Publications

Featured research published by Andrea Höller.


Dependable Systems and Networks (DSN) | 2015

A Virtual Fault Injection Framework for Reliability-Aware Software Development

Andrea Höller; Georg Macher; Tobias Rauter; Johannes Iber; Christian Kreiner

More and more dependable embedded systems are built with commercial off-the-shelf (COTS) hardware components that are not intended for highly reliable applications. Consequently, software-based fault tolerance techniques have to maintain safe operation despite underlying hardware faults. To develop fault-tolerant software efficiently, fault injection is needed in early development stages. However, common fault injection approaches require manufactured products or detailed hardware models, so these techniques are typically not applicable if software and hardware providers are separate vendors. Additionally, the rise of third-party off-the-shelf (OTS) software components limits the means to inject faults. In this paper, we present a virtual fault injection framework that simulates fault models aligned with safety standards and supports OTS software components as well as widely used embedded processors such as ARM cores. Additionally, we show how to integrate the framework into various software development stages. Finally, we illustrate the practicability of the approach by exemplifying the integration of the framework in the development of an industrial safety-critical system.


International Conference on Computer Safety, Reliability, and Security (SAFECOMP) | 2014

A Combined Safety-Hazards and Security-Threat Analysis Method for Automotive Systems

Georg Macher; Andrea Höller; Harald Sporer; Eric Armengaud; Christian Kreiner

Safety and security appear to be two conflicting overall system features. Traditionally, these two features have been treated separately, but with increasing awareness of their mutual impact, cross-domain knowledge becomes more important. Due to the increasing interlacing of automotive systems with networks (such as Car2X), it is no longer acceptable to assume that safety-critical systems are immune to security risks and vice versa.


International Conference on Industrial Informatics (INDIN) | 2015

Automotive embedded software: Migration challenges to multi-core computing platforms

Georg Macher; Andrea Höller; Eric Armengaud; Christian Kreiner

The introduction of multi-core computing platforms aims at providing more computing resources and additional interfaces to answer the needs of new automotive control strategies with respect to computing performance and connectivity (e.g. connected vehicle, hybrid powertrains). At the same time, the parallel execution and the resulting resource and timing conflicts require a paradigm change for the embedded software. Consequently, efficient migration of legacy software to multi-core platforms, while guaranteeing at least the same level of integrity and performance as on single cores, is a significant challenge. The contributions of this paper are (1) to provide a state-of-practice survey on multi-core CPUs and operating systems for the automotive domain, and (2) based on this survey, to provide guidelines for the migration of legacy software. Finally, the related challenges and opportunities for the development of high-integrity control systems on multi-cores, as a platform for dependable systems, are discussed.


Design Automation Conference (DAC) | 2014

Hardware/Software Co-Design of Elliptic-Curve Cryptography for Resource-Constrained Applications

Andrea Höller; Norbert Druml; Christian Kreiner; Christian Steger; Tomaz Felicijan

ECC is an asymmetric cryptosystem that provides comparably high cryptographic strength in relation to the key sizes employed. This makes ECC attractive for resource-constrained systems. While pure hardware solutions usually offer good performance and low power consumption, they are inflexible and typically require a large area. Here, we show a flexible design approach using a 163-bit GF(2^m) elliptic curve and an 8-bit processor. We propose improvements to state-of-the-art software algorithms and present innovative hardware/software co-design variants. The proposed implementation is highly competitive in terms of performance and area.
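The arithmetic that such a co-design partitions between an 8-bit core and accelerator logic, written out as an added Python example (not the paper's code or its algorithmic improvements): bit-serial GF(2^163) multiplication with interleaved reduction, extended Euclidean inversion, half-trace point generation, and affine point addition, doubling and scalar multiplication on a non-supersingular binary curve. The reduction polynomial x^163 + x^7 + x^6 + x^3 + 1 and a = b = 1 are assumed to be those of the Koblitz curve sect163k1; the example only relies on them defining a valid binary curve, and the scalars used in the check are deliberately short so the pure-Python loops stay fast.

```python
"""Binary-field elliptic-curve arithmetic over GF(2^163), affine coordinates.

Added example, not the paper's implementation. Assumption: the reduction
polynomial and a = b = 1 below are the sect163k1 (Koblitz) parameters; the
code only needs them to define a valid non-supersingular binary curve.
"""

M = 163
REDUCTION = (1 << M) | (1 << 7) | (1 << 6) | (1 << 3) | 1  # x^163+x^7+x^6+x^3+1
A, B = 1, 1
INFINITY = None  # point at infinity


def gf_mul(a, b):
    """Shift-and-add multiplication with interleaved reduction: the bit-serial
    loop an 8-bit core spends most of its time in (a, b must be < 2^M)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> M:          # degree reached M: subtract (xor) the reduction polynomial
            a ^= REDUCTION
    return r


def gf_sqr(a):
    return gf_mul(a, a)


def gf_inv(a):
    """Extended Euclidean inversion in GF(2^m) (Hankerson et al., Alg. 2.48)."""
    assert a != 0, "zero has no inverse"
    u, v, g1, g2 = a, REDUCTION, 1, 0
    while u != 1:            # invariant: g1 * a == u and g2 * a == v (mod REDUCTION)
        j = u.bit_length() - v.bit_length()
        if j < 0:
            u, v, g1, g2, j = v, u, g2, g1, -j
        u ^= v << j
        g1 ^= g2 << j
    return g1


def gf_trace(a):
    """Tr(a) = a + a^2 + a^4 + ... + a^(2^(m-1)), always 0 or 1."""
    t = a
    for _ in range(M - 1):
        t = gf_sqr(t) ^ a
    return t


def gf_half_trace(a):
    """For odd m, returns z with z^2 + z == a whenever Tr(a) == 0."""
    h = a
    for _ in range((M - 1) // 2):
        h = gf_sqr(gf_sqr(h)) ^ a
    return h


def on_curve(p):
    """Checks y^2 + x*y == x^3 + a*x^2 + b."""
    if p is INFINITY:
        return True
    x, y = p
    lhs = gf_sqr(y) ^ gf_mul(x, y)
    rhs = gf_mul(gf_sqr(x), x) ^ gf_mul(A, gf_sqr(x)) ^ B
    return lhs == rhs


def find_point(x):
    """First curve point with x-coordinate >= x. Substituting y = x*z turns the
    curve equation into z^2 + z = x + a + b/x^2, solvable by the half-trace."""
    while True:
        if x != 0:
            beta = x ^ A ^ gf_mul(B, gf_sqr(gf_inv(x)))
            if gf_trace(beta) == 0:
                return (x, gf_mul(x, gf_half_trace(beta)))
        x += 1


def ec_neg(p):
    return INFINITY if p is INFINITY else (p[0], p[0] ^ p[1])


def ec_double(p):
    if p is INFINITY:
        return INFINITY
    x1, y1 = p
    if x1 == 0:              # the point (0, sqrt(b)) has order 2
        return INFINITY
    lam = x1 ^ gf_mul(y1, gf_inv(x1))
    x3 = gf_sqr(lam) ^ lam ^ A
    y3 = gf_sqr(x1) ^ gf_mul(lam ^ 1, x3)
    return (x3, y3)


def ec_add(p, q):
    if p is INFINITY:
        return q
    if q is INFINITY:
        return p
    x1, y1 = p
    x2, y2 = q
    if x1 == x2:             # q == p (double) or q == -p (infinity)
        return ec_double(p) if y1 == y2 else INFINITY
    lam = gf_mul(y1 ^ y2, gf_inv(x1 ^ x2))
    x3 = gf_sqr(lam) ^ lam ^ x1 ^ x2 ^ A
    y3 = gf_mul(lam, x1 ^ x3) ^ x3 ^ y1
    return (x3, y3)


def ec_mul(k, p):
    """Left-to-right double-and-add. Not constant-time: adequate for this
    functional check, not for a deployed implementation."""
    r = INFINITY
    for bit in bin(k)[2:]:
        r = ec_double(r)
        if bit == "1":
            r = ec_add(r, p)
    return r


if __name__ == "__main__":
    P = find_point(2)
    print("on curve:", on_curve(P))
    print("(k1+k2)P == k1P + k2P:",
          ec_mul(12345 + 67890, P) == ec_add(ec_mul(12345, P), ec_mul(67890, P)))
```

The double-and-add loop above is where an 8-bit implementation leaks the scalar through timing and power; a design aimed at a tamper-exposed device would replace it with a Montgomery ladder or another regular scalar multiplication, and would typically move `gf_mul` into hardware, since it dominates the cost of every inversion, addition and doubling shown here.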


Digital System Design (DSD) | 2015

QEMU-Based Fault Injection for a System-Level Analysis of Software Countermeasures Against Fault Attacks

Andrea Höller; Armin Krieg; Tobias Rauter; Johannes Iber; Christian Kreiner

Physical attacks, such as fault attacks, pose a serious threat to the security of devices in the Internet of Things. An important class of countermeasures against fault attacks is fault-tolerant software, which is applicable to systems based on COTS hardware. In order to evaluate software countermeasures against fault attacks, fault injection is needed. However, established fault injection approaches require manufactured products or hardware details (e.g. netlists, RTL models), which are not available when using COTS hardware. In this paper, we present a QEMU-based fault injection platform that supports commercial COTS processors that are widely used in the embedded domain. This framework allows a system-level analysis of software countermeasures by simulating high-level hardware faults targeting, for example, memory cells, register cells, or the correct execution of instructions. The framework supports the generation of realistic fault attack scenarios. We illustrate the practicability of the approach by presenting two exemplary use cases.


Microprocessor Test and Verification (MTV) | 2014

FIES: A Fault Injection Framework for the Evaluation of Self-Tests for COTS-Based Safety-Critical Systems

Andrea Höller; Gerhard Schönfelder; Nermin Kajtazovic; Tobias Rauter; Christian Kreiner

Safety-critical systems have to satisfy ever-growing demands for high computing performance and cost-efficiency. This drives a move to commercial off-the-shelf hardware components that are not hardened. Unfortunately, these components are becoming increasingly vulnerable to operational faults, and the manufacturers do not guarantee a certain level of dependability. However, in order to maintain high integrity, safety-critical systems have to ensure the correct functionality of hardware components during operation. Besides redundancy techniques, this is typically realized with built-in self-tests implemented at software level. Safety standards, such as IEC 61508, prescribe certain fault models that should be used to assess the diagnostic coverage of self-tests with fault injection experiments. Typical fault injection frameworks use gate-level netlists or RTL models. However, these hardware models are not publicly available for most COTS processors. In this paper we present a Fault Injection framework for the Evaluation of software-based Self-tests (FIES) according to the safety standard IEC 61508. This virtual platform supports widely used embedded COTS processors, such as ARM cores, and provides feedback about the diagnostic coverage of self-tests in early design stages. It supports the simulation of faults in the control and execution path of an ARM processor and features an extended fault model to simulate memory coupling faults. The applicability of the approach is shown by using it for the evaluation of a memory test.
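The workflow the three fault injection abstracts above share (the virtual fault injection framework, the QEMU-based platform and FIES) is: take a fault model prescribed by the safety standard, inject every fault in the list into a simulated target, run the software countermeasure or self-test against each, and report the fraction it detects as diagnostic coverage. The added Python example below (not code from any of these frameworks, which simulate a real ARM core under QEMU) reduces that loop to the memory part of the fault model so it runs stand-alone: an 8-cell RAM model with two simplified fault models (assumption: a stuck-at fault pins one bit of one cell, and an inversion coupling fault flips one bit of a victim cell whenever a write changes the aggressor cell's value), a naive checkerboard self-test, a March C- self-test, and the coverage computation. The point it makes is the one the FIES abstract raises: a test that looks fine under stuck-at faults can miss half of the coupling faults.

```python
"""Memory fault injection harness: diagnostic coverage of two software
self-tests against simplified IEC 61508-style memory fault models.

Added example, not code from FIES or the QEMU-based framework. Assumption:
stuck-at and inversion coupling faults are modelled as described in the
FaultyMemory docstring; real fault lists and fault models are richer.
"""

WORD_MASK = 0xFF  # 8-bit memory cells


class FaultyMemory:
    """A tiny RAM model with at most one injected fault.

    fault is None (golden memory) or one of
      ("stuck_at", addr, bit, value)        -- bit of cell addr always reads as value
      ("coupling", aggressor, victim, bit)  -- a write that changes the aggressor
                                               cell's value inverts bit of victim
    """

    def __init__(self, size, fault=None):
        self.cells = [0] * size
        self.fault = fault

    def write(self, addr, value):
        old = self.cells[addr]
        self.cells[addr] = value & WORD_MASK
        if self.fault and self.fault[0] == "coupling":
            _, aggressor, victim, bit = self.fault
            if addr == aggressor and old != self.cells[addr]:
                self.cells[victim] ^= 1 << bit

    def read(self, addr):
        value = self.cells[addr]
        if self.fault and self.fault[0] == "stuck_at":
            _, stuck_addr, bit, stuck_value = self.fault
            if addr == stuck_addr:
                value = (value & ~(1 << bit)) | (stuck_value << bit)
        return value


def checkerboard_test(mem):
    """Naive self-test: fill with 0x55 and verify, then 0xAA and verify.
    Returns True if a fault was detected."""
    for pattern in (0x55, 0xAA):
        for addr in range(len(mem.cells)):
            mem.write(addr, pattern)
        for addr in range(len(mem.cells)):
            if mem.read(addr) != pattern:
                return True
    return False


def march_c_minus_test(mem):
    """March C- self-test:
    up(w0); up(r0,w1); up(r1,w0); down(r0,w1); down(r1,w0); up(r0).
    Every cell is read in both states before and after its neighbours are
    written, which is what exposes coupling faults. Returns True on detection."""
    n = len(mem.cells)
    up, down = range(n), range(n - 1, -1, -1)
    for addr in up:
        mem.write(addr, 0x00)
    for order, expect, new in ((up, 0x00, 0xFF), (up, 0xFF, 0x00),
                               (down, 0x00, 0xFF), (down, 0xFF, 0x00)):
        for addr in order:
            if mem.read(addr) != expect:
                return True
            mem.write(addr, new)
    return any(mem.read(addr) != 0x00 for addr in up)


def fault_list(size):
    """Exhaustive single-fault list per fault class for a memory of `size` cells."""
    stuck = [("stuck_at", a, b, v)
             for a in range(size) for b in range(8) for v in (0, 1)]
    coupling = [("coupling", a, v, b)
                for a in range(size) for v in range(size) if a != v
                for b in range(8)]
    return {"stuck_at": stuck, "coupling": coupling}


def diagnostic_coverage(test, faults, size):
    """Fraction of injected faults the test reports: the DC figure a
    safety standard asks for, per fault class."""
    detected = sum(1 for fault in faults if test(FaultyMemory(size, fault)))
    return detected / len(faults)


def coverage_report(size=8):
    """DC per fault class for both self-tests, keyed by test name."""
    faults = fault_list(size)
    report = {}
    for name, test in (("checkerboard", checkerboard_test),
                       ("march_c_minus", march_c_minus_test)):
        assert not test(FaultyMemory(size)), "self-test must pass on golden memory"
        report[name] = {cls: diagnostic_coverage(test, fl, size)
                        for cls, fl in faults.items()}
    return report


if __name__ == "__main__":
    for test_name, per_class in coverage_report().items():
        for cls, dc in per_class.items():
            print(f"{test_name:14s} {cls:9s} DC = {dc:.0%}")
```

The checkerboard test reaches full coverage of stuck-at faults but only half of the coupling faults: when the aggressor cell precedes the victim in address order, the test overwrites the corrupted victim before ever reading it. March C- reads each cell in both states on both address orders and detects every fault in this list. A fault list built from the standard's fault model, rather than from the faults a test happens to catch, is what makes the reported coverage meaningful.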


High Performance Embedded Architectures and Compilers (HiPEAC) | 2016

Asset-Centric Security Risk Assessment of Software Components

Tobias Rauter; Christian Kreiner; Nermin Kajtazovic; Andrea Höller

Risk management is a crucial process for the development of secure systems. Valuable objects (assets) must be identified and protected. In order to prioritize the protection mechanisms, the values of assets need to be quantified: more valuable or more exposed assets require stronger protection. There are many risk assessment approaches that aim to provide a metric for this quantification in different domains. In software systems, these assets are reflected in resources (e.g., a file with important information) or functional software components (e.g., performing a bank transfer). To protect the assets from threats such as unauthorized access, other software components (e.g., an authenticator) are used. These components are essential for the asset's security properties and should therefore be considered for further investigation such as threat modeling. Evaluating assets only at system level may hide threats that originate from vulnerabilities in software components, while doing an extensive threat analysis for all of the system's components without prioritization is not always feasible. In this work, we propose a metric that quantifies software components by the assets they are able to access. Based on a component model of the software architecture, it is possible to identify trust domains and add filter components that split these domains. We show how the integration of the methodology into the development process of a distributed manufacturing system helped us to identify critical sections (i.e., components whose vulnerabilities may enable threats against important assets), to reduce the attack surface, to find isolation domains and to implement security measures at the right places.
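One way to compute a metric of this kind, as an added Python example that reconstructs the idea from the abstract rather than the paper's own definition or tooling (assumption): each component is scored by the total value of the assets it can reach over the access and call edges of a component model, components that reach exactly the same asset set are grouped as a trust-domain candidate, and the component-to-component edges that cross between different groups are where a filter component would split the domains. The component model and asset values are constructed for the example.

```python
"""Asset-centric scoring of software components over a component model.

Added example, not the paper's metric or tooling (assumption: the metric is
reconstructed from the abstract). The model below is a constructed sample of
a small banking service; asset values are on an ordinal scale.
"""
from collections import defaultdict

ASSETS = {"account_db": 10, "session_store": 6, "audit_log": 4}

# (accessor, accessed): a component calls another component or accesses an asset.
EDGES = [
    ("web_frontend", "authenticator"),
    ("web_frontend", "transfer_service"),
    ("authenticator", "session_store"),
    ("transfer_service", "db_access"),
    ("transfer_service", "audit_log"),
    ("reporting", "db_access"),
    ("reporting", "audit_log"),
    ("db_access", "account_db"),
]


def build_graph(edges):
    graph = defaultdict(set)
    for src, dst in edges:
        graph[src].add(dst)
    return graph


def components(edges, assets):
    """All nodes of the model that are not assets, in a stable order."""
    return sorted({node for edge in edges for node in edge} - set(assets))


def reachable_assets(component, edges, assets):
    """Assets reachable from `component` by following access/call edges
    transitively: what an attacker controlling it could get at."""
    graph = build_graph(edges)
    seen, stack, found = set(), [component], set()
    while stack:
        node = stack.pop()
        if node in seen:
            continue
        seen.add(node)
        if node in assets:
            found.add(node)
        stack.extend(graph[node])
    return frozenset(found)


def score(component, edges=EDGES, assets=ASSETS):
    """Total value of the assets the component can reach."""
    return sum(assets[a] for a in reachable_assets(component, edges, assets))


def ranked_components(edges=EDGES, assets=ASSETS):
    """Components ordered by exposed asset value, highest first: the
    critical sections to threat-model first."""
    return sorted(((score(c, edges, assets), c) for c in components(edges, assets)),
                  key=lambda pair: (-pair[0], pair[1]))


def trust_domains(edges=EDGES, assets=ASSETS):
    """Group components by the exact asset set they can reach; members of a
    group are equally powerful from an attacker's point of view."""
    groups = defaultdict(list)
    for c in components(edges, assets):
        groups[reachable_assets(c, edges, assets)].append(c)
    return dict(groups)


def filter_candidates(edges=EDGES, assets=ASSETS):
    """Component-to-component edges whose endpoints reach different asset sets.
    The caller aggregates more reach than the callee, so a filter component
    (validator, authenticator, policy check) belongs on this edge."""
    return [(u, v) for u, v in edges
            if v not in assets
            and reachable_assets(u, edges, assets) != reachable_assets(v, edges, assets)]


if __name__ == "__main__":
    for value, name in ranked_components():
        print(f"{value:3d}  {name}")
    for domain, members in trust_domains().items():
        print(sorted(domain), "<-", members)
    print("filter candidates:", filter_candidates())
```

On the sample model the externally facing `web_frontend` scores highest because it transitively reaches every asset, `transfer_service` and `reporting` fall into one trust domain because they reach the same two assets, and the edges into `db_access` are flagged as places for a filter. The metric is only as good as the component model: an edge the model omits (a shared library, a debug interface, a file both components read) silently lowers a score.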


Software Engineering, Artificial Intelligence, Networking and Parallel/Distributed Computing (SNPD) | 2015

Constraint-Based Verification of Compositions in Safety-Critical Component-Based Systems

Nermin Kajtazovic; Christopher Preschern; Andrea Höller; Christian Kreiner

Component-Based Software Engineering (CBSE) is currently a key paradigm for building safety-critical systems. Because these systems have to undergo a rigorous development and qualification process, one of the main challenges of introducing CBSE in this area is to ensure the integrity of the overall system after building it from reusable components. Many (formal) approaches for the verification of compositions have been proposed, and they generally focus on the behavioural integrity of components and their data semantics. An important aspect of this verification is the trade-off between scalability and completeness.


Design, Automation and Test in Europe (DATE) | 2015

Evaluation of diverse compiling for software-fault detection

Andrea Höller; Nermin Kajtazovic; Tobias Rauter; Kay Uwe Römer; Christian Kreiner

Although software fault prevention techniques improve continually, faults remain in every complex software system. Thus, safety-critical embedded systems need mechanisms to tolerate software faults. Typically, these systems use static redundancy to detect hardware faults during operation. However, the reliability of a redundant system depends not only on the reliability of each version, but also on the dissimilarity between them. Thus, researchers have investigated ways to automatically add cost-efficient diversity to software to increase the efficiency of redundancy strategies. One of these automated software diversification methods is diverse compiling, which exploits the diversity introduced by different compilers and different optimization flags. Today, diverse compiling is used to improve hardware fault tolerance and to avoid common defects from compilers. However, in this paper we show that diverse compiling also enhances software fault tolerance by increasing the chance of finding defects in the source code of the executed software at runtime. More precisely, memory is organized differently when using different compilers and compiler flags. This enhances the chance of detecting memory-related software bugs, such as missing memory initialization, at runtime. Here we experimentally quantify the efficiency of diverse compiling for software fault tolerance and show that diverse compiling can help to detect up to about 70% of memory-related software bugs.


Dependable Systems and Networks (DSN) | 2015

Service Deterioration Analysis (SDA): An Early Development Phase Dependability Analysis Method

Georg Macher; Andrea Höller; Harald Sporer; Eric Armengaud; Christian Kreiner

Dependability is a superordinate concept grouping different system attributes such as reliability, safety, security, or availability, and a key selling point of modern embedded systems. Dependable systems rely on mature quality management and development methods such as requirements/systems engineering and system analyses. In the automotive domain, analysis methods for safety and security attributes at early development phases are well known and partially mandated by domain standards. Nevertheless, approaches for the analysis of serviceability attributes (the combination of reliability and maintainability) at early development phases are not yet available. The aim of the paper is to present a novel analysis method to quantify the impact of individual system parts on the overall system serviceability at early development phases. This approach is based on the concepts of state-of-the-art methods for safety and security analysis and extends their scope of application to serviceability quantification, thus enabling consistent identification of system dependability target attributes. This, in turn, is a prerequisite for ensuring a certain level of system dependability from the start of development. In the second part of the paper, the application of the novel approach is demonstrated on an automotive training example of a battery management system.

Collaboration

Top co-authors of Andrea Höller:

Christian Kreiner (Graz University of Technology)
Tobias Rauter (Graz University of Technology)
Johannes Iber (Graz University of Technology)
Nermin Kajtazovic (Graz University of Technology)
Christopher Preschern (Graz University of Technology)
Christian Steger (Graz University of Technology)
Harald Sporer (Graz University of Technology)
Thomas Ulz (Graz University of Technology)