
Linköping University | Department of Computer and Information Science
Master thesis, 30 ECTS | Datateknik 2019 | LIU-IDA/LITH-EX-A--19/074--SE

Taint analysis for automotive safety using the LLVM compiler infrastructure

Éléonore Goblé
Supervisor: Ulf Kargén
Examiner: Nahid Shahmehri

Linköpings universitet, SE-581 83 Linköping, +46 13 28 10 00, www.liu.se

Copyright

The publishers will keep this document online on the Internet - or its possible replacement - for a period of 25 years starting from the date of publication barring exceptional circumstances. The online availability of the document implies permanent permission for anyone to read, to download, or to print out single copies for his/her own use and to use it unchanged for non-commercial research and educational purposes. Subsequent transfers of copyright cannot revoke this permission.
All other uses of the document are conditional upon the consent of the copyright owner. The publisher has taken technical and administrative measures to assure authenticity, security and accessibility. According to intellectual property law the author has the right to be mentioned when his/her work is accessed as described above and to be protected against infringement. For additional information about the Linköping University Electronic Press and its procedures for publication and for assurance of document integrity, please refer to its www home page: http://www.ep.liu.se/.

© Éléonore Goblé

Abstract

Software safety is becoming increasingly important in the automotive industry as mechanical functions are replaced by complex embedded computer systems. Errors during development can lead to accidents and threaten users' lives. The safety level of the software must therefore be monitored through Automotive Safety Integrity Levels (ASILs), according to the standard ISO 26262. This thesis presents the development of a static taint analysis tool using the LLVM compiler infrastructure in order to identify safety-critical components and analyze their dependencies in automotive software. The aim was to provide a useful visualization tool to help safety engineers in their work and save time during development. It was concluded that this static taint analysis tool can facilitate and improve the precision of the ASIL decomposition of automotive software.

Acknowledgments

First and foremost, I would like to thank ARCCORE for giving me the opportunity to conduct this master thesis. In addition, I would like to thank my supervisor Daniels Umanovskis and my colleague John Tinnerholm for their valuable help. I would also like to thank all my colleagues at ARCCORE for their friendly welcome and their support. Furthermore, I would like to thank my supervisor Ulf Kargén and my examiner Nahid Shahmehri for providing me with valuable feedback.
I would also like to thank my sister Morgane for proofreading my thesis. Finally, I would like to thank Linköping University and the University of Technology of Compiègne for giving me the possibility to carry out this double-degree project.

Éléonore Goblé

Contents

Abstract
Acknowledgments
Contents
List of Figures
List of Tables
1 Introduction
  1.1 Company
  1.2 Motivation
  1.3 Aim
  1.4 Research questions
  1.5 Delimitations
  1.6 Outline
2 Theory
  2.1 Automotive industry
  2.2 Functional safety
  2.3 Static Analysis
  2.4 Pointer and Alias Analysis
  2.5 LLVM
  2.6 Related Work
  2.7 Visualization
  2.8 Evaluation
3 Method
  3.1 LLVM
  3.2 Taint analysis
  3.3 Visualization
  3.4 Evaluation
4 Results
  4.1 LLVM
  4.2 Taint analysis
  4.3 Visualization
  4.4 Evaluation
5 Discussion
  5.1 Taint analysis
  5.2 Results
  5.3 Method
  5.4 Source criticism
  5.5 The work in a wider context
6 Conclusion
  6.1 Consequences
  6.2 Further work
Bibliography

List of Figures

1.1 Master thesis outline
2.1 Compilation process
3.1 An overview of the LLVM Value inheritance
3.2 UML diagram describing the architecture of the taint analysis pass
3.3 SafeValue and SafeInstruction classes
4.1 The list of tainted functions and global variables in each file
4.2 An example of the tree view, whose initiator is the variable safe
4.3 The alias view of the variable safe in the function testInterProcedural
4.4 Visualization tool overview
4.5 Which aspect has been used to find the ASIL rating of an object?
4.6 An overview of the result of the taint analysis pass on the project (real names have been modified)

List of Tables

3.1 Taint propagation policy
3.2 Linear scale questions
3.3 Tasks
3.4 Store test cases
3.5 Load address test case
3.6 Pointer parameter test cases
3.7 Global initialization test case
3.8 File test case
3.9 Call test case
3.10 Violation test case
4.1 Linear scale questions
4.2 LLVM IR metrics
4.3 Taint information
4.4 Taint analysis results
4.5 Results
4.6 Program execution time results

1 Introduction

The importance of safety in the automotive industry has increased significantly in recent years. Purely mechanical functions have been replaced by complex embedded computer systems, which require high levels of safety: errors during development can lead to accidents and threaten users' lives. The safety level of the software must therefore be assessed and monitored. ISO 26262 [1] is an industry-specific standard for the functional safety of road vehicles, derived from the broader standard IEC 61508, which covers the functional safety of electrical/electronic/programmable electronic safety-related systems [2]. According to ISO 26262, the safety level of an application is expressed by Automotive Safety Integrity Levels (ASILs). The standard recommends separating safety-critical objects from non-hazardous objects in memory.

1.1 Company

This master thesis was done in collaboration with ARCCORE AB [3], headquartered in Gothenburg, Sweden. ARCCORE is a fully-owned subsidiary of Vector Informatik GmbH, headquartered in Stuttgart, Germany. ARCCORE provides solutions for embedded systems development in the automotive industry, and its software is developed with respect to the automotive standard AUTOSAR [4].

1.2 Motivation

In the automotive industry, the embedded code supplier needs to provide guarantees to the Original Equipment Manufacturer (OEM) with regard to safety requirements. To establish that the software is safe, the company needs to analyze the code.
Dynamic analysis techniques such as testing and verification are common ways to check software safety, but these methods are tedious. The number of possible paths grows exponentially with the size of the program, so testing only provides a “partial verification”, according to Silva et al. [5]. Hardware protection can also be used to ensure safety. AUTOSAR [4] defines a standard architecture for Electronic Control Units (ECUs) and recommends functional measures for safety-relevant systems. In embedded systems, a hardware Memory Protection Unit (MPU) [6] provides memory protection by defining access rights to different parts of memory. In a safety-critical system, the MPU can be used to partition the memory and prevent unsafe components from writing into the safe memory at run-time [7].

Static analysis consists in analyzing the source code without executing it, and thus lets engineers reason about code safety before the code runs. Static analysis could be used to find out which components must be placed in the safe partition. It can be combined with dynamic analysis to improve the efficiency of the analysis [8]. However, developing a sound static analyzer is expensive in terms of complexity. Moreover, safe components with a higher ASIL need “Freedom from interference” (FFI) [9] from lower-level components, which ensures that “a fault in a less safety critical software component will not lead to a fault in a more safety critical component”, according to Leitner-Fischer et al. [7]. Nevertheless, monitoring the safety of the entire software can be costly, according to Azevedo et al. [10].

For a developer of automotive software, it is desirable to limit the number of ASIL components. Such components have to be developed according to additional requirements imposed by ISO 26262, which significantly increases the effort during the implementation and testing phases. The goal is to reduce the volume of code covered by high safety levels as much as possible, in order to be able to study these slices precisely and to limit the risks.
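To make the static-analysis idea above concrete, here is an added toy model of forward taint propagation, written for this page and not taken from the thesis's LLVM pass. A constructed program in a tiny three-address IR (loosely shaped like LLVM IR, with globals, function-local values and calls) is walked to a fixed point from a safety-critical initiator, and every global and function that the tainted data reaches is reported as belonging in the safe partition. The sample program, its function and global names, and the propagation rules for store, load, arithmetic, call and return are all assumptions made for this example; the thesis's own propagation policy is the one in its Table 3.1.

```python
"""Toy forward taint propagation over a tiny SSA-style IR.

Added example, not the thesis's LLVM pass. Starting from a safety-critical
("tainted") initiator, it follows data flow through stores, loads,
arithmetic, calls and returns, and reports every global and function that
the tainted data reaches, i.e. the objects the safe partition must contain.
"""

# Constructed sample program (assumption for this example). Each function
# body is a list of (opcode, destination, operands). Names starting with
# "@" are globals, names starting with "%" are function-local values, and
# anything else is a literal constant. "%arg<i>" is the i-th parameter.
PROGRAM = {
    "@read_sensor": [
        ("load", "%v", ["@raw_adc"]),          # %v = load @raw_adc
        ("add", "%s", ["%v", "1"]),            # %s = %v + 1
        ("store", None, ["%s", "@speed"]),     # store %s -> @speed
        ("ret", None, []),
    ],
    "@brake_ctrl": [
        ("load", "%x", ["@speed"]),
        ("call", "%y", ["@scale", "%x"]),      # %y = @scale(%x)
        ("store", None, ["%y", "@brake_cmd"]),
        ("ret", None, []),
    ],
    "@scale": [
        ("mul", "%r", ["%arg0", "2"]),
        ("ret", None, ["%r"]),
    ],
    "@logger": [                               # unrelated to the sensor path
        ("load", "%l", ["@log_count"]),
        ("add", "%m", ["%l", "1"]),
        ("store", None, ["%m", "@log_count"]),
        ("ret", None, []),
    ],
}


def _key(fname, name):
    """Map an operand to a taint-set key: globals are program-wide, locals
    are scoped to their function, literal constants carry no taint."""
    if name.startswith("@"):
        return name
    if name.startswith("%"):
        return (fname, name)
    return None


def propagate(program, initiators):
    """Forward taint propagation to a fixed point.

    Returns (tainted_globals, tainted_functions). A global is tainted once a
    tainted value is stored into it; a function is tainted once any of its
    instructions reads or produces a tainted value.
    """
    tainted = set(initiators)

    def mark(key):
        if key is None or key in tainted:
            return False
        tainted.add(key)
        return True

    changed = True
    while changed:                 # iterate until no new taint appears
        changed = False
        for fname, body in program.items():
            for op, dest, operands in body:
                keys = [_key(fname, o) for o in operands]
                if op == "store":                      # value -> pointee
                    val, ptr = keys
                    if val in tainted:
                        changed |= mark(ptr)
                elif op == "load":                     # pointee -> value
                    if keys[0] in tainted:
                        changed |= mark(_key(fname, dest))
                elif op == "call":                     # args -> params, ret -> dest
                    callee = operands[0]
                    for i, arg in enumerate(keys[1:]):
                        if arg in tainted:
                            changed |= mark((callee, f"%arg{i}"))
                    if dest is not None and (callee, "%ret") in tainted:
                        changed |= mark(_key(fname, dest))
                elif op == "ret":                      # value -> this function's %ret
                    if keys and keys[0] in tainted:
                        changed |= mark((fname, "%ret"))
                else:                                  # arithmetic: any operand -> result
                    if any(k in tainted for k in keys):
                        changed |= mark(_key(fname, dest))

    # A function is safety-relevant if any instruction touches tainted data.
    functions = set()
    for fname, body in program.items():
        for op, dest, operands in body:
            names = list(operands[1:] if op == "call" else operands)
            if dest is not None:
                names.append(dest)
            if any(_key(fname, n) in tainted for n in names):
                functions.add(fname)
    globals_ = {k for k in tainted if isinstance(k, str)}
    return globals_, functions


if __name__ == "__main__":
    g, f = propagate(PROGRAM, {"@raw_adc"})
    print("safe partition globals  :", sorted(g))
    print("safe partition functions:", sorted(f))
```

With `@raw_adc` as the initiator, the taint reaches `@speed` through the store in `@read_sensor`, enters `@scale` through its parameter, returns into `%y`, and ends in `@brake_cmd`; `@logger` and `@log_count` never touch tainted data and stay out of the safe partition. The fixed-point loop matters because the return value of `@scale` is only known to be tainted on the second pass; a single linear sweep would miss `@brake_cmd`.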