 23, 2002
    Publication date: July 24, 2003
    Applicant: Sun Microsystems, Inc.
    Inventors: Gregory Bollella, Benjamin M. Brosgol, Scott D. Robbins, David S. Hardin, Peter Dibble
  • Publication number: 20030101440
    Abstract: An apparatus and method of running multiple concurrent virtual machines is disclosed. A memory component, a timer component, a multiple virtual machine control component, and a processor component can be included. The timer component can include a virtual machine activation period timer and a plurality of virtual machine dedicated timers. The processor component can process instructions of a virtual machine indicated to be the active virtual machine. The processor component can suspend processing instructions of a virtual machine when the virtual machine activation period timer causes the timer component to indicate a virtual machine switch. A memory protection component and process can also be included.
    Type: Application
    Filed: May 29, 2002
    Publication date: May 29, 2003
    Applicant: aJile Systems, Inc.
    Inventors: David S. Hardin, Allen P. Mass, Michael H. Masters, Nick M. Mykris
  • Publication number: 20030097537
    Abstract: An invention is provided for managing memory that includes a heap memory and scoped memory. The scoped memory is managed separately from the heap memory, and includes defining a scope tree structure having a root node and a plurality of child nodes. The child nodes are capable of having respective child nodes; however, each child node has only one parent node. Each child node corresponds to a scoped memory space that forms a logical memory pool corresponding to a particular scoped memory. During memory management, a thread is allowed to enter a particular child node only through the parent node of the particular child node. In this manner, a thread executing in a particular scoped memory space allocates memory from the scoped memory corresponding to the particular scoped memory space.
    Type: Application
    Filed: October 23, 2002
    Publication date: May 22, 2003
    Applicant: Sun Microsystems, Inc.
    Inventors: Gregory Bollella, Scott D. Robbins, David S. Hardin, Benjamin M. Brosgol, Peter Dibble, Pratik Solanki
  • Publication number: 20020165999
    Abstract: An apparatus for associating a hardware event with a software component event. The system includes a hardware interrupt signal input. It also includes a first-in-first-out data structure coupled with the hardware interrupt signal input. Further included is a dispatch thread component coupled with the first-in-first-out data structure. The dispatch thread component can output a software event.
    Type: Application
    Filed: March 7, 2002
    Publication date: November 7, 2002
    Applicant: aJile Systems, Inc.
    Inventors: David S. Hardin, Michael J. Frerking, Philip J. Wiley
  • Publication number: 20020163520
    Abstract: A component model for use in a time sensitive embedded application. The system includes an event-generating software component that can generate an event notification in response to an event. It also includes a listener software component that can receive an event notification. Further, it includes an event transmission object that can facilitate transmission of an event notification from an event-generating software component to a listener software component. The event transmission object passes a primitive data type parameter that conveys data describing an event generated by said event-generating software component to a listener software component.
    Type: Application
    Filed: March 7, 2002
    Publication date: November 7, 2002
    Applicant: aJile Systems, Inc.
    Inventors: David S. Hardin, Michael J. Frerking, Philip J. Wiley
  • Publication number: 20020161961
    Abstract: An interrupt management system for a multiple virtual machine environment is disclosed. In a system concurrently running a plurality of independent virtual machines, each virtual machine has associated therewith a plurality of anticipated interrupt signal types. A plurality of interrupt signals can be received in such a system. The interrupt signal having the highest priority is determined and that interrupt can be serviced.
    Type: Application
    Filed: December 14, 2001
    Publication date: October 31, 2002
    Applicant: aJile Systems, Inc.
    Inventors: David S. Hardin, Allen P. Mass, Michael H. Masters, Nick M. Mykris
  • Publication number: 20020099753
    Abstract: An improved system for concurrently running multiple virtual machines on a single processor. Each virtual machine being activated only during an assigned time slice or partition so as to isolate each of the concurrently running virtual machines from each other. The system having a power management mode and/or a partition reassignment mode. The power management feature placing the processor into a reduced power mode when a particular virtual machine has nothing to do during its assigned partition. In one embodiment, when an application has not been loaded into a given virtual machine, the processor is placed into a reduced power mode during the partition assigned to the given virtual machine. In one embodiment, the virtual machine is a JAVA Virtual Machine.
    Type: Application
    Filed: January 20, 2001
    Publication date: July 25, 2002
    Inventors: David S. Hardin, Danh Le Ngoc, Allen P. Mass, Michael H. Masters, Nick M. Mykris