Ph.D. - geht es zur Homepage der Informatik des Fachbereiches 3 ...

More documents

Recommendations

Info

Chapter 6. Security in Open Source Software pp. 353-453]. Static partitioning is very easy to implement, but it provides a very inefficient usage of the main memory. In a fixed environment, like in embedded systems, it can be used as a very simple but efficient memory management strategy due to the systems constrains. For example, the ARINC specification 653P1-2 [3], which is applicable for avionics software standard interfaces, requires the usage of static partitioning for operating systems for the corresponding embedded systems. Dynamic partitioning: The memory M is divided in m = {1, 2, 3, . . . } partitions p j with ∑ dynamic sizes: ∀j : length(p j ) > 0, M = {p 0 , p 1 , . . . , p m−1 } while length(M) ≥ m−1 j=0 length(p j) [77, pp. 353-453]. Compared to static partitioning, dynamic partitioning provides a more efficient usage of the main memory but needs in general more computation time for its management. 6.1.2. Paging For paging with virtual memory, the virtual memory V consists of the main memory M and the swap space S: V = M ∪ S. This virtual memory V is divided in pages p k , which all have the same size: ∀k : length(p k ) = s. Programs or processes are loaded in different but not necessarily sequential pages depending on their required memory. Pages of a program can be loaded on demand and do not need to be loaded completely at program start. A program can access its memory in a sequential manner because the physical memory addresses are mapped. Therefore, a program can only access pages that belong to it [77, pp. 353-453]. Paging with virtual memory provides an effective way of memory management for multiprocessing operating systems, but it is quite complex to implement. 6.1.3. Segmentation For segmentation with virtual memory, also the virtual memory V consists of the main memory M and the swap space S: V = M ∪ S. A program e ∈ {0, 1, 2, . . . , n} is divided in certain number of segments s e,l (l ∈ {1, 2, 3, . . . m}), which have a dynamic size. This size can be influenced by the developer of a program or the used compiler for high-level languages: ∀e : ∀l : length(s e,l ) > 0 while V ≥ ∑ n ∑ m e=0 l=1 length(s e,l). As in paging, the segments are not necessarily sequential and not all segments of a program must be loaded at its start. Also, the physical memory is mapped to provide each program a sequential access to its allocated memory / segments [77, pp. 353-453]. The main difference, compared with the advantages of paging, is that a developer can influence the size of the segments. This can also be used to define areas of shared data segments, where several programs have access to. Its implementation is even more complex as for paging. 6.1.4. Segmentation combined with Paging To gain the advantages from paging and segmentation together, another more sophisticated strategy is to combine both strategies. This means that segmentation is used for programs while the segments s e,l of each program e ∈ {0, 1, 2, . . . , n} are again divided in pages p e,l,k of 68
6.2. Hardware Virtualisation a fixed size s: ∀e : ∀l : s e,l = {p e,l,0 , p e,l,1 , . . . }, length(s e , l) > 0, V ≥ ∑ n e=0 ∑ m l=1 length(s e,l), ∀k : length(p e,l,k ) = s [77, pp. 353-453]. This strategy is used in most of the current multi-user-multiprocessing operating systems, like GNU/Linux. 6.2. Hardware Virtualisation Section 6.1 described traditional strategies for avoiding the influence of faulty or malicious components on the rest of the system. This strategy must be integrated in the hardware 1 and the software and/or the operating system. That means for the usage of these strategies, it is important how the hardware platform and the operating system are chosen. This is often problematic because open source software is typically not limited to a certain hardware or software platform. For a concrete open model software for industrial usage, this is almost mandatory because during its development not all potentially used hardware and software platforms can be known in advance. This leads to the need for another mechanism for memory protection that better fulfils the requirements of open model software in industrial applications. The solution proposed in this work is the usage of hardware virtualisation [92]. Ideally, each supplier implementation or program should be executed in a separated virtual machine. The term virtual machine (VM) refers to the hardware virtualisation of any operating system representing a computer. Since a VM is completely separated from its host’s operating system, the virtualised operating system does not have any direct access or knowledge about it. Programs executed in a VM can only communicate via a (virtual) network or a shared file system with programs on the host system or on other VMs. The application of the hardware virtualisation concept to the initial problem of open models is shown in Figure 6.3. It holds the generated and certified model implementation and the two supplier implementations from Figure 6.2, but, in contrast, all supplier implementations are now locked in own virtual machines. This assures that the malicious implementation cannot compromise any other part of the software while a communication still is possible. This hardware virtualisation concept fits the typical use cases of open model software in industrial applications because: • Supplier implementations in a VM can never access memory of the host system or any other VM independent from the used operating system or memory management strategies and can only communicate with other components over defined and known channels. • There exist several OSS / FLOSS implementations for hardware virtualisation, e.g., QEMU (KVM) [73], VirtualBox [66], Xen [97], and User Mode Linux [91]. Furthermore, the usage of hardware virtualisation provides additional advantages compared to traditional memory management strategies: Adv.1: Hardware virtualisation protects the host operating system from any kind of negative and direct influence by failures, errors, or malicious behaviours of components executed 1 typically CPU and MMU 69
Page 1:
Open Source Software for Train Cont
Page 4 and 5:
Datum des Promotionskolloquiums: 21
Page 7 and 8:
Acknowledgments I would like to tha
Page 9:
Abstract This document describes th
Page 12 and 13:
Contents 3.3.3. Rascal . . . . . .
Page 14 and 15:
Contents 8.4. Behavioural Design .
Page 16 and 17:
Contents D.3. Domain Framework Mode
Page 18 and 19:
List of Figures 6.4. Simple CORBA u
Page 20 and 21:
List of Figures 10.27. General read
Page 22 and 23:
Chapter 1. Introduction Railway Con
Page 24 and 25:
Chapter 1. Introduction MontiCore M
Page 26 and 27:
Chapter 1. Introduction ERTMS Forma
Page 29:
Part I. Background 9
Page 32 and 33:
Chapter 2. Concepts for Safe Railwa
Page 34 and 35:
Page 36 and 37:
Page 38 and 39: Chapter 2. Concepts for Safe Railwa
Page 40 and 41: Chapter 2. Concepts for Safe Railwa
Page 42 and 43: Chapter 3. Domain-Specific Modellin
Page 59 and 60: 4The GOPPRR Meta Meta Model - An Ex
Page 61 and 62: 4.1. Concrete Syntax Description Fo
Page 63 and 64: 4.2. GOPPRR C++ Abstract Syntax Mod
Page 65 and 66: 4.2. GOPPRR C++ Abstract Syntax Mod
Page 67 and 68: 4.5. The Object Constraint Language
Page 69 and 70: 4.5. The Object Constraint Language
Page 71 and 72: 4.6. Tool Chain where artefacts are
Page 73 and 74: 4.7. Conclusion External Artefacts
Page 75: Part II. Dependability 55
Page 78 and 79: Chapter 5. Verification and Validat
Page 85 and 86: 6Security in Open Source Software A
Page 87: 6.1. Memory Management Open Meta Me
Page 91 and 92: 6.2. Hardware Virtualisation in a v
Page 93 and 94: 6.2. Hardware Virtualisation Again,
Page 95 and 96: 6.2. Hardware Virtualisation the fa
Page 97: Part III. openETCS Case Study 77
Page 100 and 101: Chapter 7. openETCS Meta Model far
Page 102 and 103: Chapter 7. openETCS Meta Model gEVC
Page 104 and 105: Chapter 7. openETCS Meta Model gEVC
Page 106 and 107: Chapter 7. openETCS Meta Model gMai
Page 108 and 109: Chapter 7. openETCS Meta Model Outp
Page 110 and 111: Chapter 7. openETCS Meta Model thei
Page 112 and 113: Chapter 7. openETCS Meta Model gSub
Page 114 and 115: Chapter 7. openETCS Meta Model The
Page 116 and 117: Chapter 7. openETCS Meta Model can
Page 118 and 119: Chapter 7. openETCS Meta Model The
Page 120 and 121: Chapter 7. openETCS Meta Model List
Page 122 and 123: Chapter 7. openETCS Meta Model 5 s
Page 124 and 125: Chapter 7. openETCS Meta Model 7.5.
Page 126 and 127: Chapter 7. openETCS Meta Model 12 )
Page 128 and 129: Chapter 7. openETCS Meta Model 7.5.
Page 130 and 131: Chapter 7. openETCS Meta Model Thus
Page 132 and 133: Chapter 7. openETCS Meta Model In t
Page 134 and 135: Chapter 7. openETCS Meta Model Valu
Page 136 and 137: Chapter 7. openETCS Meta Model This
Page 138 and 139:
Chapter 7. openETCS Meta Model and
Page 140 and 141:
Chapter 7. openETCS Meta Model 7.8.
Page 142 and 143:
Chapter 8. openETCS Domain Framewor
Page 144 and 145:
Page 146 and 147:
Page 148 and 149:
Page 150 and 151:
Page 152 and 153:
Page 154 and 155:
Page 156 and 157:
Page 158 and 159:
Page 160 and 161:
Page 162 and 163:
Page 164 and 165:
Page 166 and 167:
Page 168 and 169:
Page 170 and 171:
Page 172 and 173:
Page 174 and 175:
Page 176 and 177:
Page 178 and 179:
Page 180 and 181:
Chapter 9. openETCS Generator Appli
Page 182 and 183:
Page 184 and 185:
Page 186 and 187:
Page 188 and 189:
Page 190 and 191:
Page 192 and 193:
Page 194 and 195:
Page 196 and 197:
Page 198 and 199:
Page 200 and 201:
Chapter 10. openETCS Model No Power
Page 202 and 203:
Chapter 10. openETCS Model c4 bool
Page 204 and 205:
Chapter 10. openETCS Model c1 c8 c1
Page 206 and 207:
Chapter 10. openETCS Model Applicat
Page 208 and 209:
Chapter 10. openETCS Model c1 c25 c
Page 210 and 211:
Chapter 10. openETCS Model Initiali
Page 212 and 213:
Chapter 10. openETCS Model Reverse
Page 214 and 215:
Chapter 10. openETCS Model 0 (CONST
Page 216 and 217:
Chapter 10. openETCS Model Current
Page 218 and 219:
Chapter 10. openETCS Model c7 bool
Page 220 and 221:
Chapter 10. openETCS Model Current
Page 222 and 223:
Chapter 10. openETCS Model The purp
Page 224 and 225:
Chapter 10. openETCS Model 10.3.3.
Page 226 and 227:
Chapter 10. openETCS Model be expla
Page 228 and 229:
Chapter 10. openETCS Model 10.4.4.
Page 231 and 232:
11 openETCS Simulation Generally, a
Page 233 and 234:
11.2. Platform Specific Model for t
Page 235 and 236:
Page 237 and 238:
Page 239 and 240:
11.3. Simulation Model Figure 11.6.
Page 241 and 242:
11.3. Simulation Model 11.3.2. CDMI
Page 243 and 244:
11.3. Simulation Model sets the Boo
Page 245 and 246:
11.3. Simulation Model Entering_Dri
Page 247 and 248:
11.3. Simulation Model The states o
Page 249 and 250:
11.3. Simulation Model Figure 11.13
Page 251 and 252:
Page 253 and 254:
Page 255:
11.6. Conclusion about warnings, fa
Page 258 and 259:
Chapter 12. Conclusion and Outlook
Page 261:
Part IV. Appendix 241
Page 264 and 265:
Appendix A. GOPPRR to MOF Transform
Page 266 and 267:
Appendix B. openETCS Meta Model Con
Page 268 and 269:
Page 270 and 271:
Page 273 and 274:
DopenETCS Domain Framework D.1. Dom
Page 275 and 276:
D.2. Domain Framework Source Code 8
Page 277:
D.3. Domain Framework Model 32 m_pT
Page 280 and 281:
Appendix E. openETCS Generator 39 <
Page 282 and 283:
Appendix E. openETCS Generator 200
Page 284 and 285:
Appendix E. openETCS Generator 46 4
Page 287 and 288:
FMetaEdit+ Generators F.1. GOPPRR X
Page 289:
GopenETCS Unit Testing G.1. Unit Te
Page 292 and 293:
Appendix H. openETCS Simulation 14
Page 294 and 295:
Page 296 and 297:
Page 299 and 300:
Glossary ANTLR ANother Tool for Lan
Page 301 and 302:
Glossary EVC An European Vital Comp
Page 303 and 304:
Glossary OEM An original equipment
Page 305:
Glossary XML The Extensible Markup
Page 308 and 309:
Bibliography [12] “EN 50128 - Rai
Page 310 and 311:
Bibliography [39] ——, ““Ope
Page 312 and 313:
Bibliography [69] T. J. Parr and R.
Page 315 and 316:
Index Artefact, 51 Automatic train
Page 317 and 318:
Index Linux, 149 Memory management,
show all

Ph.D. - geht es zur Homepage der Informatik des Fachbereiches 3 ...

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?