Dr.-Ing. Daniel Kästner, AbsInt Angewandte Informatik GmbH, gives an overview of static analysis applied to safety and security properties and discusses practical experience.
In safety-critical systems tools for static analysis are widely used. Like other safety standards ISO-26262 requires safety-critical software to be developed in accordance to coding guidelines, e.g., MISRA C. In addition, they require to identify potential functional and non-functional hazards and to demonstrate that the software does not violate the relevant safety goals. Examples of safety-relevant non-functional programming errors that can be detected by static analysis are violations of resource bounds, especially stack overflows and deadline violations, as well as run-time errors and data races. Making sure that no such errors can occur in the final system not only improves safety, but also improves availability – a particularly important aspect for higher levels of automatic driving which need fail-operational behavior.
One of the major emerging trends in automotive systems is increasing connectivity, including vehicle-to-vehicle, vehicle-to-infrastructure, or vehicle-to-cloud communication. As some of the systems involved are safety-critical, e.g., in the context of highly automated driving, security concerns will become much more critical than they were before: security can be considered a prerequisite for functional safety. In recent years dedicated coding standards have been developed that focus on security aspects, examples are SEI CERT Secure C, the MITRE Common Weakness Enumeration, and ISO/IEC TS 27961:2013. Many of the CERT and CWE rules do not really apply to safety-critical systems, but there is a significant overlap with safety-relevant properties. As an example, many security-relevant exploits build on undefined behaviors of the programming language like buffer overflows, or non-terminated strings. In addition, novel cybersecurity challenges are emerging, like the recently discovered SPECTRE vulnerabilities. Since many of these defects can be automatically checked by static analysis, one and the same static analysis tool can be used for the purpose of safety and security validation.
In addition to safety hazards directly caused by security exploits (cf. the Jeep Hack of 2015) also the trustworthiness of data is an increasing concern. Corrupted data, e.g., provided by a corrupted cloud service may have an indirect impact on the safety of the system . Static analysis techniques like taint analysis and program slicing can provide a valuable contribution to satisfying data safety requirements. Data Safety Guidance, Version 2.0. The Data Safety Initiative Working Group (DSIWG), SCSC-217B. The Safety Critical Systems Club, ISBN-13:978-1540887481.