
    MISRA C, for Security's Sake!

    A third of United States new cellular subscriptions in Q1 2016 were for cars. There are now more than 112 million vehicles connected around the world. The percentage of new cars shipped with Internet connectivity is expected to rise from 13% in 2015 to 75% in 2020, and 98% of all vehicles will likely be connected by 2025. Moreover, the news continuously reports on "white hat" hackers intruding on car software. For these reasons, security concerns in automotive and other industries have skyrocketed. MISRA C, which is widely respected as a safety-related coding standard, is equally applicable as a security-related coding standard. In this presentation, we will show that security-critical and safety-critical software have the same requirements. We will then introduce the new documents MISRA C:2012 Amendment 1 (Additional security guidelines for MISRA C:2012) and MISRA C:2012 Addendum 2 (Coverage of MISRA C:2012 against ISO/IEC TS 17961:2013 "C Secure Coding Rules"). We will illustrate the relationship between MISRA C, CERT C and ISO/IEC TS 17961, with a particular focus on the objective of preventing security vulnerabilities (and of course safety hazards) as opposed to trying to eradicate them once they have been inserted in the code. Comment: 4 pages, 2 tables, presented at the "14th Workshop on Automotive Software & Systems", Milan, November 10, 201

    Embedded Program Annotations for WCET Analysis

    We present __builtin_ais_annot(), a user-friendly, versatile way to transfer annotations (also known as flow facts) written on the source code level to the machine code level. To do so, we couple two tools often used during the development of safety-critical hard real-time systems, the formally verified C compiler CompCert and the static WCET analyzer aiT. CompCert stores the AIS annotations given via __builtin_ais_annot() in a special section of the ELF binary, which can later be extracted automatically by aiT.

    Safe programming Languages for ABB Automation System 800xA

    More than 90% of all computers are embedded in different types of systems, for example mobile phones and industrial robots. Some of these systems are real-time systems; they have to produce their output within certain time constraints. They can also be safety critical; if something goes wrong, there is a risk that a great deal of damage is caused. Industrial Extended Automation System 800xA, developed by ABB, is a real-time control system intended for industrial use within a wide variety of applications where a certain focus on safety is required, for example power plants and oil platforms. The software is currently written in C and C++, languages that are not optimal from a safety point of view. In this master's thesis, it is investigated whether there are any plausible alternatives to using C/C++ for safety-critical real-time systems. A number of requirements that programming languages used in this area have to fulfill are stated, and it is evaluated whether some candidate languages fulfill these requirements. The candidate languages, Java and Ada, are compared to C and C++. It is determined that the Java-to-C compiler LJRT (Lund Java-based Real Time) is a suitable alternative. The practical part of this thesis is concerned with the introduction of Java in 800xA. A module of the system is ported to Java and executed together with the original C/C++ solution. The functionality of the system is tested using a formal test suite, and the performance and memory footprint of our solution are measured. The results show that it is possible to gradually introduce Java in 800xA using LJRT, which is the main contribution of this thesis.

    Multi-fragmental and Multi-phase Availability Models of the Safety-critical I&C Systems with Two-cascade Redundancy

    Traditional availability, reliability, and safety models face the dimension problem due to the huge number of components in modern systems, motivating further research in this field. This paper focuses on multi-fragmental and multi-phase models for availability and functional safety assessment of information and control (I&C) systems with two-cascade redundancy, considering the manifestation of design faults during operation. The methodology of the research is based on Markov and semi-Markov chains with the utilization of multi-phase modeling. Several multi-phase models are developed and investigated considering different conditions of operation and failures caused by version faults. The case study of the research is based on the analysis of safety-critical nuclear power plant I&C systems such as the reactor trip systems developed using the programmable platform RadICS.

    Safety-Critical Communication in Avionics

    The aircraft of today use electrical fly-by-wire systems for manoeuvring. These safety-critical distributed systems are called flight control systems and put high requirements on the communication networks that interconnect the parts of the systems. Reliability, predictability, flexibility, low weight and cost are important factors that all need to be taken into consideration when designing a safety-critical communication system. In this thesis, certification issues, requirements in avionics, fault management, protocols and topologies for safety-critical communication systems in avionics are discussed and investigated. The protocols that are investigated in this thesis are TTP/C, FlexRay and AFDX; MIL-STD-1553 is used as a reference protocol. Analogue point-to-point is used as the reference architecture. The protocols are described and evaluated regarding features such as services, maturity, supported physical layers and topologies. Pros and cons of each protocol are then illustrated by a theoretical implementation of a flight control system that uses each protocol for the highly critical communication between sensors, actuators and flight computers. The results show that from a theoretical point of view TTP/C could be used as a replacement for a point-to-point flight control system. However, there are a number of issues regarding the physical layer that need to be examined. Finally, a TTP/C cluster has been implemented and basic functionality tests have been conducted. The plan was to perform tests on delays, start-up time and reintegration time, but the time to acquire the proper hardware for these tests exceeded the time for the thesis work. More advanced testing will be continued here at Saab beyond the time frame of this thesis.

    Phytoremediation opportunities with alimurgic species in metal-contaminated environments

    Alimurgic species are edible wild plants growing spontaneously as invasive weeds in natural grassland and farmed fields. Growing interest in biodiversity conservation projects suggests deeper study of the multifunctional roles they can play in metal uptake for phytoremediation and their food safety when cultivated in polluted land. In this study, the responses of the tap-rooted perennial species Cichorium intybus L., Sonchus oleraceus L., Taraxacum officinale Web., Tragopogon porrifolius L. and Rumex acetosa L. were studied in artificially highly Cd-Co-Cu-Pb-Zn-contaminated soil in a pot-scale trial, and those of T. officinale and R. acetosa in critical open environments (i.e., landfill, ditch sediments, and sides of highly-trafficked roads). Germination was not inhibited, and all species showed appreciable growth, despite considerable increases in tissue metal rates. Substantial growth impairments were observed in C. intybus, T. officinale and T. porrifolius; R. acetosa and S. oleraceus were only marginally affected. Zn was generally well translocated and reached a high leaf concentration, especially in T. officinale (~600 mg/kg dry weight, DW), a result which can be exploited for phytoremediation purposes. The elevated Cd translocation also suggested applications to phytoextraction, particularly with C. intybus, in which leaf Cd reached ~16 mg/kg DW. The generally high root retention of Pb and Cu may allow their phytostabilisation in the medium term in no-tillage systems, together with significant reductions in metal leaching compared with bare soil. In open systems, critical soil Pb and Zn were associated with heavily trafficked roadsides, although this was only seldom reflected in shoot metal accumulation. It is concluded that a community of alimurgic species can serve to establish an efficient, long-lasting vegetation cover applied for phytoremediation and reduction of soil metal movements in degraded environments. However, their food use is not recommended, since leaf Cd and Pb may exceed EU safety thresholds.

    The MISRA C Coding Standard and its Role in the Development and Analysis of Safety- and Security-Critical Embedded Software

    The MISRA project started in 1990 with the mission of providing world-leading best practice guidelines for the safe and secure application of both embedded control systems and standalone software. MISRA C is a coding standard defining a subset of the C language, initially targeted at the automotive sector but now adopted across all industry sectors that develop C software in safety- and/or security-critical contexts. In this paper, we introduce MISRA C, its role in the development of critical software, especially in embedded systems, its relevance to industry safety standards, as well as the challenges of working with a general-purpose programming language standard that is written in natural language with a slow evolution over the last 40+ years. We also outline the role of static analysis in the automatic checking of compliance with respect to MISRA C, and the role of the MISRA C language subset in enabling a wider application of formal methods to industrial software written in C. Comment: 19 pages, 1 figure, 2 table

    Increasing dependability in Safety Critical CPSs using Reflective Statecharts

    Dependability is crucial in Safety Critical Cyber Physical Systems (CPS). In spite of the research carried out in recent years, implementation and certification of such systems remain costly and time consuming. In this paper, a framework for Statechart-based SW component development is presented. This framework, called CRESC (C++ REflective StateCharts), in addition to assisting in transforming a Statechart model to code, uses reflection to make the model available at run time. Thus, the SW components can be monitored at run time in terms of model elements. Our framework helps the developer separate monitoring from functionality. Any monitoring strategy needed to increase dependability can be added independently from the functional part. The framework was implemented in C++ because this programming language, together with the Statechart formalism, constitutes a widely used choice for the Safety Critical CPS domain.