Functional Safety

DEVELOPMENT FUNCTIONAL SAFET Y

Separation Kernel – Basis for Certifiable © erdikocak | iStock Applications and Systems

AUTHOR Functional security and cybersecurity are among the most important issues in the development of complex connected vehicle systems. The certification of individual systems will become increasingly important in the future. Here the automotive industry has some backlog to do and can learn from certification solutions from the aviation industry, including working according to the Safety - Chris Berg and-Security-by-Design principles. Real-time operating systems based on a is Solution Architect Automotive at the Sysgo AG in Klein-Winternheim enable new approaches, as Sysgo describes. (Germany). 50 Functional Safety

CHALLENGES Level). Based on this standard, ISO separated from each other and therefore 26262 specifically defines the functional cannot influence each other. Today, how- Already today, many functions in automo- safety requirements for vehicles in road ever, more and more safety-critical and biles are fully or partially automated; traffic. Based on the safety integrity level non-critical applications are being oper- driver assistance systems such as distance of IEC 61508 and depending on the toler- ated in vehicles, and in order to save alarms, rear-view cameras or parking aids able failure frequency, it defines four costs and weight, a single hardware entered series production even of small Automotive Safety Integrity Levels serves as a platform for multiple func- and medium-sized vehicles. Fully autono- (ASILs) D to A, where D stands for the tions, including different levels of criti- mous passenger cars, buses and even most critical systems, FIGURE 1. cality. This trend harbours considerable trucks are in test operation on public IT security is primarily concerned risks. If, for example, an attacker gains roads; the first production vehicles can with protecting critical systems against access to a comparatively insecure enter- move at least semi-autonomously. The car unauthorized access and thus against tainment system based on Android and of the future will require even more elec- manipulation, but also against unautho- can also access security-critical systems tronics and computing power – on the rized access to personal data. There are via this gateway, this can have very seri- one hand to increase safety (driver assis- also international standards for security - ous consequences. It is therefore essen- tance systems) and on the other to meet critical systems. The most important tial to strictly separate applications with passengers’ demands for comfort, enter- worldwide is ISO 15408, better known as different criticality levels, even if they tainment and communication. The Inter- Common Criteria (for Information Tech- run on the same hardware. Here, the net of Things, which provides devices nology Security Evaluation). It intro- automotive industry can benefit from the within the vehicle with the necessary con- duces seven Evaluation Assurance Levels experience gained in the aerospace nectivity, brings with it considerable new (EAL 1-7) for trustworthiness. In the industry with its extreme requirements, security challenges. Safety aspects are automotive industry, SAE International where -based solutions have therefore increasingly determining soft- (formerly Society of Automotive Engi- already established themselves. ware design, and certification standards neers) is currently working on a series of will soon play a similarly important role standards for various aspects of IT sys- MULTIPLE PARTITIONS in automotive engineering as they do tems in automobiles; in Draft J3061, pub- INSTEAD OF MULTIPLE CPUS today in the aircraft industry. In addition lished in 2016 and based on the SILs, it is to functional safety, aspects of IT security introducing the term Automotive Cyber- A hypervisor can host different functions and data protection also come to the fore. security Integrity Level (ACsIL). ISO is on a controller in multiple partitions that also working on ISO 21434 (Road Vehi- previously required separate CPUs. How- cles – Cybersecurity Engineering). Once ever, it must be absolutely ensured that SAFETY AND SECURITY these standards have been adopted, it is the software that provides the hypervi- Safety is concerned with functional to be expected that many products will sor functionality actually guarantees safety and thus the prevention of system require corresponding certification. a strict separation between the parti- failures that can lead to damage to Some products already have Common tions. Otherwise, one has a unified hard- health and the environment. IEC 61508 Criteria (CC) certification. However, this ware platform, but possibly interactions is an industry-independent basic stan- does not automatically mean that they between critical and non-critical applica- dard for the functional safety of electri- are safe – in any case, detailed attention tions such as audio systems and brakes. cal, electronic and programmable sys- must be paid to exactly what has been ASIL-D and ISO 26262 certification tems with a safety reference. IEC 61508 certified here. ensures that functions in different distinguishes between four criticality Safety and security are easiest to partitions are actually separated as if levels: SIL-4 to SIL-1 (Safety Integrity ensure if all IT systems are strictly they were running on different CPUs.

Function Hazard ASIL-A ASIL-B ASIL-C ASIL-D

Sudden start

Driving Abrupt acceleration

Loss of driving power

Maximum 4-wheel braking Braking Loss of braking function

Self-steering

Steering Steering lock FIGURE 1 Different ASILs are required Loss of assistance depending on the function; D is the most stringent level (© Sysgo)

ATZ electronics worldwide 03|2019 51 DEVELOPMENT FUNCTIONAL SAFET Y

Especially on multicore systems, the the separate execution of different func- basis of the PikeOS platform is a small use of is a suitable way to tions, that means it is more of a separa- that provides a virtualiza- meet the challenges of system design. tion kernel than a simple RTOS. tion infrastructure. This makes it possi- Although such CPUs are primarily used ble to place different applications and for performance reasons, they can also resources in secure, individual parti- SPATIAL AND TEMPORAL support the required separation of indi- tions. These can run in various envi- SEPARATION vidual functions. However, the certifica- ronments – from Posix to and tion of multicore systems is very com- Such a separation kernel enables the Android to Autosar or Genivi, FIGURE 3. plex, and many certified systems actu- spatial and temporal separation between Thanks to the integrated time partition- ally use only one core. If, however, applications and provides the partitions ing, it is irrelevant whether the applica- different functions are bundled in a sin- for the execution of user applications. tions are real-time applications or not. gle software that runs under a Real-time Time separation is achieved by time The separation kernel of PikeOS 4.2.2 (RTOS) on only one partitioning, where CPU time is divided is currently the only one in the world to CPU core, interference between the func- into time partitions during configura- be certified according to CC EAL 3+ tions can easily occur – strict separation tion. Spatial separation is achieved by (for the popular platforms X86_64, is not guaranteed. For example, the resource partitioning, in which system ARMv7 and ARMv8). impact of one application on the runtime resources such as main memory, files, Especially in mixed environments behavior of another application can lead devices, secure communication channels with relatively poorly secured operating to security issues, such as exceeding and cores are partitioned and contain- systems such as Android and critical deadlines for real-time applications. Sim- ers, known as resource partitions, are environments such as Autosar, a separa- ilarly, timing effects due to the sharing assigned statically. User applications tion kernel can also perform an import- of system resources, such as caches and are executed in the context of a resource ant security function to aggravate memory buses, can lead to hidden infor- partition. attacks. This kernel, which acts as mation channels that violate the confi- An example of a software environ- a hypervisor for the different guest dentiality requirements of the applica- ment with strict separation of applica- operating systems, is able to intercept tion. These potential problems stem tions is Sysgo’s PikeOS, which has privileged system calls from the guest mainly from the fact that most hypervi- already proven itself in the aircraft systems and first check for the required sors are added to a RTOS, which does industry. PikeOS offers both a full real- permissions before they are actually exe- not support such a separation due to its time operating system (Hard RTOS) and cuted. While common desktop operating own design. Especially in safety-critical a and partitioning system systems have all device drivers inte- applications, it is important that the to support the specific requirements of grated into the kernel, it is possible to RTOS is already designed specifically for automotive applications, FIGURE 2. The create an environment in which only a

PikeOS architecture App. App. App. Volume System provider partition

PikeOS Para-virtualized HW-virtualized (Native, Posix, guest OS guest OS PikeOS Native ARINC653, ...) Linux, Android Linux, Android

User space/ partitions PikeOS system software System extension

PikeOS separation kernel (microkernel)

Kernel space/ hypervisor Architecture Platform Kernel level Support package Support package driver

Target boot loader SoC/ custom hardware CPU 1 Serial CAN Hardware Ethernet Graphics ...

FIGURE 2 The separation kernel of PikeOS provides a secure separation of the different partitions (© Sysgo) 52 PikeOS Guest OS Guest OS PikeOS Guest OS driver Renesas ELinOS native Renesas partition Linux comms Linux firewall partition Linux webserver and graphics

Cluster PikeOS native Virtual SD/MMC Sensor data Web USB Firewall and IVI device driver ethernet driver acquisition server driver graphics

PikeOS

Ethernet MMC CPU 1-8 R-Car H3 USB Graphics

FIGURE 3 PikeOS in an automotive application based on the Renesas R-Car H3 (© Sysgo)

very small set of services in “privileged mechanisms are essentially based on motive certification kit, which incor- mode” runs in the kernel – such as two principles: strict separation of porates Sysgo’s many years of compre- scheduling, context switching, applications through time and resource hensive certification expertise. The communication and synchronization, partitioning and control of communica- certifi cation kit contains an ISO 26262 and handling. Device drivers are tion channels. The individual applica- Part 6 compliant PikeOS Hypervisor then executed without privileges in normal tions within the overall system can have as well as comprehensive documenta- user mode like any other appli cation code. different criticality levels. tion aids for development and testing. In this way, the attack surface of the entire Due to these protection mechanisms of Additional safety information can also system is significantly reduced. PikeOS, certification according to indus- be provided to achieve ISO 26262 com- try-specific safety and security standards pliant systems. Important components can be carried out separately for each of these certification kits are a safety SECURITY AND CERTIFICATION application – an essential feature to keep manual with guidelines for the use of The PikeOS Hypervisor itself is certified costs under control. PikeOS was also the PikeOS in safety-critical system designs to the highest industry standards, pro- first platform to receive SIL 4 certifica- and a case study with characteristic viding a suitable foundation for critical tion in multicore environments. functional safety requirements accord- systems where both functional and IT To meet the requirements of ISO 26262, ing to the Automotive Safety Integrity security must be ensured. The protection PikeOS is optionally offered with an auto- Levels required.

ATZ electronics worldwide 03|2019 53