Ph.D. - geht es zur Homepage der Informatik des Fachbereiches 3 ...

More documents

Recommendations

Info

Chapter 6. Security in Open Source Software 6.2.1. Bandwidth Protection As the bandwidth protection of the host system’s hardware resource is of high relevance, possible solutions for Prob.1 are introduced in this subsection. Unlimited bandwidth consumption is a possibility to influence or compromise the execution of other implementations over the boundaries of a VM. Unfortunately, a general solution for any kind of hardware resource cannot currently be provided. Nevertheless, a possible solution is the usage of partitioning, which will be described exemplary for CPUs and network interfaces. 6.2.1.1. Process Scheduling For a host system, a VM is mainly like a normal process, which is executed, but knowledge about certain processes in a VM is typically not available in the host. Therefore, partitioning for the process execution must be done on the host system for the hypervisor process. As for static memory partitioning (Subsection 6.1.1), the ARINC 653P1-2 requires for embedded avionics systems the usage of static temporal partitioning [3]. This means a global sample or cycle time T c is defined, which is divided in n temporal slots s i with i ∈ {0, 1, 2, . . . , n−1}, t i = length(s i ), and T c = ∑ n−1 i=0 t i. Each temporal slot s i is exactly executed once in one cycle T c for the duration of its execution time t i while a certain process is assigned to each temporal slot s i . Static temporal partitioning is very robust and and easy to implement but inflexible and mainly usable in embedded systems. Process scheduling for multi-process operating systems with a not-fixed number of processes is far more complex because statical temporal partitioning cannot be used. One important requirement for the scheduler of the host system is that it behaves – at least partly – deterministically. Thus, it must be assured that no process starves [77, pp. 457-504]. It exist several scheduler strategies that are deterministic and avoid starving, but a fair-share scheduler [77, pp. 457-504] probably fits the requirements the best. It does not only avoid starving of processes completely and is deterministic but also provides the possibility to group processes while the execution of these groups is done in a “fair way”. Accordingly, if supplier and open model implementations are in separated groups, a malicious or faulty supplier implementation could only influence other supplier implementation in their scheduling. 6.2.1.2. Network Traffic Scheduling It is not avoidable that processes of the software have to communicate with processes on other computers or systems and also processes jailed in VMs need access to real network interfaces. Although this access is never direct, a malicious or faulty implementation could consume too much network bandwidth by, for example, sending plenty of user datagram protocol (UDP) packets. This could limit the ability of any other process on the local system – independent from if it is executed in a VM or not – to transfer data. This problem is mainly related to network traffic or bandwidth outgoing from the local system because network traffic incoming to the local system is generated by other computers on the network, which can be hardly influenced by the retrieving system. 72
6.2. Hardware Virtualisation Again, partitioning is a possible solution for this bandwidth problem. Similar to the scheduling of processes, this is a temporal scheduling, not of CPU time but of network bandwidth usage. Temporal slots are defined, which certain services / connections are assigned to. An example for static temporal partitioning is the Time Triggered Protocol (TTP) [49], which defines fixed temporal slots for each node on the bus. The scheduling of network traffic is provided by hardware or by software. An industrial solution for hardware scheduling of network traffic is, for example, the Avionics Full-Duplex Ethernet (AFDX) [2], which is a real-time extension for Ethernet in avionic systems. Its main disadvantage is that additional hardware is needed. Of course, there exist also open source solutions, like the traffic control (tc) tool for GNU/Linux, which is a part of the iproute suite [52]. With tc, it is possible to assign to each network interface a so-called queuing discipline. The default discipline is a simple first-in-first-out (FIFO) discipline, which does not protect the bandwidth of network interfaces. A possible solution for bandwith protection is the usage of the Stochastic Fairness Queuing (SFQ) discipline [52], which is a network traffic scheduler. Like the fair-share scheduler (Subsection 6.2.1.1), the SFQ schedules all network connections in a fair way that no connection can starve. Unfortunately, the term “stochastic” in its name is misleading because the scheduler behaviour is deterministic. It divides the network traffic on a certain interface into certain number n of FIFO queues. Network traffic is assigned to this n FIFO queues by a hash function, which is chosen in a stochastic way. The n FIFO queues are dequeued by a Round Robin [77, pp. 457-504] algorithm while here the quantum q [77, pp. 457-504] is not in time but in data size. This means that the SFQ does not provide temporal partitioning directly, but because time t, bandwidth b ,and data size s are related by t = s b with typically b = const it can be called temporal partitioning anyway. 6.2.2. Minimal Host Operating System A possible solution for Prob.2 could be the usage of an additional on-top security layer for the host operating system, such as SELinux for Linux. Its source code would be simple enough to be validated and certified and it supervises all security functions of the host operating system. The disadvantage of this solution is that an additional execution layer is added to the host operating system, which increase the complexity. Therefore, it the usage of some kind of minimal operating system is proposed here. This operating system should mainly consist of the hypervisor implementation(s), a scheduler, which only switches between hypervisor processes and device handle routines, and device drivers and interfaces. An example for such a minimal host operating system for hardware virtualisation is LynxSecure [55]. Due to its reduced complexity, it can be validated and certified and then the host operating system and hypervisors can be assumed to be secure. 6.2.3. Hardware Assisted Virtualisation This section describes a possible solution for Prob.3 with the usage of hardware assisted virtualisation. Most modern x86 compatible CPUs provide a support for virtualisation. Hence, they offer two modes: Host and guest. The host mode is the “normal” mode of a CPU while the 73
Page 1:
Open Source Software for Train Cont
Page 4 and 5:
Datum des Promotionskolloquiums: 21
Page 7 and 8:
Acknowledgments I would like to tha
Page 9:
Abstract This document describes th
Page 12 and 13:
Contents 3.3.3. Rascal . . . . . .
Page 14 and 15:
Contents 8.4. Behavioural Design .
Page 16 and 17:
Contents D.3. Domain Framework Mode
Page 18 and 19:
List of Figures 6.4. Simple CORBA u
Page 20 and 21:
List of Figures 10.27. General read
Page 22 and 23:
Chapter 1. Introduction Railway Con
Page 24 and 25:
Chapter 1. Introduction MontiCore M
Page 26 and 27:
Chapter 1. Introduction ERTMS Forma
Page 29:
Part I. Background 9
Page 32 and 33:
Chapter 2. Concepts for Safe Railwa
Page 34 and 35:
Page 36 and 37:
Page 38 and 39:
Page 40 and 41:
Page 42 and 43: Chapter 3. Domain-Specific Modellin
Page 59 and 60: 4The GOPPRR Meta Meta Model - An Ex
Page 61 and 62: 4.1. Concrete Syntax Description Fo
Page 63 and 64: 4.2. GOPPRR C++ Abstract Syntax Mod
Page 65 and 66: 4.2. GOPPRR C++ Abstract Syntax Mod
Page 67 and 68: 4.5. The Object Constraint Language
Page 69 and 70: 4.5. The Object Constraint Language
Page 71 and 72: 4.6. Tool Chain where artefacts are
Page 73 and 74: 4.7. Conclusion External Artefacts
Page 75: Part II. Dependability 55
Page 78 and 79: Chapter 5. Verification and Validat
Page 85 and 86: 6Security in Open Source Software A
Page 87 and 88: 6.1. Memory Management Open Meta Me
Page 89 and 90: 6.2. Hardware Virtualisation a fixe
Page 91: 6.2. Hardware Virtualisation in a v
Page 95 and 96: 6.2. Hardware Virtualisation the fa
Page 97: Part III. openETCS Case Study 77
Page 100 and 101: Chapter 7. openETCS Meta Model far
Page 102 and 103: Chapter 7. openETCS Meta Model gEVC
Page 104 and 105: Chapter 7. openETCS Meta Model gEVC
Page 106 and 107: Chapter 7. openETCS Meta Model gMai
Page 108 and 109: Chapter 7. openETCS Meta Model Outp
Page 110 and 111: Chapter 7. openETCS Meta Model thei
Page 112 and 113: Chapter 7. openETCS Meta Model gSub
Page 114 and 115: Chapter 7. openETCS Meta Model The
Page 116 and 117: Chapter 7. openETCS Meta Model can
Page 118 and 119: Chapter 7. openETCS Meta Model The
Page 120 and 121: Chapter 7. openETCS Meta Model List
Page 122 and 123: Chapter 7. openETCS Meta Model 5 s
Page 124 and 125: Chapter 7. openETCS Meta Model 7.5.
Page 126 and 127: Chapter 7. openETCS Meta Model 12 )
Page 130 and 131: Chapter 7. openETCS Meta Model Thus
Page 132 and 133: Chapter 7. openETCS Meta Model In t
Page 134 and 135: Chapter 7. openETCS Meta Model Valu
Page 136 and 137: Chapter 7. openETCS Meta Model This
Page 138 and 139: Chapter 7. openETCS Meta Model and
Page 142 and 143:
Chapter 8. openETCS Domain Framewor
Page 144 and 145:
Page 146 and 147:
Page 148 and 149:
Page 150 and 151:
Page 152 and 153:
Page 154 and 155:
Page 156 and 157:
Page 158 and 159:
Page 160 and 161:
Page 162 and 163:
Page 164 and 165:
Page 166 and 167:
Page 168 and 169:
Page 170 and 171:
Page 172 and 173:
Page 174 and 175:
Page 176 and 177:
Page 178 and 179:
Page 180 and 181:
Chapter 9. openETCS Generator Appli
Page 182 and 183:
Page 184 and 185:
Page 186 and 187:
Page 188 and 189:
Page 190 and 191:
Page 192 and 193:
Page 194 and 195:
Page 196 and 197:
Page 198 and 199:
Page 200 and 201:
Chapter 10. openETCS Model No Power
Page 202 and 203:
Chapter 10. openETCS Model c4 bool
Page 204 and 205:
Chapter 10. openETCS Model c1 c8 c1
Page 206 and 207:
Chapter 10. openETCS Model Applicat
Page 208 and 209:
Chapter 10. openETCS Model c1 c25 c
Page 210 and 211:
Chapter 10. openETCS Model Initiali
Page 212 and 213:
Chapter 10. openETCS Model Reverse
Page 214 and 215:
Chapter 10. openETCS Model 0 (CONST
Page 216 and 217:
Chapter 10. openETCS Model Current
Page 218 and 219:
Chapter 10. openETCS Model c7 bool
Page 220 and 221:
Chapter 10. openETCS Model Current
Page 222 and 223:
Chapter 10. openETCS Model The purp
Page 224 and 225:
Chapter 10. openETCS Model 10.3.3.
Page 226 and 227:
Chapter 10. openETCS Model be expla
Page 228 and 229:
Chapter 10. openETCS Model 10.4.4.
Page 231 and 232:
11 openETCS Simulation Generally, a
Page 233 and 234:
11.2. Platform Specific Model for t
Page 235 and 236:
Page 237 and 238:
Page 239 and 240:
11.3. Simulation Model Figure 11.6.
Page 241 and 242:
11.3. Simulation Model 11.3.2. CDMI
Page 243 and 244:
11.3. Simulation Model sets the Boo
Page 245 and 246:
11.3. Simulation Model Entering_Dri
Page 247 and 248:
11.3. Simulation Model The states o
Page 249 and 250:
11.3. Simulation Model Figure 11.13
Page 251 and 252:
Page 253 and 254:
Page 255:
11.6. Conclusion about warnings, fa
Page 258 and 259:
Chapter 12. Conclusion and Outlook
Page 261:
Part IV. Appendix 241
Page 264 and 265:
Appendix A. GOPPRR to MOF Transform
Page 266 and 267:
Appendix B. openETCS Meta Model Con
Page 268 and 269:
Page 270 and 271:
Page 273 and 274:
DopenETCS Domain Framework D.1. Dom
Page 275 and 276:
D.2. Domain Framework Source Code 8
Page 277:
D.3. Domain Framework Model 32 m_pT
Page 280 and 281:
Appendix E. openETCS Generator 39 <
Page 282 and 283:
Appendix E. openETCS Generator 200
Page 284 and 285:
Appendix E. openETCS Generator 46 4
Page 287 and 288:
FMetaEdit+ Generators F.1. GOPPRR X
Page 289:
GopenETCS Unit Testing G.1. Unit Te
Page 292 and 293:
Appendix H. openETCS Simulation 14
Page 294 and 295:
Page 296 and 297:
Page 299 and 300:
Glossary ANTLR ANother Tool for Lan
Page 301 and 302:
Glossary EVC An European Vital Comp
Page 303 and 304:
Glossary OEM An original equipment
Page 305:
Glossary XML The Extensible Markup
Page 308 and 309:
Bibliography [12] “EN 50128 - Rai
Page 310 and 311:
Bibliography [39] ——, ““Ope
Page 312 and 313:
Bibliography [69] T. J. Parr and R.
Page 315 and 316:
Index Artefact, 51 Automatic train
Page 317 and 318:
Index Linux, 149 Memory management,
show all

Ph.D. - geht es zur Homepage der Informatik des Fachbereiches 3 ...

Create successful ePaper yourself

Delete template?

Save as template?