seminar_software_evaluation.ppt

softwareevaluation软件安全评估presentedby franksong 宋青红 e mail frank song tel 021 61278364 softwareevaluation软件安全评估 目前产品越来越智能化 多功能化 产品内使用单片机 使用软件实现其功能的非常多 甚至不少还使用软件进行安全保护的 例如变频电机堵转保护 车库卷帘门遭遇障碍物保护 电磁炉的过热保护 微波炉的门开关安全互锁等等 并不是有软件的就要评估 而是起安全保护的才要进行评估 这时软件的可靠性对于产品的安全就非常重要了 对软件的评估就是必须要进行了 softwareevaluation软件安全评估 安全保护作用的软件的分类iec体系iec en60730 1annexhclassb其软件控制的功能是防止被控制的设备出现不安全的动作 类如热保护 洗衣机的门锁等controlfunctionsintendedtopreventunsafeoperationofthecontrolledequipment examplesofcontrolswhichmayincludeclassbfunctionsare thermalcut outsanddoorlocksforlaundryequipment classc其软件控制的功能是防止特殊危险的 被控制设备的爆炸 类如自动点火控制器 密封式热水器的等controlfunctionswhichareintendedtopreventspecialhazards e g explosionofthecontrolledequipment examplesofcontrolswhichmayincludeclasscfunctionsare automaticburnercontrolsandthermalcutoutsforclosedwaterheatersystems unvented ul体系ul1998class1 等同与iec体系的classbclass2 等同与iec体系的classc softwareevaluation软件安全评估 软件实现安全功能是必须依赖硬件的 就像一个人一样 大脑再能干 如果没有五官 没有四肢 也就无法做出任何事可以这么理解 软件是人的神经系统 而硬件就是人的身体 而对于软件出错可能会影响安全就理解成人的神经系统有问题人就会出问题一样我们在这里评估软件的目的就是一旦出现神经系统方面的问题 保证他的工作正常进行或至少会通知一下别人 喂 我不行了 我不干了 让别人接过他的工作或是通知上级 整个活都停下 以免出现不可收拾的后果 softwareevaluation软件安全评估 i o输入输出接口数模或模数转换中断输入pwm调制系统终止或暂停 时钟输入接口 主频 内部或外部定时器接口 程序指令地址 刚通电时一定指向只读内存的第一个位置如0000000h 看单片机的内存的容量了 只读内存 指令寄存器 指令解码器 时钟发生器 时钟振荡器引脚 晶振 softwareevaluation软件安全评估 堆栈 保留中断或调用子程序前的指令地址 这样在完成中断或调用子程序后可顺利返回 中断电路 数据内存 内存片选 中央计算单元 定时器 看门狗 softwareevaluation软件安全评估 对于单片机 一旦通电 如果系统正常 其pc内地址就为000h 然后累加器读取000h的内容 进行解码并执行 之后在没有跳转语句的情况下转向001h 依次类推 这就是程序运行的基本情况 softwareevaluation软件安全评估 微电脑系统的硬件构成一 总线交通系统 神经系统二 数据 地址 指令门牌号码 工作要求三 输入输出端口眼耳口手四 累加器大脑五 堆栈相当于便签条六 内存相当于记事本 临时 长期 七 中断领导发来紧急命令八 时钟工作计划九 程序计数器下一步工作目的地 softwareevaluation软件安全评估 软件评估有一个原则就是一般不考虑两个故障同时发生 要注意一点就是需要通过emc测试保证其系统可以不受外在电磁干扰而正常工作 否则通过软件评估 也是安全不合格的 因为系统抗干扰能力不足 而导致系统出现多个地方同时出错一般来讲 软件评估的方法也就是模拟上面各种地方出错后 判别系统是否能够识别出来 然后进行相应处理的手段这样 若是某一个故障若是被两种手段识别出来 那么就认为识别就不会出错了 例如电机堵转 电流过大 温升过高 转速为零这三种现象里可以识别出两种 就可以认为识别输入上不会出错了 软件系统出错的几种现象和可能性 1 软件逻辑设计和编程错误同一变量对应不同的定义 死循环 除数为零 用户可以修改程序而不是输入数据 等等 这个一般在客户自检时纠正 2 软件系统中对应的硬件出错单片机自身出错 外围元件出错 可以用下页的表格进行逐项检查 softwareevaluation软件安全评估 tableh 11 12 7 partforsoftwareofclassb softwareevaluation软件安全评估 softwareevaluation软件安全评估 tableh 11 12 7 partforsoftwareofclassb continue softwareevaluation软件安全评估 tableh 11 12 7 partforsoftwareofclassb continue softwareevaluation软件安全评估 tableh 11 12 7 partforsoftwareofclassb continue softwareevaluation软件安全评估 对于不同的软件出错模式 标准里也有相应的纠错或防错的手段周期性自检 对于可能出问题的地方 先让它工作一下 看是否出现预期的现象 从而确定系统是否正常 看门狗技术 其实就是类似倒计时定时闹钟 若系统不正常 无法给闹钟清除 就会报警 冗余技术 就是备份 可以是软件备份 也可以是硬件备份 同一个数据 存在不同地方 进行比较 如果不同就说明系统有问题了 特定逻辑技术 特定的编码 约定的定时通讯等等 这对与时钟有关的错误比较有效下面一些就是具体的标准对应的纠错或防错的措施 h 2 16 1dualchannelastructurewhichcontainstwomutuallyindependentfunctionalmeanstoexecutespecifiedoperationsspecialprovisionmaybemadeforcontrolofcommonmodefault errors itisnotrequiredthatthetwochannelseachbealgorithmicorlogicalinnature h 2 16 2dualchannel diverse withcomparisonadualchannelstructurecontainingtwodifferentandmutuallyindependentfunctionalmeans eachcapableofprovidingadeclaredresponse inwhichcomparisonofoutputsignalsisperformedforfault errorrecognitionh 2 16 3dualchannel homogeneous withcomparisonadualchannelstructurecontainingtwoidenticalandmutuallyindependentfunctionalmeans eachcapableofprovidingadeclaredresponse inwhichcomparisonofinternalsignalsoroutputsignalsisperformedforfault errorrecognitionh 2 16 4singlechannelastructureinwhichasinglefunctionalmeansisusedtoexecutespecifiedoperationsh 2 16 5singlechannelwithfunctionaltestasinglechannelstructureinwhichtestdataisintroducedtothefunctionalunitpriortoitsoperationh 2 16 6singlechannelwithperiodicselftestasinglechannelstructureinwhichcomponentsofthecontrolareperiodicallytestedduringoperationh 2 16 7singlechannelwithperiodicselftestandmonitoringasinglechannelstructurewithperiodicselftestinwhichindependentmeans eachcapableofprovidingadeclaredresponse monitorsuchaspectsassafety relatedtiming sequencesandsoftwareoperations definitionofsoftwareprotectionmeasures h 2 18 1busredundancyh 2 18 1 1fullbusredundancyafault errorcontroltechniqueinwhichfullredundantdataand oraddressareprovidedbymeansofredundantbusstructureh 2 18 1 2multi bitbusparityafault errorcontroltechniqueinwhichthebusisextendedbytwoormorebitsandtheseadditionalbitsareusedforerrordetectionh 2 18 1 3singlebitbusparityafault errorcontroltechniqueinwhichthebusisextendedbyonebitandthisadditionalbitisusedforerrordetectionh 2 18 2codesafetyfault errorcontroltechniquesinwhichprotectionagainstcoincidentaland orsystematicerrorsininputandoutputinformationisprovidedbytheuseofdataredundancyand ortransferredundancy seealsoh 2 18 2 1andh 2 18 2 2 h 2 18 2 1dataredundancyaformofcodesafetyinwhichthestorageofredundantdataoccursh 2 18 2 2transferredundancyaformofcodesafetyinwhichdataistransferredatleasttwiceinsuccessionandthencomparedthistechniquewillrecognizeintermittenterrors h 2 18 3comparatoradeviceusedforfault errorcontrolindualchannelstructures thedevicecomparesdatafromthetwochannelsandinitiatesadeclaredresponseifadifferenceisdetectedh 2 18 4d c faultmodelastuck atfaultmodelincorporatingshortcircuitsbetweensignallinesbecauseofthenumberofpossibleshortsinthedeviceundertest usuallyonlyshortsbetweenrelatedsignallineswillbeconsidered alogicalsignallevelisdefined whichdominatesincaseswherethelinestrytodrivetotheoppositelevel definitionofsoftwareprotectionmeasures continue softwareevaluation软件安全评估 h 2 18 5equivalenceclasstestasystematictestintendedtodeterminewhethertheinstructiondecodingandexecutionareperformedcorrectly thetestdataisderivedfromthecpuinstructionspecificationsimilarinstructionsaregroupedandtheinputdatasetissubdividedintospecificdataintervals equivalenceclasses eachinstructionwithinagroupprocessesatleastonesetoftestdata sothattheentiregroupprocessestheentiretestdataset thetestdatacanbeformedfromthefollowing datafromvalidrange datafrominvalidrange datafromthebounds extremevaluesandtheircombinationsthetestswithinagrouparerunwithdifferentaddressingmodes sothattheentiregroupexecutesalladdressingmodes h 2 18 6errorrecognizingmeansindependentmeansprovidedforthepurposeofrecognizingerrorsinternaltothesystemexamplesaremonitoringdevices comparators andcodegenerators fullbusredundancy seeh 2 18 1 1 frequencymonitoring seeh 2 18 10 1 h 2 18 7hammingdistanceastatisticalmeasure representingthecapabilityofacodetodetectandcorrecterrors thehammingdistanceoftwocodewordsisequaltothenumberofpositionsdifferentinthetwocodewordsh holscherandj rader microcomputersinsafetytechniques verlagtuvbayern tuvrheinland isbn3 88585 315 9 h 2 18 8inputcomparisonafault errorcontroltechniquebywhichinputsthataredesignedtobewithinspecifiedtolerancesarecompared definitionofsoftwareprotectionmeasures continue softwareevaluation软件安全评估 h 2 18 9internalerrordetectingorcorrectingafault errorcontroltechniqueinwhichspecialcircuitryisincorporatedtodetectorcorrecterrorslogicalmonitoringoftheprogrammesequence seeh 2 18 10 2 multi bitbusparity seeh 2 18 1 2 h 2 18 10programmesequenceh 2 18 10 1frequencymonitoringafault errorcontroltechniqueinwhichtheclockfrequencyiscomparedwithanindependentfixedfrequencyanexampleiscomparisonwiththelinesupplyfrequency h 2 18 10 2logicalmonitoringoftheprogrammesequenceafault errorcontroltechniqueinwhichthelogicalexecutionoftheprogrammesequenceismonitoredexamplesaretheuseofcountingroutinesorselecteddataintheprogrammeitselforbyindependentmonitoringdevices h 2 18 10 3time slotandlogicalmonitoringthisisacombinationofh 2 18 10 2andh 2 18 10 4h 2 18 10 4time slotmonitoringoftheprogrammesequenceafault errorcontroltechniqueinwhichtimingdeviceswithanindependenttimebaseareperiodicallytriggeredinordertomonitortheprogrammefunctionandsequenceanexampleisawatchdogtimer h 2 18 11multipleparalleloutputsafault errorcontroltechniqueinwhichindependentoutputsareprovidedforoperationalerrordetectionorforindependentcomparators definitionofsoftwareprotectionmeasures continue softwareevaluation软件安全评估 h 2 18 12outputverificationafault errorcontroltechniqueinwhichoutputsarecomparedtoindependentinputsthistechniquemayormaynotrelateanerrortotheoutputwhichisdefective h 2 18 13plausibilitycheckafault errorcontroltechniqueinwhichprogrammeexecution inputsoroutputsarecheckedforinadmissibleprogrammesequence timingordataexamplesaretheintroductionofanadditionalinterruptaftercompletionofacertainnumberofcyclesorchecksfordivisionbyzero h 2 18 14protocoltestafault errorcontroltechniqueinwhichdataistransferredtoandfromcomputercomponentstodetecterrorsintheinternalcommunicationsprotocolh 2 18 15reciprocalcomparisonafault errorcontroltechniqueusedindualchannel homogeneous structuresinwhichacomparisonisperformedondatareciprocallyexchangedbetweenthetwoprocessingunitsreciprocalreferstoanexchangeofsimilardata h 2 18 16redundantdatagenerationtheavailabilityoftwoormoreindependentmeans suchascodegenerators toperformthesametaskh 2 18 17redundantmonitoringtheavailabilityoftwoormoreindependentmeanssuchaswatchdogdevicesandcomparatorstoperformthesametaskh 2 18 18scheduledtransmissionacommunicationprocedureinwhichinformationfromaparticulartransmitterisallowedtobesentonlyatapredefinedpointintimeandsequence otherwisethereceiverwilltreatitasacommunicationerrorsinglebitbusparity seeh 2 18 1 3 definitionofsoftwareprotectionmeasures continue softwareevaluation软件安全评估 h 2 18 19softwarediversityafault errorcontroltechniqueinwhichallorpartsofthesoftwareareincorporatedtwiceintheformofalternatesoftwarecodeforexample thealternateformsofsoftwarecodemaybeproducedbydifferentprogrammers differentlanguagesordifferentcompilingschemesandmayresideindifferenthardwarechannelsorindifferentareasofmemorywithinasinglechannel h 2 18 20stuck atfaultmodelafaultmodelrepresentinganopencircuitoranon varyingsignalleveltheseareusuallyreferredtoas stuckopen stuckat1 or stuckat0 h 2 18 21testedmonitoringtheprovisionofindependentmeanssuchaswatchdogdevicesandcomparatorswhicharetestedatstart uporperiodicallyduringoperationh 2 18 22testingpatternafault errorcontroltechniqueusedforperiodictestingofinputunits outputunitsandinterfacesofthecontrol atestpatternisintroducedtotheunitandtheresultscomparedtoexpectedvalues mutuallyindependentmeansforintroducingthetestpatternandevaluatingtheresultsareused thetestpatternisconstructedsoasnottoinfluencethecorrectoperationofthecontroltime slotandlogicalmonitoring seeh 2 18 10 3 time slotmonitoringoftheprogrammesequence seeh 2 18 10 4 transferredundancy seeh 2 18 2 2 definitionofsoftwareprotectionmeasures continue softwareevaluation软件安全评估 h 2 19 1abrahamtestaspecificformofavariablememorypatterntestinwhichallstuck atandcouplingfaultsbetweenmemorycellsareidentifiedthenumberofoperationsrequiredtoperformtheentirememorytestisabout30n wherenisthenumberofcellsinthememory thetestcanbemadetransparentforuseduringtheoperatingcycle bypartitioningthememoryandtestingeachpartitionindifferenttimesegments abraham j a thatte s m faultcoverageoftestprogramsforamicroprocessor proceedingsoftheieeetestconference1979 pp18 22 h 2 19 2galpatmemorytestafault errorcontroltechniqueinwhichasinglecellinafieldofuniformlywrittenmemorycellsisinverselywritten afterwhichtheremainingmemoryundertestisinspected aftereachreadoperationtooneoftheremainingcellsinthefield theinverselywrittencellisalsoinspectedandread thisprocessisrepeatedforallmemorycellsundertest asecondtestisthenperformedasaboveonthesamememoryrangewithoutinversewritingtothetestcellthetestcanbemadetransparentforuseduringtheoperatingcycle bypartitioningthememoryandtestingeachpartitionindifferenttimesegments seetransparentgalpattest h 2 19 2 1transparentgalpattestagalpatmemorytestinwhichfirstasignaturewordisformedrepresentingthecontentofthememoryrangetobetestedandthiswordissaved thecelltobetestedisinverselywrittenandthetestisperformedasabove however theremainingcellsarenotinspectedindividually butbyformationofandcomparisontoasecondsignatureword asecondtestisthenperformedasabovebyinverselywritingthepreviouslyinvertedvaluetothetestcellthistechniquerecognizesallstaticbiterrorsaswellaserrorsininterfacesbetweenmemorycells checkerboardmemorytest seeh 2 19 6 1 h 2 19 3checksumh 2 19 3 1modifiedchecksumafault errorcontroltechniqueinwhichasinglewordrepresentingthecontentsofallwordsinmemoryisgeneratedandsaved duringselftest achecksumisformedfromthesamealgorithmandcomparedwiththesavedchecksumthistechniquerecognizesalltheodderrorsandsomeoftheevenerrors definitionofsoftwareprotectionmeasures continue softwareevaluation软件安全评估 h 2 19 3 2multiplechecksumafault errorcontroltechniqueinwhichaseparatewordsrepresentingthecontentsofthememoryareastobetestedaregeneratedandsaved duringselftest achecksumisformedfromthesamealgorithmandcomparedwiththesavedchecksumforthatareathistechniquerecognizesalltheodderrorsandsomeoftheevenerrors h 2 19 4cyclicredundancycheck crc h 2 19 4 1crc singlewordafault errorcontroltechniqueinwhichasinglewordisgeneratedtorepresentthecontentsofmemory duringselftestthesamealgorithmisusedtogenerateanothersignaturewordwhichiscomparedwiththesavedwordthistechniquerecognizesallone bit andahighpercentageofmulti bit errors h 2 19 4 2crc doublewordafault errorcontroltechniqueinwhichatleasttwowordsaregeneratedtorepresentthecontentsofmemory duringselftestthesamealgorithmisusedtogeneratethesamenumberofsignaturewordswhicharecomparedwiththesavedwordsthistechniquecanrecognizeone bitandmulti biterrorswithagreateraccuracythanincrc singleword marchingmemorytest seeh 2 19 6 2 modifiedchecksum seeh 2 19 3 1 multiplechecksum seeh 2 19 3 2 h 2 19 5redundantmemorywithcomparisonastructureinwhichthesafety relatedcontentsofmemoryarestoredtwiceindifferentformatinseparateareassothattheycanbecomparedforerrorcontrolh 2 19 6staticmemorytestafault errorcontroltechniquewhichisintendedtodetectonlystaticerrors definitionofsoftwareprotectionmeasures continue softwareevaluation软件安全评估 h 2 19 6 1checkerboardmemorytestastaticmemorytestinwhichacheckerboardpatternofzerosandonesiswrittentothememoryareaundertestandthecellsareinspectedinpairs theaddressofthefirstcellineachpairisvariableandtheaddressofthesecondcellisderivedfromabitinversionofthefirstaddress inthefirstinspection thevariableaddressisfirstincrementedtotheendoftheaddressspaceofthememoryandthendecrementedtoitsoriginalvalue thetestisrepeatedwiththecheckerboardpatterninversedh 2 19 6 2marchingmemorytestastaticmemorytestinwhichdataiswrittentothememoryareaundertestasinnormaloperation everycellistheninspectedinascendingorderandabitinversionperformedonthecontents theinspectionandbitinversionarethenrepeatedindescendingorder thenthisprocessisrepeatedafterfirstperformingabitinversiononallthememorycellsundertesttransparentgalpattest seeh 2 19 2 1 h 2 19 7walkpatmemorytestafault err