Software evaluation 软件安全评估
Presented by: Frank Song (宋青红)   E-mail:   Tel: 021-61278364

Products are becoming ever more intelligent and multi-functional. A great many of them contain a microcontroller and implement their functions in software, and quite a few rely on software for safety protection as well: locked-rotor protection for variable-frequency motors, obstacle protection on garage roller doors, over-temperature protection in induction cookers, the door-switch safety interlock of a microwave oven, and so on. (Not every product that contains software needs to be evaluated; only software that performs a safety-protection function does.) In those cases the reliability of the software is critical to the safety of the product, and evaluating the software becomes mandatory.

Classification of software that performs a safety-protection function

IEC system: IEC/EN 60730-1 Annex H

Class B: the software-controlled function prevents unsafe operation of the controlled equipment, e.g. thermal protection or the door lock of a washing machine. Standard wording: "Control functions intended to prevent unsafe operation of the controlled equipment. Examples of controls which may include Class B functions are: thermal cut-outs and door locks for laundry equipment."

Class C: the software-controlled function prevents special hazards (explosion of the controlled equipment), e.g. automatic burner controls or sealed (unvented) water heaters. Standard wording: "Control functions which are intended to prevent special hazards (e.g., explosion of the controlled equipment). Examples of controls which may include class C functions are: automatic burner controls and thermal cut-outs for closed water heater systems (unvented)."

UL system: UL 1998
Class 1 is equivalent to IEC Class B.
Class 2 is equivalent to IEC Class C.

Software that implements a safety function necessarily depends on hardware. Think of a person: however capable the brain, without senses and limbs it cannot do anything. In that picture the software is the nervous system and the hardware is the body, and a software error that can affect safety is like a fault in the nervous system that makes the whole person fail. The purpose of evaluating the software here is to make sure that when such a "nervous system" problem occurs, the work either continues correctly or the system at least announces "hey, I can't go on, I'm stopping", so that something else takes over the task or a supervisor is informed and everything is halted, avoiding an uncontrollable outcome.

Elements of a microcontroller system that the evaluation considers:
- I/O: input/output ports, D/A or A/D conversion, interrupt inputs, PWM modulation, system halt or suspend
- Clock input interface, main frequency, internal or external timer interfaces
- Program counter: at power-on it must point to the first location of read-only memory, e.g. 0000000H (the exact width depends on the memory size of the MCU)
- Read-only memory, instruction register, instruction decoder
- Clock generator, clock oscillator pins (crystal)
- Stack: preserves the instruction address before an interrupt or a subroutine call, so that execution can return correctly afterwards
- Interrupt circuitry, data memory, memory chip select, central processing unit, timers, watchdog

For a microcontroller, once power is applied and the system is healthy, the PC holds address 000H; the processor fetches the contents of 000H, decodes and executes them, and then, in the absence of a jump, moves on to 001H, and so on. That is the basic picture of program execution.

Hardware of a microcomputer system, by analogy:
1. Bus: the transport system / nervous system
2. Data, address, instruction: house number / work order
3. Input/output ports: eyes, ears, mouth, hands
4. Accumulator: the brain
5. Stack: a sticky note
6. Memory: a notebook (short-term / long-term)
7. Interrupt: an urgent order from the boss
8. Clock: the work schedule
9. Program counter: where to go next

One principle of software evaluation is that two faults are generally not assumed to occur at the same time. Note, however, that the system must also pass EMC testing to show that it keeps working under external electromagnetic interference; otherwise, even if it passes the software evaluation, it is still not acceptable as safe, because insufficient immunity can make several parts of the system fail simultaneously.

In general, the method of software evaluation is to simulate a fault in each of the elements listed above and check whether the system can detect it and respond appropriately. If a given fault can be detected by two separate means, its detection is considered reliable. For example, a locked motor shows up as excessive current, excessive temperature rise and zero speed; if two of these three symptoms can be detected, the input side of the detection is considered error-free.

Ways in which a software system can fail:
1. Errors in software logic design and programming: the same variable with different definitions, endless loops, division by zero, a user able to modify the program rather than only the input data, and so on (these are normally corrected during the customer's own self-check).
2. Failure of the hardware on which the software system depends: the microcontroller itself or its peripheral components. These are checked item by item against the table in the standard.

Table H.11.12.7 (part for software of Class B) [the table itself is not reproduced in this extraction]

For each software fault mode the standard also prescribes corresponding error-detection or error-avoidance measures:
- Periodic self-test: exercise a part that might fail and check whether the expected behaviour appears, thereby confirming whether the system is healthy.
- Watchdog: essentially a count-down alarm clock; if the system is unhealthy and cannot clear the alarm in time, the alarm fires.
- Redundancy, i.e. backup, in software or in hardware: the same data is stored in different places and compared; a mismatch means the system has a problem.
- Specific logic techniques: specific encodings and the like.
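How these measures combine in one Class B control loop, shown as an added example written for this page (it is not code from the slides or from any product): a hypothetical over-temperature cut-out in C. The measured temperature is held as value plus complement (data redundancy), two diverse channels decide whether to trip and a comparator checks that they agree, a counting routine monitors the program sequence, and the watchdog is refreshed only when the whole sequence ran correctly. The trip limit, the step constants, the function names and the host-side modelling of the watchdog as a flag are all assumptions made for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define TRIP_LIMIT_C 250u   /* trip threshold in degC; assumed for the example */

/* H.2.18.2.1 data redundancy: the value and its bitwise complement are kept
 * in two separate words, so a stuck-at bit or soft error in either copy is
 * seen as a mismatch on every read. */
typedef struct { uint16_t value; uint16_t inverse; } safe_u16_t;

static void safe_store(safe_u16_t *s, uint16_t v) {
    s->value = v;
    s->inverse = (uint16_t)~v;
}

/* Returns true and writes *out only when both copies agree. */
static bool safe_load(const safe_u16_t *s, uint16_t *out) {
    if ((uint16_t)(s->value ^ s->inverse) != 0xFFFFu)
        return false;
    *out = s->value;
    return true;
}

/* Channel 1: direct comparison against the limit. */
static bool channel1_overtemp(uint16_t temp_c) {
    return temp_c > TRIP_LIMIT_C;
}

/* Channel 2 (H.2.16.2 diverse channel): reaches the same decision by a
 * different route, counting the reading down against the headroom, so a
 * fault in the compare instruction is unlikely to affect both channels. */
static bool channel2_overtemp(uint16_t temp_c) {
    uint32_t headroom = TRIP_LIMIT_C, remaining = temp_c;
    while (remaining > 0 && headroom > 0) {
        remaining--;
        headroom--;
    }
    return remaining > 0;               /* reading exhausted the headroom */
}

/* H.2.18.10.2 logical monitoring of the programme sequence: each mandatory
 * step adds a distinct prime to a flow counter; only the complete sequence
 * in the right order reaches EXPECTED_FLOW. */
enum { STEP_READ = 3, STEP_CH1 = 5, STEP_CH2 = 7, STEP_COMPARE = 11, STEP_ACTUATE = 13 };
#define EXPECTED_FLOW (STEP_READ + STEP_CH1 + STEP_CH2 + STEP_COMPARE + STEP_ACTUATE)

typedef enum { HEATER_OFF = 0, HEATER_ON = 1, SAFE_STATE = 2 } actuator_t;

/* One control cycle. kick_watchdog is set only when every step ran in order
 * and both channels agreed; the firmware refreshes the hardware watchdog
 * (H.2.18.10.4) there and nowhere else, so a stuck or skipped cycle lets
 * the watchdog expire and reset the controller into its safe state. */
static actuator_t control_cycle(const safe_u16_t *temp_store, bool *kick_watchdog) {
    uint32_t flow = 0;
    uint16_t temp_c;
    bool c1, c2;

    *kick_watchdog = false;
    flow += STEP_READ;
    if (!safe_load(temp_store, &temp_c))
        return SAFE_STATE;              /* corrupted measurement */
    flow += STEP_CH1;
    c1 = channel1_overtemp(temp_c);
    flow += STEP_CH2;
    c2 = channel2_overtemp(temp_c);
    flow += STEP_COMPARE;
    if (c1 != c2)
        return SAFE_STATE;              /* H.2.18.3 comparator disagrees */
    flow += STEP_ACTUATE;
    if (flow != EXPECTED_FLOW)
        return SAFE_STATE;              /* a step was skipped or repeated */
    *kick_watchdog = true;
    return c1 ? HEATER_OFF : HEATER_ON;
}

/* Self-check helper: one cycle on a reading, with fault_mask XORed into one
 * redundant copy to simulate a memory fault. Low bits carry the actuator
 * command; 0x10 means the watchdog would have been refreshed. */
static int cycle_result(uint16_t temp_c, uint16_t fault_mask) {
    safe_u16_t store;
    bool kick;
    actuator_t cmd;

    safe_store(&store, temp_c);
    store.value ^= fault_mask;
    cmd = control_cycle(&store, &kick);
    return (int)cmd | (kick ? 0x10 : 0);
}

int main(void) {
    printf("100 degC, no fault : 0x%02x\n", cycle_result(100, 0));
    printf("300 degC, no fault : 0x%02x\n", cycle_result(300, 0));
    printf("300 degC, bit flip : 0x%02x\n", cycle_result(300, 0x0008));
    return 0;
}
```

The point of the flow counter is that the watchdog refresh is reachable from exactly one place, at the end of a fully checked cycle; a watchdog that is kicked from a timer interrupt would keep running even when the main loop is stuck, and would detect nothing.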

Agreed timed communication, listed among the specific logic techniques above, is fairly effective against clock-related errors. What follows are the specific error-detection and error-avoidance measures as the standard defines them (the H.2.x numbers are clause numbers of IEC 60730-1 Annex H).

Control structures:

H.2.16.1 dual channel: a structure which contains two mutually independent functional means to execute specified operations. Special provision may be made for control of common mode faults/errors. It is not required that the two channels each be algorithmic or logical in nature.
H.2.16.2 dual channel (diverse) with comparison: a dual channel structure containing two different and mutually independent functional means, each capable of providing a declared response, in which comparison of output signals is performed for fault/error recognition.
H.2.16.3 dual channel (homogeneous) with comparison: a dual channel structure containing two identical and mutually independent functional means, each capable of providing a declared response, in which comparison of internal signals or output signals is performed for fault/error recognition.
H.2.16.4 single channel: a structure in which a single functional means is used to execute specified operations.
H.2.16.5 single channel with functional test: a single channel structure in which test data is introduced to the functional unit prior to its operation.
H.2.16.6 single channel with periodic self test: a single channel structure in which components of the control are periodically tested during operation.
H.2.16.7 single channel with periodic self test and monitoring: a single channel structure with periodic self test in which independent means, each capable of providing a declared response, monitor such aspects as safety-related timing, sequences and software operations.

Definition of software protection measures

H.2.18.1 Bus redundancy
H.2.18.1.1 full bus redundancy: a fault/error control technique in which fully redundant data and/or address are provided by means of a redundant bus structure.
H.2.18.1.2 multi-bit bus parity: a fault/error control technique in which the bus is extended by two or more bits and these additional bits are used for error detection.
H.2.18.1.3 single bit bus parity: a fault/error control technique in which the bus is extended by one bit and this additional bit is used for error detection.
H.2.18.2 code safety: fault/error control techniques in which protection against coincidental and/or systematic errors in input and output information is provided by the use of data redundancy and/or transfer redundancy (see also H.2.18.2.1 and H.2.18.2.2).
H.2.18.2.1 data redundancy: a form of code safety in which the storage of redundant data occurs.
H.2.18.2.2 transfer redundancy: a form of code safety in which data is transferred at least twice in succession and then compared. This technique will recognize intermittent errors.
H.2.18.3 comparator: a device used for fault/error control in dual channel structures. The device compares data from the two channels and initiates a declared response if a difference is detected.
H.2.18.4 d.c. fault model: a stuck-at fault model incorporating short circuits between signal lines. Because of the number of possible shorts in the device under test, usually only shorts between related signal lines will be considered. A logical signal level is defined which dominates in cases where the lines try to drive to the opposite level.
H.2.18.5 equivalence class test: a systematic test intended to determine whether the instruction decoding and execution are performed correctly. The test data is derived from the CPU instruction specification. Similar instructions are grouped and the input data set is subdivided into specific data intervals (equivalence classes). Each instruction within a group processes at least one set of test data, so that the entire group processes the entire test data set. The test data can be formed from the following: data from the valid range; data from the invalid range; data from the bounds; extreme values and their combinations. The tests within a group are run with different addressing modes, so that the entire group executes all addressing modes.
H.2.18.6 error recognizing means: independent means provided for the purpose of recognizing errors internal to the system. Examples are monitoring devices, comparators, and code generators.
full bus redundancy: see H.2.18.1.1
frequency monitoring: see H.2.18.10.1
H.2.18.7 hamming distance: a statistical measure representing the capability of a code to detect and correct errors. The hamming distance of two code words is equal to the number of positions in which the two code words differ. (H. Holscher and J. Rader, Microcomputers in safety techniques, Verlag TUV Bayern / TUV Rheinland, ISBN 3-88585-315-9.)
H.2.18.8 input comparison: a fault/error control technique by which inputs that are designed to be within specified tolerances are compared.
H.2.18.9 internal error detecting or correcting: a fault/error control technique in which special circuitry is incorporated to detect or correct errors.
logical monitoring of the programme sequence: see H.2.18.10.2
multi-bit bus parity: see H.2.18.1.2
H.2.18.10 Programme sequence
H.2.18.10.1 frequency monitoring: a fault/error control technique in which the clock frequency is compared with an independent fixed frequency. An example is comparison with the line supply frequency.
H.2.18.10.2 logical monitoring of the programme sequence: a fault/error control technique in which the logical execution of the programme sequence is monitored. Examples are the use of counting routines or selected data in the programme itself, or independent monitoring devices.
H.2.18.10.3 time-slot and logical monitoring: a combination of H.2.18.10.2 and H.2.18.10.4.
H.2.18.10.4 time-slot monitoring of the programme sequence: a fault/error control technique in which timing devices with an independent time base are periodically triggered in order to monitor the programme function and sequence. An example is a watchdog timer.
H.2.18.11 multiple parallel outputs: a fault/error control technique in which independent outputs are provided for operational error detection or for independent comparators.
H.2.18.12 output verification: a fault/error control technique in which outputs are compared to independent inputs. This technique may or may not relate an error to the output which is defective.
H.2.18.13 plausibility check: a fault/error control technique in which programme execution, inputs or outputs are checked for inadmissible programme sequence, timing or data. Examples are the introduction of an additional interrupt after completion of a certain number of cycles, or checks for division by zero.
H.2.18.14 protocol test: a fault/error control technique in which data is transferred to and from computer components to detect errors in the internal communications protocol.
H.2.18.15 reciprocal comparison: a fault/error control technique used in dual channel (homogeneous) structures in which a comparison is performed on data reciprocally exchanged between the two processing units. Reciprocal refers to an exchange of similar data.
H.2.18.16 redundant data generation: the availability of two or more independent means, such as code generators, to perform the same task.
H.2.18.17 redundant monitoring: the availability of two or more independent means, such as watchdog devices and comparators, to perform the same task.
H.2.18.18 scheduled transmission: a communication procedure in which information from a particular transmitter is allowed to be sent only at a predefined point in time and sequence; otherwise the receiver will treat it as a communication error.
single bit bus parity: see H.2.18.1.3
H.2.18.19 software diversity: a fault/error control technique in which all or parts of the software are incorporated twice in the form of alternate software code. For example, the alternate forms of software code may be produced by different programmers, different languages or different compiling schemes, and may reside in different hardware channels or in different areas of memory within a single channel.
H.2.18.20 stuck-at fault model: a fault model representing an open circuit or a non-varying signal level. These are usually referred to as stuck open, stuck at 1 or stuck at 0.
H.2.18.21 tested monitoring: the provision of independent means, such as watchdog devices and comparators, which are tested at start-up or periodically during operation.
H.2.18.22 testing pattern: a fault/error control technique used for periodic testing of input units, output units and interfaces of the control. A test pattern is introduced to the unit and the results compared to expected values. Mutually independent means for introducing the test pattern and evaluating the results are used. The test pattern is constructed so as not to influence the correct operation of the control.
time-slot and logical monitoring: see H.2.18.10.3
time-slot monitoring of the programme sequence: see H.2.18.10.4
transfer redundancy: see H.2.18.2.2
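Scheduled transmission (H.2.18.18) and transfer redundancy (H.2.18.2.2) on the link between two channels, as an added example written for this page rather than code from the slides or the standard: a C model of both ends of the exchange. The transmitter emits every frame twice in its slot; the receiver accepts a frame only inside the window of its scheduled slot, only with the expected sequence number, and only if the two copies agree, and reports anything else as a communication error. The frame layout, the 10 ms slot period, the 2 ms window and the function names are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed frame format for the link between the two channels. */
typedef struct {
    uint8_t seq;        /* one per slot, increments by one */
    uint16_t payload;   /* e.g. a measured value or a computed command */
} frame_t;

typedef enum { RX_OK = 0, RX_ERR_SLOT = 1, RX_ERR_SEQ = 2, RX_ERR_COPY = 3 } rx_status_t;

/* Slot timing; the values are assumptions for the example. */
#define SLOT_PERIOD_MS 10u
#define SLOT_WINDOW_MS 2u

typedef struct {
    uint8_t next_seq;       /* sequence number the next frame must carry */
    uint32_t next_slot_ms;  /* scheduled arrival time of the next frame */
} receiver_t;

static void receiver_init(receiver_t *rx, uint32_t first_slot_ms) {
    rx->next_seq = 0;
    rx->next_slot_ms = first_slot_ms;
}

/* Transmitter side: the same frame is emitted twice in succession
 * (H.2.18.2.2 transfer redundancy); on a real bus both copies go out back
 * to back inside the transmitter's allotted slot. */
static void transmit(uint8_t seq, uint16_t payload, frame_t *copy1, frame_t *copy2) {
    copy1->seq = seq;
    copy1->payload = payload;
    *copy2 = *copy1;
}

/* Receiver side (H.2.18.18 scheduled transmission). On any error the
 * schedule is deliberately not advanced: the caller treats the error as a
 * channel fault and enters the safe state rather than resynchronising. */
static rx_status_t receive(receiver_t *rx, uint32_t now_ms,
                           const frame_t *copy1, const frame_t *copy2, uint16_t *out) {
    if (now_ms < rx->next_slot_ms || now_ms > rx->next_slot_ms + SLOT_WINDOW_MS)
        return RX_ERR_SLOT;                       /* early, late or unsolicited */
    if (copy1->seq != rx->next_seq)
        return RX_ERR_SEQ;                        /* lost, replayed or reordered */
    if (copy1->seq != copy2->seq || copy1->payload != copy2->payload)
        return RX_ERR_COPY;                       /* intermittent transfer error */
    *out = copy1->payload;
    rx->next_seq = (uint8_t)(rx->next_seq + 1);
    rx->next_slot_ms += SLOT_PERIOD_MS;
    return RX_OK;
}

/* Self-check helper: frame 0 arrives at t=0, then a frame carrying seq2
 * arrives at t2, optionally with bits of its second copy flipped. Returns
 * the status of the second frame (or of the first if that already failed). */
static int scenario(uint32_t t2, uint8_t seq2, uint16_t flip_copy2) {
    receiver_t rx;
    frame_t c1, c2;
    uint16_t value;
    rx_status_t st;

    receiver_init(&rx, 0);
    transmit(0, 1234, &c1, &c2);
    st = receive(&rx, 0, &c1, &c2, &value);
    if (st != RX_OK)
        return (int)st;
    transmit(seq2, 1250, &c1, &c2);
    c2.payload ^= flip_copy2;                     /* injected bus error */
    return (int)receive(&rx, t2, &c1, &c2, &value);
}

int main(void) {
    printf("on time            : %d\n", scenario(10, 1, 0));
    printf("3 ms late          : %d\n", scenario(13, 1, 0));
    printf("wrong sequence     : %d\n", scenario(10, 2, 0));
    printf("copies disagree    : %d\n", scenario(10, 1, 0x0004));
    return 0;
}
```

The timing check is what gives this scheme its value against clock faults: a transmitter whose clock has drifted, or a channel that has stalled and then catches up, lands outside the window and is rejected even though the frame contents are correct.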

Memory tests

H.2.19.1 Abraham test: a specific form of a variable memory pattern test in which all stuck-at and coupling faults between memory cells are identified. The number of operations required to perform the entire memory test is about 30 n, where n is the number of cells in the memory. The test can be made transparent for use during the operating cycle by partitioning the memory and testing each partition in different time segments. (Abraham, J.A.; Thatte, S.M.; Fault coverage of test programs for a microprocessor, Proceedings of the IEEE Test Conference 1979, pp 18-22.)
H.2.19.2 GALPAT memory test: a fault/error control technique in which a single cell in a field of uniformly written memory cells is inversely written, after which the remaining memory under test is inspected. After each read operation to one of the remaining cells in the field, the inversely written cell is also inspected and read. This process is repeated for all memory cells under test. A second test is then performed as above on the same memory range without inverse writing to the test cell. The test can be made transparent for use during the operating cycle by partitioning the memory and testing each partition in different time segments (see transparent GALPAT test).
H.2.19.2.1 transparent GALPAT test: a GALPAT memory test in which first a signature word is formed representing the content of the memory range to be tested, and this word is saved. The cell to be tested is inversely written and the test is performed as above. However, the remaining cells are not inspected individually but by formation of, and comparison to, a second signature word. A second test is then performed as above by inversely writing the previously inverted value to the test cell. This technique recognizes all static bit errors as well as errors in interfaces between memory cells.
checkerboard memory test: see H.2.19.6.1
H.2.19.3 Checksum
H.2.19.3.1 modified checksum: a fault/error control technique in which a single word representing the contents of all words in memory is generated and saved. During self test, a checksum is formed from the same algorithm and compared with the saved checksum. This technique recognizes all the odd errors and some of the even errors.
H.2.19.3.2 multiple checksum: a fault/error control technique in which separate words representing the contents of the memory areas to be tested are generated and saved. During self test, a checksum is formed from the same algorithm and compared with the saved checksum for that area. This technique recognizes all the odd errors and some of the even errors.
H.2.19.4 Cyclic redundancy check (CRC)
H.2.19.4.1 CRC single word: a fault/error control technique in which a single word is generated to represent the contents of memory. During self test the same algorithm is used to generate another signature word which is compared with the saved word. This technique recognizes all one-bit, and a high percentage of multi-bit, errors.
H.2.19.4.2 CRC double word: a fault/error control technique in which at least two words are generated to represent the contents of memory. During self test the same algorithm is used to generate the same number of signature words which are compared with the saved words. This technique can recognize one-bit and multi-bit errors
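The memory tests above, as an added example written for this page (not code from the slides or the standard): a C implementation of GALPAT (H.2.19.2) over a simulated RAM partition with fault injection, a CRC single-word signature (H.2.19.4.1) over a constructed ROM image, and the plain additive checksum (H.2.19.3.1) beside it so the difference in error coverage that the standard states can be seen on a concrete case. The simulated RAM and its fault-injection fields, the ROM contents, the 16-cell partition size and the function names are assumptions; the CRC parameters are those of CRC-16/CCITT-FALSE (polynomial 0x1021, initial value 0xFFFF).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RAM_CELLS 16u

/* Simulated RAM partition. The fault fields model hardware defects so the
 * tests can be seen catching them; real firmware addresses the cells
 * directly. Bits of stuck_mask in stuck_cell are stuck at 0; writing 0xFF
 * to couple_from also forces couple_to to 0xFF (a coupling fault). */
typedef struct {
    uint8_t cell[RAM_CELLS];
    int stuck_cell, couple_from, couple_to;       /* -1 = no such fault */
    uint8_t stuck_mask;
} sim_ram_t;

static void ram_write(sim_ram_t *r, size_t i, uint8_t v) {
    if ((int)i == r->stuck_cell)
        v &= (uint8_t)~r->stuck_mask;
    r->cell[i] = v;
    if ((int)i == r->couple_from && v == 0xFFu)
        r->cell[r->couple_to] = 0xFFu;
}

static uint8_t ram_read(const sim_ram_t *r, size_t i) { return r->cell[i]; }

/* H.2.19.2 GALPAT: write the field uniformly to bg; for each test cell write
 * the inverse value, walk every other cell checking it still reads bg and
 * re-read the test cell after each such read; restore and move on. The
 * second pass exchanges background and test value. O(n^2) reads, which is
 * why the standard partitions memory. Returns the first cell that read
 * wrongly, or -1 when the partition passes. Destroys the RAM content. */
static int galpat_test(sim_ram_t *r) {
    static const uint8_t pattern[2][2] = { { 0x00u, 0xFFu }, { 0xFFu, 0x00u } };
    for (int p = 0; p < 2; p++) {
        uint8_t bg = pattern[p][0], tv = pattern[p][1];
        for (size_t i = 0; i < RAM_CELLS; i++)
            ram_write(r, i, bg);
        for (size_t t = 0; t < RAM_CELLS; t++) {
            ram_write(r, t, tv);
            for (size_t k = 0; k < RAM_CELLS; k++) {
                if (k == t) continue;
                if (ram_read(r, k) != bg) return (int)k;
                if (ram_read(r, t) != tv) return (int)t;
            }
            ram_write(r, t, bg);
        }
    }
    return -1;
}

/* H.2.19.4.1 CRC single word: CRC-16/CCITT-FALSE (poly 0x1021, init 0xFFFF),
 * bitwise and table-free so it fits a small MCU. */
static uint16_t crc16_ccitt(const uint8_t *data, size_t len) {
    uint16_t crc = 0xFFFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= (uint16_t)(data[i] << 8);
        for (int b = 0; b < 8; b++)
            crc = (crc & 0x8000u) ? (uint16_t)((crc << 1) ^ 0x1021u) : (uint16_t)(crc << 1);
    }
    return crc;
}

/* H.2.19.3.1 modified checksum: a plain 16-bit sum of all bytes. */
static uint16_t add_checksum(const uint8_t *data, size_t len) {
    uint16_t sum = 0;
    for (size_t i = 0; i < len; i++)
        sum = (uint16_t)(sum + data[i]);
    return sum;
}

/* Constructed stand-in for program memory. The reference signature would be
 * computed at build time and stored in ROM next to the code. */
static const uint8_t rom_image[16] = {
    0x02, 0x00, 0x10, 0x21, 0x75, 0x81, 0x7F, 0x12,
    0xE4, 0xF5, 0x90, 0x80, 0xFE, 0x00, 0x00, 0x00
};

/* Self-check helper: GALPAT over a fresh partition with the given faults. */
static int galpat_result(int stuck_cell, uint8_t stuck_mask, int couple_from, int couple_to) {
    sim_ram_t ram = { { 0 }, stuck_cell, couple_from, couple_to, stuck_mask };
    return galpat_test(&ram);
}

/* Self-check helper: XOR mask_a into ROM byte a and mask_b into byte b, then
 * report which signatures still match: bit 0 = additive checksum passes,
 * bit 1 = CRC passes (3 = intact image, 0 = both detect the error). */
static int rom_check_result(size_t a, uint8_t mask_a, size_t b, uint8_t mask_b) {
    uint8_t copy[sizeof rom_image];
    memcpy(copy, rom_image, sizeof copy);
    copy[a] ^= mask_a;
    copy[b] ^= mask_b;
    return (add_checksum(copy, sizeof copy) == add_checksum(rom_image, sizeof rom_image) ? 1 : 0)
         | (crc16_ccitt(copy, sizeof copy) == crc16_ccitt(rom_image, sizeof rom_image) ? 2 : 0);
}

int main(void) {
    printf("GALPAT: stuck bit in cell 5 -> %d, cell 3 coupled to 9 -> %d\n",
           galpat_result(5, 0x10, -1, -1), galpat_result(-1, 0, 3, 9));
    printf("ROM +1/-1 in adjacent bytes -> %d\n", rom_check_result(2, 0x01, 3, 0x01));
    return 0;
}
```

The last case is the one worth remembering: incrementing ROM byte 2 and decrementing byte 3 leaves the additive sum unchanged, so the checksum passes (the "some of the even errors" the standard warns about), while the CRC still detects the two-bit error. GALPAT as written is the non-transparent form and wipes the partition, so it belongs in the start-up self-test; during operation the transparent variant with a saved signature word is used instead.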
