Toyota’s killer firmware: Bad design and its consequences


Source: http://www.edn.com/design/automotive/4423428/Toyota-s-killer-firmware–Bad-design-and-its-consequences

 

Barr’s ultimate conclusions were that:

  • Toyota’s electronic throttle control system (ETCS) source code is of unreasonable quality.
  • Toyota’s source code is defective and contains bugs, including bugs that can cause unintended acceleration (UA).
  • Code-quality metrics predict presence of additional bugs.
  • Toyota’s fail safes are defective and inadequate (referring to them as a “house of cards” safety architecture).
  • Misbehaviors of Toyota’s ETCS are a cause of UA.

 

Toyota's claims versus the Barr Group's claims. I want to look into the evidence.

| Category | Toyota | Barr Group |
|---|---|---|
| Hardware | 2005 Camry's CPU had error detecting and correcting (EDAC) RAM. | It didn't. EDAC, or at least parity RAM, is relatively easy and low-cost insurance for safety-critical systems. |
| Software | | Mirroring (where key data is written to redundant variables) was not always done. This gains extra significance in light of stack overflow. |
| | Only 41% of the allocated stack space was being used. | 94% was closer to the truth. |
| | | Stack-killing, MISRA-C rule-violating recursion was found in the code; the CPU doesn't incorporate memory protection to guard against stack overflow. |
| | | Two key items were not mirrored: the RTOS' critical internal data structures, and—the most important bytes of all, the final result of all this firmware—the TargetThrottleAngle global variable. |
| | | Toyota missed some of the calls made via pointer, missed stack usage by library and assembly functions (about 350 in total), and missed RTOS use during task switching. They also failed to perform run-time stack monitoring. |
| | | Toyota's ETCS used a version of OSEK, which is an automotive standard RTOS API. For some reason, though, the CPU vendor-supplied version was not certified compliant. |
| | | Unintentional RTOS task shutdown was heavily investigated as a potential source of the UA. |
| | | As single bits in memory control each task, corruption due to HW or SW faults will suspend needed tasks or start unwanted ones. |
| | | Vehicle tests confirmed that one particular dead task would result in loss of throttle control, and that the driver might have to fully remove their foot from the brake during an unintended acceleration event before being able to end the unwanted acceleration. |
| | | A litany of other faults were found in the code, including buffer overflow, unsafe casting, and race conditions between tasks. |
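Mirroring as the table describes it, shown as an added example (not code from Toyota, the Barr Group or the EDN article): a critical value such as a throttle-angle result is stored next to its bitwise complement, so a single flipped bit in either copy is caught on read and replaced with a fail-safe value instead of being acted on. The type, function names and the fail-safe angle are hypothetical.

```c
#include <stdint.h>
#include <stdbool.h>
/* Hypothetical mirrored type: the value and its bitwise complement are
 * always written together, so they must satisfy value ^ mirror == 0xFFFF. */
typedef struct { uint16_t value; uint16_t mirror; } mirrored_u16;
#define THROTTLE_SAFE_ANGLE 0u  /* constructed fail-safe: closed throttle */

static void mirrored_write(mirrored_u16 *m, uint16_t v)
{
    m->value  = v;
    m->mirror = (uint16_t)~v;
}

/* True and the stored value if both copies agree; otherwise false and the
 * fail-safe angle. Any single flipped bit in either copy breaks the invariant. */
static bool mirrored_read(const mirrored_u16 *m, uint16_t *out)
{
    if ((uint16_t)(m->value ^ m->mirror) == 0xFFFFu) {
        *out = m->value;
        return true;
    }
    *out = THROTTLE_SAFE_ANGLE;
    return false;
}

/* Write then read back with no fault: the value survives intact. */
static bool mirrored_roundtrip_ok(uint16_t v)
{
    mirrored_u16 m;
    uint16_t out;
    mirrored_write(&m, v);
    return mirrored_read(&m, &out) && out == v;
}

/* Simulate a RAM fault on each of the 32 bits (16 in value, 16 in mirror),
 * one at a time, and count how many the read detects and fails safe on. */
static int count_detected_single_bit_faults(uint16_t angle)
{
    int detected = 0;
    for (unsigned bit = 0; bit < 32; bit++) {
        mirrored_u16 target;
        uint16_t out;
        mirrored_write(&target, angle);
        *(bit < 16 ? &target.value : &target.mirror) ^= (uint16_t)(1u << (bit % 16));
        if (!mirrored_read(&target, &out) && out == THROTTLE_SAFE_ANGLE)
            detected++;
    }
    return detected;  /* 32 for any angle; an unmirrored variable would catch none */
}
```

The same check costs two extra bytes per mirrored variable and a compare per read, which is why the table treats leaving TargetThrottleAngle and the RTOS task structures unmirrored as a design gap rather than a resource constraint.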

2 thoughts on “Toyota’s killer firmware: Bad design and its consequences”

  1. I solve agree with all the ideas you have presented in your post. They’re especially influential and will without doubt composition. Still, the posts are fantastically short representing newbies. Could you entertain extend them a bit from next time? Thanks for the post.
