Hypervisor

Virtualization platform for separating
safety functions of different
Safety Integrity Levels (SIL)

Andreas Buchwieser (Wind River GmbH)
Andreas Bärwald (TÜV SÜD Automotive GmbH)



                                             safetronic.’08 - München, 04.11.2008
Agenda



 •     Motivation
 •     Relevant Safety Standards
 •     Use Cases
 •     Definitions
 •     Hypervisor Technology
 •     Spatial Separation
 •     Temporal Separation
 •     Typical Steps
 •     Outlook




 Wind River GmbH (www.windriver.com)   TÜV SÜD Automotive GmbH (www.tuev-sued.de/elektronik)
Motivation: example body controller (1)




Motivation: example body controller (2)




Relevant Safety Standards: IEC 61508



 • Adequate Independence
   “Adequate independence between the safety functions of the
   different safety integrity levels can be shown in the design. The
   justification for independence shall be documented.”

       [source: IEC 61508 part 3: 1998]

 • “It shall be demonstrated either (1) that independence is achieved
   both in the spatial and temporal domain, or (2) that any violation
   of independence is controlled.”

       [source: IEC 61508-3, ED.2. Version 4:2007, Dated: 2007]
Relevant Safety Standards: EN 50128



 • “..Where different software components have different software
   safety integrity levels, these shall be described in the software
   architecture specification.”

 • “The software architecture shall minimise the safety-related part of
   the application.”

 • “..Software parts shall be treated as if they belonged to the highest
   software safety integrity level, unless the independence...is clearly
   evident”

       [source: EN 50128, Dated: 2001]
Relevant Safety Standards: ISO 26262


 ISO/CD 26262-6 Annex D
 “Freedom from interference by software partitioning”

 Goal:
 to prevent propagation of a failure in one software partition to
 any other software partition

 [Figure: one microcontroller running Partition A (Task A.1, Task A.2, ... Task A.n) and Partition B (Task B.1, Task B.2, ... Task B.n) side by side on a single operating system and hardware]
Impact on shared resources (1)



 CPU-time

 • Blocking of partitions: due to communication deadlocks;

 • Wrong allocation of processor execution time, prevented or detected
   e.g. by using
   – Time triggered scheduling;
   – Cyclic execution scheduling policy;
   – Fixed priority based scheduling;
   – Monitoring of processor execution time of software partitions
     according to the allocation;
   – Program sequence monitoring;
   – Arrival rate monitoring.
Impact on shared resources (2)



 Memory

 •     Memory protection mechanisms;
 •     Verification of safety-related data;
 •     Offline analysis of code and data of other partitions;
 •     Restricted access to memory;
 •     Static analysis; and
 •     Static allocation




Impact on shared resources (3)



 I/O and communication

 • Failure of communication peer: communication peer is not
   available;
 • Blocking access to data bus
 • Continuous transmission of messages (babbling idiot)
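An added example, not code from the presentation, of the arrival rate and peer availability monitoring the slides list as countermeasures for the I/O failure modes above: a bus monitor fed a constructed message trace flags a node that exceeds the expected message rate (babbling idiot) and a node that falls silent beyond a timeout (communication peer not available). Window size, rate limit, timeout and the trace are constructed assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_NODES           4
#define WINDOW_MS           100   /* arrival-rate window (constructed) */
#define MAX_MSGS_PER_WINDOW 5     /* nominal rate: one message per 20 ms per node */
#define PEER_TIMEOUT_MS     250   /* silence longer than this: peer unavailable */

enum { NODE_OK = 0, NODE_BABBLING = 1, NODE_SILENT = 2 };

/* Per-node state: a ring of the last MAX_MSGS_PER_WINDOW arrival times. */
typedef struct {
    uint32_t recent[MAX_NODES][MAX_MSGS_PER_WINDOW];
    int      head[MAX_NODES];       /* ring index of the oldest stored arrival */
    int      seen[MAX_NODES];       /* arrivals stored so far (saturates at ring size) */
    uint32_t last_seen[MAX_NODES];
    int      flags[MAX_NODES];      /* OR of NODE_BABBLING / NODE_SILENT */
} bus_monitor_t;

void monitor_init(bus_monitor_t *m)
{
    for (int n = 0; n < MAX_NODES; n++) {
        m->head[n] = 0; m->seen[n] = 0; m->last_seen[n] = 0; m->flags[n] = NODE_OK;
    }
}

/* Arrival-rate check. If the node already sent MAX_MSGS_PER_WINDOW messages and
 * the oldest of them is still inside the window, this message is one too many. */
void monitor_on_message(bus_monitor_t *m, uint32_t t_ms, int node)
{
    if (node < 0 || node >= MAX_NODES) return;
    if (m->seen[node] >= MAX_MSGS_PER_WINDOW) {
        uint32_t oldest = m->recent[node][m->head[node]];
        if (t_ms - oldest < WINDOW_MS) m->flags[node] |= NODE_BABBLING;
    }
    m->recent[node][m->head[node]] = t_ms;
    m->head[node] = (m->head[node] + 1) % MAX_MSGS_PER_WINDOW;
    if (m->seen[node] < MAX_MSGS_PER_WINDOW) m->seen[node]++;
    m->last_seen[node] = t_ms;
}

/* Peer-availability check at time now_ms: never heard from, or silent too long. */
void monitor_check_peers(bus_monitor_t *m, uint32_t now_ms)
{
    for (int n = 0; n < MAX_NODES; n++)
        if (m->seen[n] == 0 || now_ms - m->last_seen[n] > PEER_TIMEOUT_MS)
            m->flags[n] |= NODE_SILENT;
}

/* Constructed trace: node 0 healthy throughout, node 1 stops at 200 ms,
 * node 2 starts babbling (one message every 2 ms) at 300 ms, node 3 is
 * never heard from. State is per node, so feeding node by node is fine. */
static void feed_demo_trace(bus_monitor_t *m)
{
    for (uint32_t t = 0; t <= 500; t += 20) monitor_on_message(m, t, 0);
    for (uint32_t t = 0; t <= 200; t += 20) monitor_on_message(m, t, 1);
    for (uint32_t t = 300; t <= 340; t += 2) monitor_on_message(m, t, 2);
    monitor_check_peers(m, 500);
}

int demo_node_flags(int node)
{
    bus_monitor_t m;
    monitor_init(&m);
    feed_demo_trace(&m);
    return (node >= 0 && node < MAX_NODES) ? m.flags[node] : -1;
}

int main(void)
{
    for (int n = 0; n < MAX_NODES; n++) {
        int f = demo_node_flags(n);
        printf("node %d: %s%s%s\n", n, f == NODE_OK ? "ok" : "",
               (f & NODE_BABBLING) ? "babbling " : "", (f & NODE_SILENT) ? "silent" : "");
    }
    return 0;
}
```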




Hypervisor
                                 Separation Concept




Motivation for Separation



 •     Standardised Approach for Separation

 •     Limit Software Development Costs
       Certification of safety critical parts only

 •     Flexibility
       third party deliveries can be easily integrated by the OEM

 •     Maintenance
       fewer safety-relevant areas are affected by maintenance changes

 •     Reusability
       Legacy code, Architectural approach
Use Case Separation


[Figure: without virtualization, the Safety Related Functions and the Application run side by side on one Safe OS on the Hardware - Target Platform. With virtualization, Virtual Board 1 (Safety Related Functions on Safe OS) and Virtual Board 2 (Application on COTS OS) run on the Virtualization Mechanism - WR Hypervisor on the same Hardware - Target Platform.]
Use Case Integration


[Figure: without virtualization, the Safety Related Functions on Safe OS run on Hardware - Target Platform 1 and the Application on a COTS OS runs on Hardware - Target Platform 2. With virtualization, both are integrated on one Hardware - Target Platform as Virtual Board 1 (Safety Related Functions on Safe OS) and Virtual Board 2 (Application on COTS OS) on the Virtualization Mechanism - WR Hypervisor.]
Definitions



  • Virtualization
    Abstraction of computer resources, hiding the physical
    characteristics

  • Hypervisor
    Configurable supervisor program with both separation and
    scheduling that provides virtualization through software

  • Virtual Board (Software Partition in ISO/CD 26262-6)
    Environment for one operating system or bare application; has
    physical and/or virtual hardware controlled by the Hypervisor




Hypervisor Technology




[Figure: Virtual Board 1 (CPU, Memory, Ethernet1), Virtual Board 2 (CPU, Memory, Serial) and Virtual Board 3 (CPU, Memory, Ethernet2) sit on top of the Hypervisor, which runs on the Physical Board with its CPU, Memory, Ethernet and Serial.]
Non-interference on a single computer



 • Independence of execution
   Software elements will not adversely interfere with each other’s
   execution behaviour such that a dangerous failure would occur

         – Spatial Domain
           data used by one element must not be changed by another
           element, in particular a non-safety related element

         – Spatial separation
            • MMU & I/O MMU to separate memory domains and I/O
              domains
            • VMMU to set up a system of virtual boards
            • Safe Inter Process Communication (SIPC)
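The spatial separation mechanisms above, carried through as an added example that is not code from the presentation or from the Wind River Hypervisor: a VMMU-style second-stage translation from guest-physical to host-physical pages with a per-virtual-board map, an I/O domain check, and a static (offline) check that no host page is writable from two boards; a page that only one side can write, the shape a one-way SIPC channel takes, is permitted. Page numbers, device bits and the three board configurations are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT 12
#define PAGE_MASK  ((1u << PAGE_SHIFT) - 1)
#define MAX_MAP    4

/* Physical devices on the board, as bits of an I/O domain mask (constructed). */
enum { DEV_ETHERNET = 1u << 0, DEV_SERIAL = 1u << 1, DEV_ATA = 1u << 2 };

/* One second-stage map entry: a run of guest-physical pages -> host-physical pages. */
typedef struct {
    uint32_t guest_page, host_page, n_pages;
    bool     writable;
} map_entry_t;

/* Static configuration of one virtual board (VB). */
typedef struct {
    map_entry_t map[MAX_MAP];
    int         n_map;
    uint32_t    io_domain;   /* devices this VB may drive */
} vb_config_t;

typedef enum { ACCESS_OK = 0, FAULT_UNMAPPED = 1, FAULT_WRITE_PROTECTED = 2 } access_t;

/* VMMU-style translation of a guest-physical access. Anything the VB's map
 * does not cover, or a write to a read-only page, traps to the hypervisor
 * instead of reaching memory that belongs to another board. */
access_t vmmu_translate(const vb_config_t *vb, uint32_t guest_pa, bool write, uint32_t *host_pa)
{
    uint32_t gpage = guest_pa >> PAGE_SHIFT;
    for (int i = 0; i < vb->n_map; i++) {
        const map_entry_t *e = &vb->map[i];
        if (gpage < e->guest_page || gpage >= e->guest_page + e->n_pages) continue;
        if (write && !e->writable) return FAULT_WRITE_PROTECTED;
        *host_pa = ((e->host_page + (gpage - e->guest_page)) << PAGE_SHIFT) | (guest_pa & PAGE_MASK);
        return ACCESS_OK;
    }
    return FAULT_UNMAPPED;
}

/* I/O domain: a VB may only touch devices the configuration assigns to it. */
bool io_allowed(const vb_config_t *vb, uint32_t device)
{
    return (vb->io_domain & device) != 0;
}

/* Offline check of two configurations: no host page may be writable from both
 * boards. Writable on one side and read-only on the other is allowed. */
bool no_shared_writable_pages(const vb_config_t *a, const vb_config_t *b)
{
    for (int i = 0; i < a->n_map; i++)
        for (int j = 0; j < b->n_map; j++) {
            const map_entry_t *x = &a->map[i], *y = &b->map[j];
            if (!x->writable || !y->writable) continue;
            if (x->host_page < y->host_page + y->n_pages &&
                y->host_page < x->host_page + x->n_pages) return false;
        }
    return true;
}

/* Constructed boards. Both see their RAM at guest page 0x100, but the
 * hypervisor backs them with different host pages. Guest page 0x300 is a
 * shared buffer that only VB1 may write. */
static const vb_config_t vb1_safe = {   /* Safe OS + safety related functions */
    .map = { { 0x100, 0x200, 16, true }, { 0x300, 0x400, 1, true } },
    .n_map = 2, .io_domain = DEV_ETHERNET,
};
static const vb_config_t vb2_cots = {   /* COTS OS + application */
    .map = { { 0x100, 0x300, 32, true }, { 0x300, 0x400, 1, false } },
    .n_map = 2, .io_domain = DEV_SERIAL | DEV_ATA,
};
static const vb_config_t vb3_bad = {    /* misconfigured: RAM overlaps VB1's host pages */
    .map = { { 0x100, 0x205, 4, true } }, .n_map = 1, .io_domain = 0,
};

static const vb_config_t *board(int n) { return n == 1 ? &vb1_safe : n == 2 ? &vb2_cots : &vb3_bad; }

int demo_access(int vb, uint32_t guest_pa, bool write)
{
    uint32_t host = 0; return (int)vmmu_translate(board(vb), guest_pa, write, &host);
}
uint32_t demo_host_pa(int vb, uint32_t guest_pa)
{
    uint32_t host = 0xFFFFFFFFu; vmmu_translate(board(vb), guest_pa, false, &host); return host;
}
bool demo_io(int vb, uint32_t device) { return io_allowed(board(vb), device); }
bool demo_disjoint(int a, int b) { return no_shared_writable_pages(board(a), board(b)); }

int main(void)
{
    printf("VB2 read 0x100123 -> host 0x%x\n", demo_host_pa(2, 0x100123u));
    printf("VB2 access to VB1's RAM: fault %d\n", demo_access(2, 0x200000u, false));
    printf("VB2 write to shared page: fault %d\n", demo_access(2, 0x300010u, true));
    printf("VB1/VB2 disjoint: %d, VB1/VB3 disjoint: %d\n", demo_disjoint(1, 2), demo_disjoint(1, 3));
    return 0;
}
```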

Spatial Separation




[Figure: Virtual Board 1 runs a bare Application, Virtual Board 2 an Application on Linux and Virtual Board 3 an Application on VxWorks (applications in User Mode, guest OS in Privileged Mode), with the virtual resources CPU/Mem/Eth, CPU/Mem/ATA and CPU/Mem/Serial respectively. The Wind River Hypervisor runs in System Mode and provides the VMMU, Interrupt and Exception handling, Virtual Boards, communication, I/O resources and Configuration on top of the Physical Board (Serial, ATA, Ethernet, Memory, Core).]
Non-interference on a single computer



 •     Independence of execution
       Software elements will not adversely interfere with each other’s execution
       behaviour such that a dangerous failure would occur

         – Temporal Domain
           one element must not cause another element to function incorrectly by
           taking too high a share of the available processor execution time, or
           by blocking execution of the other element by locking a shared
           resource of some kind

         – Temporal separation
            • Deterministic scheduling
               – Scheduling policy (time slice, priority)
            • Exception Handling
            • Cache and DMA Management


Temporal Separation




[Figure: timeline of one major frame. The System Tick drives the minor frames; VB 1 runs in every other minor frame, the remaining minor frames go to VB 2 (three times) and VB 3 (once), and one minor frame is left as Spare Time. The sequence of minor frames forms the Major Frame, which then repeats.]
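The frame schedule above, carried through as an added example that is not code from the presentation or from the Wind River Hypervisor: a simulation of time-sliced scheduling over one major frame in which the system tick hands every minor frame to its configured virtual board, so a board that demands more CPU time than its allocation (VB 2 here) exhausts its own budget without delaying VB 1 or VB 3. The execution-time monitoring from the ISO 26262 slide is modelled as per-board accounting of budget, used and unmet ticks. The schedule, tick length and demands are constructed.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_VB    4      /* virtual boards the schedule can reference */
#define MAX_MINOR 8      /* minor frames per major frame */
#define SPARE     (-1)   /* minor frame owned by nobody: spare time */

/* Static major frame: which virtual board (VB) owns each minor frame. */
typedef struct {
    int owner[MAX_MINOR];   /* VB index per minor frame, or SPARE */
    int n_minor;            /* minor frames in one major frame */
    int ticks_per_minor;    /* system ticks per minor frame */
} major_frame_t;

/* What the execution-time monitor records per VB over one major frame. */
typedef struct {
    int budget;   /* ticks the schedule allocates to this VB */
    int used;     /* ticks the VB actually executed */
    int unmet;    /* ticks the VB still demanded when the major frame ended */
} vb_account_t;

/* Run one major frame. demand[vb] is the CPU time (in ticks) each VB wants;
 * a faulty or greedy VB simply demands more than it was allocated. The
 * system tick preempts the running VB unconditionally, so every minor frame
 * boundary hands the CPU to the configured owner. Returns the spare ticks. */
int run_major_frame(const major_frame_t *mf, const int demand[MAX_VB],
                    vb_account_t acct[MAX_VB])
{
    int remaining[MAX_VB];
    int spare = 0;

    memset(acct, 0, sizeof(vb_account_t) * MAX_VB);
    for (int vb = 0; vb < MAX_VB; vb++) remaining[vb] = demand[vb];

    for (int f = 0; f < mf->n_minor; f++) {
        int vb = mf->owner[f];
        if (vb == SPARE) { spare += mf->ticks_per_minor; continue; }
        acct[vb].budget += mf->ticks_per_minor;
        for (int t = 0; t < mf->ticks_per_minor; t++) {
            /* an idle owner keeps its slot; nothing is handed to another VB */
            if (remaining[vb] > 0) { remaining[vb]--; acct[vb].used++; }
        }
    }
    for (int vb = 0; vb < MAX_VB; vb++) acct[vb].unmet = remaining[vb];
    return spare;
}

/* Temporal separation invariant: no VB executed beyond its allocation. */
bool within_allocation(const vb_account_t acct[MAX_VB])
{
    for (int vb = 0; vb < MAX_VB; vb++)
        if (acct[vb].used > acct[vb].budget) return false;
    return true;
}

/* Constructed schedule modelled on the slide: VB 1 (index 0) in every other
 * minor frame, VB 2 (index 1) in two, VB 3 (index 2) in one, one spare. */
static const major_frame_t demo_frame = {
    .owner = { 0, 1, 0, 1, 0, 2, SPARE, 0 }, .n_minor = 8, .ticks_per_minor = 5,
};
/* VB 2 misbehaves: it demands 100 ticks against a 10-tick allocation. */
static const int demo_demand[MAX_VB] = { 12, 100, 5, 0 };

int demo_used(int vb)     { vb_account_t a[MAX_VB]; run_major_frame(&demo_frame, demo_demand, a); return a[vb].used; }
int demo_unmet(int vb)    { vb_account_t a[MAX_VB]; run_major_frame(&demo_frame, demo_demand, a); return a[vb].unmet; }
int demo_spare(void)      { vb_account_t a[MAX_VB]; return run_major_frame(&demo_frame, demo_demand, a); }
bool demo_separated(void) { vb_account_t a[MAX_VB]; run_major_frame(&demo_frame, demo_demand, a); return within_allocation(a); }

int main(void)
{
    vb_account_t a[MAX_VB];
    int spare = run_major_frame(&demo_frame, demo_demand, a);
    for (int vb = 0; vb < 3; vb++)
        printf("VB %d: budget %2d used %2d unmet %3d\n", vb + 1, a[vb].budget, a[vb].used, a[vb].unmet);
    printf("spare ticks %d, separation held: %s\n", spare, within_allocation(a) ? "yes" : "no");
    return 0;
}
```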




Typical Steps



 •     Hardware Certification
        – Diagnostic measures -> Software Safety Requirements (SSR)
 •     Allocation of SSRs
        – Hypervisor BSP
        – SafeOS BSP
        – Safety Application
 •     Implementation Hypervisor BSP
 •     Partitioning claim
        – Hypervisor and Hypervisor BSP
 •     Implementation SafeOS BSP
        – Consideration of the Safety Manual of Hypervisor and Hypervisor BSP
 •     Implementation Safety Application
        – Consideration of the Safety Manual of SafeOS and SafeOS BSP
 •     System Safety Manual

[Figure: layered stack of Hardware, Virtualization and Virtual Board 1 shown beside the steps]
Outlook



 • Next Version of IEC 61508, Part 3
   specifies techniques for separation (Annex G)

 • Virtualisation techniques are deployed in Aerospace (e.g. 787, A380,
   A400, C130-AMP...) (ARINC653, DO178B, DO297 / ED124)

 • Multi Core CPUs
    – Shared Resources (Cache, Bus, RAM, I/O devices)
    – Parallel Computing (SMP, AMP)

 • Device virtualization
    – Directed I/O
Contact




 Andreas Buchwieser
 Wind River GmbH
 Osterfeldstr. 84, 85737 Ismaning, Germany
 Tel.: +49 89 962445 432
 andreas.buchwieser@windriver.com

 Andreas Bärwald
 TÜV SÜD Automotive GmbH
 Ridlerstr. 57, 80339 München, Germany
 Tel.: +49 89 5791 4441
 andreas.baerwald@tuev-sued.de

Contenu connexe

Tendances

Icinga Camp Berlin 2017 - 10 Tips for better Hardware Monitoring
Icinga Camp Berlin 2017 - 10 Tips for better Hardware MonitoringIcinga Camp Berlin 2017 - 10 Tips for better Hardware Monitoring
Icinga Camp Berlin 2017 - 10 Tips for better Hardware MonitoringIcinga
 
Power Management in Embedded Systems
Power Management in Embedded Systems Power Management in Embedded Systems
Power Management in Embedded Systems mentoresd
 
HKG18-116 - RAS Solutions for Arm64 Servers
HKG18-116 - RAS Solutions for Arm64 ServersHKG18-116 - RAS Solutions for Arm64 Servers
HKG18-116 - RAS Solutions for Arm64 ServersLinaro
 

Tendances (10)

DeltaV Virtualization
DeltaV VirtualizationDeltaV Virtualization
DeltaV Virtualization
 
intouch
intouchintouch
intouch
 
Icinga Camp Berlin 2017 - 10 Tips for better Hardware Monitoring
Icinga Camp Berlin 2017 - 10 Tips for better Hardware MonitoringIcinga Camp Berlin 2017 - 10 Tips for better Hardware Monitoring
Icinga Camp Berlin 2017 - 10 Tips for better Hardware Monitoring
 
Power Management in Embedded Systems
Power Management in Embedded Systems Power Management in Embedded Systems
Power Management in Embedded Systems
 
Cms instruction
Cms instructionCms instruction
Cms instruction
 
Sukh
SukhSukh
Sukh
 
Ch13 annotated
Ch13 annotatedCh13 annotated
Ch13 annotated
 
Va tech elin
Va tech elinVa tech elin
Va tech elin
 
Qnx os
Qnx os Qnx os
Qnx os
 
HKG18-116 - RAS Solutions for Arm64 Servers
HKG18-116 - RAS Solutions for Arm64 ServersHKG18-116 - RAS Solutions for Arm64 Servers
HKG18-116 - RAS Solutions for Arm64 Servers
 

En vedette

Need To Automate Test And Integration Beyond Current Limits?
Need To Automate Test And Integration Beyond Current Limits?Need To Automate Test And Integration Beyond Current Limits?
Need To Automate Test And Integration Beyond Current Limits?Ghodhbane Mohamed Amine
 
Zertifizierung von Werkzeugen und Werkzeugketten
Zertifizierung von Werkzeugen und WerkzeugkettenZertifizierung von Werkzeugen und Werkzeugketten
Zertifizierung von Werkzeugen und WerkzeugkettenAndreasBaerwald
 
Drager Fixed Gas Detector - Functional Safety & Gas Detection Systems - SIL B...
Drager Fixed Gas Detector - Functional Safety & Gas Detection Systems - SIL B...Drager Fixed Gas Detector - Functional Safety & Gas Detection Systems - SIL B...
Drager Fixed Gas Detector - Functional Safety & Gas Detection Systems - SIL B...Thorne & Derrick UK
 
Wind River Simics
Wind River SimicsWind River Simics
Wind River Simicskylefacchin
 
Innovation and the Internet of Things - Emeka Nwafor (Wind River Systems)
Innovation and the Internet of Things - Emeka Nwafor (Wind River Systems)Innovation and the Internet of Things - Emeka Nwafor (Wind River Systems)
Innovation and the Internet of Things - Emeka Nwafor (Wind River Systems)IoT613
 
Practica en una institución impartiendo clases
Practica en una institución impartiendo clasesPractica en una institución impartiendo clases
Practica en una institución impartiendo clasesnemessis138
 
Tienda en línea piña
Tienda en línea  piñaTienda en línea  piña
Tienda en línea piñamanuel Alvarez
 
3°me revolucion francesa
3°me revolucion francesa3°me revolucion francesa
3°me revolucion francesaXimena Prado
 
Chapter 7 web 2.0
Chapter 7   web 2.0Chapter 7   web 2.0
Chapter 7 web 2.0ash-89
 
Master bike plans Dallas and San Antonio
Master bike plans  Dallas and San AntonioMaster bike plans  Dallas and San Antonio
Master bike plans Dallas and San AntonioBikeTexas
 
Dossier seguridad mundial ponferrada 2014
Dossier seguridad mundial ponferrada 2014Dossier seguridad mundial ponferrada 2014
Dossier seguridad mundial ponferrada 2014marcosad
 
Market Publique at The Blend
Market Publique at The BlendMarket Publique at The Blend
Market Publique at The Blendmarketpublique
 
Presentación Alvarez Puga
Presentación Alvarez PugaPresentación Alvarez Puga
Presentación Alvarez Pugaalvarez puga
 
Portfolio - Advertisement
Portfolio - AdvertisementPortfolio - Advertisement
Portfolio - AdvertisementM Abdul Hannan
 

En vedette (20)

Need To Automate Test And Integration Beyond Current Limits?
Need To Automate Test And Integration Beyond Current Limits?Need To Automate Test And Integration Beyond Current Limits?
Need To Automate Test And Integration Beyond Current Limits?
 
Zertifizierung von Werkzeugen und Werkzeugketten
Zertifizierung von Werkzeugen und WerkzeugkettenZertifizierung von Werkzeugen und Werkzeugketten
Zertifizierung von Werkzeugen und Werkzeugketten
 
Drager Fixed Gas Detector - Functional Safety & Gas Detection Systems - SIL B...
Drager Fixed Gas Detector - Functional Safety & Gas Detection Systems - SIL B...Drager Fixed Gas Detector - Functional Safety & Gas Detection Systems - SIL B...
Drager Fixed Gas Detector - Functional Safety & Gas Detection Systems - SIL B...
 
Wind River Simics
Wind River SimicsWind River Simics
Wind River Simics
 
Fast Track Your IoT Development
Fast Track Your IoT DevelopmentFast Track Your IoT Development
Fast Track Your IoT Development
 
Innovation and the Internet of Things - Emeka Nwafor (Wind River Systems)
Innovation and the Internet of Things - Emeka Nwafor (Wind River Systems)Innovation and the Internet of Things - Emeka Nwafor (Wind River Systems)
Innovation and the Internet of Things - Emeka Nwafor (Wind River Systems)
 
Practica en una institución impartiendo clases
Practica en una institución impartiendo clasesPractica en una institución impartiendo clases
Practica en una institución impartiendo clases
 
Micaela
MicaelaMicaela
Micaela
 
Tienda en línea piña
Tienda en línea  piñaTienda en línea  piña
Tienda en línea piña
 
3°me revolucion francesa
3°me revolucion francesa3°me revolucion francesa
3°me revolucion francesa
 
Chapter 7 web 2.0
Chapter 7   web 2.0Chapter 7   web 2.0
Chapter 7 web 2.0
 
Boletin Aeroley #47
Boletin Aeroley #47Boletin Aeroley #47
Boletin Aeroley #47
 
Camino3
Camino3Camino3
Camino3
 
Master bike plans Dallas and San Antonio
Master bike plans  Dallas and San AntonioMaster bike plans  Dallas and San Antonio
Master bike plans Dallas and San Antonio
 
Dossier seguridad mundial ponferrada 2014
Dossier seguridad mundial ponferrada 2014Dossier seguridad mundial ponferrada 2014
Dossier seguridad mundial ponferrada 2014
 
Revista zen
Revista zenRevista zen
Revista zen
 
Market Publique at The Blend
Market Publique at The BlendMarket Publique at The Blend
Market Publique at The Blend
 
Brochur
BrochurBrochur
Brochur
 
Presentación Alvarez Puga
Presentación Alvarez PugaPresentación Alvarez Puga
Presentación Alvarez Puga
 
Portfolio - Advertisement
Portfolio - AdvertisementPortfolio - Advertisement
Portfolio - Advertisement
 

Similaire à Safetronic\'08: Hypervisor (common speech Wind River - TüV SüD)

HiPEAC 2022_Marcelo Pasin presentation
HiPEAC 2022_Marcelo Pasin presentationHiPEAC 2022_Marcelo Pasin presentation
HiPEAC 2022_Marcelo Pasin presentationVEDLIoT Project
 
Towards 0-bug software in the automotive industry
Towards 0-bug software in the automotive industryTowards 0-bug software in the automotive industry
Towards 0-bug software in the automotive industryAshley Zupkus
 
WaTZ: A Trusted WebAssembly Runtime Environment with Remote Attestation for T...
WaTZ: A Trusted WebAssembly Runtime Environment with Remote Attestation for T...WaTZ: A Trusted WebAssembly Runtime Environment with Remote Attestation for T...
WaTZ: A Trusted WebAssembly Runtime Environment with Remote Attestation for T...Jämes Ménétrey
 
Enterprise Cyber-Physical Edge Virtualization Engine (EVE) Project.pdf
Enterprise Cyber-Physical Edge Virtualization Engine (EVE) Project.pdfEnterprise Cyber-Physical Edge Virtualization Engine (EVE) Project.pdf
Enterprise Cyber-Physical Edge Virtualization Engine (EVE) Project.pdfDmitri Shiryaev
 
Remote Control System
Remote Control SystemRemote Control System
Remote Control SystemBloomberg LP
 
Project ACRN CSE Virtualization
Project ACRN CSE VirtualizationProject ACRN CSE Virtualization
Project ACRN CSE VirtualizationProject ACRN
 
Mixed-critical adaptive AUTOSAR stack based on VxWorks, Linux, and virtualiza...
Mixed-critical adaptive AUTOSAR stack based on VxWorks, Linux, and virtualiza...Mixed-critical adaptive AUTOSAR stack based on VxWorks, Linux, and virtualiza...
Mixed-critical adaptive AUTOSAR stack based on VxWorks, Linux, and virtualiza...Andrei Kholodnyi
 
NGSoft General Overview
NGSoft General OverviewNGSoft General Overview
NGSoft General OverviewMichael Starr
 
Removing Security Roadblocks to IoT Deployment Success
Removing Security Roadblocks to IoT Deployment SuccessRemoving Security Roadblocks to IoT Deployment Success
Removing Security Roadblocks to IoT Deployment SuccessMicrosoft Tech Community
 
Apps for Industrial Devices som understøttes af HVM'en. Alternativer, så som ...
Apps for Industrial Devices som understøttes af HVM'en. Alternativer, så som ...Apps for Industrial Devices som understøttes af HVM'en. Alternativer, så som ...
Apps for Industrial Devices som understøttes af HVM'en. Alternativer, så som ...InfinIT - Innovationsnetværket for it
 
Secure IOT Gateway
Secure IOT GatewaySecure IOT Gateway
Secure IOT GatewayLF Events
 
Madness of the Clouds
Madness of the CloudsMadness of the Clouds
Madness of the Cloudsgazdagf
 
Security best practices for hyper v and server virtualisation [svr307]
Security best practices for hyper v and server virtualisation [svr307]Security best practices for hyper v and server virtualisation [svr307]
Security best practices for hyper v and server virtualisation [svr307]Louis Göhl
 
Remote sensing and control of an irrigation system using a distributed wirele...
Remote sensing and control of an irrigation system using a distributed wirele...Remote sensing and control of an irrigation system using a distributed wirele...
Remote sensing and control of an irrigation system using a distributed wirele...nithinreddykaithi
 

Similaire à Safetronic\'08: Hypervisor (common speech Wind River - TüV SüD) (20)

Safety Monitoring system for a manufacturing workstation using Web Service Te...
Safety Monitoring system for a manufacturing workstation using Web Service Te...Safety Monitoring system for a manufacturing workstation using Web Service Te...
Safety Monitoring system for a manufacturing workstation using Web Service Te...
 
HiPEAC 2022_Marcelo Pasin presentation
HiPEAC 2022_Marcelo Pasin presentationHiPEAC 2022_Marcelo Pasin presentation
HiPEAC 2022_Marcelo Pasin presentation
 
Prolucid vRTU Overview
Prolucid vRTU OverviewProlucid vRTU Overview
Prolucid vRTU Overview
 
Towards 0-bug software in the automotive industry
Towards 0-bug software in the automotive industryTowards 0-bug software in the automotive industry
Towards 0-bug software in the automotive industry
 
WaTZ: A Trusted WebAssembly Runtime Environment with Remote Attestation for T...
WaTZ: A Trusted WebAssembly Runtime Environment with Remote Attestation for T...WaTZ: A Trusted WebAssembly Runtime Environment with Remote Attestation for T...
WaTZ: A Trusted WebAssembly Runtime Environment with Remote Attestation for T...
 
Embedded Virtualization applied in Mobile Devices
Embedded Virtualization applied in Mobile DevicesEmbedded Virtualization applied in Mobile Devices
Embedded Virtualization applied in Mobile Devices
 
Eclipse RT Day
Eclipse RT DayEclipse RT Day
Eclipse RT Day
 
Enterprise Cyber-Physical Edge Virtualization Engine (EVE) Project.pdf
Enterprise Cyber-Physical Edge Virtualization Engine (EVE) Project.pdfEnterprise Cyber-Physical Edge Virtualization Engine (EVE) Project.pdf
Enterprise Cyber-Physical Edge Virtualization Engine (EVE) Project.pdf
 
InTouch Machine Edition Advantages and Features
InTouch Machine Edition Advantages and FeaturesInTouch Machine Edition Advantages and Features
InTouch Machine Edition Advantages and Features
 
Remote Control System
Remote Control SystemRemote Control System
Remote Control System
 
Project ACRN CSE Virtualization
Project ACRN CSE VirtualizationProject ACRN CSE Virtualization
Project ACRN CSE Virtualization
 
Mixed-critical adaptive AUTOSAR stack based on VxWorks, Linux, and virtualiza...
Mixed-critical adaptive AUTOSAR stack based on VxWorks, Linux, and virtualiza...Mixed-critical adaptive AUTOSAR stack based on VxWorks, Linux, and virtualiza...
Mixed-critical adaptive AUTOSAR stack based on VxWorks, Linux, and virtualiza...
 
NGSoft General Overview
NGSoft General OverviewNGSoft General Overview
NGSoft General Overview
 
Removing Security Roadblocks to IoT Deployment Success
Removing Security Roadblocks to IoT Deployment SuccessRemoving Security Roadblocks to IoT Deployment Success
Removing Security Roadblocks to IoT Deployment Success
 
Apps for Industrial Devices som understøttes af HVM'en. Alternativer, så som ...
Apps for Industrial Devices som understøttes af HVM'en. Alternativer, så som ...Apps for Industrial Devices som understøttes af HVM'en. Alternativer, så som ...
Apps for Industrial Devices som understøttes af HVM'en. Alternativer, så som ...
 
Secure IOT Gateway
Secure IOT GatewaySecure IOT Gateway
Secure IOT Gateway
 
Usenix Invited Talk
Usenix Invited TalkUsenix Invited Talk
Usenix Invited Talk
 
Madness of the Clouds
Madness of the CloudsMadness of the Clouds
Madness of the Clouds
 
Security best practices for hyper v and server virtualisation [svr307]
Security best practices for hyper v and server virtualisation [svr307]Security best practices for hyper v and server virtualisation [svr307]
Security best practices for hyper v and server virtualisation [svr307]
 
Remote sensing and control of an irrigation system using a distributed wirele...
Remote sensing and control of an irrigation system using a distributed wirele...Remote sensing and control of an irrigation system using a distributed wirele...
Remote sensing and control of an irrigation system using a distributed wirele...
 

Safetronic\'08: Hypervisor (common speech Wind River - TüV SüD)

  • 1. Hypervisor Virtualisierungsplattform zur Trennung von Sicherheitsfunktionen verschiedener Safety Integrity Level (SIL) Andreas Buchwieser (Wind River GmbH) Andreas Bärwald (TÜV SÜD Automotive GmbH) safetronic.’08 - München, 04.11.2008
  • 2. Agenda • Motivation • Relevant Safety Standards • Use Cases • Definitions • Hypervisor Technology • Spatial Separation • Temporal Separation • Typical Steps • Outlook Wind River GmbH (www.windriver.com) TÜV SÜD Automotive GmbH (www.tuev-sued.de/elektronik)
  • 3. Motivation: example body controller (1) Wind River GmbH (www.windriver.com) TÜV SÜD Automotive GmbH (www.tuev-sued.de/elektronik)
  • 4. Motivation: example body controller (2) Wind River GmbH (www.windriver.com) TÜV SÜD Automotive GmbH (www.tuev-sued.de/elektronik)
  • 5. Relevant Safety Standards: IEC 61508 • Adequate Independence ”Adequate independence between the safety functions of the different safety integrity levels can be shown in the design. The justification for independence shall be documented.” [source: IEC 61508 part 3: 1998] • ”It shall be demonstrated either (1) that independence is achieved both in the spatial and temporal domain, or (2) that any violation of independence is controlled.” [source: IEC 61508-3, ED.2. Version 4:2007, Dated: 2007] Wind River GmbH (www.windriver.com) TÜV SÜD Automotive GmbH (www.tuev-sued.de/elektronik)
  • 6. Relevant Safety Standards: EN 50128 • „..Wenn unterschiedliche Softwarekomponenten unterschiedliche Software-Sicherheitsanforderungsstufen haben, so müssen diese in der Software-Architekturspezifikation beschrieben werden.“ • „Die Software Architektur muss den sicherheitsrelevanten Teil der Anwendung minimieren.“ • „..Softwareteile müssen so betrachtet werden, als würden sie der höchsten Software-Anforderungsstufe angehören, es sei denn, die Unabhängigkeit...ist klar ersichtlich“ [source:EN 50128, Dated: 2001] Wind River GmbH (www.windriver.com) TÜV SÜD Automotive GmbH (www.tuev-sued.de/elektronik)
  • 7. Relevant Safety Standards: ISO 26262 ISO/CD 26262-6 Annex D “Freedom from interference by software partitioning” Goal: The objective is to prevent propagation of a failure in one software partition to any other software partition Micro controller Task A.1 Task B.1 Task A.2 Task B.2 Task A.n Task B.n Partition A Partition B Operating system Hardware Wind River GmbH (www.windriver.com) TÜV SÜD Automotive GmbH (www.tuev-sued.de/elektronik)
  • 8. Impact on shared resources (1) CPU-time • Blocking of partitions: due to communication deadlocks; • Wrong allocation of processor execution time, e.g. by using – Time triggered scheduling; – Cycling execution scheduling policy; – Fixed priority based scheduling; – Monitoring of processor execution time of software partitions according to the allocation; – Program sequence; – Arrival rate monitoring. Wind River GmbH (www.windriver.com) TÜV SÜD Automotive GmbH (www.tuev-sued.de/elektronik)
  • 9. Impact on shared resources (2) Memory • Memory protection mechanisms; • Verification of safety-related data; • Offline analysis of code and data of other partitions; • Restricted access to memory; • Static analysis; and • Static allocation Wind River GmbH (www.windriver.com) TÜV SÜD Automotive GmbH (www.tuev-sued.de/elektronik)
  • 10. Impact on shared resources (3) I/O and communication • Failure of communication peer: communication peer is not available; • Blocking access to data bus • Continuous transmission of messages (babbling idiot) Wind River GmbH (www.windriver.com) TÜV SÜD Automotive GmbH (www.tuev-sued.de/elektronik)
  • 11. Hypervisor Separation Concept Wind River GmbH (www.windriver.com) TÜV SÜD Automotive GmbH (www.tuev-sued.de/elektronik)
  • 12. Motivation for Separation • Standardised Approach for Separation • Limit Software Development Costs Certification of safety critical parts only • Flexibility third party deliveries can be easily integrated by OEM • Maintenance less safety-relevant areas can be influenced through maintenance • Reusability Legacy code, Architectural approach Wind River GmbH (www.windriver.com) TÜV SÜD Automotive GmbH (www.tuev-sued.de/elektronik)
Use Case: Separation

 [figure, left: Safety Related Application Functions on Safe OS on Hardware - Target Platform; right, after virtualization: Virtual Board 1 (Safety Related Application Functions, Safe OS) and Virtual Board 2 (COTS OS) on Virtualization Mechanism - WR Hypervisor on Hardware - Target Platform]
Use Case: Integration

 [figure, left: Safety Related Functions on Safe OS on Hardware - Target Platform 1 and Application on COTS on Hardware - Target Platform 2; right, after virtualization: Virtual Board 1 (Safety Related Application Functions, Safe OS) and Virtual Board 2 (COTS OS) on Virtualization Mechanism - WR Hypervisor on a single Hardware - Target Platform]
Definitions

 • Virtualization
   Abstraction of computer resources, hiding the physical characteristics
 • Hypervisor
   Configurable supervisor program with both separation and scheduling that provides virtualization through software
 • Virtual Board (Software Partition in ISO/CD 26262-6)
   Environment for one operating system or bare application; has physical and/or virtual hardware controlled by the Hypervisor
Hypervisor Technology

 [figure: Virtual Board 1 (CPU, Memory, Ethernet1), Virtual Board 2 (CPU, Memory, Serial) and Virtual Board 3 (CPU, Memory, Ethernet2) on top of the Hypervisor, which runs on the Physical Board (CPU, Memory, Ethernet, Serial)]
Non-interference on a single computer

 • Independence of execution
   Software elements will not adversely interfere with each other’s execution behaviour such that a dangerous failure would occur
   – Spatial Domain
     data used by one element must not be changed by another element, in particular a non-safety related element
   – Spatial separation
     • MMU & I/O MMU to separate memory domains and I/O domains
     • VMMU to set up a system of virtual boards
     • Safe Inter Process Communication (SIPC)
Spatial Separation

 [figure: Virtual Board 1 (Application on Linux, CPU/Mem/Eth), Virtual Board 2 (Application on VxWorks, CPU/Mem/ATA) and Virtual Board 3 (bare Application, CPU/Mem/Serial) run in User Mode and Privileged Mode; the Wind River Hypervisor (VMMU, Interrupt, Exception, Virtual Boards communication, I/O resources, Configuration) runs in System Mode on the Physical Board (Serial, ATA, Ethernet, Memory, Core)]
Non-interference on a single computer

 • Independence of execution
   Software elements will not adversely interfere with each other’s execution behaviour such that a dangerous failure would occur
   – Temporal Domain
     one element must not cause another element to function incorrectly by taking too high a share of the available processor execution time, or by blocking execution of the other element by locking a shared resource of some kind
   – Temporal separation
     • Deterministic scheduling
       – Scheduling policy (time slice, priority)
     • Exception Handling
     • Cache and DMA Management
Temporal Separation

 [figure: timeline of system ticks grouped into minor frames that form a major frame; VB 1 is scheduled in every minor frame, the remaining slices go to VB 2, VB 3 and spare time]
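The time-triggered schedule sketched in the Temporal Separation figure, together with the execution-time monitoring listed under CPU time on the shared-resources slide, as an added example (constructed illustration, not Wind River Hypervisor code). The minor frame length and the slice table are assumed values chosen to resemble the figure.

```python
# Added example, not Wind River Hypervisor code: a static, time-triggered
# partition schedule as sketched on the Temporal Separation slide. A major
# frame is a fixed sequence of minor frames; each minor frame is a sequence
# of (virtual board, ticks) slices, the remainder being spare time. A board
# that wants more CPU time than its slice is pre-empted at the fixed slice
# boundary, so the overrun is recorded and never delays the other boards.

MINOR_FRAME_TICKS = 10  # system ticks per minor frame (assumed value)

# Constructed major frame of four minor frames, loosely following the
# figure: VB1 runs in every minor frame, VB2/VB3 share the rest.
MAJOR_FRAME = [
    [("VB1", 4), ("VB2", 4)],                # 2 ticks spare
    [("VB1", 4), ("VB2", 3), ("VB3", 3)],    # 0 ticks spare
    [("VB1", 4), ("VB2", 4)],                # 2 ticks spare
    [("VB1", 4), ("VB2", 3)],                # 3 ticks spare
]


def validate_schedule(major_frame, minor_frame_ticks=MINOR_FRAME_TICKS):
    """Offline (static) check of the allocation: return a list of minor
    frames whose slices add up to more than the minor frame length."""
    errors = []
    for i, frame in enumerate(major_frame):
        used = sum(ticks for _, ticks in frame)
        if used > minor_frame_ticks:
            errors.append(f"minor frame {i}: {used} > {minor_frame_ticks} ticks")
    return errors


def run_major_frame(major_frame, demand):
    """Simulate one major frame. `demand[vb]` is the CPU time (ticks) board
    `vb` tries to consume in each of its slices. Returns the ticks each board
    actually received and the slices in which a board was cut off."""
    granted = {}
    overruns = []           # (minor frame index, board, ticks refused)
    for i, frame in enumerate(major_frame):
        for vb, slice_ticks in frame:
            wanted = demand.get(vb, 0)
            ran = min(wanted, slice_ticks)      # pre-empted at slice end
            granted[vb] = granted.get(vb, 0) + ran
            if wanted > slice_ticks:
                overruns.append((i, vb, wanted - slice_ticks))
    return granted, overruns


if __name__ == "__main__":
    print(validate_schedule(MAJOR_FRAME))                  # []
    # VB2 misbehaves and asks for 9 ticks per slice: it is cut off each
    # time, while VB1 and VB3 still receive their full allocation.
    print(run_major_frame(MAJOR_FRAME, {"VB1": 4, "VB2": 9, "VB3": 3}))
```

The overrun list is the hook for the "violation of independence is controlled" argument from IEC 61508: a monitor can raise a diagnostic per refused slice while the other boards' budgets stay untouched.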
Typical Steps

 • Hardware Certification
   – Diagnostic measures -> Software Safety Requirements (SSR)
 • Allocation of SSRs
   – Hypervisor BSP
   – SafeOS BSP
   – Safety Application
 • Implementation Hypervisor BSP (Virtualization Hardware)
 • Partitioning claim
   – Hypervisor and Hypervisor BSP
 • Implementation SafeOS BSP (Virtual Board 1)
   – Consideration Safety Manual Hypervisor and Hypervisor BSP
 • Implementation Safety Application
   – Consideration Safety Manual SafeOS and SafeOS BSP
 • System Safety Manual
Outlook

 • Next Version of IEC 61508, Part 3 specifies techniques for separation (Annex G)
 • Virtualisation techniques are deployed in Aerospace (e.g. 787, A380, A400, C130-AMP ...) (ARINC653, DO178B, DO297 / ED124)
 • Multi Core CPUs
   – Shared Resources (Cache, Bus, RAM, I/O devices)
   – Parallel Computing (SMP, AMP)
 • Device virtualization
   – Directed I/O
Contact

 Andreas Buchwieser
 Wind River GmbH
 Osterfeldstr. 84, 85737 Ismaning, Germany
 Tel.: +49 89 962445 432
 andreas.buchwieser@windriver.com

 Andreas Bärwald
 TÜV SÜD Automotive GmbH
 Ridlerstr. 57, 80339 München, Germany
 Tel.: +49 89 5791 4441
 andreas.baerwald@tuev-sued.de