seminar_software_evaluation.ppt

Software Evaluation (软件安全评估, software safety evaluation)
Presented by: Frank Song (宋青红)
E-mail:
Tel:

Why evaluate software?

Products are becoming more intelligent and multifunctional. A great many of them contain a microcontroller and implement their functions in software, and quite a few also use software for safety protection: stall protection for variable-frequency motors, obstacle protection for garage roller doors, over-temperature protection in induction cookers, the door-switch safety interlock of a microwave oven, and so on. (Not every product that contains software has to be evaluated; only software that performs a safety-protective function does.) In such products the reliability of the software is decisive for the safety of the product, so evaluation of the software becomes mandatory.

Classification of safety-protective software

IEC system: IEC/EN 60730-1 Annex H
- Class B: software-controlled functions that prevent unsafe operation of the controlled equipment, e.g. thermal protection and washing-machine door locks. ("Control functions intended to prevent unsafe operation of the controlled equipment. Examples of controls which may include Class B functions are: thermal cut-outs and door locks for laundry equipment.")
- Class C: software-controlled functions that prevent special hazards (e.g. explosion of the controlled equipment), such as automatic burner controls and closed (unvented) water heaters. ("Control functions which are intended to prevent special hazards (e.g., explosion of the controlled equipment). Examples of controls which may include Class C functions are: automatic burner controls and thermal cut-outs for closed water heater systems (unvented).")

UL system: UL 1998
- Class 1 is equivalent to IEC Class B.
- Class 2 is equivalent to IEC Class C.

Software and hardware

A safety function implemented in software necessarily depends on hardware. It is like a person: however capable the brain, without sense organs and limbs it can do nothing. Think of the software as the nervous system and the hardware as the body; a software error that can affect safety is then like a nervous-system disorder that makes the whole person fail. The purpose of evaluating the software is that, once a problem occurs in the "nervous system", the work still gets done correctly, or the system at least tells someone "Hey, I can't go on, I'm stopping", so that someone else takes over the work or a supervisor is notified and everything is brought to a halt before the consequences become irrecoverable.
Microcontroller hardware (block diagram labels)

- I/O interface; D/A or A/D conversion; interrupt inputs; PWM modulation; system halt or suspend
- Clock input interface (main frequency); internal or external timer interface
- Program instruction address: at power-on it always points to the first location of read-only memory, e.g. 0000000h (depending on the microcontroller's memory size)
- Read-only memory; instruction register; instruction decoder; clock generator; clock oscillator pins (crystal)
- Stack: saves the instruction address before an interrupt or a subroutine call, so that execution can return correctly after the interrupt or subroutine completes
- Interrupt circuit; data memory; memory chip select; central processing unit; timer; watchdog

Basic program execution

For a microcontroller, once power is applied and the system is normal, the address in the PC is 000h. The accumulator reads the content at 000h, which is decoded and executed; then, if there is no jump instruction, execution moves on to 001h, and so on. This is the basic picture of how a program runs.

Hardware components of a microcomputer system (with everyday analogies)

1. Bus: the traffic system / nervous system
2. Data, addresses, instructions: house numbers / work requirements
3. Input/output ports: eyes, ears, mouth, hands
4. Accumulator: the brain
5. Stack: a sticky note
6. Memory: a notebook (temporary / long-term)
7. Interrupt: an urgent order from the boss
8. Clock: the work schedule
9. Program counter: where the next job is

Principles of software evaluation

One principle of software evaluation is that two faults are generally not assumed to occur at the same time. Note that the system must also pass EMC testing, which guarantees that it keeps working correctly under external electromagnetic interference; otherwise, even if it passes the software evaluation, it is still not acceptable for safety, because insufficient immunity can make several parts of the system fail simultaneously.

In general, the evaluation method is to simulate a fault at each of the locations above and check whether the system can detect it and then respond appropriately. If a given fault is detected by two independent means, the detection is taken to be free of error. For example, a motor stall shows up as excessive current, excessive temperature rise and zero speed; if two of these three phenomena can be detected, the detection on the input side is considered free of error.

Kinds of software-system errors and their causes:

1. Software logic design and programming errors: the same variable with different definitions, infinite loops, division by zero, the user being able to modify the program rather than only the input data, and so on (these are usually corrected during the customer's self-check).
2. Faults in the hardware on which the software runs: faults in the microcontroller itself and faults in peripheral components. These can be checked item by item with the table on the next page.

Table H.11.12.7 (part for software of Class B)

Component 1) | Fault/error | Acceptable measures 2) 3) 4) | Definitions, see IEC 60730-1 | Verdict (pass/fail/not applicable)
1. CPU | | | |
1.1 Registers | stuck at | functional test, or | H.2.16.5 |
 | | periodic self-test using either: | H.2.16.6 |
 | | static memory test, or | H.2.19.6 |
 | | word protection with single bit redundancy | H. |
1.3 Programme counter | stuck at | functional test, or | H.2.16.5 |
 | | periodic self-test, or | H.2.16.6 |
 | | independent time-slot monitoring, or | H. |
 | | logical monitoring of the programme sequence | H. |
2. Interrupt handling and execution | no interrupt or too frequent interrupt | functional test; or | H.2.16.5 |
 | | time-slot monitoring | H. |
3. Clock | wrong frequency (for quartz synchronized clock: harmonics/subharmonics only) | frequency monitoring, or | H. |
 | | time slot monitoring | H. |
4. Memory | | | |
4.1 Invariable memory | all single bit faults | periodic modified checksum; or | H. |
 | | multiple checksum, or | H. |
 | | word protection with single bit redundancy | H. |
4.2 Variable memory | DC fault | periodic static memory test, or | H.2.19.6 |
 | | word protection with single bit redundancy | H. |
4.3 Addressing (relevant to variable | stuck at | word protection with single bit parity including the address, or | H. |

"Microcomputers in Safety Techniques." Verlag TÜV Bayern, TÜV Rheinland (ISBN 3-88585-315-9).

Definition of software protection measures (continued)

H.2.18.8 Input comparison: a fault/error control technique by which inputs that are designed to be within specified tolerances are compared.

H.2.18.9 Internal error detecting or correcting: a fault/error control technique in which special circuitry is incorporated to detect or correct errors.

Logical monitoring of the programme sequence (see H.)
Multi-bit bus parity (see H.)

H.2.18.10 Programme sequence
- H. Frequency monitoring: a fault/error control technique in which the clock frequency is compared with an independent fixed frequency. An example is comparison with the line supply frequency.
- H. Logical monitoring of the programme sequence: a fault/error control technique in which the logical execution of the programme sequence is monitored. Examples are the use of counting routines or selected data in the programme itself, or independent monitoring devices.
- H. Time-slot and logical monitoring: a combination of H. and H.
- H. Time-slot monitoring of the programme sequence: a fault/error control technique in which timing devices with an independent time base are periodically triggered in order to monitor the programme function and sequence. An example is a watchdog timer.
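The two programme-sequence measures the table asks for against a stuck-at programme counter, logical monitoring (a counting routine plus a signature) and time-slot monitoring (a watchdog-style window driven by an independent time base), can be shown in a few dozen lines of firmware-style C. The code below is an added example written for this page; it is not from the presentation or from IEC 60730-1, and the step keys, the window of 8 to 12 ticks and the function names are constructed for the illustration. A simulated fault skips one step of the control cycle, the way a jump to a wrong address would.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Keys for the safety-relevant steps of one control cycle (constructed constants). */
#define FLOW_INIT      0xA5C3u
#define FLOW_READ_IN   0x1F2Eu   /* read protective inputs */
#define FLOW_COMPUTE   0x7B4Du   /* evaluate the protection logic */
#define FLOW_DRIVE_OUT 0xC8E1u   /* drive the actuator */
#define FLOW_STEPS 3

static const uint16_t expected_chain[FLOW_STEPS] = { FLOW_READ_IN, FLOW_COMPUTE, FLOW_DRIVE_OUT };

/* Logical monitoring of the programme sequence: counting routine plus signature. */
typedef struct {
    uint16_t signature;  /* order-sensitive fold of the keys seen so far */
    uint8_t  step_count; /* how many steps have checked in */
    bool     fault;      /* a step arrived out of order, twice, or too many times */
} flow_monitor_t;

static void flow_begin(flow_monitor_t *m) {
    m->signature = FLOW_INIT; m->step_count = 0; m->fault = false;
}

/* Each step calls this with its own key. The key is only accepted at its expected
   position, so a skipped, repeated or reordered step is caught at once. */
static void flow_checkpoint(flow_monitor_t *m, uint16_t key) {
    if (m->step_count >= FLOW_STEPS || key != expected_chain[m->step_count]) { m->fault = true; return; }
    m->signature = (uint16_t)((m->signature << 1) ^ key);
    m->step_count++;
}

/* End of cycle: every step present, in order, and the signature equals the reference. */
static bool flow_end_ok(const flow_monitor_t *m, uint16_t reference) {
    return !m->fault && m->step_count == FLOW_STEPS && m->signature == reference;
}

/* Reference signature, computed once at start-up from the known-good chain. */
static uint16_t flow_reference(void) {
    flow_monitor_t r; flow_begin(&r);
    for (int i = 0; i < FLOW_STEPS; i++) flow_checkpoint(&r, expected_chain[i]);
    return r.signature;
}

/* Time-slot monitoring: the ticks between two services of the monitor come from an
   independent time base (a hardware timer the main loop cannot influence) and must fall
   inside a window. Too few ticks: an interrupt or loop is running away; too many: stalled. */
typedef enum { TS_OK = 0, TS_TOO_EARLY = 1, TS_TOO_LATE = 2 } ts_result_t;

static ts_result_t timeslot_classify(uint32_t elapsed_ticks, uint32_t min_ticks, uint32_t max_ticks) {
    if (elapsed_ticks < min_ticks) return TS_TOO_EARLY;
    if (elapsed_ticks > max_ticks) return TS_TOO_LATE;
    return TS_OK;
}

typedef struct { uint32_t last_service_tick, min_ticks, max_ticks; } timeslot_t;

static ts_result_t timeslot_service(timeslot_t *t, uint32_t now_tick) {
    uint32_t elapsed = now_tick - t->last_service_tick;
    t->last_service_tick = now_tick;
    return timeslot_classify(elapsed, t->min_ticks, t->max_ticks);
}

/* One control cycle. skip_step simulates a programme-counter fault that jumps over one
   step (0 = no fault). Returns true only if the whole sequence was executed in order. */
static bool run_cycle(int skip_step, uint16_t reference) {
    flow_monitor_t m; flow_begin(&m);
    if (skip_step != 1) flow_checkpoint(&m, FLOW_READ_IN);
    if (skip_step != 2) flow_checkpoint(&m, FLOW_COMPUTE);
    if (skip_step != 3) flow_checkpoint(&m, FLOW_DRIVE_OUT);
    return flow_end_ok(&m, reference);
}

int main(void) {
    uint16_t ref = flow_reference();
    printf("normal cycle: %s\n", run_cycle(0, ref) ? "ok" : "FAULT");
    for (int s = 1; s <= FLOW_STEPS; s++)
        printf("skip step %d: %s\n", s, run_cycle(s, ref) ? "ok" : "FAULT");
    timeslot_t ts = { 0, 8, 12 };                /* monitor must be serviced every 8..12 ticks */
    ts_result_t r1 = timeslot_service(&ts, 10);  /* 10 ticks elapsed: TS_OK */
    ts_result_t r2 = timeslot_service(&ts, 13);  /*  3 ticks elapsed: TS_TOO_EARLY */
    ts_result_t r3 = timeslot_service(&ts, 40);  /* 27 ticks elapsed: TS_TOO_LATE */
    printf("time slot results: %d %d %d\n", r1, r2, r3);
    return 0;
}
```

The point the table makes is visible in the two checks: the logical monitor catches a wrong order of execution even when the cycle finishes on time, while the time-slot monitor catches a cycle that never finishes (or runs far too often) even when every checkpoint it did reach was correct. In a real control, the reaction to either fault would be the safe state the presentation describes, not a printed line.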
H.2.18.11 Multiple parallel outputs: a fault/error control technique in which independent outputs are provided for operational error detection or for independent comparators.

H.2.18.12 Output verification: a fault/error control technique in which outputs are compared to independent inputs. This technique may or may not relate an error to the output which is defective.

H.2.18.13 Plausibility check: a fault/error control technique in which programme execution, inputs or outputs are checked for inadmissible programme sequence, timing or data. Examples are the introduction of an additional interrupt after completion of a certain number of cycles, or checks for division by zero.

H.2.18.14 Protocol test: a fault/error control technique in which data is transferred to and from computer components to detect errors in the internal communications protocol.

H.2.18.15 Reciprocal comparison: a fault/error control technique used in dual channel (homogeneous) structures in which a comparison is performed on data reciprocally exchanged between the two processing units. "Reciprocal" refers to an exchange of similar data.

H.2.18.16 Redundant data generation: the availability of two or more independent means, such as code generators, to perform the same task.

H.2.18.17 Redundant monitoring: the availability of two or more independent means, such as watchdog devices and comparators, to perform the same task.

H.2.18.18 Scheduled transmission: a communication procedure in which information from a particular transmitter is allowed to be sent only at a predefined point in time and sequence; otherwise the receiver will treat it as a communication error.

Single bit bus parity (see H.)

H.2.18.19 Software diversity: a fault/error control technique in which all or parts of the software are incorporated twice in the form of alternate software code. For example, the alternate forms of software code may be produced by different programmers, different languages or different compiling schemes, and may reside in different hardware channels or in different areas of memory within a single channel.

H.2.18.20 Stuck-at fault model: a fault model representing an open circuit or a non-varying signal level. These are usually referred to as "stuck open", "stuck at 1" or "stuck at 0".

H.2.18.21 Tested monitoring: the provision of independent means, such as watchdog devices and comparators, which are tested at start-up or periodically during operation.

H.2.18.22 Testing pattern: a fault/error control technique used for periodic testing of input units, output units and interfaces of the control. A test pattern is introduced to the unit and the results compared to expected values. Mutually independent means for introducing the test pattern and evaluating the results are used. The test pattern is constructed so as not to influence the correct operation of the control.

Time-slot and logical monitoring (see H.)
Time-slot monitoring of the programme sequence (see H.)
Transfer redundancy (see H.)

H.2.19.1 Abraham test: a specific form of a variable memory pattern test in which all stuck-at and coupling faults between memory cells are identified. The number of operations required to perform the entire memory test is about 30 n, where n is the number of cells in the memory. The test can be made transparent for use during the operating cycle by partitioning the memory and testing each partition in different time segments.
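Three of the I/O measures defined above, input comparison (H.2.18.8), plausibility check (H.2.18.13) and output verification (H.2.18.12), map directly onto the motor-stall example the presentation uses earlier, where a stall is recognised by over-current, over-temperature and zero speed and two of the three must agree. The code below is an added example written for this page, not from the presentation or the standard; the limits, tolerances, sensor readings and the two-of-three trip rule are constructed for the illustration, and a real product would take them from its own hazard analysis.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Limits and tolerances are constructed for this example, not taken from any product. */
#define TEMP_TOLERANCE_C       5      /* allowed disagreement between the two temperature sensors */
#define TEMP_MAX_C             120    /* winding over-temperature limit */
#define CURRENT_MAX_MA         8000   /* over-current limit */
#define CURRENT_ADMISSIBLE_MA  20000  /* readings above this are physically impossible: sensor/ADC fault */
#define TACH_MAX_PERIOD_MS     2000   /* a pulse period longer than this means the rotor is stopped */

typedef enum { RESULT_OK = 0, RESULT_INPUT_FAULT, RESULT_OUTPUT_FAULT, RESULT_STALL } verdict_t;

typedef struct {
    int16_t  temp_a_c, temp_b_c;   /* two independent winding temperature sensors */
    int32_t  current_ma;           /* motor current */
    uint32_t tach_period_ms;       /* tachometer pulse period; 0 = no pulse within TACH_MAX_PERIOD_MS */
    bool     relay_cmd;            /* commanded state of the motor relay */
    bool     relay_feedback;       /* independent read-back of the relay contact */
} inputs_t;

/* H.2.18.8 input comparison: redundant inputs designed to agree must be within tolerance. */
static bool input_comparison_ok(int16_t a, int16_t b) {
    int d = a - b;
    return (d < 0 ? -d : d) <= TEMP_TOLERANCE_C;
}

/* H.2.18.13 plausibility check on data: an inadmissible value is a fault, not a condition. */
static bool current_plausible(int32_t ma) {
    return ma >= 0 && ma <= CURRENT_ADMISSIBLE_MA;
}

/* Speed from the pulse period (one pulse per revolution assumed). A period of 0 or an
   over-long period means "stopped"; the check also guards the division by zero that
   H.2.18.13 names as an example of an inadmissible operation. */
static uint32_t speed_rpm(uint32_t period_ms) {
    if (period_ms == 0 || period_ms > TACH_MAX_PERIOD_MS) return 0;
    return 60000u / period_ms;
}

/* H.2.18.12 output verification: the commanded output is compared with an independent input. */
static bool output_verified(bool cmd, bool feedback) {
    return cmd == feedback;
}

/* Stall protection as the presentation describes it: a stall shows up as over-current,
   over-temperature and zero speed. The trip decision here needs two of the three, so one
   wrong indicator alone neither causes nor masks a trip (this rule is the example's choice). */
static verdict_t evaluate(const inputs_t *in) {
    if (!input_comparison_ok(in->temp_a_c, in->temp_b_c))    return RESULT_INPUT_FAULT;
    if (!current_plausible(in->current_ma))                  return RESULT_INPUT_FAULT;
    if (!output_verified(in->relay_cmd, in->relay_feedback)) return RESULT_OUTPUT_FAULT;

    int16_t temp = in->temp_a_c > in->temp_b_c ? in->temp_a_c : in->temp_b_c; /* use the higher reading */
    int indicators = 0;
    if (in->current_ma > CURRENT_MAX_MA) indicators++;
    if (temp > TEMP_MAX_C) indicators++;
    if (in->relay_cmd && speed_rpm(in->tach_period_ms) == 0) indicators++;  /* driven but not turning */
    return indicators >= 2 ? RESULT_STALL : RESULT_OK;
}

/* Convenience wrapper for scalar inputs. */
static verdict_t evaluate_values(int16_t ta, int16_t tb, int32_t ma, uint32_t period_ms, bool cmd, bool fb) {
    inputs_t in = { ta, tb, ma, period_ms, cmd, fb };
    return evaluate(&in);
}

int main(void) {
    /* Constructed sample readings; the comment gives the expected verdict. */
    printf("normal running:          %d\n", evaluate_values(60, 62, 3000, 40, true, true));   /* RESULT_OK */
    printf("stalled rotor:           %d\n", evaluate_values(130, 128, 9500, 0, true, true));  /* RESULT_STALL */
    printf("only over-current:       %d\n", evaluate_values(60, 62, 9500, 40, true, true));   /* RESULT_OK, one indicator */
    printf("sensors disagree:        %d\n", evaluate_values(60, 90, 3000, 40, true, true));   /* RESULT_INPUT_FAULT */
    printf("impossible current:      %d\n", evaluate_values(60, 62, 50000, 40, true, true));  /* RESULT_INPUT_FAULT */
    printf("relay feedback mismatch: %d\n", evaluate_values(60, 62, 3000, 40, true, false));  /* RESULT_OUTPUT_FAULT */
    return 0;
}
```

Note the ordering inside evaluate: the input and output checks run before the protection logic, so a disagreeing sensor pair, an impossible reading or a relay that did not follow its command is reported as a fault in the control itself rather than being silently folded into the stall decision. That is the distinction the evaluation is after: a fault in the detection path must be recognised as such, not mistaken for a normal (or abnormal) process condition.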
Reference: Abraham, J.A.; Thatte, S.M.; "Fault coverage of test programs for a microprocessor", Proceedings of the IEEE Test Conference 1979, pp. 18-22.

H.2.19.2 GALPAT memory test: a fault/error control technique in which a single cell in a field of uniformly written memory cells is inversely written, after which the remaining memory under test is inspected. After each read operation to one of the remaining cells in the field, the inversely written cell is also inspected and read. This process is repeated for all memory cells under test. A second test is then performed as above on the same memory range without inverse writing to the test cell. The test can be made transparent for use during the operating cycle by partitioning the memory and testing each partition in different time segments (see transparent GALPAT test).

H. Transparent GALPAT test: a GALPAT memory test in which first a signature word is formed representing the content of the memory range to be tested, and this word is saved. The cell to be tested is inversely written and the test is performed as above; however, the remaining cells are not inspected individually but by formation of, and comparison to, a second signature word. A second test is then performed as above by inversely writing the previously inverted value to the test cell. This technique recognizes all static bit errors as well as errors in interfaces between memory cells.

Checkerboard memory test (see H.)

H.2.19.3 Checksum
- H. Modified checksum: a fault/error control technique in which a single word representing the contents of all words in memory is generated and saved. During self-test, a checksum is formed from the same algorithm and compared with the saved checksum. This technique recognizes all the odd errors and some of the even errors.
- H. Multiple checksum: a fault/error control technique in which separate words representing the contents of the memory areas to be tested are generated and saved. During self-test, a checksum is formed from the same algorithm and compared with the saved checksum for that area. This technique recognizes all the odd errors and some of the even errors.

H.2.19.4 Cyclic redundancy check (CRC)
- H. CRC single word: a fault/error control technique in which a single word is generated to represent the contents of memory. During self-test the same algorithm is used to generate another signature word, which is compared with the saved word. This technique recognizes all one-bit, and a high percentage of multi-bit, errors.
- H. CRC double word: a fault/error control technique in which at least two words are generated to represent the contents of memory. During self-test the same algorithm is used to generate the same number of signature words, which are compared with the saved words. This technique can recognize one-bit and multi-bit errors with a greater accuracy than CRC single word.

Marching memory test (see H.)
Modified checksum (see H.)
Multiple checksum (see H.)

H.2.19.5 Redundant memory with comparison: a structure in which the safety-related contents of memory are stored twice in different format in separate areas, so that they can be compared for error control.

H.2.19.6 Static memory test: a fault/error control technique which is intended to detect only static errors.
- H. Checkerboard memory test: a static memory test in which a checkerboard pattern of zeros and ones is written to the memory area under test and the cells are inspected in pairs. The address of the first cell in each pair is variable and the address of the second cell is derived from a bit inversion of the first address. In the first inspection, the variable address is first incremented to the end of the address space of the memory and then decremented to its original value. The test is repeated with the checkerboard pattern inverted.
- H. Marching memory test: a static memory test in which data is written to the memory area under test as in normal operation. Every cell is then inspected in ascending order and a bit inversion performed on the contents. The inspection and bit inversion are then repeated in descending order. Then this process is repeated after first performing a bit inversion on all the memory cells under test.

Transparent GALPAT test (see H.)

H.2.19.7 WALKPAT memory test: a fault/error control technique in which a standard data pattern is written to the memory area under test as in normal operation. A bit inversion is performed on the first cell and the remaining memory area is inspected. Then the first cell is again inverted and the memory inspected. This process is repeated for all memory cells under test. A second test is conducted by performing a bit inversion of all cells in
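The memory rows of Table H.11.12.7 ask for a periodic checksum or CRC over invariable memory and a periodic static test over variable memory; the definitions above describe what those are but not what they look like in firmware. The code below is an added example written for this page, not from the presentation or from IEC 60730-1. It keeps a single-word checksum and a CRC-16 single word over a constructed 16-word ROM image and checks that every single-bit flip is detected, then runs a checkerboard test over a simulated RAM in which one bit of one cell can be made stuck at 0. The ROM contents, the rotate-and-add form of the checksum, the CRC parameters (CRC-16/CCITT-FALSE, polynomial 0x1021, initial value 0xFFFF), the simulated-RAM structure and all names are this example's assumptions.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ROM_WORDS 16
#define RAM_SIZE  16   /* power of two, so ~addr & (RAM_SIZE-1) is a valid partner address */

/* Constructed stand-in for invariable memory (programme code / constants). */
static uint16_t rom_image[ROM_WORDS] = {
    0x0200, 0x0A14, 0x7F1C, 0x3E00, 0x12C0, 0x0000, 0xFFFF, 0x8001,
    0x55AA, 0xAA55, 0x0F0F, 0xF0F0, 0x1234, 0x5678, 0x9ABC, 0xDEF0 };

/* Single-word checksum in the sense of H.2.19.3: rotate-and-add, so that the position
   of a word matters as well as its value (the rotation is this example's choice). */
static uint16_t rom_checksum(const uint16_t *mem, size_t n) {
    uint16_t sum = 0;
    for (size_t i = 0; i < n; i++)
        sum = (uint16_t)(((sum << 1) | (sum >> 15)) + mem[i]);
    return sum;
}

/* CRC single word (H.2.19.4) as CRC-16/CCITT-FALSE: polynomial 0x1021, initial value 0xFFFF. */
static uint16_t crc16_ccitt(const uint8_t *data, size_t len) {
    uint16_t crc = 0xFFFF;
    for (size_t i = 0; i < len; i++) {
        crc ^= (uint16_t)(data[i] << 8);
        for (int b = 0; b < 8; b++)
            crc = (crc & 0x8000) ? (uint16_t)((crc << 1) ^ 0x1021) : (uint16_t)(crc << 1);
    }
    return crc;
}

/* Periodic self-test of invariable memory: recompute both signatures with the same
   algorithms and compare them with the references saved from the fault-free image. */
static bool rom_selftest_ok(const uint16_t *mem, size_t n, uint16_t ref_sum, uint16_t ref_crc) {
    return rom_checksum(mem, n) == ref_sum &&
           crc16_ccitt((const uint8_t *)mem, n * sizeof mem[0]) == ref_crc;
}

/* Flip every single bit of the image in turn and count the flips the self-test misses. */
static int rom_undetected_single_bit_errors(void) {
    uint16_t ref_sum = rom_checksum(rom_image, ROM_WORDS);
    uint16_t ref_crc = crc16_ccitt((const uint8_t *)rom_image, sizeof rom_image);
    int missed = 0;
    for (size_t w = 0; w < ROM_WORDS; w++)
        for (int b = 0; b < 16; b++) {
            rom_image[w] ^= (uint16_t)(1u << b);
            if (rom_selftest_ok(rom_image, ROM_WORDS, ref_sum, ref_crc)) missed++;
            rom_image[w] ^= (uint16_t)(1u << b);   /* restore the image */
        }
    return missed;
}

/* Simulated variable memory with an optional stuck-at (DC) fault per cell. */
typedef struct { uint8_t cell[RAM_SIZE], stuck_mask[RAM_SIZE], stuck_val[RAM_SIZE]; } sim_ram_t;

static void ram_write(sim_ram_t *r, size_t a, uint8_t v) {
    r->cell[a] = (uint8_t)((v & ~r->stuck_mask[a]) | (r->stuck_val[a] & r->stuck_mask[a]));
}

/* Checkerboard memory test (H.2.19.6): write a 0/1 checkerboard, inspect cells in pairs
   (a, ~a) with a incremented to the top of the area and decremented back to the start,
   then repeat with the pattern inverted. Destructive, so the contents are saved and restored. */
static bool checkerboard_test(sim_ram_t *r) {
    uint8_t saved[RAM_SIZE];
    memcpy(saved, r->cell, RAM_SIZE);
    bool ok = true;
    for (int p = 0; p < 2 && ok; p++) {
        uint8_t pat = p ? 0xAA : 0x55;
        for (size_t a = 0; a < RAM_SIZE; a++)
            ram_write(r, a, (a & 1) ? (uint8_t)~pat : pat);
        for (size_t s = 0; s < 2 * RAM_SIZE && ok; s++) {
            size_t a = (s < RAM_SIZE) ? s : 2 * RAM_SIZE - 1 - s;   /* up, then down */
            size_t b = ~a & (RAM_SIZE - 1);                          /* partner: bit inversion of a */
            uint8_t ea = (a & 1) ? (uint8_t)~pat : pat, eb = (b & 1) ? (uint8_t)~pat : pat;
            if (r->cell[a] != ea || r->cell[b] != eb) ok = false;
        }
    }
    for (size_t a = 0; a < RAM_SIZE; a++) ram_write(r, a, saved[a]);
    return ok;
}

/* Run the RAM test on a fault-free area, or with bit 3 of cell 5 stuck at 0 (constructed fault). */
static bool ram_test_result(bool inject_fault) {
    sim_ram_t r;
    memset(&r, 0, sizeof r);
    if (inject_fault) { r.stuck_mask[5] = 0x08; r.stuck_val[5] = 0x00; }
    return checkerboard_test(&r);
}

int main(void) {
    printf("undetected single-bit ROM errors: %d\n", rom_undetected_single_bit_errors());
    printf("RAM checkerboard, no fault: %s\n", ram_test_result(false) ? "pass" : "FAIL");
    printf("RAM checkerboard, stuck-at-0 bit: %s\n", ram_test_result(true) ? "pass" : "FAIL");
    return 0;
}
```

Two practical points follow from the definitions. The CRC guarantees the "all one-bit errors" property on its own, which is why the self-test reports zero misses; the checksum is kept alongside it only to show the single-word form the table accepts. The checkerboard test is destructive, which is why the code saves and restores the area: in a real control the test is run on one partition at a time, with interrupts that touch that partition held off, which is the partitioning idea the GALPAT and Abraham definitions describe as making a test "transparent".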
