Investigation on AUTOSAR-Compliant Solutions for Many-Core Architectures

As of today, AUTOSAR is the de facto standard in the automotive industry, providing a common software architec- ture and development process for automotive applications. While this standard is originally written for singlecore operated Elec- tronic Control Units (ECU), new guidelines and recommendations have been added recently to provide support for multicore archi- tectures. This update came as a response to the steady increase of the number and complexity of the software functions embedded in modern vehicles, which call for the computing power of multicore execution environments. In this paper, we enumerate and analyze the design options and the challenges of porting AUTOSAR-based automotive applications onto multicore platforms. In particular, we investigate those options when considering the emerging many- core architectures that provide a more scalable environment than the traditional multicore systems. Such platforms are suitable to enable massive parallel execution, and their design is more suitable for partitioning and isolating the software components.Euromicro Conference on Digital System Design (DSD 2015), Funchal, Portugal

Introducing Multi-Core at Automotive Engine Systems

International audienceWith the introduction of the new Euro 6, and Euro 7 emission standards for passenger cars, the combustion process of Engine Management Systems (EMS) needs to be controlled with an increased precision.In addition, new vehicle architectures are introduced (increased integration of functions inside an Engine Management System), as well as new SW architectures concepts like AUTOSAR or the support of ISO26262

Minimizing stack and communication memory usage in real-time embedded applications

In the development of real-time embedded applications, especially those on systems-on-chip, an efficient use of RAM memory is as important as the effective scheduling of the computation resources. The protection of communication and state variables accessed by concurrent tasks must provide real-time schedulability guarantees while using the least amount of memory. Several schemes, including preemption thresholds, have been developed to improve schedulability and save stack space by selectively disabling preemption. However, the design synthesis problem is still open. In this article, we target the assignment of the scheduling parameters to minimize memory usage for systems of practical interest, including designs compliant with automotive standards. We propose algorithms either proven optimal or shown to improve on randomized optimization methods like simulated annealing.</jats:p

Leveraging virtualization technologies for resource partitioning in mixed criticality systems

Multi- and many-core processors are becoming increasingly popular in embedded systems. Many of these processors now feature hardware virtualization capabilities, such as the ARM Cortex A15, and x86 processors with Intel VT-x or AMD-V support. Hardware virtualization offers opportunities to partition physical resources, including processor cores, memory and I/O devices amongst guest virtual machines. Mixed criticality systems and services can then co-exist on the same platform in separate virtual machines. However, traditional virtual machine systems are too expensive because of the costs of trapping into hypervisors to multiplex and manage machine physical resources on behalf of separate guests. For example, hypervisors are needed to schedule separate VMs on physical processor cores. Additionally, traditional hypervisors have memory footprints that are often too large for many embedded computing systems. This dissertation presents the design of the Quest-V separation kernel, which partitions services of different criticality levels across separate virtual machines, or sandboxes. Each sandbox encapsulates a subset of machine physical resources that it manages without requiring intervention of a hypervisor. In Quest-V, a hypervisor is not needed for normal operation, except to bootstrap the system and establish communication channels between sandboxes. This approach not only reduces the memory footprint of the most privileged protection domain, it removes it from the control path during normal system operation, thereby heightening security

Model Based Automotive System Design: A Power Window Controller Case Study

Modern day vehicles come equipped with a large number of sensors, actuators and ECU’s with sophisticated control algorithms, which requires engineering activities from various disciplines. An automotive system is developed in various stages with multiple stakeholders involved at each stage. Each stakeholder provides a distinct view point on system representation, which makes it challenging to bridge the gaps in developing a holistic understanding of the system functionality. The safety critical nature of automotive systems induces timing and dependability concerns that must be addressed at all stages. Furthermore, the relatively long development life-cycle of automotive systems makes it imperative to have a clear strategy for long term evolution. To deal with these challenges, model based techniques are applied in the industry for automotive systems development. System engineers use a suitable architecture description language (ADL) to represent the system architecture at several levels of abstraction. A number of system architecture description and software architecture standards have been developed in the automotive industry to streamline the development process. However, most of these standards are elaborate and need a fair amount of understanding before they can be applied. In this work, we explore the application of existing system architecture description and software architecture standards. Our main contribution is a Power Window Controller (PWC) system demonstrator that illustrates the methodology described by EAST-ADL and AUTOSAR. Through this case study, we intend to highlight the key aspects and gaps in the application of EAST-ADL & AUTOSAR. Starting from features and requirements, we have analyzed the impact of architectural decisions at each stage of automotive system development. We also performed Design verification, timing analysis & dependability analysis to ensure correctness of the system. Lastly, considerations regarding variability have been discussed to support evolution

Securing Safety Critical Automotive Systems

In recent years, several attacks were successfully demonstrated against automotive safety systems. The advancement towards driver assistance, autonomous driving, and rich connectivity make it impossible for automakers to ignore security. However, automotive systems face several unique challenges that make security adoption a rather slow and painful process. Challenges with safety and security co-engineering, the inertia of legacy software, real-time processing, and memory constraints, along with resistance to costly security countermeasures, are all factors that must be considered when proposing security solutions for automotive systems. In this work, we aim to address those challenges by answering the next questions. What is the right safety security co-engineering approach that would be suitable for automotive safety systems? Does AUTOSAR, the most popular automotive software platform, contain security gaps and how can they be addressed? Can an embedded HSM be leveraged as a security monitor to stop common attacks and maintain system safety? When an attack is detected, what is the proper response that harmonizes the security reaction with the safety constraints? And finally, can trust be established in a safety-critical system without violating its strict startup timing requirements? We start with a qualitative analysis of the safety and security co-engineering problem to derive the safety-driven approach to security. We then apply the approach to the AUTOSAR classic platform to uncover security gaps. Using a real automotive hardware environment, we construct security attacks against AUTOSAR and evaluate countermeasures. We then propose an HSM based security monitoring system and apply it against the popular CAN masquerading attack. Finally, we turn to the trust establishment problem in constrained devices and offer an accelerated secure boot method to improve the availability time by several factors. Overall, the security techniques and countermeasures presented in this work improve the security resilience of safety-critical automotive systems to enable future technologies that require strong security foundations. Our methods and proposed solutions can be adopted by other types of Cyber-Physical Systems that are concerned with securing safety.Ph.D.College of Engineering & Computer ScienceUniversity of Michigan-Dearbornhttps://deepblue.lib.umich.edu/bitstream/2027.42/152321/1/Ahmad Nasser Final Thesis (1).pdfDescription of Ahmad Nasser Final Thesis (1).pdf : Dissertatio

From Safety Analysis to Experimental Validation by Fault Injection—Case of Automotive Embedded Systems

En raison de la complexité croissante des systèmes automobiles embarqués, la sûreté de fonctionnement est devenue un enjeu majeur de l’industrie automobile. Cet intérêt croissant s’est traduit par la sortie en 2011 de la norme ISO 26262 sur la sécurité fonctionnelle. Les défis auxquelles sont confrontés les acteurs du domaine sont donc les suivants : d’une part, la conception de systèmes sûrs, et d’autre part, la conformité aux exigences de la norme ISO 26262. Notre approche se base sur l’application systématique de l’injection de fautes pour la vérification et la validation des exigences de sécurité, tout au long du cycle de développement, des phases de conception jusqu’à l’implémentation. L’injection de fautes nous permet en particulier de vérifier que les mécanismes de tolérance aux fautes sont efficaces et que les exigences non-fonctionnelles sont respectées. L’injection de faute est une technique de vérification très ancienne. Cependant, son rôle lors de la phase de conception et ses complémentarités avec la validation expérimentale, méritent d’être étudiés. Notre approche s’appuie sur l’application du modèle FARM (Fautes, Activations, Relevés et Mesures) tout au long du processus de développement. Les analyses de sûreté sont le point de départ de notre approche, avec l'identification des mécanismes de tolérance aux fautes et des exigences non-fonctionnelles, et se terminent par la validation de ces mécanismes par les expériences classiques d'injection de fautes. Enfin, nous montrons que notre approche peut être intégrée dans le processus de développement des systèmes embarqués automobiles décrits dans la norme ISO 26262. Les contributions de la thèse sont illustrées sur l’étude de cas d’un système d’éclairage avant d’une automobile. ABSTRACT : Due to the rising complexity of automotive Electric/Electronic embedded systems, Functional Safety becomes a main issue in the automotive industry. This issue has been formalized by the introduction of the ISO 26262 standard for functional safety in 2011. The challenges are, on the one hand to design safe systems based on a systematic verification and validation approach, and on the other hand, the fulfilment of the requirements of the ISO 26262 standard. Following ISO 26262 recommendations, our approach, based on fault injection, aims at verifying fault tolerance mechanisms and non-functional requirements at all steps of the development cycle, from early design phases down to implementation. Fault injection is a verification technique that has been investigated for a long time. However, the role of fault injection during design phase and its complementarities with the experimental validation of the target have not been explored. In this work, we investigate a fault injection continuum, from system design validation to experiments on implemented targets. The proposed approach considers the safety analyses as a starting point, with the identification of safety mechanisms and safety requirements, and goes down to the validation of the implementation of safety mechanisms through fault injection experiments. The whole approach is based on a key fault injection framework, called FARM (Fault, Activation, Readouts and Measures). We show that this approach can be integrated in the development process of the automotive embedded systems described in the ISO 26262 standard. Our approach is illustrated on an automotive case study: a Front-Light system