This website uses cookies to make the content more user-friendly and effective. By using this website, you agree to the use of cookies. You can find additonal information about the use of cookies and the possibility of objecting to the use of cookies here.

26 - 28 February 2019 // Nuremberg, Germany

Conferences and supporting programme

back to day overview
Session 17 - Software Engineering III - Software Quality I

Finding Safety Defects and Security Vulnerabilities by Static Analysis Vortragssprache Englisch

In safety-critical systems tools for static analysis are widely used. Safety standards like ISO-26262, DO-178B/C, IEC-61508 require safety-critical software to be developed in accordance to coding guidelines, e.g., MISRA C. In addition, they require to identify potential functional and non-functional hazards and to demonstrate that the software does not violate the relevant safety goals. Examples of safety-relevant non-functional programming errors that can be detected by static analysis are violations of resource bounds, especially stack overflows and deadline violations, as well as run-time errors and data races. Making sure that no such errors can occur in the final system not only improves safety, but also improves availability – a particularly important aspect for higher levels of automatic driving which need fail-operational behavior. The increasing connectivity of safety-critical systems causes security concerns to become much more critical than they were before: security can be considered a prerequisite for functional safety. In recent years dedicated coding standards have been developed that focus on security aspects, examples are SEI CERT Secure C, the MITRE Common Weakness Enumeration, and ISO/IEC TS 27961:2013. Many of the CERT and CWE rules do not really apply to safety-critical systems, but there is a significant overlap with safety-relevant properties. As an example, many security-relevant exploits build on undefined behaviors of the programming language like buffer overflows, or non-terminated strings. Since many of these properties can be automatically checked by static analysis, one and the same static analysis tool can be used for the purpose of safety and security validation. In addition to safety hazards directly caused by security exploits (cf. the Jeep Hack of 2015) also the trustworthiness of data is an increasing concern. Corrupted data, e.g., provided by a corrupted cloud service may have an indirect impact on the safety of the system [1]. Static analysis techniques like taint analysis and program slicing can provide a valuable contribute to satisfying data safety requirements. This talk gives an overview of static analysis applied to safety and security properties, and discusses practical experience. [1] Data Safety Guidance, Version 2.0. The Data Safety Initiative Working Group (DSIWG), SCSC-217B. The Safety Critical Systems Club, ISBN-13:978-1540887481.

--- Date: 28.02.2018 Time: 11:30 AM - 12:00 PM Location: Conference Counter NCC Ost

Speakers

man

Dr. Daniel Kästner

AbsInt Angewandte Informatik GmbH

top

The selected entry has been placed in your favourites!

If you register you can save your favourites permanently and access all entries even when underway – via laptop or tablet.

You can register an account here to save your settings in the Exhibitors and Products Database and as well as in the Supporting Programme.The registration is not for the TicketShop and ExhibitorShop.

Register now

Your advantages at a glance:

  • Advantage Save your favourites permanently. Use the instant access – mobile too, anytime and anywhere – incl. memo function.
  • Advantage The optional newsletter gives you regular up-to-date information about new exhibitors and products – matched to your interests.
  • Advantage Call up your favourites mobile too! Simply log in and access them at anytime.