A Cost-effective Methodology for Achieving ISO26262 Software Compliance. Mark Pitchford


1 A Cost-effective Methodology for Achieving ISO26262 Software Compliance Mark Pitchford

2 Agenda
1 What are the Challenges?
2 Traceability to Requirements
3 Coding Standards
4 Unit Test and Structural Coverage
5 Summary

3 Agenda
1 What are the Challenges?
2 Traceability to Requirements
3 Coding Standards
4 Unit Test and Structural Coverage
5 Summary

4 Safety versus Security
ISO 26262 is a Functional Safety Standard.
Does that mean it is not concerned with Security? Of course not!

5 Understanding Quality and Security
Software Quality: Reliability Processes, Safety Critical
Software Security: Security Processes, Security Critical
Thinking Safety vs Security:
Safety: Does the application perform reliably as designed? (Failing Functionality)
Security: Is the application resistant to external attacks? (Attack Surface)

6 ISO 26262 Challenges
Requirements Traceability Through Code Testing
Meeting Coding Standards
Data Flow & Control Flow
Structural Coverage
Integration with Targets
Certificate Of Quality
Tool Qualification
Objectives and Projects Documents
Verification Evidence and Audit Trail
Software has been tested and conforms to ISO 26262
Reduce Cost of Compliance
Manage Distributed Team
Reduce Time To Compliance And Market

7 Agenda
1 What are the Challenges?
2 Traceability to Requirements
3 Coding Standards
4 Unit Test and Structural Coverage
5 Summary

8 Requirements: Section 6-6 Objectives
ASIL decomposition to software safety
Plan, refine and verify the software safety requirements and hardware-software interface specification
Above objectives in compliance and consistency with the technical safety requirements

9 Traceability Across Requirements, Code and Tests in ISO 26262
Software functional safety standards require traceability
Functional, safety and security requirements must be decomposed, implemented and verified
Requirements must be traced bi-directionally to tests that verify them
[Diagram labels: Security, Safety]

10 Traceability Challenges
Requirement, design, implementation and test artifacts often reside in multiple repositories
Reused elements from one project that are incorporated into a new project may be written using different tools and/or formats
As requirements change, traceability reports need to be updated and maintained
Traceability over a large project can involve a large number of requirements and can be difficult to manage
Simulink: tracing into source code can require analysis of the code to find the procedures
Tests and source code are often managed by different tools/teams than those used to manage requirements
Managing traceability in medium to large scale projects requires careful planning

11 Tracing Requirement to Code and Test
Requirements traceability to code ensures that the requirement is implemented and that the code serves a valid purpose
Requirements traceability to test ensures that the requirement is verified and that the test is useful
These techniques can be combined with structural coverage data to show that the code implemented for a requirement is exercised by tests for that requirement

12 Integrating Across the Lifecycle
Requirements
Source Languages & Host Platforms
Compilers
IDEs
Version Control
RTOS
Communication Protocols
Processors
Modeling Tools

13 Identifying Traceability Issues
Identifying potential traceability issues:
Improper decomposition: the all-encompassing requirement; many-to-one/few could reveal poor traceability analysis
Reasonable decomposition
Detect issues early in the lifecycle by visualizing traceability
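Slides 11 and 13 describe bi-directional traceability (every requirement implemented and verified; every code unit and test justified by a requirement) and the decomposition smells that a traceability view exposes, such as one requirement absorbing many code units. The following C program is an added example written for this page, not code from the presentation or from any tool it mentions; the requirement IDs, function names, test names and the many-to-one threshold are all constructed for illustration. It walks the links in both directions and counts each kind of gap.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample data for this example (not from the presentation):
 * software safety requirement IDs, code units tagged with the requirement
 * they implement, and test cases tagged with the requirement they verify. */
static const char *const REQUIREMENTS[] = { "SWR-001", "SWR-002", "SWR-003", "SWR-004" };
#define N_REQS (sizeof REQUIREMENTS / sizeof REQUIREMENTS[0])

typedef struct {
    const char *name;  /* function or test case name */
    const char *req;   /* requirement it claims to trace to; NULL = untagged */
} Artifact;

static const Artifact CODE_UNITS[] = {
    { "brake_request_valid()", "SWR-001" },
    { "speed_plausibility()",  "SWR-002" },
    { "abs_state_decode()",    "SWR-002" },
    { "wheel_speed_filter()",  "SWR-002" },
    { "diag_legacy_dump()",    NULL      },  /* code with no requirement behind it */
};
#define N_CODE (sizeof CODE_UNITS / sizeof CODE_UNITS[0])

static const Artifact TEST_CASES[] = {
    { "TC_brake_request_01", "SWR-001" },
    { "TC_brake_request_02", "SWR-001" },
    { "TC_speed_plaus_01",   "SWR-002" },
    { "TC_abs_decode_01",    "SWR-009" },  /* cites a requirement that does not exist */
};
#define N_TESTS (sizeof TEST_CASES / sizeof TEST_CASES[0])

/* Threshold chosen for the example: a requirement implemented by this many
 * code units is flagged as a possible "all-encompassing" requirement. */
#define MANY_TO_ONE_THRESHOLD 3

typedef struct {
    int reqs_without_code;   /* forward gap: requirement never implemented */
    int reqs_without_tests;  /* forward gap: requirement never verified */
    int untagged_code;       /* backward gap: code with no requirement */
    int dangling_tests;      /* backward gap: test cites an unknown requirement */
    int broad_reqs;          /* requirements hit by >= MANY_TO_ONE_THRESHOLD code units */
} TraceReport;

static bool is_known_req(const char *req) {
    for (size_t i = 0; req != NULL && i < N_REQS; i++)
        if (strcmp(REQUIREMENTS[i], req) == 0) return true;
    return false;
}

/* Number of artifacts in the array whose tag matches the requirement. */
static int count_links(const Artifact *a, size_t n, const char *req) {
    int count = 0;
    for (size_t i = 0; i < n; i++)
        if (a[i].req != NULL && strcmp(a[i].req, req) == 0) count++;
    return count;
}

/* Walk the links in both directions and total the gaps. */
TraceReport analyze_traceability(void) {
    TraceReport r = { 0, 0, 0, 0, 0 };
    for (size_t i = 0; i < N_REQS; i++) {
        int code = count_links(CODE_UNITS, N_CODE, REQUIREMENTS[i]);
        int tests = count_links(TEST_CASES, N_TESTS, REQUIREMENTS[i]);
        if (code == 0) r.reqs_without_code++;
        if (tests == 0) r.reqs_without_tests++;
        if (code >= MANY_TO_ONE_THRESHOLD) r.broad_reqs++;
    }
    for (size_t i = 0; i < N_CODE; i++)
        if (CODE_UNITS[i].req == NULL) r.untagged_code++;
    for (size_t i = 0; i < N_TESTS; i++)
        if (!is_known_req(TEST_CASES[i].req)) r.dangling_tests++;
    return r;
}

/* Bi-directional traceability holds only when every gap counter is zero;
 * broad_reqs is a review prompt, not a hard failure. */
bool traceability_complete(const TraceReport *r) {
    return r->reqs_without_code == 0 && r->reqs_without_tests == 0 &&
           r->untagged_code == 0 && r->dangling_tests == 0;
}

bool project_traceable(void) {
    TraceReport r = analyze_traceability();
    return traceability_complete(&r);
}

int main(void) {
    TraceReport r = analyze_traceability();
    printf("requirements without code:  %d\n", r.reqs_without_code);
    printf("requirements without tests: %d\n", r.reqs_without_tests);
    printf("untagged code units:        %d\n", r.untagged_code);
    printf("tests citing unknown reqs:  %d\n", r.dangling_tests);
    printf("possible over-broad reqs:   %d\n", r.broad_reqs);
    printf("traceability complete:      %s\n", project_traceable() ? "yes" : "no");
    return 0;
}
```

On the constructed data the report shows two requirements with neither code nor tests, one untagged code unit, one test pointing at a non-existent requirement, and one requirement absorbing three code units. In a real project the arrays would be populated from the requirements tool, source annotations and test results rather than literals, but the two-direction walk is the same.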

14 Agenda
1 What are the Challenges?
2 Traceability to Requirements
3 Coding Standards
4 Unit Test and Structural Coverage
5 Summary

15 Section 8: Software Unit Design and Implementation (Second Objective)
Objectives: Design principles for software unit design and implementation at the source code level as listed in Table 8 shall be applied to achieve the following properties
Coding guidelines such as MISRA ensure correctness and consistency of unit design and implementation

16 Coding Standards Adherence
Pre-empt security and reliability issues early in the lifecycle
Reduce defects and verification cost
Consistent coding style and form across teams
Portability and reusability across environments
Security vs Reliability:
MISRA AC AGC, MISRA C++:2008, MISRA C:2012
CERT, CWE focus on security
MISRA C:2012 AMD1/ADD2: safety and security
Tailorable for new development, legacy code and runtime error checking
The design and coding guidelines shall address the topics listed
Code categories: Hand Code, Legacy Code, Autogenerated Code

17 Security Coding Standards
In 2013, ISO/IEC JTC1/SC22/WG14, the ISO body responsible for the C language, released ISO/IEC TS 17961:2013 C Secure
MISRA C:2012 Amendment 1 represented an extension to a standard that was always designed to address safety AND security issues
CERT C was developed following the analysis of more than 1000 vulnerabilities, and is applicable to both software under development and software that is already deployed.

18 Safe AND Secure
There is NO contradiction between safe and secure code development

19 Agenda
1 What are the Challenges?
2 Traceability to Requirements
3 Coding Standards
4 Unit Test and Structural Coverage
5 Summary

20 ISO 26262: Structural Coverage
The following Structural Coverage is required:
Safety Integrity Level -> Verification Level
ASIL D: Entry Points + Statement + Branches + MC/DC
ASIL C: Entry Points + Statement + Branches
ASIL B: Entry Points + Statement
ASIL A: Entry Points
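The table above separates the branch coverage it lists for ASIL C from the MC/DC it lists for ASIL D, and the difference is easy to misjudge: a suite can take both outcomes of a decision while never showing that each individual condition matters. The C program below is an added example written for this page, not code from the presentation or from any coverage tool it refers to. The three-condition brake-request decision, the two test suites and their vectors are constructed for illustration. It checks branch coverage and the unique-cause form of MC/DC (an independence pair per condition: two vectors differing only in that condition, with different decision outcomes) over each suite; entry-point and statement coverage are trivially met here by calling the one-statement function at all, so they are not computed separately.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define N_COND 3

/* Decision under test (constructed for this example): a brake request is
 * accepted when the pedal is pressed AND either ABS reports active or the
 * vehicle-speed plausibility check passed. Three conditions, one decision. */
static bool brake_request_valid(const bool c[N_COND]) {
    return c[0] && (c[1] || c[2]);
}

typedef struct { bool cond[N_COND]; } TestVector;

/* Constructed suite A: all-true and all-false. Both decision outcomes occur,
 * so branch coverage is met, but no condition is shown to act independently. */
const TestVector SUITE_A[] = {
    { { true,  true,  true  } },
    { { false, false, false } },
};
#define N_SUITE_A (sizeof SUITE_A / sizeof SUITE_A[0])

/* Constructed suite B: N_COND + 1 vectors chosen so that each condition has
 * a pair differing only in that condition with different outcomes. */
const TestVector SUITE_B[] = {
    { { true,  false, false } },  /* pedal only: rejected */
    { { true,  true,  false } },  /* pedal + ABS: accepted; pairs with [0] on c[1] */
    { { true,  false, true  } },  /* pedal + speed ok: accepted; pairs with [0] on c[2] */
    { { false, true,  false } },  /* no pedal: rejected; pairs with [1] on c[0] */
};
#define N_SUITE_B (sizeof SUITE_B / sizeof SUITE_B[0])

/* Branch (decision) coverage: both outcomes of the decision observed. */
bool branch_covered(const TestVector *tv, size_t n) {
    bool seen_true = false, seen_false = false;
    for (size_t i = 0; i < n; i++) {
        if (brake_request_valid(tv[i].cond)) seen_true = true;
        else seen_false = true;
    }
    return seen_true && seen_false;
}

/* MC/DC, unique-cause form: count the conditions for which the suite holds
 * an independence pair, i.e. two vectors that differ in that condition only
 * and yield different decision outcomes. */
int mcdc_conditions_shown(const TestVector *tv, size_t n) {
    bool shown[N_COND] = { false };
    for (size_t i = 0; i < n; i++) {
        for (size_t j = i + 1; j < n; j++) {
            int differing = -1, ndiff = 0;
            for (int k = 0; k < N_COND; k++) {
                if (tv[i].cond[k] != tv[j].cond[k]) { differing = k; ndiff++; }
            }
            if (ndiff == 1 &&
                brake_request_valid(tv[i].cond) != brake_request_valid(tv[j].cond))
                shown[differing] = true;
        }
    }
    int count = 0;
    for (int k = 0; k < N_COND; k++) count += shown[k] ? 1 : 0;
    return count;
}

/* Full MC/DC for this decision: every condition has an independence pair. */
bool mcdc_covered(const TestVector *tv, size_t n) {
    return mcdc_conditions_shown(tv, n) == N_COND;
}

static void report(const char *name, const TestVector *tv, size_t n) {
    printf("%s: %zu vectors, branch %s, MC/DC %d/%d conditions shown (%s)\n",
           name, n, branch_covered(tv, n) ? "covered" : "NOT covered",
           mcdc_conditions_shown(tv, n), N_COND,
           mcdc_covered(tv, n) ? "covered" : "NOT covered");
}

int main(void) {
    report("suite A", SUITE_A, N_SUITE_A);
    report("suite B", SUITE_B, N_SUITE_B);
    return 0;
}
```

Suite A satisfies the ASIL C row of the table for this decision and fails the ASIL D row; suite B satisfies both with only four vectors, which is the N + 1 minimum for N conditions under unique-cause MC/DC. A coverage tool working on instrumented code performs the same pairing analysis, but doing it by hand once on a small decision makes clear why the two rows of the table are not interchangeable.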

21 Unit Testing Within a Functional Safety Context
Lifecycle: Requirements, Design, Implementation, Unit Test, System Test, Deployment
Managing test case data and collaboration
Traceability: requirements, code and results
Facilitating reviews
Impact analysis and targeted regression
Automation: generating test code; automating execution and result collection and analysis; integration with varying embedded target environments
Reduce costs of authoring tests, linking to requirements and performing impact analysis

22 Automated Testing and Code Coverage
Functional and unit level tests should be automated
Run with or without instrumentation
Code coverage aggregation
Artefacts must show compliance to Table A-7: Verification of Process Results

23 Code Coverage in Safety and Security
ISO 26262 objectives align with security practices
Safety: demonstrate that the software units fulfill the software unit design specifications and do not contain undesired functionality
Security: hidden and undesired functionality
The approach differs, but structural coverage data can be reused to meet both safety and security goals

24 From the Simulation to the Target
Model test execution in simulation (modeling tools): model behaviour and model coverage
Generated code executed on host computer: application behaviour and code coverage (model coverage/code coverage)
Generated code executed on target H/W: test cases reused
Reusing model tests: test cases pass, 100% coverage, requirements met

25 Agenda
1 What are the Challenges?
2 Traceability to Requirements
3 Coding Standards
4 Unit Test and Structural Coverage
5 Summary

26 Summary
ISO 26262 explicitly demands safety, and hence implicitly demands security
Requirements traceability need not be compromised by a mismatched collection of documentation
Security requirements are complementary to safety requirements
Structural coverage is demanded from both the safety perspective of ISO 26262 and the security perspective of CWE

27 Any Questions? Q & A

28 Contact Us
Need more information? .com