Roland Mader

Energy-Efficient Implementation of ECDH Key Exchange for Wireless Sensor Networks

Wireless Sensor Networks (WSNs) are playing a vital role in an ever-growing number of applications ranging from environmental surveillance over medical monitoring to home automation. Since WSNs are often deployed in unattended or even hostile environments, they can be subject to various malicious attacks, including the manipulation and capture of nodes. The establishment of a shared secret key between two or more individual nodes is one of the most important security services needed to guarantee the proper functioning of a sensor network. Despite some recent advances in this field, the efficient implementation of cryptographic key establishment for WSNs remains a challenge due to the resource constraints of small sensor nodes such as the MICAz mote. In this paper we present a lightweight implementation of the elliptic curve Diffie-Hellman (ECDH) key exchange for ZigBee-compliant sensor nodes equipped with an ATmega128 processor running the TinyOS operating system. Our implementation uses a 192-bit prime field specified by the NIST as underlying algebraic structure and requires only 5.20 ·106 clock cycles to compute a scalar multiplication if the base point is fixed and known a priori. A scalar multiplication using a random base point takes about 12.33 ·106 cycles. Our results show that a full ECDH key exchange between two MICAz motes consumes an energy of 57.33 mJ (including radio communication), which is significantly better than most previously reported ECDH implementations on comparable platforms.

Automatic and optimal allocation of safety integrity levels

Powertrain electrification of vehicles leads to a higher number of sensors, actuators and control functions resulting in increasing complexity. Due to the safety-criticality of the functionalities, safety standards must be considered during system development. The safety standard ISO 26262 defines discrete ASILs (Automotive Safety Integrity Levels) that must be identified and allocated to the components of the system under development. Once allocated, they determine the applicable requirements of ISO 26262 and the necessary safety measures to accordingly minimize residual risk. Fu rthermore, the allocated ASILs directly influence the development efforts and the costs per piece of the system components. Manual elaboration of an ASIL allocation that is economic and assures functional safety is complex and cumbersome. This work presents a method that allows the automatic allocation of ASILs to the system components. In our approach ASIL allocation is interpreted as an ILP (Integer Linear Programming) problem. This allows obtaining an ASIL allocation that is optimal with respect to an objective function that is subject to constraints. These constraints are derived from the results of PHA (Preliminary Hazard Analysis), FTA (Fault Tree Analysis) and preferences of the safety engineer. The approach is evaluated by the case study of hybrid electric vehicle development.

A Computer-Aided Approach to Preliminary Hazard Analysis for Automotive Embedded Systems

Powertrain electrification of automobiles leads to a higher number of sensors, actuators and control functions, which in turn increases the complexity of automotive embedded systems. The safety-criticality of the system requires the application of Preliminary Hazard Analysis early in the development process. This is a necessary first step for the development of an automotive embedded system that is acceptably safe. Goal of this activity is the identification and classification of hazards and the definition of top level safety requirements that are the basis for designing a safety-critical embedded system that is able to control or mitigate the identified hazards. A computeraided framework to support Preliminary Hazard Analysis for automotive embedded systems is presented in this work. The contribution consists of (1) an enhancement for Preliminary Hazard Analysis to the domain-specific language EAST-ADL, as well as (2) the identification of properties that indicate the correct application of Preliminary Hazard Analysis using the language. These properties and an analysis model reflecting the results of the Preliminary Hazard Analysis are used for the automated detection of an erroneously applied Preliminary Hazard Analysis (property checker) and the automated suggestion and application of corrective measures (model corrector). The applicability of the approach is evaluated by the case study of hybrid electric vehicle development.

Computer-aided PHA, FTA and FMEA for automotive embedded systems

The shift of the automotive industry towards powertrain electrification introduces new automotive sensors, actuators and functions that lead to an increasing complexity of automotive embedded systems. The safety-criticality of these systems demands the application of analysis techniques such as PHA (Preliminary Hazard Analysis), FTA (Fault Tree Analysis) and FMEA (Failure Modes and Effects Analysis) in the development process. The early application of PHA allows to identify and classify hazards and to define top-level safety requirements. Building on this, the application of FTA and FMEA supports the verification of a system architecture defining an embedded system together with connected sensors and controlled actuators. This work presents a modeling framework with automated analysis and synthesis capabilities that supports a safety engineering workflow using the domain-specific language EAST-ADL. The contribution of this work is (1) the definition of properties that indicate the correct application of the workflow using the language. The properties and a model integrating the work products of the workflow are used for the automated detection of errors (property checker) and the automated suggestion and application of corrective measures (model corrector). Furthermore, (2) fault trees and a FMEA table can be automatically synthesized from the same model. The applicability of this computer-aided and tightly integrated approach is evaluated using the case study of a hybrid electric vehicle development.

A Bridge from System to Software Development for Safety-Critical Automotive Embedded Systems

In this paper, we present a tool enhancement that allows an effective transition from the system level development phase to the software level development phase of a tool-supported safety engineering workflow aligned with the automotive functional safety standard ISO 26262. The tool enhancement has capabilities for model generation and code generation. Whereas the generation of Simulink models supports the development of application software, the configuration and generation of safety drivers supports the development of the basic software required for initialization, runtime fault detection and error handling. We describe the safety engineering workflow and its supporting tool chain including the tool enhancement. Moreover we demonstrate that the enhancement supports the transition from the system level development phase to the software level development phase using the case study of a hybrid electric vehicle development.

A development methodology for variant-rich automotive software architectures

ZusammenfassungHohe Marktdynamik führt zu immer schneller werdenden Produktentwicklungszyklen automotiver eingebetteter Systeme. Der multidisziplinäre Charakter in der Entwicklung derartiger sicherheitsgerichteter Systeme stellt hohe Anforderungen an eine effiziente und effektive Wiederverwendungsstrategie. Das V-Modell ist ein weitverbreiteter Entwicklungsprozess in dieser Branche. Es beinhaltet typischerweise modellgetriebene Entwicklung, Sicherheitstechnik und Verifikation (Komponententest, Integrationstest, Co-simulation etc.) Produktlinienorientierte Entwicklung verspricht schnelle und effiziente Produktentwicklung durch systematische Wiederverwendung und gestattet konsistente Ansteuerung aller Varianten. In dieser Arbeit wird das V-Modell durch eine Produktlinienumgebung für automotive eingebettete Systeme erweitert. Damit wird die konsistente Konfiguration der Systemarchitekturbeschreibung (EAST-ADL2), der modellgetriebenen Entwicklung (Matlab/Simulink), der Softwarekomponentenverteilung auf den Steuergeräten (AUTOSAR-basierend), der Simulink-basierenden Komponenten- und Integrationstests und der Co-simulationmodellvarianten sichergestellt. Durch die Verwendung der Architekturbeschreibungssprache EAST-ADL2 ist es möglich, auch sicherheitsrelevante Aspekte zu integrieren.SummaryEver accelerating product cycles together with multi-discipline engineering processes are typical for safety-critical automotive embedded systems development. This demands for both efficient and effective development and reuse strategies. A development process following the V-model incorporating model-driven prototyping and development, safety engineering, and verification (unit testing, integration testing, cosimulation, etc.) is commonly found. Product line engineering enables fast and efficient product configuration through systematic reuse. The V-model has been extended by an integrated product line engineering environment for automotive embedded systems. This ensures the consistent configuration across system architecture description (EAST-ADL2), model driven development (Matlab/Simulink), software component deployment on an ECU network (AUTOSAR-based), Simulink-based software unit testing, Simulink-based software integration testing, and co-simulation model variants. Using the automotive architecture description language EAST-ADL2 enables the integration of safety engineering aspects.

A CPLD-based safety concept for industrial applications

Industry demands cost-efficient approaches for the realization of uncomplex safety functions in industrial automation. Therefore new approaches need to be considered. For this purpose the implementation of safety functions in hardware using CPLDs is an option. This approach does, in contrast to microcontroller-based systems, not require the development of startup- and online tests for RAM and CPU. Therefore efforts for design, implementation and verification of these safety integrity measures can be saved as well as hardware resources for the execution of tests. Based on this idea, a CPLD-based safety concept has been elaborated that allows to realize safety functions by exclusively using CPLDs. The safety concept has been derived from normative safety requirements, functional safety requirements as well as other non-functional requirements. The safety concept comprises a CPLD-based redundant failsafe system architecture, safety integrity measures and a precise definition of the safe state and the unsafe state of possible target applications. An industrial power drive system is presented that has been enhanced with uncomplex safety functions to increase its safety integrity. These safety functions are able to avoid the application of power to an electric DC motor, if demanded. They were realized by a fail-safe system. This system adopts the CPLD-based safety concept.

Towards multi-modeling for domain description

Domain modeling is a key task in the development of a software product line. We identified two popular modeling paradigms: Feature-oriented domain modeling (FODM) and domain specific modeling (DSM). The appropriate choice of the modeling paradigm is a crucial decision for the development of an efficient and easy to use domain model. For complex and heterogeneous domain descriptions, for example embedded system descriptions, different representation techniques can be useful to describe the different parts of the system. We propose a method to combine both representation techniques to realize a domain specific multi modeling approach. This supports not only a more natural domain description, but can as well be seen as a support for knowledge transfer between different stakeholders.

Design and Implementation of Safety Functions on a Novel CPLD-Based Fail-Safe System Architecture

In the case of a fault fail-safe systems achieve and maintain a safe state for people, environment and property. These systems are usually realized using microcontroller-based architectures. With respect to cost per unit and development effort for fail-safe systems, industry has to consider new approaches. An option is to realize simple safety functions using architectures that include CPLDs. A novel hardware architecture for embedded fail-safe systems is the outcome of recent research efforts at SIEMENS. This architecture is homogeneously redundant and contains, in contrast to similar systems, exclusively two CPLDs instead of microcontrollers. This paper is presenting design and implementation of the very first fail-safe system based on this architecture. This system targets the market of industrial automation. The fail-safe system enhances a power converter with safety functions. To achieve the required safety integrity, adequate measures able to detect random and permanent faults, are implemented. The novel fail-safe system adheres to the draft of the second edition of the IEC 61508, which includes requirements for the realization of safety functions using CPLDs, the IEC 61800-5-2 and the EN ISO 13849.

Fault insertion testing of a novel CPLD-based fail-safe system

According to the standard IEC 61508 fault insertion testing is required for the verification of fail-safe systems. Usually these systems are realized with microcontrollers. Fail-safe systems based on a novel CPLD-based architecture require a different method to perform fault insertion testing than microcontroller-based systems. This paper describes a method to accomplish fault insertion testing of a system based on the novel CPLD-based architecture using the original system hardware. The goal is to verify the realized safety integrity measures of the system by inserting faults and observing the behavior of the system. The described method exploits the fact, that the system contains two channels, where both channels contain a CPLD. During a test one CPLD is configured using a modified programming file. This file is available after the compilation of a VHDL-description, which was modified using saboteurs or mutants. This allows injecting a fault into this CPLD. The other CPLD is configured as fault-free device. The entire system has to detect the injected fault using its safety integrity measures. Consequently it has to enter and/or maintain a safe state.