Thorsten Piper
Technische Universität Darmstadt
Publication
Featured research published by Thorsten Piper.
Dependable Systems and Networks | 2012
Thorsten Piper; Stefan Winter; Paul Manns; Neeraj Suri
The AUTOSAR standard guides the development of component-based automotive software. As automotive software typically implements safety-critical functions, it needs to fulfill high dependability requirements, and the effort put into the quality assurance of these systems is correspondingly high. Testing, fault injection (FI), and other techniques are employed for the experimental dependability assessment of these increasingly software-intensive systems. Having flexible and automated support for instrumentation is key to making these assessment techniques efficient. However, providing a usable, customizable and performant instrumentation for AUTOSAR is non-trivial due to the varied abstractions and high complexity of these systems. This paper develops a dependability assessment guidance framework tailored towards AUTOSAR that helps identify the applicability and effectiveness of instrumentation techniques at (a) varied levels of software abstraction and granularity, (b) varied software access levels (black-box, grey-box, white-box), and (c) the application of interface wrappers for conducting FI.
Automation of Software Test | 2015
Stefan Winter; Thorsten Piper; Oliver Schwahn; Roberto Natella; Neeraj Suri; Domenico Cotroneo
Fault Injection (FI) is an established testing technique to assess the fault-tolerance of computer systems. FI tests are usually highly automated for efficiency and to prevent human error from affecting result reliability. Most existing FI automation tools have been built for a specific application domain, i.e., a certain system under test (SUT) and fault types to test the SUT against, which significantly restricts their reusability. To improve reusability, generalist fault injection tools have been developed to decouple SUT-independent functionality from SUT-specific code. Unfortunately, existing generalist tools often embed subtle and implicit assumptions about the target system that affect their reusability. Furthermore, no assessments have been conducted of how much effort the SUT-specific adaptation of generalist tools entails in comparison to reimplementation from scratch. In this paper, we present GRINDER, an open-source, highly reusable FI tool, and report on its applicability in two very different systems (the Android OS in an emulated environment, and a real-time AUTOSAR system) under four different FI scenarios.
International Symposium on Object/Component/Service-Oriented Real-Time Distributed Computing | 2015
Thorsten Piper; Stefan Winter; Oliver Schwahn; Suman Bidarahalli; Neeraj Suri
For mixed-criticality automotive systems, the functional safety standard ISO 26262 stipulates freedom from interference, i.e., errors should not propagate from low- to high-criticality tasks. To prevent the propagation of timing errors, the automotive software standard AUTOSAR provides monitor-based timing protection, which detects and confines task timing errors. As current monitors are unaware of a criticality concept, the effective protection of a critical task requires monitoring all tasks that constitute a potential source of propagating errors, thereby causing overhead for worst-case execution time analysis, configuration and monitoring. Differing from the indirect protection of critical tasks facilitated by existing mechanisms, we propose a novel monitoring scheme that directly protects critical tasks from interference by providing them with execution time guarantees. Overall, our approach provides efficient low-overhead interference protection, while also adding transient timing error ride-through capabilities.
International Conference on Cyber-Physical Systems | 2014
Tasuku Ishigooka; Habib Saissi; Thorsten Piper; Stefan Winter; Neeraj Suri
Cyber-Physical Systems (CPS) linking computing to physical systems are often used to monitor and control safety-critical processes, i.e., processes that bear the potential to cause significant damage or loss in the case of failures. While safety-critical systems have been extensively studied in both the discrete (computing) and analog (control) domains, the developed techniques apply to either one domain or the other. As cyber-physical systems span both domains, the focus on an individual domain leaves a gap on the system level, where complex interactions between the domains can lead to failures that cannot be analyzed by considering only the physical or the digital part of the integrated CPS. We discuss such a complex failure condition in a real-world brake control system, and demonstrate its detection using a formal verification approach specifically targeting CPS.
European Dependable Computing Conference | 2015
Thorsten Piper; Stefan Winter; Neeraj Suri; Thomas E. Fuhrman
The automotive safety standard ISO 26262 strongly recommends the use of fault injection (FI) for the assessment of safety mechanisms that typically span composite dependability and real-time operations. However, with the standard providing very limited guidance on the actual design, implementation and execution of FI experiments, most AUTOSAR FI approaches use standard fault models (e.g., bit flips and data-type-based corruptions) and focus on using simulation environments. Unfortunately, representing timing faults with standard fault models and representing real-time properties in simulation environments are both hard, rendering both inadequate for the comprehensive assessment of AUTOSAR's safety mechanisms. The actual development of ISO 26262-advocated FI is further hampered by the lack of representative software fault models and the lack of an openly accessible AUTOSAR FI framework. We address these gaps by (a) adapting the open-source FI framework GRINDER to AUTOSAR and (b) showing how to effectively apply it for the assessment of AUTOSAR's safety mechanisms.
International Workshop on Security | 2010
Lars Patzina; Sven Patzina; Thorsten Piper; Andy Schürr
In our integrated model-based development process for security monitors, we use Live Sequence Charts (LSCs) as an expressive, formal specification. Generating target-specific monitors from these requires a complex interpretation of their syntax and semantics. In this paper, we propose a Petri net dialect as an intermediate language for monitor generation, named Monitor Petri Nets (MPNs). It is based on standard Petri nets that are syntactically and semantically extended to suit the needs of monitoring. With our MPNs, we are able to represent use and misuse cases described by LSCs in a format that is easy to interpret. MPNs provide the basis for the generation of SW/HW security monitors or can alternatively be interpreted by a generic monitor.
Journal of Information Processing | 2017
Tasuku Ishigooka; Habib Saissi; Thorsten Piper; Stefan Winter; Neeraj Suri
The application of cyber-physical systems (CPSs) in safety-critical application domains requires rigorous verification of their functional correctness and safety-relevant properties. We propose a practical verification process which enables safety verification of safety-critical CPSs. The verification process consists of (a) a system model construction method, which generates a system model by combining software described in C with plant model code reused from model-based development, (b) a model transformation method, which transforms plant models including differential algebraic equations (DAE) into approximate models without DAE to reduce the verification complexity induced by DAE solver execution, (c) a model simplification framework, which enables the simplification of bond-graph plant models using domain-knowledge-based replacement of complex model components for further verification overhead reductions, and (d) a formal verification based on symbolic execution. We implemented the proposed methods and framework, and successfully applied the proposed verification process to the safety verification of automotive brake control systems. The results of the study demonstrate that the verification detects a complex failure condition in a real-world brake control system from the generated system model, and that the automated model transformations of the CPS models yield significant verification complexity reductions without impairing the ability to detect unsafe behavior.
Computational Science and Engineering | 2016
Tasuku Ishigooka; Habib Saissi; Thorsten Piper; Stefan Winter; Neeraj Suri
The application of cyber-physical systems (CPSs) in safety-critical applications requires rigorous verification of their functional correctness and safety-relevant properties. We propose a practical verification framework which fills the gaps between model-based development and the formal verification process by connecting them seamlessly. The verification framework consists of (a) a model transformation method, which automatically transforms the plant models of CPSs including differential algebraic equations (DAE) into equivalent models without DAE to reduce the verification complexity induced by DAE solver execution, and (b) a model simplification method, which automatically simplifies bond-graph models by replacing complex bond-graph components with simpler components for further verification overhead reductions. We successfully applied the proposed verification framework to the safety verification of an automotive brake control system. The results of the study demonstrate that the automated model transformations of the CPS models yield significant verification complexity reductions without impairing the ability to detect unsafe behavior of the brake control system in a formal verification based on symbolic execution.
European Conference on Modelling Foundations and Applications | 2013
Lars Patzina; Sven Patzina; Thorsten Piper; Paul Manns
Driven by technical innovation, embedded systems, especially in vehicles, are becoming increasingly interconnected and, consequently, have to be secured against failures and threats from the outside world. One approach to improving the fault tolerance and resilience of a system is run-time monitoring. AUTOSAR, the emerging standard for automotive software systems, specifies several run-time monitoring mechanisms at the watchdog and OS level that are neither intended nor able to support complex run-time monitoring. This paper addresses the general challenges involved in the development and integration of a model-based generation process for complex run-time security and safety monitors. A previously published model-based development process for run-time monitors based on a special kind of Petri net is enhanced and tailored to fit seamlessly into the AUTOSAR development process. In our evaluation, we show that efficient monitors for AUTOSAR can be directly modeled and generated from the corresponding AUTOSAR system model.
WIT Transactions on State-of-the-art in Science and Engineering | 2012
Stefan Winter; Daniel Germanus; Hamza Ghani; Thorsten Piper; Abdelmajid Khelil; Neeraj Suri