Latest publications
- Conference paper: Why current memory management units are not suited for automotive ECUs (Automotive - Safety & Security 2012, 2012). Schneider, Jörn. A major trend in automotive industry is to enrich driver and passenger experience with an increasing amount of consumer electronics and car-2-x functionality. A close interaction between this added functionality and the classical automotive domains allows for innovations that are valuable to the end customer and cannot be outplayed easily by devices with a pure consumer electronic origin. Innovations of this class require a tight coupling, for instance by executing programs from both worlds on the same microprocessor. The latter introduces many challenges, especially regarding reliability, security and safety of such systems. A unified memory management fulfilling the requirements of the consumer electronics and automotive application could help to address these issues and is a challenge by itself. This paper shows that the prevailing implementation scheme for memory management units (MMUs) is not suited for the needs of such systems and points out a solution direction.
- Conference paper: Freedom from interference for AUTOSAR-based ECUs: a partitioned AUTOSAR stack (Automotive - Safety & Security 2012, 2012). Haworth, David; Jordan, Tobias; Mattausch, Alexander; Much, Alexander. AUTOSAR1 is a standard for the development of software for embedded devices, primarily created for the automotive domain. It specifies a software architecture with more than 80 software modules that provide services to one or more software components. With the trend towards integrating safety-relevant systems into embedded devices, conformance with standards such as ISO 26262 [ISO11] or ISO/IEC 61508 [IEC10] becomes increasingly important. This article presents an approach to providing freedom from interference between software components by using the MPU2 available on many modern microcontrollers. Each software component gets its own dedicated memory area, a so-called memory partition. This concept is well known in other industries like the aerospace industry, where the IMA3 architecture is now well established. The memory partitioning mechanism is implemented by a microkernel, which integrates seamlessly into the architecture specified by AUTOSAR. The development has been performed as SEooC4 as described in ISO 26262, which is a new development approach. We describe the procedure for developing an SEooC.
- Conference paper: Static verification of non-functional software requirements in the ISO-26262 (Automotive - Safety & Security 2012, 2012). Kästner, Daniel; Ferdinand, Christian. The norm ISO-26262 aims at ascertaining the functional safety of Automotive Electric/Electronic Systems. It is not focused on purely functional system properties, but also demands to exclude nonfunctional safety hazards in case they are critical for a correct functioning of the system. Examples are violations of timing constraints in real-time software and software crashes due to runtime errors or stack overflows. The ISO-26262 ranks the static verification of program properties among the prominent goals of the software design and implementation phase. Static program analyzers are available that can prove the absence of certain non-functional programming errors, including those mentioned above. Static analyzers can be applied at different stages of the development process and can be used to complement or replace dynamic test methods. This article gives an overview of static program analysis techniques focusing on non-functional program properties, investigates the non-functional requirements of the ISO-26262 and discusses the role of static analyzers in the ISO-26262.
- Conference paper: Extraction of inter-thread communication in embedded systems (Automotive - Safety & Security 2012, 2012). Wittiger, Martin; Keul, Steffen. With the increasing spread of multicore computers, multicore architectures will increasingly find their way into embedded systems as well. In addition to the difficulties of software development for single-core platforms, software engineers must therefore master the challenge of porting existing systems to multicores reliably and without errors while still exploiting the parallelization potential as effectively as possible. So far there is hardly any tool support for carrying out this porting in practice. Our work pursues the goal of developing algorithms and tools that can port existing control software in the automotive domain to multicore platforms in a semi-automated way. This contribution presents a static analysis technique with which communication graphs can be extracted from the source code of an embedded system. These can be used to identify the need for modification in existing software and are suitable as a basis for the subsequent partitioning. The presented algorithms were implemented prototypically in our program analysis tool suite Bauhaus, and their fundamental suitability was confirmed by applying them to existing industrial software systems.
- Conference paper: MEMICS - memory interval constraint solving of (concurrent) machine code (Automotive - Safety & Security 2012, 2012). Nowotka, Dirk; Traub, Johannes. Runtime errors occurring sporadically in automotive control units are often hard to detect. A common reason for such errors are critical race conditions. The introduction of multicore hardware enables software to be run in parallel, and hence, drastically increases the vulnerability to such errors. Race conditions are difficult to discover by testing or monitoring, only. Hence, a static analysis of code is required to effectively reduce the occurrence of such errors. In this paper we introduce a new Bounded Model Checking tool, which in its core is an Interval Constraint Solver, operating on a machine code based model and is able to handle memory instructions directly. As control units are usually running on task-based operating systems like AUTOSAR or OSEK, our tool features a task model, which is able to handle sequential and concurrent task scheduling.
- Conference paper: ISO 26262 - Tool chain analysis reduces tool qualification costs (Automotive - Safety & Security 2012, 2012). Slotosch, Oscar; Wildmoser, Martin; Philipps, Jan; Jeschull, Reinhard; Zalman, Rafael. Software tools in safety related projects are indispensable, but also introduce risks. A tool error may lead to the injection or non-detection of a fault in the product. For this reason the safety norm for road vehicles, ISO 26262, requires determination of a tool confidence level for each software tool. In this paper we present a model-based approach to represent a tool chain, its potential errors and the counter-measures for these. In this model tools are not only error sources, but can also act as error sinks for other tools by providing appropriate checks and restrictions. The tool work flow in a project can be rearranged or extended to make the integrated tool chain safer than its parts and to reduce tool qualification costs greatly. The tool chain model not only identifies the critical tools, but also exposes very specific qualification requirements for these. The paper illustrates and augments this approach with experiences and results from an application to a real industrial automotive tool chain consisting of 37 tools.
- Conference paper: Evolution of functional safety & security in AUTOSAR (Automotive - Safety & Security 2012, 2012). Schmerler, Stefan. AUTOSAR (AUTomotive Open System Architecture) is an open, international standard for the software architecture of automotive ECUs, which is commonly developed in an international consortium of several OEMs, tier1s, and software tool providers. Today, numerous series vehicles with AUTOSAR technology inside are on the road. Within the AUTOSAR standard, several concepts and mechanisms to support safety & security were developed and included in the design of the AUTOSAR software architecture and in the corresponding functionality of the AUTOSAR basic software modules. Starting with its release 4.0 published in December 2009, AUTOSAR included enhancements with respect to safety-related applications in the automotive domain. The safety-related functionality of AUTOSAR and the functional safety standard ISO 26262 have been developed in parallel with mutual stimulation. In relation to the described activities, an overview of the available safety & security functionality is shown and a brief description of the following concepts and specified mechanisms is provided: built-in self-test mechanisms for detecting hardware faults (testing and monitoring); run-time mechanisms for detecting software execution faults, e.g. program flow monitoring; run-time mechanisms for preventing interference between software elements, e.g. memory partitioning for software components and time partitioning for software applications; run-time mechanisms for protecting communication, e.g. end-to-end (E2E) communication protection; run-time mechanisms for error handling; crypto service manager; crypto abstraction library. Based on market needs, AUTOSAR plans to enhance the existing safety & security mechanisms and to support new methods and features in the future. An overview of the planned concepts and a brief description of the following extensions is provided: integrated end-to-end protection; hardware test manager for tests at runtime; guide for the utilization of crypto services. In addition to the described concepts in the field of software architecture, AUTOSAR also plans to introduce several process and methodology improvements, which support the development processes with respect to safety & security aspects. The major ideas of the new concepts are discussed and a brief description of the following improvements is provided: traceability within the AUTOSAR specification documents; safety-related extensions for the AUTOSAR methodology and templates; signal qualifier concept.
- Conference paper: Automotive safety and security from a supplier's perspective (Automotive - Safety & Security 2012, 2012). Klauda, Matthias. Developing and producing safe (in the sense of "safe") systems in automobiles has been established state of the art for decades. Recently, a new standard, ISO 26262, was developed to implement a consolidated approach to functional safety in road vehicles. This standard takes particular account of the growing challenges of ever more complex systems and new technologies. However, parts of ISO 26262 are deliberately formulated in an open or visionary manner, so that in many cases a uniform interpretation within the automotive industry is indispensable for a sensible implementation. With the increasing networking of vehicles, both within the vehicle and with the environment (car-2-X communication), the automobile offers ever more points of attack for external attacks, so that the topic of automotive security is gaining importance. On the one hand there are synergies between safety and security, both in the development processes and in the technical implementation; on the other hand there are also competing aspects. This makes close cooperation between these two domains necessary in order to realize possible synergies and to be able to manage the competing aspects. Furthermore, it seems sensible to create a common industry understanding in the area of security and thereby, in the interest of customer safety, to establish proven methods and concepts uniformly across the industry.
- Conference paper: ISO 26262 - Quo vadis? (Automotive - Safety & Security 2012, 2012). Kriso, Stefan. ISO 26262 has been published and thus, on the one hand, contributes to the state of the art in the development of safe electrical/electronic systems in automobiles. On the other hand, some requirements of ISO 26262 are formulated in a visionary manner, so that it is not possible to have implemented the standard at the time of its publication; instead, an introduction period is necessary. During this time the industry is called upon to find practicable and implementable interpretations of ISO 26262 that come as close as possible to the intention of the standard and do not endanger product safety. The article gives examples and possible solutions for this.
- Edited book