misra c safety v security
play

MISRA C - Safety v Security Fifth VDA Automotive SYS Conference - PowerPoint PPT Presentation

Oct 17, 2022 •975 likes •1.44k views

MISRA C - Safety v Security Fifth VDA Automotive SYS Conference Andrew Banks BSc IEng MIET FBCS CITP Frazer-Nash Research Limited, and Chairman, MISRA C Working Group MISRA C A Quick History 2 July 14, 2015 MISRA-C The Rationale

  1. MISRA C - Safety v Security Fifth VDA Automotive SYS Conference Andrew Banks BSc IEng MIET FBCS CITP Frazer-Nash Research Limited, and Chairman, MISRA C Working Group

  2. MISRA C A Quick History 2 July 14, 2015

  3. MISRA-C – The Rationale Despite its popularity, there are several drawbacks with the C language, eg: • The ISO Standard language definition is incomplete • Behaviour that is Undefined • Behaviour that is Unspecified • Behaviour that is Implementation Defined • Language misuse and obfuscation • Language misunderstanding • Run-time error checking MISRA C is one solution... 3 July 14, 2015

  4. MISRA-C – A Quick History MISRA-C:1998 (aka MISRA-C1 ) “Guidelines for the use of the C language in vehicle based software” - - Compatible with ISO/IEC 9899:1990 (aka C90 ) MISRA-C:2004 (aka MISRA-C2 ) “Guidelines for the use of the C language in critical systems” - - Remains compatible with ISO/IEC 9899:1990 (aka C90 ) MISRA C:2012 (aka MISRA-C3 ) “Guidelines for the use of the C language in critical systems” - - Adds compatibility with ISO/IEC 9899:1999 (aka C99 ) 4 July 14, 2015

  5. MISRA-C – The 2012 Edition Published early 2013 159 Guidelines in total - 16 Directives o 9 Required o 7 Advisory - 143 Rules o 10 Mandatory o 101 Required o 32 Advisory A compliance and deviation policy 5 July 14, 2015

  6. MISRA-C – The Vision The vision of MISRA C is set out in the opening paragraph of the Guidelines: The MISRA C Guidelines define a subset of the C language in which the opportunity to make mistakes is either removed or reduced. Many standards for the development of safety-related software require, or recommend, the use of a language subset, and this can also be used to develop any application with high integrity or high reliability requirements . 6 July 14, 2015

  7. MISRA-C – Work In Progress MISRA C:2012 Technical Corrigendum 1 - Address typographical and clarification MISRA Compliance - Enhances guidance for compliance guidance - Clarifies/tightens the Deviation process - Standalone document o Compatible with MISRA C:2012 (and any future versions) o Compatible with MISRA C++:20xx o No reason it cannot be applied to earlier versions of either document! And a few other things... - Looking at C11 amongst them 7 July 14, 2015

  8. MISRA C Misunderstandings 8 July 14, 2015

  9. Myth Busting #1 The Misunderstanding - MISRA C is only applicable to the automotive industry The History - MISRA C was originated by the automotive industry, for the automotive industry... and we are proud of our automotive heritage. The Reality - MISRA C is applicable to any industry that requires high-integrity software - MISRA C has been adopted by many industries, including medical, rail, aerospace, space and defence. eg: • http://lars-lab.jpl.nasa.gov/JPL_Coding_Standard_C.pdf • http://www.stroustrup.com/JSF-AV-rules.pdf 9 July 14, 2015

  10. Myth Busting #2 The Misunderstanding - MISRA C is only a safety coding standard, not a secure/security one The History - MISRA C suggests (in its vision) its use in safety-related software The Reality - MISRA C also suggests (in its vision) its applicability to any application with high integrity or high reliability requirements - The difference between safety and security are largely semantic - Unfortunately, a perception remains... 10 July 14, 2015

  11. ESCAR 2014, Hamburg 11 July 14, 2015

  12. MISRA C Directives Guidelines that are not Rules! 12 July 14, 2015

  13. MISRA C Directives – What is a Directive? From the MISRA C:2012 - A directive is a guideline for which it is not possible to provide the full description necessary to perform a check for compliance. - Additional information, such as might be provided in design documents or requirement specifications, is required in order to be able to perform the check. - Static analysis tools may be able to assist in checking compliance with directives , but different tools may place different interpretations on what constitutes non-compliance. Note: Compliance is still required – just as for the rules! 13 July 14, 2015

  14. MISRA C Directives – Directive 4.1 From the MISRA C:2012 headline - Run-time failures shall be minimized Rationale - The C language was designed to provide very limited built-in run-time checking. This places the burden on the programmer... What does this mean? - Techniques to avoid run-time failures should be planned and documented, for example in design standards, test plans and code review checklists. - Dynamic checks should be added where-ever there is a potential for errors to occur Problem areas - arithmetic errors, array bound errors, function parameters, pointer arithmetic/de-referencing 14 July 14, 2015

  15. MISRA C Directives – Directive 4.11 From the MISRA C:2012 headline - The validity of values passed to library functions shall be checked Rationale - The C standard does not require the standard library to check the validity of parameters passed to them. What does this mean? - Dynamic checks should be added where-ever there is a potential for errors to occur Problem areas - Libraries ctype.h math.h and string.h (and others!) 15 July 14, 2015

  16. Safety v Security Comparison with other guidelines 16 July 14, 2015

  17. ISO/IEC TS 17961 C Secure Coding Rules 17 July 14, 2015

  18. ISO/IEC TS 17961 – C Secure Coding Rules Produced by ISO/IEC JTC 1/SC 22/WG 14 – the same people responsible for the C standard itself Originally proposed to be based on CERT-C (see later) but significantly rationalised From the document’s Background: “In practice, security-critical and safety-critical code have the same - requirements” “ The purpose of this Technical Specification is to specify analyzable - secure coding rules that can be automatically enforced to detect security flaws in C-conforming applications” 18 July 14, 2015

  19. ISO/IEC TS 17961 – C Secure Coding Coverage Coverage Method # Comments MISRA covers fully – explicitly 22 Some rules are stricter than SecureC MISRA covers fully – broad 11 Eg: bans dynamic memory, signal.h 6 Undefined/unspecified behaviour MISRA covers fully – implicitly 3 Standard library MISRA covers partially – broad 2 MISRA does not cover directly 2 46 19 July 14, 2015

  20. ISO/IEC TS 17961 – The Gaps The gaps (partial or not covered) can be grouped as follows: - Taintedness as a concept - The use of getenv() , localeconv() , setlocale() and strerror() 2 rules - Use of sizeof() on a pointer function parameter 1 rule - Comparisons of padding data 1 rule Proposal - MISRA C:2012 be enhanced to address these gaps 20 July 14, 2015

  21. The Gaps – Taintedness C Secure - Many! MISRA C:2012 - No explicit coverage of taintedness - Directives D4.1 and D4.11 cover many of the consequences. - Some undefined behaviour also trapped by R1.3 - Some unwanted behaviour also trapped by broad rules o General prohibition in the use of stdio.h, signal.h etc Proposed way ahead - Add a new MISRA C directive to require validation of externally sourced data to protect against taintedness. - Additional explicit rules may be added as required. 21 July 14, 2015

  22. The Gaps – Use of stdlib.h environment functions C Secure - Rule 5.29 and Rule 5.42 MISRA C:2012 - Rule R21.8 prohibits the use of getenv() but does not mention the use of localeconv() , setlocale() and strerror() Ideal Solution - Ideally, the C Standard should defines these functions as returning const char * rather than straight char * - Note: additional thread-safe functions added in C11 Proposed way ahead - Permit use of getenv() ; Add MISRA C rule(s) to enforce read-only nature, and to prevent wrong data being used after multiple calls. - Also applies to asctime() and ctime() 22 July 14, 2015

  23. The Gaps – Use of sizeof() on a pointer parameter C Secure - Rule 5.38 MISRA C:2012 - No explicit coverage - Could tenuously claim D4.1 and D4.11 covers, but... Proposed way ahead - Add an appropriate MISRA C rule to detect this. 23 July 14, 2015

  24. The Gaps – Comparison of padding data C Secure - Rule 5.9 MISRA C:2012 - No explicit coverage - Could tenuously claim D4.1 and D4.11 covers, but... Proposed way ahead - Add appropriate MISRA C rule(s) to prevent use of memcmp() with structures or unions. - Add appropriate MISRA C rule(s) to prevent use of memcmp() with character strings – use strcmp() or strncmp() instead. 24 July 14, 2015

  25. ISO/IEC TS 17961 – The Broad Approaches Some C Secure rules are implicitly fully covered by broad approaches - MISRA C:2012 prohibits the use of the restrict keyword 1 rule - MISRA C:2012 prohibits the use of dynamic memory allocation 3 rules - MISRA C:2012 prohibits the use of the features in <signal.h> 3 rules - MISRA C:2012 prohibits the use of the features in <stdio.h> 4 rules o The use of string formatting functions o The use of EOF Proposal - Keep these broad approaches under review - Establish more targeted rules where appropriate 25 July 14, 2015

  26. The Broad – string formatting functions C Secure - Rule 5.24 and Rule 5.45 MISRA C:2012 - Use of <stdio.h> generally prohibited by Advisory R21.6 - Some undefined behaviour generally trapped by R1.3 - Directives D4.1 and D4.11 also apply Possible way ahead No change – exiting undefined behaviour is caught - - Add catchall taint directive? - Add explicit MISRA C rule(s) - Avoid interaction by existing Rule R21.6 26 July 14, 2015

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Safety and Security Certification Program Safety and Security Certification A process to

Safety and Security Certification Program Safety and Security Certification A process to

Safety and Security Certification Program Safety and Security Certification A process to assure that safety &amp; security concerns, vulnerabilities, and hazards are adequately addressed prior to the initiation of service. Safety and

97 views • 9 slides
Semantics of Orc William Cook and Jayadev Misra f cook,misra g @cs.utexas.edu Department of

Semantics of Orc William Cook and Jayadev Misra f cook,misra g @cs.utexas.edu Department of

D EPARTMENT OF C OMPUTER S CIENCES Semantics of Orc William Cook and Jayadev Misra f cook,misra g @cs.utexas.edu Department of Computer Science University of Texas at Austin Email: web: http://www.cs.utexas.edu/users/psp U NIVERSITY OF T EXAS

479 views • 31 slides
Implementation of Orc William Cook and Jayadev Misra f cook,misra g @cs.utexas.edu Department of

Implementation of Orc William Cook and Jayadev Misra f cook,misra g @cs.utexas.edu Department of

D EPARTMENT OF C OMPUTER S CIENCES Implementation of Orc William Cook and Jayadev Misra f cook,misra g @cs.utexas.edu Department of Computer Science University of Texas at Austin Email: web: http://www.cs.utexas.edu/users/psp U NIVERSITY OF T

680 views • 33 slides
Distributed Execution William Cook and Jayadev Misra f cook,misra g @cs.utexas.edu Department of

Distributed Execution William Cook and Jayadev Misra f cook,misra g @cs.utexas.edu Department of

D EPARTMENT OF C OMPUTER S CIENCES Distributed Execution William Cook and Jayadev Misra f cook,misra g @cs.utexas.edu Department of Computer Science University of Texas at Austin Email: web: http://www.cs.utexas.edu/users/psp U NIVERSITY OF T

301 views • 18 slides
CAC Safety Report 2018-19 John Heiderscheidt Director of Safety and Culture Safety and Security

CAC Safety Report 2018-19 John Heiderscheidt Director of Safety and Culture Safety and Security

CAC Safety Report 2018-19 John Heiderscheidt Director of Safety and Culture Safety and Security Technology What has been done to address safety and security? Using Safety Technology BASCO - Building Access Security Control Office

445 views • 26 slides
SECURITY &amp; SAFETY AWARENESS TRAINING Purpose of Security &amp; Safety Plan To inform

SECURITY &amp; SAFETY AWARENESS TRAINING Purpose of Security &amp; Safety Plan To inform

SECURITY &amp; SAFETY AWARENESS TRAINING Purpose of Security &amp; Safety Plan To inform employee of risk and threats To inform employee of companys safety &amp; security plans for: Company Terminals Customer To make

465 views • 15 slides
KeY Version for MISRA C Daniel Larsson KeY Symposium Gteborg, June 2005 KeY Version for MISRA

KeY Version for MISRA C Daniel Larsson KeY Symposium Gteborg, June 2005 KeY Version for MISRA

KeY Version for MISRA C Daniel Larsson KeY Symposium Gteborg, June 2005 KeY Version for MISRA C p.1/11 CEDES CEDES ( C ost E fficient D ependable E lectronic S ystems) Software-based methods for fault tolerance &amp; fault handling

989 views • 11 slides
Security Update Security Plans Our Security plans are For Official Use Only, Safety

Security Update Security Plans Our Security plans are For Official Use Only, Safety

Security Update Security Plans Our Security plans are For Official Use Only, Safety Sensitive Information Not for public or media release F.S. 119.071. Required by law, rule and regulation: Homeland Security Directive 5 and 8.

393 views • 11 slides
Machine Learning for the Grid D. Deka, S. Backhaus &amp; M. Chertkov + A. Lokhov, S. Misra, M.

Machine Learning for the Grid D. Deka, S. Backhaus &amp; M. Chertkov + A. Lokhov, S. Misra, M.

Slide 1 Machine Learning for the Grid D. Deka, S. Backhaus &amp; M. Chertkov + A. Lokhov, S. Misra, M. Vuffray and K. Dvijotham DOE/OE &amp; LANL (Grid Science) + GMLC (1.4.9 + 2.0) UNCLASSIFIED Operated by Los Alamos National Security, LLC

689 views • 34 slides
Public Safety and Public Safety and Homeland Security Homeland Security Bureau Bureau 2008

Public Safety and Public Safety and Homeland Security Homeland Security Bureau Bureau 2008

Public Safety and Public Safety and Homeland Security Homeland Security Bureau Bureau 2008 Hurricane Summit Background Advance statutory mandate for the purpose of promoting safety of life and property through the use of

480 views • 11 slides
The Global Nuclear Safety and Security Network Yassine Chaari Office of Safety and Security

The Global Nuclear Safety and Security Network Yassine Chaari Office of Safety and Security

The Global Nuclear Safety and Security Network Yassine Chaari Office of Safety and Security Coordination Department of Nuclear Safety and Security What is GNSSN? GNSSN human network operating at global, regional and national levels,

355 views • 24 slides
4/20/18 Safety &amp; Security in Chesterfield School Board Safety Task Force - April 24, 2018

4/20/18 Safety &amp; Security in Chesterfield School Board Safety Task Force - April 24, 2018

4/20/18 Safety &amp; Security in Chesterfield School Board Safety Task Force - April 24, 2018 Donald R. Green, CPP Safety &amp; Security Manager Schools are Safe School mass violence attacks are very rare: Extremely Low Probability -

517 views • 4 slides
Convergence of Safety and Security Sebastian Fischmeister Dept. of Electrical and Comp.

Convergence of Safety and Security Sebastian Fischmeister Dept. of Electrical and Comp.

1 Convergence of Safety and Security Sebastian Fischmeister Dept. of Electrical and Comp. Engineering University of Waterloo esg.uwaterloo.ca 2 Research area: Safety and security of software- intensive embedded safety- critical systems 3

696 views • 38 slides
Safety &amp; Security 2019-2020 School Year Comprehensive School Safety Plan Chief of f Staff

Safety &amp; Security 2019-2020 School Year Comprehensive School Safety Plan Chief of f Staff

Safety &amp; Security 2019-2020 School Year Comprehensive School Safety Plan Chief of f Staff Chris Smith Director of Safety &amp; Security Ian Lopez Security Manager Eaglecrest HS Feeders Eaglecrest High School Thunder Ridge Middle

615 views • 28 slides
Safety &amp; Security Presented by: Chandra Ravada FAST ACT Safety &amp; Security Increase

Safety &amp; Security Presented by: Chandra Ravada FAST ACT Safety &amp; Security Increase

DMATS LRTP 2045 Safety &amp; Security Presented by: Chandra Ravada FAST ACT Safety &amp; Security Increase the safety of the transportation system for motorized and non-motorized users Increase the security of the transportation system

544 views • 15 slides
DEPARTMENT OF SAFETY &amp; SECURITY OVERVIEW Embracing A New Direction JANUARY 2013 March

DEPARTMENT OF SAFETY &amp; SECURITY OVERVIEW Embracing A New Direction JANUARY 2013 March

DEPARTMENT OF SAFETY &amp; SECURITY OVERVIEW Embracing A New Direction JANUARY 2013 March 25, 2010 DEPARTMENT OF SAFETY &amp; SECURITY WORKFLOW Public Safety Technical Security Cooperative Partnerships Emergency Management 2

335 views • 15 slides
Automated Target Testing with TTCN-3: Experiences from WiMAX Call Processing Features By

Automated Target Testing with TTCN-3: Experiences from WiMAX Call Processing Features By

Automated Target Testing with TTCN-3: Experiences from WiMAX Call Processing Features By Bhaskar Rao G Srinath Y Sridhar Y Jitesh M Motorola India Pvt Ltd, Hyderabad bhaskarraog@motorola.com 23 November 2009 T3UC-2009 1 Agenda

623 views • 20 slides
O M L TO Multilingual On-Line T ranslation non multa, sed multum MOLTO Consortium

O M L TO Multilingual On-Line T ranslation non multa, sed multum MOLTO Consortium

O M L TO Multilingual On-Line T ranslation non multa, sed multum MOLTO Consortium FP7-247914 Project summary MOLTOs goal is to develop a set of tools for translating texts between multiple languages in real time with high

595 views • 26 slides
1 SDL Trisoft Summit Corporate Overview Kevin Duffy - CEO SDL Structured Content Technology

1 SDL Trisoft Summit Corporate Overview Kevin Duffy - CEO SDL Structured Content Technology

1 SDL Trisoft Summit Corporate Overview Kevin Duffy - CEO SDL Structured Content Technology Division Agenda SDL leader in Global Information Mgt. The Structured Content Technology Div. Trisoft and XyEnterprise combine to become the

620 views • 24 slides
Jigme Dorji d_jigme@hotmail.com mm PROJECT TITLE : TH E PROTfCTJOft Of WHITE-BELLIED HEROn

Jigme Dorji d_jigme@hotmail.com mm PROJECT TITLE : TH E PROTfCTJOft Of WHITE-BELLIED HEROn

Population and Distribution of White-bellied Heron in Bhutan Presented to the College of Natural Resources, Lobesa October 17, 2013 Jigme Dorji d_jigme@hotmail.com mm PROJECT TITLE : TH E PROTfCTJOft Of WHITE-BELLIED HEROn (ARDEA nS1

724 views • 30 slides
Presentation to AMSA MRF Geosystems Corporation November 16, 2016 Gary Zhang, President Cell:

Presentation to AMSA MRF Geosystems Corporation November 16, 2016 Gary Zhang, President Cell:

http://www.geoalberta.com/Portals/0/images/ http://www.geoalberta.com/Portals/0/images/ 2012/geoalberta_10_anniversaryPNG.png 2012/geoalberta_10_anniversaryPNG.png Presentation to AMSA MRF Geosystems Corporation November 16, 2016 Gary Zhang,

671 views • 9 slides
Crime Prevention Nottinghamshire Polices Crime Prevention Unit are based at: Force HQ,

Crime Prevention Nottinghamshire Polices Crime Prevention Unit are based at: Force HQ,

Crime Prevention Nottinghamshire Polices Crime Prevention Unit are based at: Force HQ, Sherwood Lodge How best to contact us 101 extn 800 3011 or email crime.prevention@nottinghamshire.pnn.p olice.uk Office Hours Mon to

610 views • 16 slides
Development of the new cities in Egypt September 19, 2018 Holiday Inn Citystars Cairo ALI

Development of the new cities in Egypt September 19, 2018 Holiday Inn Citystars Cairo ALI

The Role of FM in the Sustainable and Urban Development of the new cities in Egypt September 19, 2018 Holiday Inn Citystars Cairo ALI AlSuwaidi Profile 1. Vice President - MEFMA 2. Global FM Board 3. Chief Operating Officer Global

894 views • 70 slides
Top-up Operation - Preservation of Bunch Pattern SPring-8 12/03/02 Michael B oge 31

Top-up Operation - Preservation of Bunch Pattern SPring-8 12/03/02 Michael B oge 31

Top-up Operation at the Swiss Light Source Top-up Operation - Preservation of Bunch Pattern SPring-8 12/03/02 Michael B oge 31 Top-up Operation at the Swiss Light Source Top-up Operation - Injection Oscillations BPM in single

238 views • 10 slides

More recommend