5 research outputs found

    Novel Control Flow Checking Implementations for Automotive Software

    Safety-critical applications shall be implemented on highly dependable systems, and part of their reliability rests on checking that the software is executed correctly. Various techniques are available for this purpose, such as Control Flow Checking (CFC). Many CFC algorithms can be found in the literature, but their detection performance is assessed in theoretical scenarios, when implemented in Assembly language. The international standard on functional safety for automotive applications is ISO26262. It mandates development in high-level programming languages and the computation of the Diagnostic Coverage (DC). The DC measures the effectiveness of the chosen hardening method at detecting various Failure Modes (FMs). This paper discusses two alternative solutions, one software-only and the other involving customized hardware, for these concerns: (i) addressing the FMs affecting the computation units described by Table 30 of part 11 of ISO26262; (ii) guaranteeing Freedom From Interference between the hardening method and the monitored entity.

    Enhanced Compiler Technology for Software-based Hardware Fault Detection

    Software-Implemented Hardware Fault Tolerance (SIHFT) is a modern approach for tackling random hardware faults in dependable systems using software-only solutions. This work extends an automatic compiler-based SIHFT hardening tool called ASPIS, enhancing it with novel protection mechanisms and overhead-reduction techniques, and provides an extensive analysis of its compliance with the non-trivial workload of the open-source Real-Time Operating System FreeRTOS. A thorough experimental fault-injection campaign on an STM32 board shows that the system achieves remarkably high tolerance to single-event upsets, and a comparison between the SIHFT mechanisms implemented summarises the trade-off between the overhead introduced and the detection capabilities of the various solutions.

    Random Additive Control Flow Error Detection

    Today, embedded systems are used in many (safety-critical) applications. However, due to their decreasing feature size and supply voltage, such systems are more susceptible to external disturbances such as electromagnetic interference. These external disturbances can introduce bit-flips inside the microcontroller's hardware. In turn, these bit-flips may also corrupt the software. One possible software corruption is a control flow error. This paper proposes a new software-implemented control flow error detection technique. The advantage of our technique, called Random Additive Control Flow Error Detection, is a high detection ratio with a low execution time overhead. Most control flow errors are detected, while the execution time overhead is lower than that of the considered existing techniques.

    A New Approach to Selectively Implement Control Flow Error Detection Techniques

    Many software-implemented control flow error detection techniques have been proposed over the years. In an effort to reduce their overhead, recent research has focused on selective approaches. However, correctly applying these approaches can be difficult. This paper aims to address this concern and proposes a new approach. Our new approach is easier to implement and is applicable to any existing control flow error detection technique. To prove its validity, we apply our new approach to the Random Additive Control Flow Error Detection technique and perform fault injection experiments. The results show that the selective implementation has approximately the same error detection ratio with a decrease in execution time overhead.

    Advancing Control Flow Error Detection Techniques for Embedded Software using Automated Implementation and Fault Injection

    This thesis focuses on the selection and implementation of software-implemented countermeasures designed to detect control flow errors in embedded systems. A control flow error is an erroneous jump within an executing program induced by external disturbances. These disturbances, such as electromagnetic interference, can introduce bit-flips in different components of a system's hardware. In turn, these bit-flips affect the executing program by corrupting the execution order of instructions. This phenomenon is known as a control flow error and can cause the program to hang or to crash, possibly creating dangerous situations. An introduced bit-flip can also manifest itself as a data flow error, by corrupting data needed by the program. These are, however, out of scope for this research. By adding extra control variables and inserting update instructions that modify those control variables in the low-level code of the target program, software-implemented techniques are able to detect whether a control flow error has occurred. Since multiple options are possible to create this type of protection, numerous techniques have been proposed in the literature. With many options, and no guideline on how to select a technique, the following question arises: what is the best technique? To answer this question, solutions to the following problems had to be found: I) ease the implementation of the techniques in the low-level code of a target program; II) objectively characterize each technique; and III) develop a new and better technique. To solve the first problem, we developed a compiler extension. While it is possible to implement each of the selected techniques in the low-level code of a target program manually, this is arduous and error-prone. The compiler extension we developed solves these issues, as it is capable of automatically implementing the discussed techniques in low-level code.
    By simply adding a few extra parameters when compiling the target program, a control flow error detection technique can be added. This eliminates both the need to know the low-level language of the embedded system and the need to know about the internal operations and added functionality of the technique. Using the compiler extension thus saves time and effort. Next, we defined three criteria to objectively characterize each technique: 1) error detection ratio, 2) execution time overhead and 3) code size overhead. The error detection ratio indicates which percentage of control flow errors a technique detects. To measure this, we use fault injection experiments. Because there were no fault injection tools and no deterministic control flow error injection processes available, we developed our own software-implemented tool and processes. This tool can execute three different deterministic injection processes and supports multiple targets, both physical hardware targets and simulated targets. The execution time overhead indicates how much longer the protected program needs, compared to the unprotected program, in an error-free run. We measured this using an on-board hardware timer of the target embedded system. Finally, the third criterion, code size overhead, indicates how much more memory the protected program needs, compared to the unprotected program. This criterion is determined by measuring how much memory the compiled program needs. Using the developed tools and selected criteria, a comparative study between eight established control flow error detection techniques is presented in this thesis. By implementing the techniques for the same case studies, executing them on the same hardware, subjecting them to the same fault injection campaign and measuring their overhead with the same tools, an objective comparison was made.
    The study revealed that the technique called Control Flow Checking by Software Signatures is the best established technique to use so far, as it achieves a high error detection ratio while imposing a low overhead. The study also revealed that there was room for improvement. Using the collected data, we derived five guidelines to build an optimal control flow error detection technique. To demonstrate their validity, we developed a detection technique that complies with all five guidelines, called Random Additive Control Flow Error Detection, and submitted it to the same fault injection campaign as used during the aforementioned comparative study. These experiments revealed that our technique outperforms the selected state-of-the-art techniques. Our technique achieves a higher error detection ratio and imposes a lower overhead than the state-of-the-art techniques. This thesis concludes by presenting the application of the different research outputs on industrial case studies, such as a small-scale Industry 4.0 setup. These final experiments verify that the research can indeed be used in an industrial setting.