XPDS14: Xen and the Art of Certification - Nathan Studer & Robert VonVossen, DornerWorks
•
4 likes•3,304 views
With the rapid growth in computing power of embedded platforms, system designers are turning to hypervisors to consolidate functionality in order to reduce the Size, Weight, Power, and Cost of embedded systems. With the recent addition of ARM support to the Xen hypervisor, Xen provides an attractive Open Source option for such systems. However, some of the industries most interested in this technology, such as automotive, medical, and avionics, have strict safety certification requirements. Nathan Studer will give a brief overview on DornerWorks efforts certifying Xen, describe the hurdles and advantages that Xen and its development model lend to the certification effort, and layout a proposed path for certifying Xen.
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Similar to XPDS14: Xen and the Art of Certification - Nathan Studer & Robert VonVossen, DornerWorks
Similar to XPDS14: Xen and the Art of Certification - Nathan Studer & Robert VonVossen, DornerWorks (20)
More from The Linux Foundation
More from The Linux Foundation (20)
Recently uploaded
Recently uploaded (20)
XPDS14: Xen and the Art of Certification - Nathan Studer & Robert VonVossen, DornerWorks
- 1. Xen and the Art of Certification Nathan Studer and Robert VanVossen Xen Developer Summit 2014 Embedded Systems Engineering
- 2. Certification – Why? B787-2139 by MilborneOne is licensed under http://creativecommons.org/licenses/by-sa/3.0/deed.en Xen Developer Summit Xen and the Art of Certification 2014
- 3. Certification – Why? Xen Developer Summit Xen and the Art of Certification 2014
- 4. Earning Trust Assurance standards /= “No Bugs” standards Demonstrate that your software can be trusted This trust is required for Medical, Automotive, and Aviation applications Xen Developer Summit Xen and the Art of Certification 2014
- 5. Importance Server flaws do not usually cause direct personal harm. Flaws in safety-critical systems can kill ► Car: Controlled Fireball ► Plane: Passenger Carrying Missile ► Robotic Surgery: Tamed Terminator Xen Developer Summit Xen and the Art of Certification 2014
- 6. Overview DornerWorks Work Certification Certifying Core Xen Patch Examples Beyond Core Xen Cost Conclusion Questions Xen Developer Summit Xen and the Art of Certification 2014
- 7. DornerWorks Work Started with the ARINC653 scheduler Continued with support by Navy Small Business Innovative Research (SBIR) topics ► Rockwell Collins ► Leanna Rierson – Designated Engineering Representative (DER) ► Accuvant Xen Developer Summit Xen and the Art of Certification 2014
- 8. DornerWorks Work Main Goals ► Demonstrate Xen on Embedded Platforms ► Understand what certifying Xen to DO-178 Design Assurance Level (DAL)-A and Common Criteria (CC) Evaluation Assurance Level (EAL) 6+ would take ► Begin the certification process ► Do some Formal Methods Analysis on Xen Xen Developer Summit Xen and the Art of Certification 2014
- 9. Overview DornerWorks Work Certification Certifying Core Xen Patch Example Beyond Core Xen Cost Conclusion Questions Xen Developer Summit Xen and the Art of Certification 2014
- 10. What is certification Requires things that everyone knows should be done, but tend to skip. (e.g. Documentation) Enforces good practices. (e.g. design and test independence) Interesting Verification Activities Prevent certification loopholes. (e.g. tool qualification) Xen Developer Summit Xen and the Art of Certification 2014
- 11. Tool Qualification Normal Software Engineering Reflex: Automation. What if the automated tool introduces an error? Xen Developer Summit Xen and the Art of Certification 2014
- 12. What is Required? What does each level require ► DAL-E: The software must exist. ► DAL-D: High-Level Documentation/Tests ► DAL-C: Low-Level Documentation/Unit Tests, Statement Coverage, and Code/Data Coupling Analysis ► DAL-B: Branch Coverage ► DAL-A: Source to Object Analysis and MC/DC Coverage DO-178 D-A closely related to ASIL A-D[1] Xen Developer Summit Xen and the Art of Certification 2014
- 13. Example Applications DAL-E: Infotainment ► Failure is a minor inconvenience DAL-D/C: Instruments ► Failure can be mitigated by operator DAL-B/A: Engine Control ► Failure could kill someone without warning Xen Developer Summit Xen and the Art of Certification 2014
- 14. Certification Metrics[2] With Certification Experience ► DAL-A: 0.67 hour / SLOC ► DAL-B: 0.40 hour / SLOC ► DAL-C: 0.20 hour / SLOC ► DAL-D: 0.13 hour / SLOC ► DAL-E: 0.11 hour / SLOC Without Certification Experience: Multiply by 3-4 Xen Developer Summit Xen and the Art of Certification 2014
- 15. Certification Metrics In Pictures Rate: $100/hr Two Examples: ► 30K SLOC: ~Xen ARM ► 1 Million SLOC: Small Linux Kernel? Xen Developer Summit Xen and the Art of Certification 2014
- 16. Example Certification Cost – 30K SLOC Cost to Certify 30K SLOC versus DAL $2,000,000.00 $1,500,000.00 $1,000,000.00 $500,000.00 $- E D C Xen Developer Summit Xen and the Art of Certification 2014 DAL Cost ($) With Experience Without Experience
- 17. Example Certification Cost – 30K SLOC Cost to Certify 30K SLOC versus DAL $10,000,000.00 $8,000,000.00 $6,000,000.00 $4,000,000.00 $2,000,000.00 $- E D C B A Xen Developer Summit Xen and the Art of Certification 2014 DAL Cost ($) With Experience Without Experience
- 18. Example Certification Cost – 1M SLOC Cost to Certify 1M SLOC versus DAL $60,000,000.00 $50,000,000.00 $40,000,000.00 $30,000,000.00 $20,000,000.00 $10,000,000.00 $- E D C Xen Developer Summit Xen and the Art of Certification 2014 DAL Cost ($) With Experience Without Experience
- 19. Example Certification Cost – 1M SLOC Cost to Certify 1M SLOC versus DAL $300,000,000.00 $250,000,000.00 $200,000,000.00 $150,000,000.00 $100,000,000.00 $50,000,000.00 $- E D C B A Xen Developer Summit Xen and the Art of Certification 2014 DAL Cost ($) With Experience Without Experience
- 20. Where does the time go? Breakdown of DO-178 Objectives (DAL-A) Xen Developer Summit Xen and the Art of Certification 2014 Planning Development Verification Configuration Management Quality Assurance Certification Source Code
- 21. Overview DornerWorks Work Certification Certifying Core Xen Patch Example Beyond Core Xen Cost Conclusion Questions Xen Developer Summit Xen and the Art of Certification 2014
- 22. General Xen Certification Plan Create a small subset Reverse Engineer Certification Artifacts for any extant features Forward Engineer any additional features Xen Developer Summit Xen and the Art of Certification 2014
- 23. Xen Certification Guidelines 1. Create a small subset 2. Use virtualization extensions Xen Developer Summit Xen and the Art of Certification 2014
- 24. Reverse Engineering – What can go wrong? [3] ► Poor reverse engineering justification ► Lack of a well defined Software Lifecycle Plan ► Abstraction and traceability problems ► No Access to original developers ► Complex and poorly documented source code Commercial Aviation Safety Team (CAST) Xen Developer Summit Xen and the Art of Certification 2014
- 25. Access to Original Developers “Developing the design, requirements, and test cases for a complex software component, such as an operating system, can be nearly impossible without some access to the original developers.” [3] Xen Developer Summit Xen and the Art of Certification 2014
- 26. Xen Original Developers ARM ► Ian Campbell ► Ian Jackson ► Stefano Stabellini ► Julien Grall X86 ► Kier Frasier? ► ??? Xen Developer Summit Xen and the Art of Certification 2014
- 27. Backup Plan 1. Git commit messages. 2. Archived Design Discussions on the mailing list. Xen Developer Summit Xen and the Art of Certification 2014
- 28. Documentation and Comments “Many reverse engineering efforts start with source code that is complex and poorly documented. The code may contain numerous pointers and complex data structures. The code may also not contain commentary statements, which can make it difficult to understand.” [3] Reoccurring topic on Slashdot Xen Developer Summit Xen and the Art of Certification 2014
- 29. Xen Certification Guidelines 1. Create a small subset 2. Use virtualization extensions 3. Focus on ARM Xen Developer Summit Xen and the Art of Certification 2014
- 30. Overview DornerWorks Work Certification Certifying Core Xen Patch Example Beyond Core Xen Cost Conclusion Questions Xen Developer Summit Xen and the Art of Certification 2014
- 31. Good Patch – Design Details David Vrabel – Scalable Event Channels Xen Developer Summit Xen and the Art of Certification 2014
- 32. Design Details (DAL-E) Xen Developer Summit Xen and the Art of Certification 2014
- 33. Design Details (DAL-D) Xen Developer Summit Xen and the Art of Certification 2014
- 34. Design Details (DAL-D) Xen Developer Summit Xen and the Art of Certification 2014
- 35. Design Details (DAL-C, B, A) Xen Developer Summit Xen and the Art of Certification 2014
- 36. Overview DornerWorks Work Certification Certifying Xen Patch Example Beyond Core Xen Cost Conclusion Questions Xen Developer Summit Xen and the Art of Certification 2014
- 37. Xen Helpers ►U-boot or bootloader ► Qemu ► XL and friends ► Dom0 Xen Developer Summit Xen and the Art of Certification 2014
- 38. Xen Certification Guidelines 1. Create a small subset 2. Use virtualization extensions 3. Focus on ARM 4. Create a simpler bootloader Xen Developer Summit Xen and the Art of Certification 2014
- 39. Xen Helpers ► U-boot or bootloader ►Qemu ► XL and friends ► Dom0 Xen Developer Summit Xen and the Art of Certification 2014
- 40. Xen Certification Guidelines 1. Create a small subset 2. Use virtualization extensions 3. Focus on ARM 4. Create a simpler bootloader 5. Use direct pass-through or PV drivers Xen Developer Summit Xen and the Art of Certification 2014
- 41. Xen Helpers ► U-boot or bootloader ► Qemu ►XL and friends ► Dom0 Xen Developer Summit Xen and the Art of Certification 2014
- 42. Xen Certification Guidelines 1. Create a small subset 2. Use virtualization extensions 3. Focus on ARM 4. Create a simpler bootloader 5. Use direct pass-through or PV drivers 6. Create a simpler toolstack Xen Developer Summit Xen and the Art of Certification 2014
- 43. Xen Helpers ► U-boot or bootloader ► Qemu ► XL and friends ►Dom0 Xen Developer Summit Xen and the Art of Certification 2014
- 44. How hard is certifying Linux? It’s been done… to DAL-D. DAL-C is a big hurdle. It must be the “Rate of Change”, right? Xen Developer Summit Xen and the Art of Certification 2014
- 45. Why such a big hurdle? DAL-D ► High-Level Documentation ► Functional Tests Information already exists. Xen Developer Summit Xen and the Art of Certification 2014
- 46. Why such a big hurdle? DAL-C ► Statement Coverage ► Code/Data Coupling Analysis ► Low-Level Documentation ► Exhaustive Unit Tests Extremely unpopular tasks in the open source community. Xen Developer Summit Xen and the Art of Certification 2014
- 47. Xen Certification Guidelines 1. Create a small subset 2. Use virtualization extensions 3. Focus on ARM 4. Create a simpler bootloader 5. Use direct pass-through or PV drivers 6. Create a simpler toolstack 7. Replace or Offload Linux dom0 Xen Developer Summit Xen and the Art of Certification 2014
- 48. Avoiding Linux – Open Source Mini-os dom0 Custom dom0 FreeRTOS? Xen Developer Summit Xen and the Art of Certification 2014
- 49. Avoiding Linux - Other Already Certified dom0 (e.g. VxWorks, GreenHills, etc…) ► HVM (or PVH) dom0 Certified service domains ► Still certifying a subset of Linux Unikernels Xen Developer Summit Xen and the Art of Certification 2014
- 50. Overview DornerWorks Work Certification Certifying Core Xen Patch Example Beyond Core Xen Cost Conclusion Questions Xen Developer Summit Xen and the Art of Certification 2014
- 51. Cost Certification Packages are expected to be expensive, but not that expensive Amortize certification costs, somehow Start with something less critical Xen Developer Summit Xen and the Art of Certification 2014
- 52. Overview DornerWorks Work Certification Certifying Xen Patch Example Beyond Core Xen Cost Conclusion Questions Xen Developer Summit Xen and the Art of Certification 2014
- 53. Conclusion Certification is a lot of work It needs to be done if a Xen guest is ever going to: ► Fly a plane ► Drive a Car ► Perform Orthopedic Surgery The Xen developer community has a good frame work in place to make it happen Xen Developer Summit Xen and the Art of Certification 2014
- 54. References [1] Matthias Gerlach and Stephan Weißleder, Can Cars Fly? From Avionics to Automotive: Comparability of Domain Specifc Safety Standards [2] Certification Cost Estimates for Future Communication Radio Platforms, 2009 [3] CAST-18: Reverse Engineering in Certification Projects, 2003 Xen Developer Summit Xen and the Art of Certification 2014
- 55. Overview DornerWorks Work Certification Certifying Xen Patch Example Beyond Core Xen Cost Conclusion Questions Xen Developer Summit Xen and the Art of Certification 2014
- 56. Questions Xen Developer Summit Xen and the Art of Certification 2014
- 57. Contact Information Nathan Studer: nate.studer@gmail.com Robert VanVossen: robert.vanvossen@dornerworks.com Xen Developer Summit Xen and the Art of Certification 2014