Do 178c Esc San Jose 2010
-
Upload
david-beberman -
Category
Documents
-
view
118 -
download
4
description
Transcript of Do 178c Esc San Jose 2010
aicas technology brief
DO-178C and DO-278ANew Safety Standards for
Avionics Software
Dr. James J. Hunt CEO, aicas incorporated
ESC San Jose 2010
2DO-178C and DO-278A
SC-205/WG-71Lead by RTCA and EUROCAEUpdate software standards for aviation
DO-178B/ED-12B: flight software regulationsDO-248B/ED-94B: flight software addendumDO-278/ED-109: ground support software
Open to all interested partiesOrganized in seven subgroups
3DO-178C and DO-278A
SC-205 / WG-71 SubgroupsSG-1: Document IntegrationSG-2: Issues and RationaleSG-3: Tool QualificationSG-4: Model Bases Design and VerificationSG-5: Object-Oriented TechnologySG-6: Formal MethodsSG-7: Safety and CNS Related Considerations(communication, navigation, surveillance)
4DO-178C and DO-278A
SG-3: Tool QualificationProvides guidance for tools used to develop and verify avionic software such as
UML code generatorModel checkerFormal analysis toolTest automation toolEmulator
Covers full tool life cycle
5DO-178C and DO-278A
Tool Qualification CategoriesDO-178B/ED-12B ToolCategory & Definition
DO-178C / ED-12C ToolQualification Criteria & Definition
Development tools: tools whose output is part of airborne software and thus can introduce errors.
Criteria 1: tool whose output is part of the resulting software and could insert errors.
Verification tools: Tools that cannot introduce errors, but may fail to detect them.
Criteria 2: A tool that automates the verification process and thus could fail to detect an error, and whose output is used to justify the elimination or reduction of● verification process not automated by tool or● development process which could impact the resulting software.Criteria 3: A tool that, within the scope of its intended use, could fail to detect an error.
6DO-178C and DO-278A
Tool Qualification Levels
SoftwareLevel
Criteria
1 2 3
A TQL-1 TQL-4 TQL-5
B TQL-2 TQL-4 TQL-5
C TQL-3 TQL-5 TQL-5
D TQL-4 TQL-5 TQL-5
7DO-178C and DO-278A
Equivalence
DO-178B/ED-12B Tool Qualification
Type
DO-178B/ED-12B Tool Software Level
DO-178C/ED-12CTool Qualification Level
Development A 1
Development B 2
Development C 3
Development D 4
Verification All 4 or 5
8DO-178C and DO-278A
Tool Reuse
9DO-178C and DO-278A
SG-4: Model Based DevelopmentDescribes how models can be used
RequirementsSystemHigh levelLow level
Architectural descriptionRelated processes such as model transformation and code generationStill a work in progress
10DO-178C and DO-278A
SG-5: Object-Oriented Technology
Provide a supplement to DO-178C for OOTSupplement Organization
Chapter 1: non normative backgroundChapters 2–11: additions to related to coreChapter 12: safety issues beyond core
Goes beyond pure object-oriented language features (advanced language features)Both new objectives and clarification of existing objective for OOT
11DO-178C and DO-278A
Basic Concepts
Classes and ObjectMethod DispatchHierarchic EncapsulationPolymorphismFunction Passing and ClosuresTypes and Safety
12DO-178C and DO-278A
Classes and ObjectsBasis of object-oriented technologyCombination of data (fields or attributes) and subprograms (methods or operations)Can be used for both design (e.g., UML) and implementation (e.g., Java or C++)Basis for inheritance and user defined types
13DO-178C and DO-278A
Method DispatchStatic dispatchDynamic dispatch
Single dispatchMultidispatch
ImplementationsIndexed lookupTable search
14DO-178C and DO-278A
Hierarchic Encapsulationlimiting access to object dataUsing class hierarchy to model problemBased on combination of inheritance, overloading, polymorphism, and type checking
15DO-178C and DO-278A
Polymorphism
Universal polymorphismInclusion polymorphism:inheritance, subtyping, and subclassingParametric polymorphism:generics and templates
Ad hoc polymorphismOverloadingCoercion:some forms of type casting
16DO-178C and DO-278A
Function Passing and ClosuresOriginally from functional programmingClosures needed for method passing
A dynamic method can not be used without a reference to its classA methods class is its closure
Being adopted by the OO community as an alternate to passing special classes
17DO-178C and DO-278A
Types and SafetySubclass, subtype equivalence
Liskov's substitution principleArrays and collections
Method and class specification:design by contact
Preconditions: acceptable input valuesPostconditions: return values, including exceptions and errors, and side effectsInvariants
18DO-178C and DO-278A
Liskov and RequirementsA subclass must fulfill the requirements of all its superclasses.Each method in the subclass that is also declared in a superclass should have
preconditions that are the same or weaker than the method in the superclass,postconditions that are the same or stronger than the method in the superclass, andInvariants that are not weaker.
19DO-178C and DO-278A
Key Features
Inheritance and redefinitionParametric PolymorphismType conversionOverloadingExceptions and exception handlingVirtualization TechniquesDynamic memory management
20DO-178C and DO-278A
Inheritance and Redefinition
Interface vs. ImplementationSingle vs. MultipleVulnerabilities
Nondeterministic dispatch timeSemantic dissonanceImplementation dissonance
ObjectivesEnsure local type consistencyInclude full class model in design
21DO-178C and DO-278A
Local Type Safety
Subclasses are SubtypesSubclasses fulfill requirements of superclassesThink Liskov Substitution PrincipleUse delegation instead of inheritance for reuse
LocalWhere substitution can occurDeclared type vs. Actual type
Alternative: Exhaustive Testing
22DO-178C and DO-278A
Parametric PolymorphismEnables reuse without subtypingVulnerabilities
Substitution mismatchUnverified code
ObjectivesEnsure semantic consistencyEnsure all code is covered
23DO-178C and DO-278A
Type ConversionView change vs. Representation changeVulnerabilities
Data lossData corruption or exception
ObjectivesEnsure that type conversions are safe
24DO-178C and DO-278A
OverloadingCan aid in program understandingVulnerabilities
unintended behavior when combined with automatic type conversionNaming dissonance
GuidanceAddress in coding standards
25DO-178C and DO-278A
Exceptions and Exception Handling
Helps with program clarity by separating exceptional behavior from normal behaviorVulnerabilityfailure resulting from uncaught or improperly handled exceptionObjectiveensure that all exceptions that can be thrown are caught and properly handled,i.e., test coverage includes exceptional as well as normal control paths
26DO-178C and DO-278A
Virtualization Techniques
Vulnerabilityinterpreted code is not adequately validated because it was treated as data, not codeObjectiveCertify system in layers
Certify interpreter where its input is treated as dataCertify interpreted program as code where interpreter is treated as execution platform
Applies to any data that is interpreted
27DO-178C and DO-278A
Dynamic Memory Vulnerabilities1.Ambiguous references2.Fragmentation starvation3.Deallocation starvation4.Premature deallocation5.Indeterministic allocation or deallocation6.Lost update or stale reference7.Heap memory exhaustion
28DO-178C and DO-278A
Dynamic Memory Safety Objectives
1.Timely Deallocation2.Fragmentation Avoidance3.Unique Allocation4.Reference Consistency5.Deterministic Execution6.Atomic Move7.Sufficient Memory
29DO-178C and DO-278A
Memory Management Techniques
Technique
Objectives
Unambiguous Reference
Fragment.Avoidance
TimelyDeallocation
Reference Consistency
Determinisitc Deallocation
Atomic Move
Sufficient Memory
Object Pooling AC AC AC AC MMI N/A AC
Stack Allocation AC MMI MMI AC MMI N/A AC
Scope Allocation MMI MMI MMI AC MMI N/A AC
Manual Heap Allocation
AC ? AC AC MMI N/A AC
Garbage Collection MMI MMI MMI MMI MMI MMI ACAC = application code, MMI = memory management infrastructure, N/A = not applicable, and ? = difficult to ensure by either AC or MMI.
30DO-178C and DO-278A
Certifying a Garbage CollectorNot possible for all collector
Must be deterministic; no unbound stepsMust assume maximum memory useMust consider allocation rate
Three types of realtime collectorsPaced GCSlack GCWork-based GC
31DO-178C and DO-278A
Classical Garbage Collection GC can interrupt execution for long periods of time:
Problemlong, unpredictable pauses during execution
32DO-178C and DO-278A
RTSJ with Classic Garbage Collection
No heap threads can interrupt garbage collector:
The application must be split into a realtime and a nonrealtime part.
33DO-178C and DO-278A
Realtime Garbage CollectionPaced garbage collector
Run GC at a high priorityRuns at given interval, for given amount of timeProgrammer must provide both maximum memory use and maximum allocation rate
Slack garbage collectorRun GC at lower priority than realtime tasksRuns when processor cycles are availableProgrammer must provide both maximum memory use and
maximum allocation rate
34DO-178C and DO-278A
Realtime Garbage CollectionWork based garbage collector
No GC threadGC borrows application threadNeed only determine maximum memory useNo read barriers neededLow latency
35DO-178C and DO-278A
Work-Based Garbage CollectorAll Java Threads are realtime threads
GC work is performed at allocation timeGC work must be sufficient to recycle enough memory before free memory is exhaustedExecution time of all allocations must be bound
36DO-178C and DO-278A
OO Languages for AviationAda
OO extensionsMultiple inheritanceHeap, stack, and static allocation
C++C with objectsPointer arithmeticHeap and static
Realtime JavaJava plus RTSJRealtime GCStatic compilation
Safety Critical JavaMinimal subsetImmortal and Scoped MemoryNo interpreter or JIT
37DO-178C and DO-278A
AdaComplex object model
Multiple implementation inheritanceStatic and dynamic dispatch specified per call
Memory ManagementNo pointer arithmeticUnsafe deallocation
Good threading modelGood tooling, but not for OOT
38DO-178C and DO-278A
C++Some what simpler object model
Multiple inheritanceStatic and dynamic dispatch by definition
Memory ManagementPointer arithmeticUnsafe deallocation
No threading modelPreprocessor makes tools fragile
39DO-178C and DO-278A
Realtime Java TechnologyAdvantages
Strong typingType refinementReference safety(garbage collection)Standard libraryAnalyzabilityFormal Specification Language
IssuesPerformanceFootprintSchedulingPriority inversionClocks & timersHardware accessGC delays
40DO-178C and DO-278A
Certification Issues
Class initializationDynamic dispatchGarbage collectionUnchecked exceptionsDynamic class loadingJust in time compilationReflectionAsynchronous transfer of control
41DO-178C and DO-278A
Comparison of Languages
Development Time o o ✔ ✔ ✔Library Capabilities o o ✔ ✔ ✔
Dependability o ✔ ✔ ✔ o o ✔ ✔ ✔ o o ✔ ✔ ✔
Platform Independence o o o ✔ ✔Code Size ✔ o o o
Hard Realtime Response ✔ o ✔ ✔ ✔ o o ✔
ExtendabilityReusability
Safety
C C++ Ada .net /
C#
Java
Realtim
e Java
42DO-178C and DO-278A
Advantage of Java over C and C++
Clean syntax and semantics w/o preprocessor➔ wide ranging and better tool support
Better support for separating of subtyping and reuse via limited inheritance and interfacesNo explicit pointer manipulationPointer safe deallocationSingle dispatch styleStrong, extendible type systemWith RTSJ, well defined tasking model
43DO-178C and DO-278A
SG-6: Formal Methods
analysis of software (and hardware) using rigorous mathematical methods such as calculi, logic, automata, or graph theoryAlternate means of verifying avionics software
Reduce but not eliminate testingIncrease safety
Provides guidelines for using formal methods
44DO-178C and DO-278A
Strengths and Weaknesses of Testing
StrengthsWell understoodMostly language independentIncludes execution environment
WeaknessesHard to cover all execution pathsHard to cover all possible parallel pathsInternal states are not visible
45DO-178C and DO-278A
Why Formal Methods?Errors can not be tolerated in safety critical applications.Security is not possible without safety.System complexity is increasing dramatically.Increasingly critical decisions are being made automatically in software.Testing is not sound.
46DO-178C and DO-278A
Dynamic AnalysisTestingProfiling & Monitoring
Path TracingCall tracingTime tracingBounds tracing
SimulationInstrumentation
Race detectionAssertion checkingAliasing detectionMemory analysisInvariant inference
Coverage must be determined in all cases!
47DO-178C and DO-278A
Static Analysis (Formal)Type AnalysisControl Flow AnalysisData Flow AnalysisAbstract InterpretationSymbolic ExecutionModel CheckingDeductive verification
48DO-178C and DO-278A
Comparison of Analysis Techniques
Static analysisAbstract domain: slow but exhaustiveConservative:due to abstractionSound:due to conservatism
Dynamic analysisConcrete execution: fast but exemplary Precise:no approximationUnsound:does not generalize
Not all static analysis techniques are formal
49DO-178C and DO-278A
Type CheckingMost common formal methodAttributes used to ensure consistency
Ensure that a given variable or field is always used as intendedLimits what can be assigned to a given variable or field
Base type can be augmented with refinement typesChecking can be done modularly
50DO-178C and DO-278A
Examples of Type CheckingUnit consistency@unit("meters") int a = 4;@unit("feet") int b;b = a; /* Assignment Error */Null pointer detectionInvariance checkingTool examples
Most modern compilersJavaCop
51DO-178C and DO-278A
Data Flow AnalysisExtension of control flow analysisData values are propagated as wellFixed point algorithmNecessary extension for OO Languages
Method dispatch is data dependentMore precise than considering all possible subclasses at each call point
52DO-178C and DO-278A
Uses of Data Flow AnalysisWorst case execution time analysisMemory use (stack, heap, etc.)Coverage and reachabilityException checkingShared object detection (race conditions)Synchronization (deadlocks)
53DO-178C and DO-278A
Detecting Runtime Errors
...if (device instanceof MyDevice){ MySensor s = (MySensor) device.sensor;
int value = s.reading();
...}...
54DO-178C and DO-278A
NullPointerException
Detecting Runtime Errors
...if (device instanceof MyDevice){ MySensor s = (MySensor) device.sensor;
int value = s.reading();
...}...
55DO-178C and DO-278A
NullPointerException
ClassCastException
Detecting Runtime Errors
...if (device instanceof MyDevice){ MySensor s = (MySensor) device.sensor;
int value = s.reading();
...}...
56DO-178C and DO-278A
NullPointerException
NullPointerException
ClassCastException
Detecting Runtime Errors
...if (device instanceof MyDevice){ MySensor s = (MySensor) device.sensor;
int value = s.reading();
...}...
57DO-178C and DO-278A
NullPointerException
NullPointerException
ClassCastException
device != null
Detecting Runtime Errors
...if (device instanceof MyDevice){ MySensor s = (MySensor) device.sensor;
int value = s.reading();
...}...
58DO-178C and DO-278A
NullPointerException
NullPointerException
ClassCastException
device != null
Detecting Runtime Errors
...if (device instanceof MyDevice){ MySensor s = (MySensor) device.sensor;
int value = s.reading();
...}...
59DO-178C and DO-278A
...if (device instanceof MyDevice){ MySensor s = (MySensor) device.sensor;
int value = s.reading();
...}...
NullPointerException ✔
NullPointerException
ClassCastException
device != null
Detecting Runtime Errors
60DO-178C and DO-278A
NullPointerException ✔
NullPointerException
ClassCastException
Detecting Runtime Errors
...if (device instanceof MyDevice){ MySensor s = (MySensor) device.sensor;
int value = s.reading();
...}...
61DO-178C and DO-278A
NullPointerException ✔
NullPointerException
ClassCastException values(MyDevice.sensor) contains only MySensor
Detecting Runtime Errors
...if (device instanceof MyDevice){ MySensor s = (MySensor) device.sensor;
int value = s.reading();
...}...
62DO-178C and DO-278A
NullPointerException ✔
NullPointerException
ClassCastException values(MyDevice.sensor) contains only MySensor
Detecting Runtime Errors
...if (device instanceof MyDevice){ MySensor s = (MySensor) device.sensor;
int value = s.reading();
...}...
63DO-178C and DO-278A
NullPointerException ✔
NullPointerException
ClassCastException ✔ values(MyDevice.sensor) contains only MySensor
Detecting Runtime Errors
...if (device instanceof MyDevice){ MySensor s = (MySensor) device.sensor;
int value = s.reading();
...}...
64DO-178C and DO-278A
NullPointerException ✔
NullPointerException
ClassCastException ✔
Detecting Runtime Errors
...if (device instanceof MyDevice){ MySensor s = (MySensor) device.sensor;
int value = s.reading();
...}...
65DO-178C and DO-278A
NullPointerException ✔
NullPointerException
ClassCastException ✔null ∉ values(MyDevice.sensor)
Detecting Runtime Errors
...if (device instanceof MyDevice){ MySensor s = (MySensor) device.sensor;
int value = s.reading();
...}...
66DO-178C and DO-278A
NullPointerException ✔
NullPointerException
ClassCastException ✔null ∉ values(MyDevice.sensor)
Detecting Runtime Errors
...if (device instanceof MyDevice){ MySensor s = (MySensor) device.sensor;
int value = s.reading();
...}...
67DO-178C and DO-278A
NullPointerException ✔
NullPointerException ✔
ClassCastException ✔null ∉ values(MyDevice.sensor)
Detecting Runtime Errors
...if (device instanceof MyDevice){ MySensor s = (MySensor) device.sensor;
int value = s.reading();
...}...
68DO-178C and DO-278A
NullPointerException ✔
NullPointerException ✔
ClassCastException ✔
Detecting Runtime Errors
...if (device instanceof MyDevice){ MySensor s = (MySensor) device.sensor;
int value = s.reading();
...}...
69DO-178C and DO-278A
Abstract InterpretationA theory of sound approximation of the semantics of a programConcrete state and operations mapped to abstract state and operationsBased on monotonic functions over ordered sets, especially latticesCan be viewed as a partial execution of a program to gain semantic information without performing all calculations
70DO-178C and DO-278A
Uses of Abstract InterpretationLivelinessRace conditionsSimultaneous accessToolsAcademic
ASTRÉE (CNRS)Airac (SNU)
CommercialCodeHawk (KT)PAG (AbsInt)PolySpace
71DO-178C and DO-278A
Symbolic ExecutionAlso known as Symbolic SimulationConsiders all possible execution pathsMany possible executions of a system are considered simultaneouslyModels concrete semantics of all primitive operations (calculus)Set of values instead of concrete valueBase for other techniques
72DO-178C and DO-278A
Model Checking
A variant of abstract interpretationAbstraction is a finite state machineSome aspect of program is modeled as states and transitions in state machineBoth simulation and reachability analysis can be performed on state machineError states are used to detect faults
73DO-178C and DO-278A
Examples of Model CheckingModel consistency (e.g., UML models)Checking parallel executionSome runtime errors (entry into a state)Numerous toolsModel level
SPINPROSPERUppaal
Java code levelJava Pathfinder
74DO-178C and DO-278A
Deductive VerificationUses formal specification language
PreconditionsPostconditionsinvariants
Checks program code against specificationBased on theorem proving, Hoare Logic, and Liskov Substitution Principle
75DO-178C and DO-278A
Formal Specification LanguagesZ notation (Specification)B method (Refinement)Object Constraint Language (OCL)Java Modeling Language (JML)
76DO-178C and DO-278A
Examples of Deductive Verification
Proving that a given Java method respects its post conditions given it preconditionsShowing that invariants are respectedNumerous Tools for Java (JML)
ESC/Java2 (Simplify)JACK (B-Method, Simplify, PVS, Coq)KeY (Dynamic Logic) (OCL & JML)
77DO-178C and DO-278A
Which Methods to use?Depends on what is to be checked and when in the development processEach tools has its strength and weaknesses and point of applicationA combination of tools works bestChoice of programming language has an impact, e.g., Java is easier to analyze than C and C++.
78DO-178C and DO-278A
ConclusionSupports a stronger role for tools.May support the use of modeling tools.DO-178C will provide more consistent treatment of OO and other nonprocedural languages.Concrete guidance for dynamics memory management and interpretation.Encourages using formal methods to improve safety.Allows using formal methods to reduce testing.
79DO-178C and DO-278A
Contact Information
aicas GmbH
Haid-und-Neu-Straße 18
D-76139 Karlsruhe
+49 721 663 968 22
aicas incorporated
69 West Rock Ave.
New Haven, CT 06515 [email protected]
+1-203-676-9807 [email protected]