As software content has grown in embedded systems, the ability to develop robust software has not improved at the same rate, and the resulting software vulnerabilities pose a serious threat to safety, security, availability, and reliability.
That is the view of David Kleidermacher, CTO at Green Hills Software, who is teaching a course at the Embedded Systems Conference in San Jose, Ca. titled PHASE: Defense against dark arts (ESC-205). He believes that this threat demands new approaches to embedded software development.
“Much of the world's critical infrastructure, financial networks, medical information systems, telecommunications gear, and portable mobile devices,” he said, “are open to compromise by determined individuals, corporations, organized crime, and nation states.”
According to Kleidermacher, PHASE stands for Principles of High Assurance Software Engineering, and it is a practical methodology that developers can apply to create software that is far more robust than most commercial software.
“PHASE has been used in systems that have passed the highest level for aviation safety certification (DO-178B), the highest level for industrial safety certification (IEC-16508), and the highest level of security certification (Common Criteria–ISO/IEC 15408),” he said. “In addition, the creative application of PHASE can maximize reuse of legacy software and enable powerful new capabilities.”
Recent developments, Kleidermacher said, have proven that high assurance software can be practical, even for complex applications such as operating systems.
“This architecture should help computer and security professionals as well as the average consumer understand what is meant by high assurance,” he said. It prescribes a set of five principles to be used in the creation of ultra-reliable software and systems: 1) minimal implementation, 2) componentization, 3) least privilege, 4) secure development process, and 5) independent expert validation.
“It is much harder to create simple, elegant solutions to problems than complex, convoluted ones,” said Kleidermacher. “Most software developers do not work in an environment in which producing the absolute minimal possible solution to a problem is an unwavering requirement.”
In his view the result is spaghetti code, the source of vulnerabilities that run rampant in software and provide the avenue of exploitation for hackers. As an example, Kleidermacher recounts the experience of developing an HTML 1.1-compliant web server.
“Engineers at Green Hills Software developed a high assurance web server that used state-driven protocol processing instead of the typical error-prone string parsing and manipulation,” he said. “The result: a few hundred lines of perfect code instead of the tens of thousands of lines found in many commercial web servers.”
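As an added illustration of the state-driven protocol processing Kleidermacher describes (example code, not Green Hills' server): a byte-at-a-time state machine for one HTTP/1.1 request line, where every input byte either matches the grammar of the current state or ends in an explicit error. The size limits, the single accepted version string and the function names are assumptions made for this example.

```c
#include <string.h>
/* Assumed limits for this illustration (not taken from Green Hills' server). */
enum { METHOD_MAX = 8, TARGET_MAX = 64 };
enum state { ST_METHOD = 0, ST_TARGET, ST_VERSION, ST_LF, ST_DONE, ST_ERROR };
struct request_line {
    char method[METHOD_MAX + 1];   /* zero-filled at init, so always NUL-terminated */
    char target[TARGET_MAX + 1];
    size_t mlen, tlen, vidx;
    enum state st;
};
/* The only version token accepted, matched one byte at a time (CR included). */
static const char VERSION[] = "HTTP/1.1\r";

/* Consume one byte: it fits the current state's grammar or forces ST_ERROR. No string-library call touches input. */
static enum state rl_feed(struct request_line *r, unsigned char c)
{
    switch (r->st) {
    case ST_METHOD:   /* 1..METHOD_MAX uppercase letters, then exactly one SP */
        if (c >= 'A' && c <= 'Z' && r->mlen < METHOD_MAX) r->method[r->mlen++] = (char)c;
        else if (c == ' ' && r->mlen > 0) r->st = ST_TARGET;
        else r->st = ST_ERROR;
        break;
    case ST_TARGET:   /* 1..TARGET_MAX visible ASCII bytes, then exactly one SP */
        if (c > ' ' && c < 0x7f && r->tlen < TARGET_MAX) r->target[r->tlen++] = (char)c;
        else if (c == ' ' && r->tlen > 0) r->st = ST_VERSION;
        else r->st = ST_ERROR;
        break;
    case ST_VERSION:  /* every byte must equal the next byte of VERSION */
        if (c != (unsigned char)VERSION[r->vidx]) r->st = ST_ERROR;
        else if (++r->vidx == sizeof VERSION - 1) r->st = ST_LF;
        break;
    case ST_LF:
        r->st = (c == '\n') ? ST_DONE : ST_ERROR;
        break;
    default:          /* ST_DONE or ST_ERROR: any further byte is a violation */
        r->st = ST_ERROR;
        break;
    }
    return r->st;
}

/* Returns 1 only when buf holds exactly one well-formed request line; on success method/target are NUL-terminated. */
int parse_request_line(const unsigned char *buf, size_t len, struct request_line *r)
{
    memset(r, 0, sizeof *r);   /* ST_METHOD is 0, buffers are NUL-filled */
    for (size_t i = 0; i < len; i++)
        if (rl_feed(r, buf[i]) == ST_ERROR) return 0;
    return r->st == ST_DONE;
}
```

Because the machine rejects on the first byte that does not fit, over-long methods, unexpected versions, truncated lines and trailing bytes all fail closed instead of being partially accepted.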
Software that fulfills all five PHASE principles, Kleidermacher believes, can be trusted to manage and protect high value assets, even if those assets are under attack by the most determined and resourceful enemies (e.g. exposed to the Internet) or used in safety-critical systems.
PHASE, he said, does not attempt to rigorously define “secure development process” or specifically how the principle of least privilege applies to a particular software component or system. Interpretations will necessarily vary depending on the situation. But if followed, the principles will ensure that important software systems are not prone to the vulnerabilities that are, said Kleidermacher, all too common in software development today.
“Furthermore, PHASE can be applied selectively and creatively,” he said, “to both improve safety and reliability while maximizing investment in legacy software.”
Embedded.com Editor Bernard Cole is also site leader of iApplianceweb and a partner in the Techrite Associates editorial services consultancy. He welcomes your feedback. Call him at 602-288-7257 or send an email to .