With the rapid growth in the computing power of embedded platforms, system designers are turning to hypervisors to consolidate functionality in order to reduce the Size, Weight, Power, and Cost of embedded systems. With the recent addition of ARM support to the Xen hypervisor, Xen provides an attractive open source option for such systems. However, some of the industries most interested in this technology, such as automotive, medical, and avionics, have strict safety certification requirements. Nathan Studer will give a brief overview of DornerWorks' efforts certifying Xen, describe the hurdles and advantages that Xen and its development model lend to the certification effort, and lay out a proposed path for certifying Xen.
XPDS14: Xen and the Art of Certification - Nathan Studer & Robert VanVossen, DornerWorks
1. Xen and the Art of Certification
Nathan Studer and Robert VanVossen
Xen Developer Summit 2014
Embedded Systems Engineering
2. Certification – Why?
B787-2139 by MilborneOne is licensed under
http://creativecommons.org/licenses/by-sa/3.0/deed.en
Xen Developer Summit Xen and the Art of Certification
2014
4. Earning Trust
Assurance standards ≠ “No Bugs” standards
Demonstrate that your software can be trusted
This trust is required for Medical, Automotive, and Aviation applications
5. Importance
Server flaws do not usually cause direct
personal harm.
Flaws in safety-critical systems can kill
► Car: Controlled Fireball
► Plane: Passenger Carrying Missile
► Robotic Surgery: Tamed Terminator
6. Overview
DornerWorks Work
Certification
Certifying Core Xen
Patch Examples
Beyond Core Xen
Cost
Conclusion
Questions
7. DornerWorks Work
Started with the ARINC653 scheduler
Continued with support from Navy Small Business Innovation Research (SBIR) topics
► Rockwell Collins
► Leanna Rierson – Designated Engineering
Representative (DER)
► Accuvant
8. DornerWorks Work
Main Goals
► Demonstrate Xen on Embedded Platforms
► Understand what certifying Xen to DO-178
Design Assurance Level (DAL)-A and
Common Criteria (CC) Evaluation Assurance
Level (EAL) 6+ would take
► Begin the certification process
► Do some Formal Methods Analysis on Xen
9. Overview
DornerWorks Work
Certification
Certifying Core Xen
Patch Example
Beyond Core Xen
Cost
Conclusion
Questions
10. What is certification?
Requires things that everyone knows should be done, but tends to skip (e.g. documentation)
Enforces good practices (e.g. design and test independence)
Interesting verification activities
Prevents certification loopholes (e.g. tool qualification)
11. Tool Qualification
Normal software engineering reflex: automation.
What if the automated tool introduces an error?
12. What is Required?
What does each level require?
► DAL-E: The software must exist.
► DAL-D: High-Level Documentation/Tests
► DAL-C: Low-Level Documentation/Unit Tests, Statement Coverage, and Code/Data Coupling Analysis
► DAL-B: Branch Coverage
► DAL-A: Source to Object Analysis and MC/DC Coverage
DO-178 DAL D-A closely related to ASIL A-D [1]
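The three coverage criteria on the DAL-C/B/A lines are easy to conflate, so here is an added worked example (not from the slides, and not Xen code) showing what each one actually demands of a test set for one decision. The decision `a and (b or c)` and the three test sets are constructed for illustration; the checks implement the textbook definitions: statement coverage (the guarded statement ran at least once), branch coverage (the decision took both outcomes) and unique-cause MC/DC (each condition is shown, by a pair of tests differing only in that condition, to independently change the outcome). The last function brute-forces the smallest MC/DC set over the full truth table, which for three conditions comes out at the well-known n+1 = 4.

```python
"""Statement vs branch vs MC/DC coverage, worked on one decision.

Added example, not from the slides. The decision and the test vectors
are constructed; the functions implement the standard definitions.
"""
from itertools import combinations, product

CONDITIONS = ("a", "b", "c")  # constructed decision: a and (b or c)


def decision(a, b, c):
    """The decision under test; think of it as the guard on an `if`."""
    return a and (b or c)


def statement_covered(tests):
    """The body of `if decision(...)` executes iff the decision was true once."""
    return any(decision(*t) for t in tests)


def branch_covered(tests):
    """Both the taken and the not-taken edge of the `if` must be exercised."""
    return {decision(*t) for t in tests} == {True, False}


def independence_pair(tests, i):
    """Return two tests that differ only in condition i and produce different
    outcomes (unique-cause MC/DC for that condition), or None."""
    for t1, t2 in combinations(tests, 2):
        same_elsewhere = all(t1[j] == t2[j] for j in range(len(t1)) if j != i)
        if t1[i] != t2[i] and same_elsewhere and decision(*t1) != decision(*t2):
            return t1, t2
    return None


def mcdc_pairs(tests):
    """Map each condition name to its independence pair (or None)."""
    return {name: independence_pair(tests, i) for i, name in enumerate(CONDITIONS)}


def mcdc_covered(tests):
    """MC/DC holds when every condition has an independence pair."""
    return all(pair is not None for pair in mcdc_pairs(tests).values())


def coverage_report(tests):
    return {
        "statement": statement_covered(tests),
        "branch": branch_covered(tests),
        "mcdc": mcdc_covered(tests),
    }


def smallest_mcdc_set():
    """Brute-force the smallest MC/DC test set over the full truth table
    (8 vectors for three conditions, so the search is cheap)."""
    table = list(product((False, True), repeat=len(CONDITIONS)))
    for size in range(1, len(table) + 1):
        for subset in combinations(table, size):
            if mcdc_covered(subset):
                return subset
    return None


# Constructed test sets as (a, b, c) tuples; not from the slides.
ONE_TEST = [(True, True, False)]                         # statement only
TWO_TESTS = [(True, True, False), (False, True, False)]  # adds the false branch
FOUR_TESTS = [(True, True, False), (False, True, False),  # full MC/DC
              (True, False, False), (True, False, True)]

if __name__ == "__main__":
    for name, tests in (("1 test", ONE_TEST), ("2 tests", TWO_TESTS), ("4 tests", FOUR_TESTS)):
        print(name, coverage_report(tests))
    print("smallest MC/DC set:", smallest_mcdc_set())
```

The point for the certification discussion is the gradient: one vector satisfies statement coverage, two satisfy branch coverage, but the test set only reaches MC/DC once every condition has been individually shown to matter, which is why the DAL-A verification budget grows so much faster than the code size.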
13. Example Applications
DAL-E: Infotainment
► Failure is a minor inconvenience
DAL-D/C: Instruments
► Failure can be mitigated by operator
DAL-B/A: Engine Control
► Failure could kill someone without warning
14. Certification Metrics[2]
With Certification Experience
► DAL-A: 0.67 hour / SLOC
► DAL-B: 0.40 hour / SLOC
► DAL-C: 0.20 hour / SLOC
► DAL-D: 0.13 hour / SLOC
► DAL-E: 0.11 hour / SLOC
Without Certification Experience: Multiply by 3-4
15. Certification Metrics In Pictures
Rate: $100/hr
Two Examples:
► 30K SLOC: ~Xen ARM
► 1 Million SLOC: Small Linux Kernel?
16. Example Certification Cost – 30K SLOC
[Chart: Cost to Certify 30K SLOC versus DAL. X-axis: DAL (E, D, C); y-axis: Cost ($), $0 to $2,000,000; series: With Experience, Without Experience]
17. Example Certification Cost – 30K SLOC
[Chart: Cost to Certify 30K SLOC versus DAL. X-axis: DAL (E, D, C, B, A); y-axis: Cost ($), $0 to $10,000,000; series: With Experience, Without Experience]
18. Example Certification Cost – 1M SLOC
[Chart: Cost to Certify 1M SLOC versus DAL. X-axis: DAL (E, D, C); y-axis: Cost ($), $0 to $60,000,000; series: With Experience, Without Experience]
19. Example Certification Cost – 1M SLOC
[Chart: Cost to Certify 1M SLOC versus DAL. X-axis: DAL (E, D, C, B, A); y-axis: Cost ($), $0 to $300,000,000; series: With Experience, Without Experience]
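The four cost charts are just the metrics slide multiplied out, so as an added example (not from the slides) here is the same model in code: cost = SLOC × hours-per-SLOC × hourly rate, with the 3-4× multiplier for a team without certification experience. The hours-per-SLOC figures per DAL are the ones the metrics slide quotes from [2], the $100/hr rate and the 30K / 1M SLOC sizes are the ones the "In Pictures" slide assumes; everything else (function names, the table layout) is this example's own.

```python
"""Certification cost model from the metrics slides: SLOC x hours/SLOC x rate.

Added example. Per-DAL hours are the figures quoted on the
'Certification Metrics' slide (from reference [2]); the inexperience
multiplier is the 'multiply by 3-4' range quoted there.
"""

HOURS_PER_SLOC = {"A": 0.67, "B": 0.40, "C": 0.20, "D": 0.13, "E": 0.11}
INEXPERIENCE_MULTIPLIER = (3, 4)   # slide: "Without Certification Experience: Multiply by 3-4"
RATE_USD_PER_HOUR = 100            # slide: "Rate: $100/hr"


def certification_hours(sloc, dal, experienced=True):
    """Return (low, high) estimated engineering hours.

    For an experienced team the range collapses to a single value."""
    base = sloc * HOURS_PER_SLOC[dal.upper()]
    if experienced:
        return base, base
    lo, hi = INEXPERIENCE_MULTIPLIER
    return base * lo, base * hi


def certification_cost(sloc, dal, experienced=True, rate=RATE_USD_PER_HOUR):
    """Return (low, high) estimated cost in dollars."""
    lo, hi = certification_hours(sloc, dal, experienced)
    return lo * rate, hi * rate


def cost_table(sloc, rate=RATE_USD_PER_HOUR):
    """Rows of (DAL, cost with experience, (low, high) without), E through A,
    i.e. the data behind the 'Cost to Certify ... versus DAL' charts."""
    rows = []
    for dal in "EDCBA":
        with_exp, _ = certification_cost(sloc, dal, True, rate)
        without = certification_cost(sloc, dal, False, rate)
        rows.append((dal, with_exp, without))
    return rows


def print_table(sloc, rate=RATE_USD_PER_HOUR):
    print(f"Cost to certify {sloc:,} SLOC at ${rate}/hr")
    print(f"{'DAL':>4} {'with experience':>18} {'without (3x - 4x)':>30}")
    for dal, with_exp, (lo, hi) in cost_table(sloc, rate):
        print(f"{dal:>4} {with_exp:>18,.0f} {lo:>14,.0f} - {hi:>13,.0f}")


if __name__ == "__main__":
    # The two sizes from the 'Certification Metrics In Pictures' slide:
    # ~Xen ARM and a small Linux kernel.
    for sloc in (30_000, 1_000_000):
        print_table(sloc)
        print()
```

Running it reproduces the shape of the charts: DAL-A on 30K SLOC is about $2M with experience and $6M to $8M without, and the 1M SLOC case lands in the tens to hundreds of millions, which is the whole argument for keeping the certified subset of Xen small.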
20. Where does the time go?
[Pie chart: Breakdown of DO-178 Objectives (DAL-A). Segments: Planning, Development, Verification, Configuration Management, Quality Assurance, Certification, Source Code]
21. Overview
DornerWorks Work
Certification
Certifying Core Xen
Patch Example
Beyond Core Xen
Cost
Conclusion
Questions
22. General Xen Certification Plan
Create a small subset
Reverse engineer certification artifacts for any extant features
Forward engineer any additional features
23. Xen Certification Guidelines
1. Create a small subset
2. Use virtualization extensions
24. Reverse Engineering – What can go wrong? [3]
► Poor reverse engineering justification
► Lack of a well-defined Software Lifecycle Plan
► Abstraction and traceability problems
► No access to original developers
► Complex and poorly documented source code
Commercial Aviation Safety Team (CAST)
25. Access to Original Developers
“Developing the design, requirements, and test cases for a complex software component, such as an operating system, can be nearly impossible without some access to the original developers.” [3]
26. Xen Original Developers
ARM
► Ian Campbell
► Ian Jackson
► Stefano Stabellini
► Julien Grall
X86
► Keir Fraser?
► ???
27. Backup Plan
1. Git commit messages.
2. Archived design discussions on the mailing list.
28. Documentation and Comments
“Many reverse engineering efforts start with source code that is complex and poorly documented. The code may contain numerous pointers and complex data structures. The code may also not contain commentary statements, which can make it difficult to understand.” [3]
Recurring topic on Slashdot
29. Xen Certification Guidelines
1. Create a small subset
2. Use virtualization extensions
3. Focus on ARM
30. Overview
DornerWorks Work
Certification
Certifying Core Xen
Patch Example
Beyond Core Xen
Cost
Conclusion
Questions
31. Good Patch – Design Details
David Vrabel – Scalable Event Channels
36. Overview
DornerWorks Work
Certification
Certifying Xen
Patch Example
Beyond Core Xen
Cost
Conclusion
Questions
37. Xen Helpers
► U-boot or bootloader
► Qemu
► XL and friends
► Dom0
38. Xen Certification Guidelines
1. Create a small subset
2. Use virtualization extensions
3. Focus on ARM
4. Create a simpler bootloader
39. Xen Helpers
► U-boot or bootloader
► Qemu
► XL and friends
► Dom0
40. Xen Certification Guidelines
1. Create a small subset
2. Use virtualization extensions
3. Focus on ARM
4. Create a simpler bootloader
5. Use direct pass-through or PV drivers
41. Xen Helpers
► U-boot or bootloader
► Qemu
► XL and friends
► Dom0
42. Xen Certification Guidelines
1. Create a small subset
2. Use virtualization extensions
3. Focus on ARM
4. Create a simpler bootloader
5. Use direct pass-through or PV drivers
6. Create a simpler toolstack
43. Xen Helpers
► U-boot or bootloader
► Qemu
► XL and friends
► Dom0
44. How hard is certifying Linux?
It’s been done… to DAL-D.
DAL-C is a big hurdle.
It must be the “Rate of Change”, right?
45. Why such a big hurdle?
DAL-D
► High-Level Documentation
► Functional Tests
Information already exists.
46. Why such a big hurdle?
DAL-C
► Statement Coverage
► Code/Data Coupling Analysis
► Low-Level Documentation
► Exhaustive Unit Tests
Extremely unpopular tasks in the open source community.
47. Xen Certification Guidelines
1. Create a small subset
2. Use virtualization extensions
3. Focus on ARM
4. Create a simpler bootloader
5. Use direct pass-through or PV drivers
6. Create a simpler toolstack
7. Replace or Offload Linux dom0
48. Avoiding Linux – Open Source
Mini-os dom0
Custom dom0
FreeRTOS?
49. Avoiding Linux - Other
Already certified dom0 (e.g. VxWorks, Green Hills, etc.)
► HVM (or PVH) dom0
Certified service domains
► Still certifying a subset of Linux
Unikernels
50. Overview
DornerWorks Work
Certification
Certifying Core Xen
Patch Example
Beyond Core Xen
Cost
Conclusion
Questions
51. Cost
Certification packages are expected to be expensive, but not that expensive
Amortize certification costs, somehow
Start with something less critical
52. Overview
DornerWorks Work
Certification
Certifying Xen
Patch Example
Beyond Core Xen
Cost
Conclusion
Questions
53. Conclusion
Certification is a lot of work
It needs to be done if a Xen guest is ever going to:
► Fly a plane
► Drive a car
► Perform orthopedic surgery
The Xen developer community has a good framework in place to make it happen
54. References
[1] Matthias Gerlach and Stephan Weißleder, Can Cars Fly? From Avionics to Automotive: Comparability of Domain Specific Safety Standards
[2] Certification Cost Estimates for Future Communication Radio Platforms, 2009
[3] CAST-18: Reverse Engineering in Certification Projects, 2003
55. Overview
DornerWorks Work
Certification
Certifying Xen
Patch Example
Beyond Core Xen
Cost
Conclusion
Questions
57. Contact Information
Nathan Studer: nate.studer@gmail.com
Robert VanVossen: robert.vanvossen@dornerworks.com