27. Februar - 1. März 2018 // Nürnberg, Germany

Konferenzen und Rahmenprogramm

Zurück zur Tagesansicht
Session 17 - Software Engineering III - Software Quality I

Finding Safety Defects and Security Vulnerabilities by Static Analysis Vortragssprache Englisch

In safety-critical systems tools for static analysis are widely used. Safety standards like ISO-26262, DO-178B/C, IEC-61508 require safety-critical software to be developed in accordance to coding guidelines, e.g., MISRA C. In addition, they require to identify potential functional and non-functional hazards and to demonstrate that the software does not violate the relevant safety goals. Examples of safety-relevant non-functional programming errors that can be detected by static analysis are violations of resource bounds, especially stack overflows and deadline violations, as well as run-time errors and data races. Making sure that no such errors can occur in the final system not only improves safety, but also improves availability – a particularly important aspect for higher levels of automatic driving which need fail-operational behavior. The increasing connectivity of safety-critical systems causes security concerns to become much more critical than they were before: security can be considered a prerequisite for functional safety. In recent years dedicated coding standards have been developed that focus on security aspects, examples are SEI CERT Secure C, the MITRE Common Weakness Enumeration, and ISO/IEC TS 27961:2013. Many of the CERT and CWE rules do not really apply to safety-critical systems, but there is a significant overlap with safety-relevant properties. As an example, many security-relevant exploits build on undefined behaviors of the programming language like buffer overflows, or non-terminated strings. Since many of these properties can be automatically checked by static analysis, one and the same static analysis tool can be used for the purpose of safety and security validation. In addition to safety hazards directly caused by security exploits (cf. the Jeep Hack of 2015) also the trustworthiness of data is an increasing concern. Corrupted data, e.g., provided by a corrupted cloud service may have an indirect impact on the safety of the system [1]. Static analysis techniques like taint analysis and program slicing can provide a valuable contribute to satisfying data safety requirements. This talk gives an overview of static analysis applied to safety and security properties, and discusses practical experience. [1] Data Safety Guidance, Version 2.0. The Data Safety Initiative Working Group (DSIWG), SCSC-217B. The Safety Critical Systems Club, ISBN-13:978-1540887481.

--- Datum: 28.02.2018 Uhrzeit: 11:30 Uhr - 12:00 Uhr Ort: Conference Counter NCC Ost

Sprecher

man

Dr. Daniel Kästner

/ AbsInt Angewandte Informatik GmbH

top

Der gewählte Eintrag wurde auf Ihre Merkliste gesetzt!

Wenn Sie sich registrieren, sichern Sie Ihre Merkliste dauerhaft und können alle Einträge selbst unterwegs via Laptop oder Tablett abrufen.

Hier registrieren Sie sich, um Daten der Aussteller- und Produkt-Plattform sowie des Rahmenprogramms dauerhaft zu speichern. Die Registrierung gilt nicht für den Ticket- und Aussteller-Shop.

Jetzt registrieren

Ihre Vorteile auf einen Blick

  • Vorteil Sichern Sie Ihre Merkliste dauerhaft. Nutzen Sie den sofortigen Zugriff auf gespeicherte Aussteller oder Produkte: egal wann und wo - inkl. Notizfunktion.
  • Vorteil Erhalten Sie auf Wunsch via Newsletter regelmäßig aktuelle Informationen zu neuen Ausstellern und Produkten - abgestimmt auf Ihre Interessen.
  • Vorteil Rufen Sie Ihre Merkliste auch mobil ab: Einfach einloggen und jederzeit darauf zugreifen.