MISRA C: How to achieve ISO 26262 Compliance
Presented by
Andrew Banks
(Andrew.Banks@LDRA.com)
High Integrity Software 2019
Bristol, 5th November 2019
Agenda
2
1. MISRA C – A quick history
2. MISRA C in an ISO 26262 context
3. MISRA C in a little bit more detail
4. Achieving MISRA C compliance
5. Cybersecurity & Autonomy
Provider of Software Quality, Compliance
Management & Testing Solutions
Established 1975
ISO 9001 certified company
Certified for use in safety related software
development according to IEC 61508, EN
50128, ISO 26262, IEC 62304 & IEC 60880
Active participants in standards e.g.
DO-178C, MISRA C/C++, CERT
3
Experts in Safety and Security Critical Software:
Aerospace, Defence, Medical, Industrial & Energy, Rail, Transportation, Automotive
4
The LDRA tool suite® Solution
5
▪ LDRA Testbed®: core static and dynamic analysis engine
(C/C++, Java, Ada83/Ada95 & Assemblers)
▪ TBvision®: visualisation of standards compliance, quality
metrics & code coverage
▪ TBmanager®: collaborative test management, requirements
traceability & verification workflow
▪ TBrun®: host & target unit/integration test
▪ Plug-ins for: Eclipse, Visual Studio, MPLABX, Rhapsody…
MISRA C
... A quick history
1
▪ K&R C
▪ 1972 First created by Dennis Ritchie
▪ 1976 Lint, the first C static analyser, created by Stephen Johnson
▪ 1978 The C Programming Language published
▪ ANSI C
▪ 1989 ANSI X3.159-1989 aka C89 First standardized version
▪ ISO C
▪ 1990 ISO/IEC 9899:1990 aka C90 Equivalent to C89
▪ 1995 Amendment 1 aka C95
▪ 1999 ISO/IEC 9899:1999 aka C99
▪ 2011 ISO/IEC 9899:2011 aka C11
▪ 2018 ISO/IEC 9899:2018 aka C18 A “TC” in all but name
▪ Very few (if any) of you will be using ANSI C any more!
The C Language – A Quick History
7
▪Despite its popularity, there are several drawbacks with
the C language, eg:
▪ The ISO Standard language definition is incomplete
▪ Behaviour that is Undefined
▪ Behaviour that is Unspecified
▪ Behaviour that is Implementation Defined
▪ Language misuse and obfuscation
▪ Language misunderstanding
▪ Run-time error checking
▪MISRA C is one solution...
MISRA C – The Rationale
8
▪ November 1994: Development guidelines for vehicle based
software (aka The MISRA Guidelines)
▪ The first automotive publication concerning functional safety
▪ Commenced more than 10 years before work started on ISO
26262
▪ April 1998: Guidelines for the use of the C language in
vehicle based software (MISRA C)
▪ December 1998: IEC 61508 (first edition) published!
Original MISRA publications
9
▪ MISRA-C:1998
▪ “Guidelines for the use of the C language
in vehicle based software”
▪ Compatible with ISO/IEC 9899:1990
(aka C90)
▪ MISRA-C:2004
▪ “Guidelines for the use of the C language
in critical systems”
▪ Remains compatible with ISO/IEC
9899:1990 (aka C90)
▪ MISRA C:2012 (3rd Edition)
▪ Adds compatibility with
ISO/IEC 9899:1999 (aka C99)
▪ Updated to 1st Revision in 2019 to include
AMD1 and TC1
MISRA C – A Quick History
10
MISRA C in an
... ISO 26262 context
2
ISO 26262-6:2018, section 5.4.3
▪Criteria for suitable modelling, design or
programming languages that are not sufficiently
addressed by the language itself shall be covered
by the corresponding guidelines, or by the
development environment, considering the topics
listed in Table 1
▪Example 1: MISRA C is a coding guideline for the
programming language C and includes guidance
on automatically generated code
MISRA C – In an ISO 26262 Context
12
ISO 26262-6:2018, Table 1
MISRA C – In an ISO 26262 Context
13
▪ISO 26262-6:2018, section 8.4.5
▪Design principles for software unit design and
implementation at the source code level as listed
in Table 6 shall be applied to achieve the following
properties:
▪ correct order of execution of subprograms and functions within the
software units, based on the software architectural design;
▪ consistency of the interfaces between the software units;
▪ correctness of data flow and control flow between and within the
software units;
▪ simplicity;
▪ readability and comprehensibility;
▪ robustness;
▪ suitability for software modification; and
▪ verifiability
MISRA C – In an ISO 26262 Context
14
ISO 26262-6:2018, Table 6
MISRA C – In an ISO 26262 Context
15
Static Analysis, control flow analysis and data flow
analysis are mentioned twice as a set:
▪Table 7 ... software unit verification
▪Table 10 ... verification of software integration
Control flow analysis and data flow analysis are also
mentioned in Table 4:
▪Table 4 ... verification of software architectural design
MISRA C – In an ISO 26262 Context
16
ISO 26262-6:2018, Table 7 (unit)
MISRA C – In an ISO 26262 Context
17
ISO 26262-6:2018, Table 10
This also maps to the MISRA C guideline scope:
▪Unit Verification maps to the single-translation-unit guidelines
▪Integration maps to the system-wide guidelines
MISRA C – In an ISO 26262 Context
18
MISRA C...
... in a little bit more detail
3
ISO 26262-6:2018, Table 1
MISRA C – In an ISO 26262 Context
20
▪1a) Enforcement of low complexity
▪MISRA C deliberately avoids the topic of measurement,
other than suggesting you need to do it!
▪MISRA Report 5 “Software Metrics” (February 1995)
offers good advice!
Table 1
21
▪Keep it simple
▪ Keep the design as simple and small as possible.
▪ Complex designs increase the likelihood that errors will be
made in their implementation, configuration, and use
Enforce Low Complexity
22
Enforce Low Complexity
23
Impossible to understand, maintain or test
▪Treat Code Complexity with caution...
For example a switch() construct has a
high calculated complexity!
Enforce Low Complexity
24
▪1b) Use of a language subset
▪The MISRA C Vision
▪ The MISRA C Guidelines define a subset of the C language in
which the opportunity to make mistakes is either removed or
reduced.
▪ Many standards for the development of safety-related software
require, or recommend, the use of a language subset, and this
can also be used to develop any application with security, high
integrity or high reliability requirements.
Table 1
25
▪1c) Use of strong typing
▪Section 8.10 “The Essential Type Model”
▪ The rules in this section collectively define the essential type
model and restrict the C type system so as to:
1. Support a stronger system of type-checking;
2. Provide a rational basis for defining rules to control the
use of implicit and explicit type conversions;
3. Promote portable coding practices;
4. Address some of the type conversion anomalies found
within ISO C.
▪ The essential type model does this by allocating an essential
type to those objects and expressions which ISO C considers to
be of arithmetic type. For example, adding an int to a char gives
a result having essentially character type rather than the int
type that is actually produced by integer promotion.
Table 1
26
▪1d) Use of defensive implementation techniques
▪MISRA C has guidance relating to:
▪ Control flow
▪ If / else if / else
▪ Switch / default
▪ While / do
▪ For loops
▪ Unreachable code
▪ There shall be no unreachable code
▪ There shall be no unused code
Table 1
27
▪Consider the Required MISRA C:2012 Rule 2.1
▪ A project shall not contain unreachable code
▪Consider the Required MISRA C:2012 Rule 15.6
▪ The body of an iteration-statement or a selection-statement
shall be a compound-statement. eg:
    if ( condition )
    {
        action();
    }
▪Some suggest that these Rules are (to be polite)
unnecessary
▪I wonder if Apple’s software team agree?
▪ CVE-2014-1266
Defensive Implementation Techniques
28
The Apple iPhone SSL Bug
29
    if ( ( err = SSLFreeBuffer( &hashCtx ) ) != 0 )
        goto fail;
    if ( ( err = ReadyHash(&SSLHashSHA1, &hashCtx ) ) != 0 )
        goto fail;
    if ( ( err = SSLHashSHA1.update( &hashCtx, &clientRandom ) ) != 0 )
        goto fail;
    if ( ( err = SSLHashSHA1.update( &hashCtx, &serverRandom ) ) != 0 )
        goto fail;
    if ( ( err = SSLHashSHA1.final( &hashCtx, &hashOut ) ) != 0 )
        goto fail;
The Apple iPhone SSL Bug
30
    if ( ( err = SSLFreeBuffer( &hashCtx ) ) != 0 )
        goto fail;
    if ( ( err = ReadyHash(&SSLHashSHA1, &hashCtx ) ) != 0 )
        goto fail;
    if ( ( err = SSLHashSHA1.update( &hashCtx, &clientRandom ) ) != 0 )
        goto fail;
    if ( ( err = SSLHashSHA1.update( &hashCtx, &serverRandom ) ) != 0 )
        goto fail;
    if ( (err = SSLHashSHA1.update( &hashCtx, &signedParams ) ) != 0 )
        goto fail;
        goto fail;                                                  /* <-- Now unconditional */
    if ( ( err = SSLHashSHA1.final( &hashCtx, &hashOut ) ) != 0 )   /* <-- Now unreachable! */
        goto fail;
The Apple iPhone SSL Bug
31
    if ( ( err = SSLFreeBuffer( &hashCtx ) ) != 0 )
        goto fail;
    if ( ( err = ReadyHash(&SSLHashSHA1, &hashCtx ) ) != 0 )
        goto fail;
    if ( ( err = SSLHashSHA1.update( &hashCtx, &clientRandom ) ) != 0 )
        goto fail;
    if ( ( err = SSLHashSHA1.update( &hashCtx, &serverRandom ) ) != 0 )
        goto fail;
    if ( (err = SSLHashSHA1.update( &hashCtx, &signedParams ) ) != 0 )
    {                                                               /* <-- would this have helped? */
        goto fail;
        goto fail;                                                  /* <-- Now unreachable! */
    }                                                               /* <-- not forgetting this one... */
    if ( ( err = SSLHashSHA1.final( &hashCtx, &hashOut ) ) != 0 )   /* <-- Now reachable! */
        goto fail;
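As an added example (not from the slides, and not Apple's code), the two control-flow shapes above side by side, with constructed stand-in helpers (ready_hash, hash_update, hash_final, all hypothetical names) in place of the SSL hashing functions: the unbraced variant reports success for a forged hash because the skipped final check never overwrites err, while the braced variant the slide asks about (Rule 15.6 satisfied) still reaches the check and rejects it.

```c
#include <stdio.h>

/*
 * Constructed stand-ins for the SSL hashing helpers on the slides.
 * Each returns 0 on success, mirroring the "err != 0 -> goto fail" idiom.
 * The "hash" is a plain sum so the effect of a skipped check is visible.
 */
typedef struct { int sum; } HashCtx;

static int ready_hash(HashCtx *ctx)             { ctx->sum = 0; return 0; }
static int hash_update(HashCtx *ctx, int value) { ctx->sum += value; return 0; }
static int hash_final(const HashCtx *ctx, int expected)
{
    /* 0 only when the computed hash matches the expected value */
    return (ctx->sum == expected) ? 0 : -1;
}

/*
 * Unbraced variant, same control flow as the CVE-2014-1266 code: the
 * duplicated "goto fail" is unconditional, so hash_final() is never
 * executed and err still holds the 0 from the last successful update.
 * Violates MISRA C:2012 Rule 15.6 (unbraced body) and Rule 2.1 (unreachable code).
 */
int verify_unbraced(int client_random, int server_random, int signed_params, int expected)
{
    HashCtx ctx;
    int err;

    if ((err = ready_hash(&ctx)) != 0)
        goto fail;
    if ((err = hash_update(&ctx, client_random)) != 0)
        goto fail;
    if ((err = hash_update(&ctx, server_random)) != 0)
        goto fail;
    if ((err = hash_update(&ctx, signed_params)) != 0)
        goto fail;
        goto fail;                                 /* duplicated line: always taken */
    if ((err = hash_final(&ctx, expected)) != 0)   /* never reached */
        goto fail;

fail:
    return err;   /* 0 means "verified" */
}

/*
 * Braced variant, as on the slide: with Rule 15.6 satisfied the duplicated
 * goto lands inside the compound statement, so hash_final() still runs.
 * The second goto is now the only unreachable statement, which a Rule 2.1
 * check reports; a fully compliant rewrite would also drop goto (Rule 15.1).
 */
int verify_braced(int client_random, int server_random, int signed_params, int expected)
{
    HashCtx ctx;
    int err;

    if ((err = ready_hash(&ctx)) != 0)
    {
        goto fail;
    }
    if ((err = hash_update(&ctx, client_random)) != 0)
    {
        goto fail;
    }
    if ((err = hash_update(&ctx, server_random)) != 0)
    {
        goto fail;
    }
    if ((err = hash_update(&ctx, signed_params)) != 0)
    {
        goto fail;
        goto fail;                                 /* unreachable, but harmless */
    }
    if ((err = hash_final(&ctx, expected)) != 0)
    {
        goto fail;
    }

fail:
    return err;
}

int main(void)
{
    /* Constructed inputs: the genuine hash of (1, 2, 3) is 6; 999 stands for a forged value */
    printf("unbraced, wrong hash: err=%d (0 = accepted!)\n", verify_unbraced(1, 2, 3, 999));
    printf("braced,   wrong hash: err=%d\n", verify_braced(1, 2, 3, 999));
    printf("braced,   right hash: err=%d\n", verify_braced(1, 2, 3, 6));
    return 0;
}
```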
ISO 26262-6:2018, Table 6
MISRA C – In an ISO 26262 Context
32
▪1a) One entry and one exit point
▪MISRA C Rule 15.5 (Advisory)
▪ Justification cites IEC 61508 and ISO 26262
▪A single entry point is a given in a structured
language...
▪Lots of debate as to the usefulness of the single exit
point requirement; often (eg error trapping) early
returns can make for simpler (and hence more
maintainable) code
Table 6
33
▪ 1b) No dynamic objects
▪ MISRA C Directive 4.12 (Required) plus several Rules
▪ The C standard library dynamic memory functions are poorly
defined
▪ Error handling if allocation fails is a common cause of a
software “crash” (ie null pointer returned)
▪ Restriction in C++ harder to enforce due to automatic
allocations.......
▪ Note: JSF AV Coding Guidelines permit dynamic allocation
during program start-up
Table 6
34
▪1c) Initialization of variables
▪MISRA C Rule 8.9 (Mandatory)
▪The C Standard requires “static” variables to be
initialised to zero (unless otherwise explicitly initialised)
▪However “automatic” variables are not initialised and
thus have indeterminate values.
▪But is a default value of zero correct?
Table 6
35
MISRA Compliance
4
▪MISRA has always included
guidance related to compliance
▪ Previously, this has been included
in the introductory chapters
▪ Going forward, this important
guidance now has its own
document
▪ The guidance has always made it
clear what must be done when
using and claiming compliance
with the Guidelines, but there
were some misconceptions and
the guidance has been known to
be ignored or adopted selectively
MISRA Compliance:2016
37
▪Available as a standalone
document
▪Compatible with MISRA C:2012
(and any future versions)
▪Compatible with forthcoming
MISRA C++:20xx
▪No reason it cannot be applied to
earlier versions of either
document!
MISRA Compliance
38
▪Clearer definition of what is meant by MISRA
Compliance
▪ and how Compliance should be demonstrated
▪Provides a mechanism for tailoring classification of the
guidelines
▪ introduces the Guideline Recategorization Plan
▪Provides guidance on dealing with adopted code
▪Clarifies/tightens the Deviation process
▪Provides a mechanism for establishing pre-approved
Permits
MISRA Compliance
39
▪MISRA Compliance is NOT
▪ claimed for an organisation ... but only for a deliverable item
▪ applicable to the software ... but to the development
lifecycle
▪MISRA Compliance does NOT mean
▪ No deviations ... but no unresolved violations
▪MISRA Compliance is achieved when
▪ development of a software item has been conducted in
accordance with the processes and principles specified in the
Guidelines
▪ all violations are accepted by means of a deviation, or are
against advisory guidelines and are documented as being
considered acceptable.
MISRA Compliance
40
▪What is Adopted Code?
▪ Code developed outside of the current project
▪ May or may not have been developed to comply with the
Guidelines
▪ Source code or binary/library that is adopted unchanged
▪Examples include:
▪ The Standard Library
▪ Device driver files
▪ Third-party libraries
▪ Auto-generated code
▪ Legacy code
▪Note: Source code that is revised or modified in any
way, within the project, is no longer considered adopted
code
MISRA C – Adopted Code
41
▪Sometimes a violation may be justified
▪ A deviation is an appropriate way of handling such a violation
▪ Legitimate reasons may be
▪ Code quality (see ISO/IEC 25010 “SQuaRE”)
▪ Access to hardware
▪ Adopted code integration
▪ Non-compliant adopted code
▪A deviation should not merely document the existence of
a violation
▪A deviation should
▪ document the reason why it is required
▪ be targeted in scope and specify any necessary precautions
▪ be subject to approval by a defined process
MISRA C – Deviations
42
▪Check the code manually
▪ Needs to be done on MISRA C:2012 “undecidable” rules
▪ But don’t really want to do it on all the code!
▪Use a lightweight tool, such as is often built into
compilers
▪ Fast (Checks just a subset)
▪ Detects the easy to find defects
▪ Tends to be “Optimistic” – False Negatives
▪Use a heavyweight tool
▪ Slow (Deep analysis, Check all rules)
▪ Detects the easy and hard to find defects
(The ones that occur once a year!)
▪ Tends to be “Pessimistic” – False Positives
Checking Compliance
43
▪Summary:
▪ MISRA Compliance is achieved when development of a
software item has been conducted in accordance with the
processes and principles specified in the Guidelines
▪Evidence:
▪ 1. Guideline Recategorization Plan (if applicable)
▪ 2. Guideline Enforcement Plan
▪ 3. Guideline Compliance Summary
▪ 4. Deviation Records covering all violations of Required guidelines
▪Note:
▪ Items 1, 2 and 3 can be combined into a single spreadsheet
MISRA Compliance – Claiming Compliance
44
Cybersecurity &
Autonomy
5
ISO/SAE JWG + ISO/TC22/SC32/WG11
1. Applicable to road-vehicles
2. Goal of reasonably secure vehicles and systems
3. Management activities for cybersecurity
4. Automakers and suppliers can use to show “due
diligence”
5. Focus on automotive cybersecurity engineering
6. Based on current state-of-the-art for cybersecurity
engineering
7. Risk-oriented approach
8. Cybersecurity activities/processes for all phases of
vehicle lifecycle
ISO/SAE 21434 – Key Principles
47
Applicable to:
▪ The Road Vehicle,
▪ Its systems, sub-systems, and components
▪ The software installed
▪ Its connection from the vehicle to any external device/network.
Is designed to be compatible with ISO 26262
ISO/SAE 21434 – Scope
48
What about autonomy?
• Many initiatives under way
• ISO/IEC
• BSI
• SCSC
• etc etc
In Summary
6
▪MISRA C is
▪ widely respected as a safety-related coding standard
▪ equally applicable as a security-related coding standard
▪ appropriate for use in all high-integrity and high-reliability
environments
▪MISRA C has
▪ evolved from an automotive standard into a pan-industry
standard
▪ but has specific applicability to the automotive industry in
general
... and ISO 26262 in particular
▪MISRA C will
▪ continue to evolve as new editions of the C standard are
produced
▪ seek to address other constraints as they become identified
MISRA C – In Summary
51
Q & A
Any Questions?
52
Need more information?
info@ldra.com
Contact Us
53
▪Biography
▪ Over 30 years’ experience in developing real-time embedded software
systems, across a number of industries
▪ Chartered Fellow of the British Computer Society
▪ Member of the Institution of Engineering & Technology
... Member of the System Safety TPN Executive
▪ Technical Specialist / Field Application Engineer, LDRA
▪Standards
▪ Chairman of MISRA C Working Group since June 2013...
... Working Group member since 2007
▪ Chairman of the BSI Software Testing Working Group
▪ Contributor to ISO/IEC JTC1/SC7 and WG26
▪ Contributor to ISO 29119 “Software Testing”
▪ Contributor to ISO 26262 2nd Edition “Functional Safety”
▪ etc
About the speaker
54
@AndrewBanks
AndrewBanks

Securing the Future of Safety and Security of Embedded SoftwareSecuring the Future of Safety and Security of Embedded Software
Securing the Future of Safety and Security of Embedded Software
AdaCore
 
Spark / Ada for Safe and Secure Firmware Development
Spark / Ada for Safe and Secure Firmware DevelopmentSpark / Ada for Safe and Secure Firmware Development
Spark / Ada for Safe and Secure Firmware Development
AdaCore
 
Introducing the HICLASS Research Programme - Enabling Development of Complex ...
Introducing the HICLASS Research Programme - Enabling Development of Complex ...Introducing the HICLASS Research Programme - Enabling Development of Complex ...
Introducing the HICLASS Research Programme - Enabling Development of Complex ...
AdaCore
 
The Future of Aerospace – More Software Please!
The Future of Aerospace – More Software Please!The Future of Aerospace – More Software Please!
The Future of Aerospace – More Software Please!
AdaCore
 
Using Tiers of Assurance Evidence to Reduce the Tears! Adopting the “Wheel of...
Using Tiers of Assurance Evidence to Reduce the Tears! Adopting the “Wheel of...Using Tiers of Assurance Evidence to Reduce the Tears! Adopting the “Wheel of...
Using Tiers of Assurance Evidence to Reduce the Tears! Adopting the “Wheel of...
AdaCore
 
Software Engineering for Robotics - The RoboStar Technology
Software Engineering for Robotics - The RoboStar TechnologySoftware Engineering for Robotics - The RoboStar Technology
Software Engineering for Robotics - The RoboStar Technology
AdaCore
 
Application of theorem proving for safety-critical vehicle software
Application of theorem proving for safety-critical vehicle softwareApplication of theorem proving for safety-critical vehicle software
Application of theorem proving for safety-critical vehicle software
AdaCore
 
The Application of Formal Methods to Railway Signalling Software
The Application of Formal Methods to Railway Signalling SoftwareThe Application of Formal Methods to Railway Signalling Software
The Application of Formal Methods to Railway Signalling Software
AdaCore
 
Bounded Model Checking for C Programs in an Enterprise Environment
Bounded Model Checking for C Programs in an Enterprise EnvironmentBounded Model Checking for C Programs in an Enterprise Environment
Bounded Model Checking for C Programs in an Enterprise Environment
AdaCore
 
Multi-Core (MC) Processor Qualification for Safety Critical Systems
Multi-Core (MC) Processor Qualification for Safety Critical SystemsMulti-Core (MC) Processor Qualification for Safety Critical Systems
Multi-Core (MC) Processor Qualification for Safety Critical Systems
AdaCore
 
Ada 202x A broad overview of relevant news
Ada 202x A broad overview of relevant newsAda 202x A broad overview of relevant news
Ada 202x A broad overview of relevant news
AdaCore
 

More from AdaCore (20)

RCA OCORA: Safe Computing Platform using open standards
RCA OCORA: Safe Computing Platform using open standardsRCA OCORA: Safe Computing Platform using open standards
RCA OCORA: Safe Computing Platform using open standards
 
Have we a Human Ecosystem?
Have we a Human Ecosystem?Have we a Human Ecosystem?
Have we a Human Ecosystem?
 
Rust and the coming age of high integrity languages
Rust and the coming age of high integrity languagesRust and the coming age of high integrity languages
Rust and the coming age of high integrity languages
 
SPARKNaCl: A verified, fast cryptographic library
SPARKNaCl: A verified, fast cryptographic librarySPARKNaCl: A verified, fast cryptographic library
SPARKNaCl: A verified, fast cryptographic library
 
Developing Future High Integrity Processing Solutions
Developing Future High Integrity Processing SolutionsDeveloping Future High Integrity Processing Solutions
Developing Future High Integrity Processing Solutions
 
Taming event-driven software via formal verification
Taming event-driven software via formal verificationTaming event-driven software via formal verification
Taming event-driven software via formal verification
 
Pushing the Boundary of Mostly Automatic Program Proof
Pushing the Boundary of Mostly Automatic Program ProofPushing the Boundary of Mostly Automatic Program Proof
Pushing the Boundary of Mostly Automatic Program Proof
 
RCA OCORA: Safe Computing Platform using open standards
RCA OCORA: Safe Computing Platform using open standardsRCA OCORA: Safe Computing Platform using open standards
RCA OCORA: Safe Computing Platform using open standards
 
Product Lines and Ecosystems: from customization to configuration
Product Lines and Ecosystems: from customization to configurationProduct Lines and Ecosystems: from customization to configuration
Product Lines and Ecosystems: from customization to configuration
 
Securing the Future of Safety and Security of Embedded Software
Securing the Future of Safety and Security of Embedded SoftwareSecuring the Future of Safety and Security of Embedded Software
Securing the Future of Safety and Security of Embedded Software
 
Spark / Ada for Safe and Secure Firmware Development
Spark / Ada for Safe and Secure Firmware DevelopmentSpark / Ada for Safe and Secure Firmware Development
Spark / Ada for Safe and Secure Firmware Development
 
Introducing the HICLASS Research Programme - Enabling Development of Complex ...
Introducing the HICLASS Research Programme - Enabling Development of Complex ...Introducing the HICLASS Research Programme - Enabling Development of Complex ...
Introducing the HICLASS Research Programme - Enabling Development of Complex ...
 
The Future of Aerospace – More Software Please!
The Future of Aerospace – More Software Please!The Future of Aerospace – More Software Please!
The Future of Aerospace – More Software Please!
 
Using Tiers of Assurance Evidence to Reduce the Tears! Adopting the “Wheel of...
Using Tiers of Assurance Evidence to Reduce the Tears! Adopting the “Wheel of...Using Tiers of Assurance Evidence to Reduce the Tears! Adopting the “Wheel of...
Using Tiers of Assurance Evidence to Reduce the Tears! Adopting the “Wheel of...
 
Software Engineering for Robotics - The RoboStar Technology
Software Engineering for Robotics - The RoboStar TechnologySoftware Engineering for Robotics - The RoboStar Technology
Software Engineering for Robotics - The RoboStar Technology
 
Application of theorem proving for safety-critical vehicle software
Application of theorem proving for safety-critical vehicle softwareApplication of theorem proving for safety-critical vehicle software
Application of theorem proving for safety-critical vehicle software
 
The Application of Formal Methods to Railway Signalling Software
The Application of Formal Methods to Railway Signalling SoftwareThe Application of Formal Methods to Railway Signalling Software
The Application of Formal Methods to Railway Signalling Software
 
Bounded Model Checking for C Programs in an Enterprise Environment
Bounded Model Checking for C Programs in an Enterprise EnvironmentBounded Model Checking for C Programs in an Enterprise Environment
Bounded Model Checking for C Programs in an Enterprise Environment
 
Multi-Core (MC) Processor Qualification for Safety Critical Systems
Multi-Core (MC) Processor Qualification for Safety Critical SystemsMulti-Core (MC) Processor Qualification for Safety Critical Systems
Multi-Core (MC) Processor Qualification for Safety Critical Systems
 
Ada 202x A broad overview of relevant news
Ada 202x A broad overview of relevant newsAda 202x A broad overview of relevant news
Ada 202x A broad overview of relevant news
 

Recently uploaded

Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
SOFTTECHHUB
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
Quotidiano Piemontese
 
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex ProofszkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs
Alex Pruden
 
UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5
DianaGray10
 
GridMate - End to end testing is a critical piece to ensure quality and avoid...
GridMate - End to end testing is a critical piece to ensure quality and avoid...GridMate - End to end testing is a critical piece to ensure quality and avoid...
GridMate - End to end testing is a critical piece to ensure quality and avoid...
ThomasParaiso2
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
Ana-Maria Mihalceanu
 
By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024
Pierluigi Pugliese
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
Matthew Sinclair
 
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
名前 です男
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance
 
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
SOFTTECHHUB
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
James Anderson
 
Pushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 daysPushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 days
Adtran
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
Kari Kakkonen
 
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
Neo4j
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
Octavian Nadolu
 
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Nexer Digital
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
Matthew Sinclair
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
danishmna97
 
Microsoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdfMicrosoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdf
Uni Systems S.M.S.A.
 

Recently uploaded (20)

Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
 
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex ProofszkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs
 
UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5
 
GridMate - End to end testing is a critical piece to ensure quality and avoid...
GridMate - End to end testing is a critical piece to ensure quality and avoid...GridMate - End to end testing is a critical piece to ensure quality and avoid...
GridMate - End to end testing is a critical piece to ensure quality and avoid...
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
 
By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
 
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
 
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
 
Pushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 daysPushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 days
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
 
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
 
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
 
Microsoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdfMicrosoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdf
 

MISRA C in an ISO 26262 context

• 8. MISRA C – The Rationale
▪ Despite its popularity, there are several drawbacks with the C language, eg:
  ▪ The ISO Standard language definition is incomplete
    ▪ Behaviour that is Undefined
    ▪ Behaviour that is Unspecified
    ▪ Behaviour that is Implementation Defined
  ▪ Language misuse and obfuscation
  ▪ Language misunderstanding
  ▪ Run-time error checking
▪ MISRA C is one solution...

• 9. Original MISRA publications
▪ November 1994: Development guidelines for vehicle based software (aka The MISRA Guidelines)
  ▪ The first automotive publication concerning functional safety
  ▪ Commenced more than 10 years before work started on ISO 26262
▪ April 1998: Guidelines for the use of the C language in vehicle based software (MISRA C)
▪ December 1998: IEC 61508 (first edition) published!

• 10. MISRA C – A Quick History
▪ MISRA-C:1998
  ▪ "Guidelines for the use of the C language in vehicle based software"
  ▪ Compatible with ISO/IEC 9899:1990 (aka C90)
▪ MISRA-C:2004
  ▪ "Guidelines for the use of the C language in critical systems"
  ▪ Remains compatible with ISO/IEC 9899:1990 (aka C90)
▪ MISRA C:2012 (3rd Edition)
  ▪ Adds compatibility with ISO/IEC 9899:1999 (aka C99)
  ▪ Updated to 1st Revision in 2019 to include AMD1 and TC1

• 11. MISRA C in an ISO 26262 context (section 2)

• 12. MISRA C – In an ISO 26262 Context
▪ ISO 26262-6:2018, section 5.4.3
  ▪ Criteria for suitable modelling, design or programming languages that are not sufficiently addressed by the language itself shall be covered by the corresponding guidelines, or by the development environment, considering the topics listed in Table 1
  ▪ Example 1: MISRA C is a coding guideline for the programming language C and includes guidance on automatically generated code

• 13. MISRA C – In an ISO 26262 Context
▪ ISO 26262-6:2018, Table 1 (reproduced on the slide as an image)

• 14. MISRA C – In an ISO 26262 Context
▪ ISO 26262-6:2018, section 8.4.5
  ▪ Design principles for software unit design and implementation at the source code level as listed in Table 6 shall be applied to achieve the following properties:
    ▪ correct order of execution of subprograms and functions within the software units, based on the software architectural design;
    ▪ consistency of the interfaces between the software units;
    ▪ correctness of data flow and control flow between and within the software units;
    ▪ simplicity;
    ▪ readability and comprehensibility;
    ▪ robustness;
    ▪ suitability for software modification; and
    ▪ verifiability

• 15. MISRA C – In an ISO 26262 Context
▪ ISO 26262-6:2018, Table 6 (reproduced on the slide as an image)

• 16. MISRA C – In an ISO 26262 Context
▪ Static analysis, control flow analysis and data flow analysis are mentioned twice as a set:
  ▪ Table 7 ... software unit verification
  ▪ Table 10 ... verification of software integration
▪ Control flow analysis and data flow analysis are also mentioned in Table 4:
  ▪ Table 4 ... verification of software architectural design

• 17. MISRA C – In an ISO 26262 Context
▪ ISO 26262-6:2018, Table 7 (unit) (reproduced on the slide as an image)

• 18. MISRA C – In an ISO 26262 Context
▪ ISO 26262-6:2018, Table 10 (reproduced on the slide as an image)
▪ This also maps to the MISRA C guideline scope:
  ▪ Unit verification: single-translation-unit guidelines
  ▪ Integration: system-wide guidelines

• 19. MISRA C... in a little bit more detail (section 3)

• 20. MISRA C – In an ISO 26262 Context
▪ ISO 26262-6:2018, Table 1 (reproduced on the slide as an image)

• 21. Table 1
▪ 1a) Enforcement of low complexity
  ▪ MISRA C deliberately avoids the topic of measurement, other than suggesting you need to do it!
  ▪ MISRA Report 5 "Software Metrics" (February 1995) offers good advice!

• 22. Enforce Low Complexity
▪ Keep it simple
  ▪ Keep the design as simple and small as possible.
  ▪ Complex designs increase the likelihood that errors will be made in their implementation, configuration, and use

• 23. Enforce Low Complexity
▪ Impossible to understand, maintain or test

• 24. Enforce Low Complexity
▪ Treat code complexity with caution... for example a switch() construct has a high calculated complexity!

• 25. Table 1
▪ 1b) Use of a language subset
  ▪ The MISRA C Vision
    ▪ The MISRA C Guidelines define a subset of the C language in which the opportunity to make mistakes is either removed or reduced.
    ▪ Many standards for the development of safety-related software require, or recommend, the use of a language subset, and this can also be used to develop any application with security, high integrity or high reliability requirements.

• 26. Table 1
▪ 1c) Use of strong typing
  ▪ Section 8.10 "The Essential Type Model"
    ▪ The rules in this section collectively define the essential type model and restrict the C type system so as to:
      1. Support a stronger system of type-checking;
      2. Provide a rational basis for defining rules to control the use of implicit and explicit type conversions;
      3. Promote portable coding practices;
      4. Address some of the type conversion anomalies found within ISO C.
    ▪ The essential type model does this by allocating an essential type to those objects and expressions which ISO C considers to be of arithmetic type. For example, adding an int to a char gives a result having essentially character type rather than the int type that is actually produced by integer promotion.
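The conversion anomalies the essential type model is there to catch, as an added C example that is not part of the presentation or of MISRA's own material. The functions and the values fed to them are constructed for illustration; each returns what ISO C really computes, so the gap between what the programmer thinks of as "essentially unsigned char" and the int that integer promotion produces is visible at run time, with the explicit form the Rule 10.x guidelines push you towards beside each one.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not from the presentation: three ISO C conversion
 * anomalies that the MISRA C:2012 essential type model (Rules 10.1 to
 * 10.8) exists to catch statically. Each function returns what the
 * compiler really computes. */

/* Rule 10.1 territory: ~ applied to a uint8_t acts on the promoted int.
 * With a == 0xFF the programmer expects "all bits flipped, so zero"; the
 * int result is -256 and a test against 0 silently fails. */
int complement_is_zero(uint8_t a)
{
    return (~a == 0) ? 1 : 0;           /* always 0: ~a is an int */
}

/* Explicit form: narrow the result back to the essential type. */
uint8_t complement_narrowed(uint8_t a)
{
    return (uint8_t)(~a);               /* 0xFF -> 0x00 as intended */
}

/* Rule 10.4: operands of a relational operator must have the same
 * essential type category. Mixing signed and unsigned converts -1 to
 * UINT_MAX, so "is s less than u" answers no. */
int signed_less_than_unsigned(int32_t s, uint32_t u)
{
    return (s < u) ? 1 : 0;             /* -1 < 1U is false */
}

/* Explicit form: settle the sign first, then compare like with like. */
int signed_less_than_unsigned_fixed(int32_t s, uint32_t u)
{
    if (s < 0) {
        return 1;
    }
    return ((uint32_t)s < u) ? 1 : 0;
}

/* Rule 10.3: an expression must not be assigned to an object of narrower
 * essential type. 200 + 100 is 300 as an int; stored into a uint8_t it
 * becomes 44, and any range check written after the store is too late. */
uint8_t byte_sum_truncated(uint8_t a, uint8_t b)
{
    uint8_t sum = a + b;                /* implicit narrowing: MISRA flags it */
    return sum;
}

/* Explicit form: do the arithmetic in the promoted type, range-check,
 * then narrow deliberately. Returns -1 when the sum does not fit. */
int byte_sum_checked(uint8_t a, uint8_t b)
{
    int wide = (int)a + (int)b;
    if (wide > (int)UINT8_MAX) {
        return -1;
    }
    return (int)(uint8_t)wide;
}

int main(void)
{
    printf("~0xFF == 0 ? %d (narrowed: 0x%02X)\n",
           complement_is_zero(0xFFU), complement_narrowed(0xFFU));
    printf("-1 < 1U ? %d (fixed: %d)\n",
           signed_less_than_unsigned(-1, 1U),
           signed_less_than_unsigned_fixed(-1, 1U));
    printf("200 + 100 as uint8_t = %d (checked: %d)\n",
           byte_sum_truncated(200U, 100U), byte_sum_checked(200U, 100U));
    return 0;
}
```

None of the three "wrong" functions is rejected by a conforming compiler; a MISRA checker reports them because the essential type model classifies the operands, not because ISO C does.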
• 27. Table 1
▪ 1d) Use of defensive implementation techniques
  ▪ MISRA C has guidance relating to:
    ▪ Control flow
      ▪ if / else if / else
      ▪ switch / default
      ▪ while / do
      ▪ for loops
    ▪ Unreachable code
      ▪ There shall be no unreachable code
      ▪ There shall be no unused code

• 28. Defensive Implementation Techniques
▪ Consider the Required MISRA C:2012 Rule 2.1
  ▪ A project shall not contain unreachable code
▪ Consider the Required MISRA C:2012 Rule 15.6
  ▪ The body of an iteration-statement or a selection-statement shall be a compound-statement, eg: if ( condition ) { action(); }
▪ Some suggest that these Rules are (to be polite) unnecessary
▪ I wonder if Apple's software team agree?
  ▪ CVE-2014-1266
• 29. The Apple iPhone SSL Bug

```c
if ( ( err = SSLFreeBuffer( &hashCtx ) ) != 0 )
    goto fail;
if ( ( err = ReadyHash( &SSLHashSHA1, &hashCtx ) ) != 0 )
    goto fail;
if ( ( err = SSLHashSHA1.update( &hashCtx, &clientRandom ) ) != 0 )
    goto fail;
if ( ( err = SSLHashSHA1.update( &hashCtx, &serverRandom ) ) != 0 )
    goto fail;
if ( ( err = SSLHashSHA1.final( &hashCtx, &hashOut ) ) != 0 )
    goto fail;
```

• 30. The Apple iPhone SSL Bug

```c
if ( ( err = SSLFreeBuffer( &hashCtx ) ) != 0 )
    goto fail;
if ( ( err = ReadyHash( &SSLHashSHA1, &hashCtx ) ) != 0 )
    goto fail;
if ( ( err = SSLHashSHA1.update( &hashCtx, &clientRandom ) ) != 0 )
    goto fail;
if ( ( err = SSLHashSHA1.update( &hashCtx, &serverRandom ) ) != 0 )
    goto fail;
if ( ( err = SSLHashSHA1.update( &hashCtx, &signedParams ) ) != 0 )
    goto fail;
    goto fail;                                                  /* <- Now unconditional */
if ( ( err = SSLHashSHA1.final( &hashCtx, &hashOut ) ) != 0 )  /* <- Now unreachable! */
    goto fail;
```

• 31. The Apple iPhone SSL Bug

```c
if ( ( err = SSLFreeBuffer( &hashCtx ) ) != 0 )
    goto fail;
if ( ( err = ReadyHash( &SSLHashSHA1, &hashCtx ) ) != 0 )
    goto fail;
if ( ( err = SSLHashSHA1.update( &hashCtx, &clientRandom ) ) != 0 )
    goto fail;
if ( ( err = SSLHashSHA1.update( &hashCtx, &serverRandom ) ) != 0 )
    goto fail;
if ( ( err = SSLHashSHA1.update( &hashCtx, &signedParams ) ) != 0 )
{                                                               /* <- would this have helped? */
    goto fail;
    goto fail;                                                  /* <- Now unreachable! */
}                                                               /* <- not forgetting this one... */
if ( ( err = SSLHashSHA1.final( &hashCtx, &hashOut ) ) != 0 )  /* <- Now reachable! */
    goto fail;
```
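What the stray line does to the verdict, as an added C example that is neither Apple's code nor part of the presentation: a reduced model of the control flow on slides 30 and 31 in which the hash and signature steps are hypothetical stubs driven by a constructed table, so any step can be made to fail. verify_vulnerable() has the shape of the CVE-2014-1266 code; verify_braced() is the same text with every selection-statement body braced as Rule 15.6 requires. The names, the step count and the return codes are assumptions.

```c
#include <stdio.h>

/* Added example, not Apple's code: a reduced model of the CVE-2014-1266
 * control flow. The crypto steps are stubs driven by a constructed table
 * so a test can make any one of them fail. 0 means "verified". */

#define STEPS 4

static int step_results[STEPS];   /* constructed: return code of each step */
static int steps_run;             /* how many steps actually executed */

/* Stand-in for SSLHashSHA1.update(), .final() and the signature check;
 * step 3 plays the part of the final hash plus the signature comparison. */
static int crypto_step(int i)
{
    steps_run++;
    return step_results[i];
}

/* The vulnerable shape. One 'goto fail;' is duplicated, so the second copy
 * runs unconditionally, step 3 is unreachable (MISRA Rule 2.1) and err
 * still holds the previous, successful, code when control reaches fail:. */
int verify_vulnerable(void)
{
    int err;
    if ((err = crypto_step(0)) != 0)
        goto fail;
    if ((err = crypto_step(1)) != 0)
        goto fail;
    if ((err = crypto_step(2)) != 0)
        goto fail;
        goto fail;                    /* the stray line: unconditional */
    if ((err = crypto_step(3)) != 0)  /* never executed */
        goto fail;
fail:
    return err;
}

/* Same stray line, but every selection-statement body is a compound
 * statement (MISRA Rule 15.6). The duplicate is still a defect and still
 * unreachable code for a checker to report, but it is confined to the
 * failure branch, so the signature check keeps running. */
int verify_braced(void)
{
    int err;
    if ((err = crypto_step(0)) != 0) { goto fail; }
    if ((err = crypto_step(1)) != 0) { goto fail; }
    if ((err = crypto_step(2)) != 0) {
        goto fail;
        goto fail;                    /* harmless here */
    }
    if ((err = crypto_step(3)) != 0) { goto fail; }
fail:
    return err;
}

/* Test driver: make step 'failing_step' fail (-1 for none), run one
 * variant and return its verdict; steps_run records how far it got. */
int run_variant(int (*verify)(void), int failing_step)
{
    for (int i = 0; i < STEPS; i++) {
        step_results[i] = (i == failing_step) ? -9 : 0;
    }
    steps_run = 0;
    return verify();
}

int main(void)
{
    /* A forged signature: only the final check (step 3) fails. */
    int v = run_variant(verify_vulnerable, 3);
    printf("vulnerable: verdict %d after %d of %d steps\n", v, steps_run, STEPS);
    int b = run_variant(verify_braced, 3);
    printf("braced:     verdict %d after %d of %d steps\n", b, steps_run, STEPS);
    return 0;
}
```

The vulnerable variant returns 0 for the forged signature because the verdict it reports is the return code of the last step that actually ran, which is exactly why unreachable code (Rule 2.1) is a security finding and not a tidiness one; a compiler's unreachable-code warning, where the compiler offers one, would have pointed at the same line.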
• 32. MISRA C – In an ISO 26262 Context
▪ ISO 26262-6:2018, Table 6 (reproduced on the slide as an image)

• 33. Table 6
▪ 1a) One entry and one exit point
  ▪ MISRA C Rule 15.5 (Advisory)
    ▪ Justification cites IEC 61508 and ISO 26262
  ▪ A single entry point is a given in a structured language...
  ▪ Lots of debate as to the usefulness of the single exit point requirement; often (eg error trapping) early returns can make for simpler (and hence more maintainable) code

• 34. Table 6
▪ 1b) No dynamic objects
  ▪ MISRA C Directive 4.12 (Required) plus several Rules
  ▪ The C standard library dynamic memory functions are poorly defined
  ▪ Missing error handling when allocation fails is a common cause of a software "crash" (ie the null pointer returned by the failed allocation is used without being checked)
  ▪ Restriction in C++ harder to enforce due to automatic allocations...
  ▪ Note: JSF AV Coding Guidelines permit dynamic allocation during program start-up
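One way to hand out buffers on demand while satisfying Directive 4.12, as an added C example that is not part of the presentation: a fixed-capacity pool in static storage. MSG_SLOTS, MSG_SIZE, the msg_* functions and the buffer layout are assumptions chosen for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Added example, not from the presentation: the usual alternative to
 * malloc()/free() under Directive 4.12, a pool of fixed-size buffers in
 * static storage. Capacity is decided at link time, exhaustion is a
 * return value the caller has to look at, and there is no heap to
 * fragment. MSG_SLOTS and MSG_SIZE are hypothetical sizing constants. */
#define MSG_SLOTS 4U
#define MSG_SIZE  64U

typedef struct {
    uint8_t data[MSG_SIZE];
    bool    in_use;
} msg_buf_t;

/* Static storage duration: zero-initialised by the language, so every
 * slot starts free without an explicit init call. */
static msg_buf_t pool[MSG_SLOTS];

/* Claim a free slot, or NULL when the pool is exhausted. That NULL is a
 * deliberate, bounded condition (drop the frame, raise a fault), not the
 * unpredictable failure of a heap allocator. */
msg_buf_t *msg_alloc(void)
{
    for (size_t i = 0U; i < MSG_SLOTS; i++) {
        if (!pool[i].in_use) {
            pool[i].in_use = true;
            return &pool[i];
        }
    }
    return NULL;
}

/* Release a slot. Pointers outside the pool, pointers into the middle of
 * a slot and double frees are rejected instead of corrupting the
 * bookkeeping, which is what free() on a bad pointer does to a heap. The
 * arithmetic is done on uintptr_t so a foreign pointer is never
 * subtracted from the array (that subtraction would be undefined). */
bool msg_free(msg_buf_t *buf)
{
    uintptr_t b  = (uintptr_t)buf;
    uintptr_t lo = (uintptr_t)&pool[0];
    uintptr_t hi = (uintptr_t)&pool[MSG_SLOTS];   /* one past the end */
    if (buf == NULL || b < lo || b >= hi) {
        return false;
    }
    if (((b - lo) % sizeof(msg_buf_t)) != 0U) {
        return false;                   /* not a slot boundary */
    }
    size_t idx = (size_t)((b - lo) / sizeof(msg_buf_t));
    if (!pool[idx].in_use) {
        return false;                   /* double free */
    }
    pool[idx].in_use = false;
    return true;
}

/* Number of slots currently claimed (for monitoring and for tests). */
size_t msg_in_use(void)
{
    size_t n = 0U;
    for (size_t i = 0U; i < MSG_SLOTS; i++) {
        if (pool[i].in_use) {
            n++;
        }
    }
    return n;
}

int main(void)
{
    msg_buf_t *held[MSG_SLOTS + 1U];
    size_t got = 0U;
    for (size_t i = 0U; i < MSG_SLOTS + 1U; i++) {
        held[i] = msg_alloc();          /* the fifth request must fail */
        if (held[i] != NULL) {
            got++;
        }
    }
    printf("claimed %zu of %u requests, exhausted: %s\n", got,
           MSG_SLOTS + 1U, (held[MSG_SLOTS] == NULL) ? "yes" : "no");
    printf("double free rejected: %s\n",
           (msg_free(held[0]) && !msg_free(held[0])) ? "yes" : "no");
    return 0;
}
```

Worst-case memory use is now a link-time fact (sizeof(pool)) rather than something to be measured, and a checker can verify that neither malloc() nor free() appears anywhere in the project (Rule 21.3).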
• 35. Table 6
▪ 1c) Initialization of variables
  ▪ MISRA C Rule 9.1 (Mandatory): the value of an object with automatic storage duration shall not be read before it has been set
  ▪ The C Standard requires "static" variables to be initialised to zero (unless otherwise explicitly initialised)
  ▪ However "automatic" variables are not initialised and thus have indeterminate values.
  ▪ But is a default value of zero correct?
• 37. MISRA Compliance:2016
▪ MISRA has always included guidance related to compliance
  ▪ Previously, this has been included in the introductory chapters
  ▪ Going forward, this important guidance now has its own document
  ▪ The guidance has always made it clear what must be done when using and claiming compliance with the Guidelines, but there were some misconceptions and the guidance has been known to be ignored or adopted selectively
• 38. MISRA Compliance
▪ Available as a standalone document (free download)
▪ Compatible with MISRA C:2012 (and any future versions)
▪ Compatible with forthcoming MISRA C++:20xx
▪ No reason it cannot be applied to earlier versions of either document!
  • 39. ▪Clearer definition of what is meant by MISRA Compliance ▪ and how Compliance should be demonstrated ▪Provides a mechanism for tailoring classification of the guidelines ▪ introduces the Guideline Recategorization Plan ▪Provides guidance on dealing with adopted code ▪Clarifies/tightens the Deviation process ▪Provides a mechanism for establishing pre-approved Permits MISRA Compliance 39
  • 40. ▪MISRA Compliance is NOT ▪ claimed for an organisation ... but only for a deliverable item ▪ applicable to the software ... but to the development lifecycle ▪MISRA Compliance does NOT mean ▪ No deviations ... but no unresolved violations ▪MISRA Compliance is achieved when ▪ development of a software item has been conducted in accordance with the processes and principles specified in the Guidelines ▪ all violations are accepted by means of a deviation, or are against advisory guidelines and are documented as being considered acceptable. MISRA Compliance 40
MISRA C – Adopted Code
▪ What is Adopted Code?
  ▪ Code developed outside of the current project
  ▪ May or may not have been developed to comply with the Guidelines
  ▪ Source code or binary/library that is adopted unchanged
▪ Examples include:
  ▪ The Standard Library
  ▪ Device driver files
  ▪ Third-party libraries
  ▪ Auto-generated code
  ▪ Legacy code
▪ Note: Source code that is revised or modified in any way, within the project, is no longer considered adopted code
41
MISRA C – Deviations
▪ Sometimes a violation may be justified
  ▪ A deviation is an appropriate way of handling such a violation
  ▪ Legitimate reasons may be
    ▪ Code quality (see ISO/IEC 25010 “SQuaRE”)
    ▪ Access to hardware
    ▪ Adopted code integration
    ▪ Non-compliant adopted code
▪ A deviation should not merely document the existence of a violation
▪ A deviation should
  ▪ document the reason why it is required
  ▪ be targeted in scope and specify any necessary precautions
  ▪ be subject to approval by a defined process
42
Checking Compliance
▪ Check the code manually
  ▪ Needs to be done on MISRA C:2012 “undecidable” rules
  ▪ But don’t really want to do it on all the code!
▪ Use a lightweight tool, such as is often built into compilers
  ▪ Fast (checks just a subset)
  ▪ Detects the easy-to-find defects
  ▪ Tends to be “optimistic” – false negatives
▪ Use a heavyweight tool
  ▪ Slow (deep analysis, checks all rules)
  ▪ Detects the easy and hard-to-find defects (the ones that occur once a year!)
  ▪ Tends to be “pessimistic” – false positives
43
MISRA Compliance – Claiming Compliance
▪ Summary:
  ▪ MISRA Compliance is achieved when development of a software item has been conducted in accordance with the processes and principles specified in the Guidelines
▪ Evidence:
  1. Guideline Recategorization Plan (if applicable)
  2. Guideline Enforcement Plan
  3. Guideline Compliance Summary
  4. Deviation Records covering all violations of Required guidelines
▪ Note:
  ▪ Items 1, 2 and 3 can be combined into a single spreadsheet
44
ISO/SAE JWG + ISO/TC22/SC32/WG11
46
ISO/SAE 21434 – Key Principles
1. Applicable to road vehicles
2. Goal of reasonably secure vehicles and systems
3. Management activities for cybersecurity
4. Automakers and suppliers can use it to show “due diligence”
5. Focus on automotive cybersecurity engineering
6. Based on current state-of-the-art for cybersecurity engineering
7. Risk-oriented approach
8. Cybersecurity activities/processes for all phases of the vehicle lifecycle
47
ISO/SAE 21434 – Scope
Applicable to:
▪ The road vehicle
▪ Its systems, sub-systems and components
▪ The software installed
▪ Its connection from the vehicle to any external device/network
Is designed to be compatible with ISO 26262
48
What about autonomy?
▪ Many initiatives under way
  ▪ ISO/IEC
  ▪ BSI
  ▪ SCSC
  ▪ etc.
49
MISRA C – In Summary
▪ MISRA C is
  ▪ widely respected as a safety-related coding standard
  ▪ equally applicable as a security-related coding standard
  ▪ appropriate for use in all high-integrity and high-reliability environments
▪ MISRA C has
  ▪ evolved from an automotive standard into a pan-industry standard
  ▪ but has specific applicability to the automotive industry in general ... and ISO 26262 in particular
▪ MISRA C will
  ▪ continue to evolve as new editions of the C standard are produced
  ▪ seek to address other constraints as they become identified
51
About the speaker
▪ Biography
  ▪ Over 30 years’ experience in developing real-time embedded software systems, across a number of industries
  ▪ Chartered Fellow of the British Computer Society
  ▪ Member of the Institution of Engineering & Technology ... Member of the System Safety TPN Executive
  ▪ Technical Specialist / Field Application Engineer, LDRA
▪ Standards
  ▪ Chairman of the MISRA C Working Group since June 2013 ... Working Group member since 2007
  ▪ Chairman of the BSI Software Testing Working Group
  ▪ Contributor to ISO/IEC JTC1/SC7 and WG26
  ▪ Contributor to ISO 29119 “Software Testing”
  ▪ Contributor to ISO 26262 2nd Edition “Functional Safety”
  ▪ etc.
54
@AndrewBanks AndrewBanks