ArduPilot / ardupilot

ArduPlane, ArduCopter, ArduRover, ArduSub source
http://ardupilot.org/
GNU General Public License v3.0

EKF failsafe untriggered on high errors - Resulting in crash #24445

Open SudharssanMohan opened 1 year ago

SudharssanMohan commented 1 year ago

Issue details

Reporting the discovered instances in ArduCopter SITL execution where the Extended Kalman Filter does not trigger the failsafe landing, despite significant errors in the Copter's mission resulting from compromised accelerometer (cases 1 to 10) and gyroscope values (cases 11 to 20). The EKF undergoes multiple lane and core switches, and the drone crashes before completing the assigned mission. This was originally reported as individual bug reports, as each case had a different mission plan, different sensor values and different values injected to compromise the sensor. I am combining all of the reports into this single issue for the ease of the developers to respond to it. All files will be labeled from 1 to 20. Example error graphs from the cases below:

Case 3: Vel E

Case 5: roll error

Case 14: yaw_error

Case 18: roll_error

Version

ArduCopter V4.5.0-dev

Platform

[X] Copter [X] Ardupilot SITL simulation

Logs

Accelerometer

Attached are the telemetry logs of the mission, the BIN file for further log analysis, and the mission used in this execution.

logs_1.zip logs_2.zip logs_3.zip logs_4.zip logs_5.zip logs_6.zip logs_7.zip logs_8.zip logs_9.zip logs_10.zip

Gyroscope

logs_11.zip logs_12.zip logs_13.zip logs_14.zip logs_15.zip logs_16.zip logs_17.zip logs_18.zip logs_19.zip logs_20.zip

Accelerometer

Mission plan used: mission_1.txt mission_2.txt mission_3.txt mission_4.txt mission_5.txt mission_6.txt mission_7.txt mission_8.txt mission_9.txt mission_10.txt

Gyroscope

mission_11.txt mission_12.txt mission_13.txt mission_14.txt mission_15.txt mission_16.txt mission_17.txt mission_18.txt mission_19.txt mission_20.txt

Context

As part of my research in contributing towards making Ardupilot more resilient to sensor injection attacks, I have modified AP to inject malicious yet realistic (can be generated in the real world) accelerometer and gyroscope values and run different missions. Some executions (such as the one described in this report) successfully crash the drone without triggering the EKF3's failsafe emergency landing, which could lead to physically damaging the drone instead of minimizing the damage in a real attack scenario.

IamPete1 commented 1 year ago

Could these be combined into a single summary issue? I don't think having 10 similar issues really brings any value, these are now taking up over half of the first page of issues meaning we might miss more urgent problems.

SudharssanMohan commented 1 year ago

@IamPete1 @rmackay9 Thank you for your patience and sorry about that (should I close my other issues?). I have combined all my reports into this one single report. I am awaiting your response to see how this goes. As @rmackay9 previously commented in one of my initial reports, it seems like EKF3 is unable to handle situations like the ones I reported, resulting in direct crashes without any failsafe land to mitigate damages.

I am hoping to get some acknowledgement (maybe an explanation on this behavior down the line?) on this, as it is an active work in progress on my side it would help me further if I get some feedback.

SudharssanMohan commented 1 year ago

Hello @IamPete1 @rmackay9. I just have a follow-up question on this issue as I am actively working on it. The following is the EKF3 velocity innovations for the N, E and D axes for case no. 7. To my understanding, with high innovations and ample position and velocity errors, the failsafe should have triggered to minimize any damages to the drone. But no such thing happens and the drone deviates way off path before it ultimately crashes.

EKF3 Innovations N-axis velocity

This is just one case that I am pointing out as an example. But this question stands in all the above cases as to why EKF3 did not catch such significant errors in the system. Is it because EKF3 is not capable of detecting such errors when calibrated for normal flight as @rmackay9 previously pointed out?
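To make the innovation-based argument in the thread concrete, here is an added example (not ArduPilot's own ekf_check code and not the reporter's modified firmware): a simplified innovation-consistency monitor that normalises each N/E/D velocity innovation by its innovation standard deviation and declares failure only when the worst axis stays over a gate for a sustained number of samples, so a one-sample glitch is ignored while a growing bias like the one described is flagged. The gate, hold time, variances and innovation trace are constructed assumptions.

```python
from dataclasses import dataclass
from math import sqrt
from typing import List, Optional, Tuple

Vec3 = Tuple[float, float, float]


@dataclass
class InnovationMonitor:
    """Tracks how long the worst-axis normalised velocity innovation stays above a gate."""
    gate: float = 3.0        # hypothetical gate on |innovation| / sigma (a 3-sigma test)
    hold_samples: int = 10   # sustained bad samples before declaring failure (1 s at 10 Hz)
    count: int = 0
    failed: bool = False

    def update(self, innov: Vec3, var: Vec3) -> float:
        """Feed one N/E/D velocity innovation with its innovation variances.

        Returns the worst normalised innovation ratio and latches `failed`
        once the ratio has exceeded the gate for `hold_samples` in a row
        (a single spike only raises the counter by one and then decays)."""
        ratio = max(abs(i) / sqrt(v) for i, v in zip(innov, var))
        if ratio > self.gate:
            self.count = min(self.count + 1, self.hold_samples)
        else:
            self.count = max(self.count - 1, 0)  # decay so isolated glitches do not accumulate
        if self.count >= self.hold_samples:
            self.failed = True
        return ratio


def first_failure_sample(samples: List[Vec3], var: Vec3,
                         gate: float = 3.0, hold_samples: int = 10) -> Optional[int]:
    """Index of the sample at which the monitor first declares failure, or None."""
    mon = InnovationMonitor(gate, hold_samples)
    for idx, innov in enumerate(samples):
        mon.update(innov, var)
        if mon.failed:
            return idx
    return None


# Constructed 10 Hz innovation trace (m/s) for N, E, D; not taken from the issue's logs.
VAR: Vec3 = (0.25, 0.25, 0.25)                  # constructed variances -> sigma = 0.5 m/s
NOMINAL: List[Vec3] = [(0.1, -0.1, 0.05)] * 10  # healthy flight, ratio 0.2
SPIKE: List[Vec3] = [(4.0, 0.0, 0.0)]           # one-sample glitch, ratio 8, must not trigger
DRIFT: List[Vec3] = [(0.2 + 0.3 * k, 0.0, 0.0) for k in range(20)]  # growing N-axis bias
TRACE: List[Vec3] = NOMINAL + SPIKE + NOMINAL + DRIFT

if __name__ == "__main__":
    print("spike only:", first_failure_sample(TRACE[:21], VAR))   # None
    print("with drift:", first_failure_sample(TRACE, VAR))        # 35
```

The drift exceeds the gate from its sixth sample (|innov| > 1.5 m/s), so with a 10-sample hold the monitor latches at trace index 35, roughly 1 s after the bias becomes detectable.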