TY - GEN
T1 - Static analysis to enforce safe value flow in embedded control systems
AU - Kowshik, Sumant
AU - Rosu, Grigore
AU - Sha, Lui
PY - 2006/12/22
Y1 - 2006/12/22
N2 - Embedded control systems consist of multiple components with different criticality levels interacting with each other. For example, in a passenger jet, the navigation system interacts with the passenger entertainment system in providing passengers the distance-to-destination information. It is imperative that failures in the non-critical subsystem should not compromise critical functionality. This architectural principle for robustness can, however, be easily compromised by implementation-level errors. We describe SafeFlow, which statically analyzes core components in the system to ensure that they use non-core values communicated through shared memory only if they are run-time monitored for safety or recoverability. Using simple, local annotations and semantic restrictions on shared memory usage in the core component, SafeFlow precisely identifies accesses to unmonitored non-core values. With a few false positives, it identifies erroneous dependencies of critical data on non-core values that can arise due to programming errors, inadvertent accesses, or wrong assumptions regarding the absence of difficult-to-detect implementation errors such as data races and synchronization errors. We demonstrate the utility of SafeFlow by applying it to discover critical value flow dependencies in three prototype systems.
AB - Embedded control systems consist of multiple components with different criticality levels interacting with each other. For example, in a passenger jet, the navigation system interacts with the passenger entertainment system in providing passengers the distance-to-destination information. It is imperative that failures in the non-critical subsystem should not compromise critical functionality. This architectural principle for robustness can, however, be easily compromised by implementation-level errors. We describe SafeFlow, which statically analyzes core components in the system to ensure that they use non-core values communicated through shared memory only if they are run-time monitored for safety or recoverability. Using simple, local annotations and semantic restrictions on shared memory usage in the core component, SafeFlow precisely identifies accesses to unmonitored non-core values. With a few false positives, it identifies erroneous dependencies of critical data on non-core values that can arise due to programming errors, inadvertent accesses, or wrong assumptions regarding the absence of difficult-to-detect implementation errors such as data races and synchronization errors. We demonstrate the utility of SafeFlow by applying it to discover critical value flow dependencies in three prototype systems.
UR - http://www.scopus.com/inward/record.url?scp=33845596872&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=33845596872&partnerID=8YFLogxK
U2 - 10.1109/DSN.2006.66
DO - 10.1109/DSN.2006.66
M3 - Conference contribution
AN - SCOPUS:33845596872
SN - 0769526071
SN - 9780769526072
T3 - Proceedings of the International Conference on Dependable Systems and Networks
SP - 23
EP - 32
BT - Proceedings - DSN 2006
T2 - DSN 2006: 2006 International Conference on Dependable Systems and Networks
Y2 - 25 June 2006 through 28 June 2006
ER -