Virtuelle Absicherung von Steuergeräte-Software mit hardwareabhängigen Komponenten

Deicke, Markus

02 February 2018

Der stetig steigende Funktionsumfang im Automobil und die zunehmende Vernetzung von Steuergeräten erfordern neue Methoden zur Beherrschung der Komplexität in der Validierung und Verifikation. Die virtuelle Absicherung ermöglicht die Integration der Software in einem PC-System, unabhängig von der Ziel-Hardware, zur frühzeitigen Gewährleistung der Softwarequalität im Entwicklungsprozess. Ebenso kann die Wiederverwendbarkeit vorhandener Komponenten in zukünftigen Mikrocontrollern sichergestellt werden. Die Grundlage dafür liefert der AUTOSAR-Standard durch einheitliche Schnittstellenbeschreibungen, welche die Abstraktion von Hardware und Software ermöglichen. Allerdings enthält der Standard hardwareabhängige Software-Komponenten, die als Complex-Device-Drivers (CDDs) bezeichnet werden. Aufgrund ihrer Hardwareabhängigkeit sind CDDs nicht direkt in eine virtuelle Absicherungsplattform integrierbar, da die spezifischen Hardware-Module nicht verfügbar sind. Die Treiber sind dennoch Teil der Steuergeräte-Software und somit bei einem ganzheitlichen Absicherungsansatz mit zu betrachten. Diese Dissertation beschreibt sieben unterschiedliche Konzepte zur Berücksichtigung von CDDs in der virtuellen Absicherung. Aus der Evaluierung der Praxistauglichkeit aller Ansätze wird eine Auswahlmethodik für die optimale Lösung bei sämtlichen Anwendungsfällen von CDDs in der Steuergeräte-Software entwickelt. Daraus abgeleitet, eignen sich zwei der Konzepte für die häufigsten Anwendungsfälle, die im Weiteren detailliert beschrieben und realisiert werden. Das erste Konzept erlaubt die vollständige Simulation eines CDD. Dies ist notwendig, um die Integration der Funktions-Software selbst ohne den Treiber zu ermöglichen und alle Schnittstellen abzusichern, auch wenn der CDD noch nicht verfügbar ist. Durch eine vollständige Automatisierung ist die Erstellung der Simulation nur mit geringem Arbeitsaufwand verbunden. Das zweite Konzept ermöglicht die vollständige Integration eines CDD, wobei die Hardware-Schnittstellen über einen zusätzlichen Hardware-Abstraction-Layer an die verfügbare Hardware des Systems zur virtuellen Absicherung angebunden werden. So ist der Treiber in der Lage, reale Hardware-Komponenten anzusteuern und kann funktional abgesichert werden. Eine flexible Konfiguration der Abstraktionsschicht erlaubt den Einsatz für eine große Bandbreite von CDDs. Im Rahmen der Arbeit werden beide Konzepte anhand von industrierelevanten Projekten aus der Serienentwicklung erprobt und detailliert evaluiert. / The constantly increasing amount of functions in modern automobiles and the growing degree of cross-linking between electronic control units (ECU) require new methods to master the complexity in the validation and verification process. The virtual validation and verification enables the integration of the software on a PC system, which is independent from the target hardware, to guarantee the required software quality in the early development stages. Furthermore, the software reuse in future microcontrollers can be verified. All this is enabled by the AUTOSAR standard which provides consistent interface descriptions to allow the abstraction of hardware and software. However, the standard contains hardware-dependent components, called complex device drivers (CDD). Those CDDs cannot be directly integrated into a platform for virtual verification, because they require a specific hardware which is not generally available on such a platform. Regardless, CDDs are an essential part of the ECU software and therefore need to be considered in an holistic approach for validation and verification. This thesis describes seven different concepts to include CDDs in the virtual verification process. A method to always choose the optimal solution for all use cases of CDDs in ECU software is developed using an evaluation of the suitably for daily use of all concepts. As a result from this method, the two concepts suited for the most frequent use cases are detailed and developed as prototypes in this thesis. The first concept enables the full simulation of a CDD. This is necessary to allow the integration of the functional software itself without the driver. This way all interfaces can be tested even if the CDD is not available. The complete automation of the generation of the simulation makes the process very efficient. With the second concept a CDD can be entirely integrated into a platform for virtual verification, using an hardware abstraction layer to connect the hardware interfaces to the available hardware of the platform. This way, the driver is able to control real hardware components and can be tested completely. A flexible configuration of the abstraction layer allows the application of the concept for a wide variety of CDDs. In this thesis both concepts are tested and evaluated using genuine projects from series development.

info:eu-repo/classification/ddc/000

ddc:000

AUTOSAR; Simulation

Feasibility of GNU/Linux as the OS for a PC-based medical product / Feasibility of GNU/ Linux as the operating system for a personal computer -based medical product

Lustbader, Steven B. (Steven Benjamin), 1980-

January 2003

Thesis (M.Eng. and S.B.)--Massachusetts Institute of Technology, Dept. of Electrical Engineering and Computer Science, June 2003. / Includes bibliographical references (leaves 20-21). / This electronic version was submitted by the student author. The certified thesis is available in the Institute Archives and Special Collections. / Linux has become a viable alternative to Windows in recent years. This investigation looks at the feasibility of porting the software for a PC-based medical device to Linux. Using an open-source operating system frees developers from the constraints imposed by relying on a single company for the development platform. Several porting methods are considered. The port method chosen allows development on the Windows version to continue while simultaneously testing on Linux, without creating separate versions of the software. Differences in the way the software interacts with the operating system and with the hardware have to be addressed. A Linux environment was created in which to run the software and determine how to reconcile these differences. No major hurdles to using Linux exist, so it appears to be a viable platform on which to conduct future development. / by Steven B. Lustbader. / M.Eng.and S.B.

R (Computer program language)

Linux device drivers (Computer programs)

A lightweight intrusion detection system for the cluster environment

Liu, Zhen.

January 2003

Thesis (M.S.)--Mississippi State University. Department of Computer Science and Engineering. / Title from title screen. Includes bibliographical references.

Improving Device Driver Reliability through Decoupled Dynamic Binary Analyses

Ruwase, Olatunji O.

01 May 2013

Device drivers are Operating Systems (OS) extensions that enable the use of I/O devices in computing systems. However, studies have identified drivers as an Achilles’ heel of system reliability, their high fault rate accounting for a significant portion of system failures. Consequently, significant effort has been directed towards improving system robustness by protecting system components (e.g., OS kernel, I/O devices, etc.) from the harmful effects of driver faults. In contrast to prior techniques which focused on preventing unsafe driver interactions (e.g., with the OS kernel), my thesis is that checking a driver’s execution for correctness violations results in the detection and mitigation of more faults. To validate this thesis, I present Guardrail, a flexible and powerful framework that enables instruction-grained dynamic analysis (e.g., data race detection) of unmodified kernel-mode driver binaries to safeguard I/O operations and devices from driver faults. Guardrail decouples the analysis tool from driver execution to improve performance, and runs it in user-space to simplify the deployment of new tools. Moreover, Guardrail leverages virtualization to be transparent to both the driver and device, and enable support for arbitrary driver/device combinations. To demonstrate Guardrail’s generality, I implemented three novel dynamic checking tools within the framework for detecting memory faults, data races and DMA faults in drivers. These tools found 25 serious bugs, including previously unknown bugs, in Linux storage and network drivers. Some of the bugs existed in several Linux (and driver) releases, suggesting their elusiveness to existing approaches. Guardrail easily detected these bugs using common driver workloads. Finally, I present an evaluation of using Guardrail to protect network and storage I/O operations from memory faults, data races and DMA faults in drivers. The results show that with hardware-assisted logging for decoupling the heavyweight analyses from driver execution, standard I/O workloads generally experienced negligible slowdown on their end-to-end performance. In conclusion, Guardrail’s high fidelity fault detection and efficient monitoring performance makes it a promising approach for improving the resilience of computing systems to the wide variety of driver faults.

Device Drivers

I/O

Operating Systems

Virtualization

Dynamic Analysis

Reliability

Computer Architecture

Computer Sciences

Linux device drivers /

Rubini, Alessandro.

January 1900

Includes index. / Also issued online.

Device profiling analysis in Device-Aware Network /

Tsai, Shang-Yuan.

January 2004

Thesis (M.S. in Systems Engineering)--Naval Postgraduate School, December 2004. / Thesis advisor(s): Singh Gurminder, John Gibson. Includes bibliographical references (p. 65-66). Also available online.

Determining the Integrity of Applications and Operating Systems using Remote and Local Attesters

January 2011

abstract: This research describes software based remote attestation schemes for obtaining the integrity of an executing user application and the Operating System (OS) text section of an untrusted client platform. A trusted external entity issues a challenge to the client platform. The challenge is executable code which the client must execute, and the code generates results which are sent to the external entity. These results provide the external entity an assurance as to whether the client application and the OS are in pristine condition. This work also presents a technique where it can be verified that the application which was attested, did not get replaced by a different application after completion of the attestation. The implementation of these three techniques was achieved entirely in software and is backward compatible with legacy machines on the Intel x86 architecture. This research also presents two approaches to incorporating software based "root of trust" using Virtual Machine Monitors (VMMs). The first approach determines the integrity of an executing Guest OS from the Host OS using Linux Kernel-based Virtual Machine (KVM) and qemu emulation software. The second approach implements a small VMM called MIvmm that can be utilized as a trusted codebase to build security applications such as those implemented in this research. MIvmm was conceptualized and implemented without using any existing codebase; its minimal size allows it to be trustworthy. Both the VMM approaches leverage processor support for virtualization in the Intel x86 architecture. / Dissertation/Thesis / Ph.D. Computer Science 2011

Computer Science

Integrity measurement

linux device drivers

Remote attestation

virtual machine monitors

Aquarius Uma plataforma para desenvolvimento de sistemas digitais dinamicamente reconfiguráveis

Leandro Seixas, Jordana

January 2007

Made available in DSpace on 2014-06-12T15:59:50Z (GMT). No. of bitstreams: 2 arquivo5650_1.pdf: 2595763 bytes, checksum: 42fc72bb1ec45c1ac0cfbbcdfa706d6d (MD5) license.txt: 1748 bytes, checksum: 8a4605be74aa9ea9d79846c1fba20a33 (MD5) Previous issue date: 2007 / Conselho Nacional de Desenvolvimento Científico e Tecnológico / Há um grande interesse por parte dos pesquisadores em relação às características de autoreconfiguração e auto-adaptação presentes em plataformas modernas de hardware baseadas em dispositivos lógicos dinamicamente reconfiguráveis FPGAs (Field Programmable Gate Arrays). Alguns destes dispositivos apresentam características ainda mais específicas, permitindo sua reconfiguração parcial e dinâmica, o que permite que, parte da lógica, possa ser modificada enquanto o restante do circuito permanece em operação. O objetivo desta dissertação é desenvolver uma Plataforma de Reconfiguração Dinâmica baseada em FPGAs, que permita a execução de aplicações utilizando os métodos de hardware virtual, permitindo modificações nas configurações parciais em hardware, processamento massivo de dados, etc. Esta plataforma é um estudo de caso em reconfiguração dinâmica para implementação real dos trabalhos de pesquisa em Escalonamento de Tarefas e Particionamento Temporal. Esta plataforma híbrida, denominada Aquarius, é composta pelas plataformas Altera e Xilinx, baseadas nos dispositivos FPGAs Stratix-II e Virtex-II, respectivamente. A plataforma Altera oferece todo o suporte para reconfiguração do dispositivo da Xilinx. Esta plataforma é controlada por um processador soft-core Nios da Altera, o qual possui o suporte de um SO uCLinux, além de device drivers especialmente desenvolvidos para reconfiguração do dispositivo da Xilinx. Um módulo de reconfiguração especial, o IP-SelectMAP, foi desenvolvido para programação do hardware dinâmica e parcialmente reconfigurável. Este módulo recebe informações da plataforma da Altera, através dos device drivers, os bitstreams, arquivos responsáveis pela programação do dispositivo da Xilinx. Todos os bitstreams de configuração são previamente escalonados de acordo com a aplicação do usuário. Desenvolver sistemas de reconfiguração dinâmica ainda é um desafio, porque sua implementação é complexa e por haver poucas plataformas de hardware e software para projetá-los. No entanto, metodologias de projeto como as aqui propostas, permitem que novas classes de hardware virtual possam ser, no futuro, mais facilmente utilizados, assim como, soluções reais, em processamento massivo de dados em plataforma Multi-FPGAs

Developing an Automated Explosives Detection Prototype Based on the AS&E 101ZZ System

Arvanitis, Panagiotis Jason

07 October 1997

This thesis describes the development of a multi-sensor, multi-energy x-ray prototype for automated explosives detection. The system is based on the American Science and Engineering model 101ZZ x-ray system. The 101ZZ unit received was an early model and lacked documentation of the many specialized electronic components. X-ray image quality was poor. The system was significantly modified and almost all AS&E system electronics bypassed: the x-ray source controller and conveyor belt motor were made computer controllable; the x-ray detectors were re-positioned to provide forward scatter detection capabilities; new hardware was developed to interface to the AS&E pre-amplifier boards, to collect image data from all three x-ray detectors, and to transfer the data to a personal computer. This hardware, the Differential Pair Interface Board (DPIB), is based on a Field Programmable Gate Array (FPGA) and can be dynamically re-configured to serve as a general purpose data collection device in a variety of applications. Software was also developed for the prototype system. A Windows NT device driver was written for the DPIB and a custom bus master DMA collection device. These drivers are portable and can be used as a basis for the development of other Windows NT drivers. A graphical user interface (GUI) was also developed. The GUI automates the data collection tasks and controls all the prototype system components. It interfaces with the image processing software for explosives detection and displays the results. Suspicious areas are color coded and presented to the operator for further examination. / Master of Science

airport security

re-configurable computing

Field programmable gate arrays

device drivers

Formalization Of Input And Output In Modern Operating Systems: The Hadley Model

Gerber, Matthew

01 January 2005

We present the Hadley model, a formal descriptive model of input and output for modern computer operating systems. Our model is intentionally inspired by the Open Systems Interconnection model of networking; I/O as a process is defined as a set of translations between a set of computer-sensible forms, or layers, of information. To illustrate an initial application domain, we discuss the utility of the Hadley model and a potential associated I/O system as a tool for digital forensic investigators. To illustrate practical uses of the Hadley model we present the Hadley Specification Language, an essentially functional language designed to allow the translations that comprise I/O to be written in a concise format allowing for relatively easy verifiability. To further illustrate the utility of the language we present a read/write Microsoft DOS FAT12 and read-only Linux ext2 file system specification written in the new format. We prove the correctness of the read-only side of these descriptions. We present test results from operation of our HSL-driven system both in user mode on stored disk images and as part of a Linux kernel module allowing file systems to be read. We conclude by discussing future directions for the research.

hadley system

operating systems

software verification

software reliability

device drivers

digital investigation

Computer Sciences

Engineering