Nermin Kajtazovic

A Component-Based Dynamic Link Support for Safety-Critical Embedded Systems

Safety-critical embedded systems have to undergo rigorous development process in order to ensure that their function will not compromise humans or environment where they operate. Therefore, they rely on simple and proven-in-use design. However, with growing software complexity, maintenance becomes very important aspect in safety domain. Recent approaches for managing maintenance allow to perform changes on software at design-time, which implies that the whole system has to be rebuilt when the application software changes. In this paper, we describe more flexible solution for updating the application software. We apply the component-based paradigm to construct the application software, i.e. we define a model of a software function that can be dynamically linked with the entire operating system (OS). In order to avoid the usage of the OS-provided support for dynamic linking, we design software functions as position-independent and relocation-free binaries with well-defined interfaces. With the help of component-based paradigm we show how to simplify the link support and make it suitable for safety domain.

Building a safety architecture pattern system

Safety architecture patterns provide knowledge about large scale design decisions for safety-critical systems. They provide good ways to avoid, detect, and handle faults in software or hardware. In this paper we revise existing architectural safety patterns and organize them to build up a pattern system. We add Goal Structuring Notation diagrams to the patterns to provide a structured overview of their architectural decisions. Based on these diagrams we analyze and present relationships between the patterns. The diagrams can also be used to argue about a systemss safety, which we show with an example.

FIES: A Fault Injection Framework for the Evaluation of Self-Tests for COTS-Based Safety-Critical Systems

Safety-critical systems have to satisfy ever-growing demands for high computing performance and cost-efficiency. This leads to a move to commercial off-the-shelf hardware components that are not hardened. Unfortunately, these components are becoming increasingly vulnerable to operational faults and the manufacturers do not guarantee a certain level of dependability. However, in order to maintain a high integrity, safety-critical systems have to ensure the correct functionality of hardware components during operation. Besides redundancy techniques, this is typically realized with build-in self-tests implemented at software level. Safety-standards, such as the IEC 61508 standard, prescribe certain fault models that should be used to assess the diagnostic coverage of self-tests with fault injection experiments. Typical fault injection frameworks use gate-level net lists or RTL models. However, these hardware models are not publicly available for most COTS processors. In this paper we present a Fault Injection framework for the Evaluation of software-based Self-tests (FIES) according to the safety standard IEC 61508. This virtual platform supports widely-used embedded COTS processors, such as ARM cores, and provides feedback about the diagnostic coverage of self-tests in early design stages. It supports the simulation of faults in the control and execution path of an ARM processor and features an extended fault model to simulate memory coupling faults. The applicability of the approach is shown by using it for the evaluation of a memory test.

Asset-Centric Security Risk Assessment of Software Components.

Risk management is a crucial process for the development of secure systems. Valuable objects (assets) must be identified and protected. In order to prioritize the protection mechanisms, the values of assets need to be quantified. More valuable or exposed assets require more powerful protection. There are many risk assessment approaches that aim to provide a metric to generate this quantification for different domains. In software systems, these assets are reflected in resources (e.g., a file with important information) or functional software components (e.g., performing a bank transfer). To protect the assets from different threats like unauthorized access, other software components (e.g., an authenticator) are used. These components are essential for the asset’s security properties and should therefore be considered for further investigation such as threat modeling. Evaluating assets only at system level may hide threats that originate from vulnerabilities in software components while doing an extensive threat analysis for all the system’s components without prioritization is not feasible all the time. In this work, we propose a metric that quantifies software components by the assets they are able to access. Based on a component model of the software architecture, it is possible to identify trust domains and add filter components that split these domains. We show how the integration of the methodology into the development process of a distributed manufacturing system helped us to identify critical sections (i.e., components whose vulnerabilities may enable threats against important assets), to reduce attack surface, to find isolation domains and to implement security measures at the right places.

Constraint-Based Verification of Compositions in Safety-Critical Component-Based Systems

Component-based Software Engineering (CBSE) is currently a key paradigm used for building safety-critical systems. Because these systems have to undergo a rigorous development and qualification process, one of the main challenges of introducing CBSE in this area is to ensure the integrity of the overall system after building it from reusable components. Many (formal) approaches for verification of compositions have been proposed, and they generally focus on behavioural integrity of components and their data semantics. An important aspect of this verification is a trade-off between scalability and completeness.

Evaluation of diverse compiling for software-fault detection

Although software fault prevention techniques improve continually, faults remain in every complex software system. Thus safety-critical embedded systems need mechanisms to tolerate software faults. Typically, these systems use static redundancy to detect hardware faults during operation. However, the reliability of a redundant system not only depends on the reliability of each version, but also on the dissimilarity between them. Thus, researchers have investigated ways to automatically add cost-efficient diversity to software to increase the efficiency of redundancy strategies. One of these automated software diversification methods is diverse compiling, which exploits the diversity introduced by different compilers and different optimization flags. Today, diverse compiling is used to improve the hardware fault tolerance and to avoid common defects from compilers. However, in this paper we show that diverse compiling also enhances the software fault tolerance by increasing the chance of finding defects in the source code of the executed software during runtime. More precisely, the memory is organized differently, when using different compilers and compiler flags. This enhances the chance of detecting memory-related software bugs, such as missing memory initialization, during runtime. Here we experimentally quantify the efficiency of diverse compiling for software fault tolerance and we show that diverse compiling can help to detect up to about 70% of memory-related software bugs.

Efficient development and reuse of domain-specific languages for automation systems

Domain-Specific Languages DSLs help to decrease system development costs by providing developers with an effective way to construct systems for a specific domain. However, for DSL construction, a developer has to invest some upfront investment. If this investment is smaller than the benefit in terms of more effective development for domain-specific systems, then the construction of a DSL pays off. In order to decrease the initial effort to construct DSLs for a specific domain the automation domain, we present an efficient DSL architecture which allows structured reuse within the automation domain. With this DSL architecture, it is easier to build an initial automation DSL and when building multiple automation DSLs, significant parts of the DSL can be reused across different automation domains. We present the DSL architecture and discuss its benefits and drawbacks. Furthermore, we present and evaluate three automation DSL case studies which apply the described architecture.

Applying patterns to model-driven development of automation systems: an industrial case study

Model-driven approaches enable more efficient system development, but are yet rather uncommon for the automation domain due to limited practical examples and guidelines on how to apply them. We present an industrial case study using code generators attached to a Domain-Specific Language for model-driven automation system development. The case study applies the Pipes&Filters architectural pattern and the Template&Metamodel and Code Attributes code generation patterns. We present the results of the pattern application for the case study and discuss the general usage of the presented patterns for model-driven automation system development.

Pattern-based safety development methods: overview and comparison

Design patterns provide good solutions to re-occurring problems and several patterns and methods how to apply them have been documented for safety-critical systems. However, due to the large amount of safety-related patterns and methods, it is difficult to get an overview of their capabilities and shortcomings as there currently is no survey on safety patterns and their application methods available in literature. To give an overview of existing pattern-based safety development methods, this paper presents existing methods from literature and discusses and compares several aspects of these methods such as the patterns and tools they use, their integration into a safety development process, or their maturity.

Towards pattern-based reuse in safety-critical systems

Challenges such as time-to-market, reduced costs for change and maintenance have radically influenced development of todays safety-critical systems. Many domains have already adopted their systems engineering to support modular and component-based architectures. With the component-based design paradigm, the system engineering is utilized allowing to distribute development among different development teams, however, with the price that there is no full trust in independently developed parts, which makes their reuse challenging. Until now, many approaches that address reuse, on conceptual or detailed level, have been proposed. A very important aspect addressed here is to document the information flow between system parts in detail, i.e. from higher abstraction levels down to the implementation details, in order to put more trust into independently developed parts of the system. In this paper, we describe a compact pattern system with the aim to establish a link between high level concepts for reuse and detailed description of the behavior of system parts. The main goal is to document these details up to the higher levels of abstraction in more systematic way.