CN-122003666-A - Method and system for executing safety-critical application program
Abstract
A method of executing a safety-critical application (130) on a hardware platform (100) is presented. The method comprises executing a virtual machine manager (115) on the hardware platform (100); instantiating an execution environment (120) by the virtual machine manager (115); executing an operating system with a kernel (125, 125 a) in the execution environment (120); executing the safety-critical application (130) on the operating system in the execution environment (120) at a privilege level lower than that of the kernel (125, 125 a); executing, by the safety-critical application (130), system call instructions of the kernel (125, 125 a), which transfer control flow to a primary handler (127) in the kernel (125, 125 a) for invoking the kernel function requested by a specific intended system call; transferring the control flow further, by a processor core (112 a, 112 b), to a secondary handler (119) in the virtual machine manager (115); passing the intended system call from the secondary handler (119) to a supervision component (150); and checking, by the supervision component (150), the operation to be performed by the intended system call against a predetermined set of rules.
Inventors
- M. Ambrose
- J. PETERSON
- K. Lampka
- M. Feng Chetritz and Neuhaus
- R. MUELLER
Assignees
- 伊必汽车有限公司
Dates
- Publication Date
- 20260508
- Application Date
- 20231108
- Priority Date
- 20231024
Claims (18)
- 1. A method for executing a safety-critical application (130) on a hardware platform (100) comprising at least one processor core (112 a, 112 b), the method comprising the steps of: executing a virtual machine manager (115) on the hardware platform (100); instantiating, by the virtual machine manager (115), an execution environment (120); executing an operating system having a kernel (125, 125 a) in the execution environment (120); executing, in the execution environment (120), the safety-critical application (130) on the operating system at a privilege level lower than the privilege level of the kernel (125, 125 a); executing, by the safety-critical application (130), system call instructions of the kernel (125, 125 a), the instructions transferring control flow to a primary handler (127) in the kernel (125, 125 a) for invoking a function provided by the kernel (125, 125 a) according to a specific intended system call; transferring said control flow further, by said at least one processor core (112 a, 112 b), to a secondary handler (119) in said virtual machine manager (115); passing the intended system call to a supervision component (150) through the secondary handler (119); checking, by the supervision component (150), the operation to be performed by the intended system call against a predetermined set of rules; and, based on the result of this check, causing, by the supervision component (150), the function according to the intended system call to be executed, or suppressing it.
- 2. The method of claim 1 wherein said further transferring said control flow to a secondary handler (119) in said virtual machine manager (115) comprises configuring said at least one processor core (112 a, 112 b) to transfer control flow to said secondary handler (119) in said virtual machine manager (115) upon attempting to execute said primary handler (127) in said kernel (125, 125 a).
- 3. The method of any one of claims 1 to 2, further comprising: marking a memory region storing the primary handler (127) as non-executable in the memory management of the hardware platform (100), and designating the secondary handler (119) in the virtual machine manager (115) as the exception handler for memory exceptions triggered by attempts to execute code in that memory region.
- 4. A method according to any one of claims 1 to 3, wherein a predetermined set of whitelisted system calls is exempted from said transferring of said control flow to said secondary handler (119) in said virtual machine manager (115), so that the intended function of a whitelisted system call is performed directly upon the system call from the safety-critical application (130).
- 5. The method of claims 3 and 4, wherein the primary handler (127) for whitelisted system calls lies entirely outside the memory region marked as non-executable.
- 6. The method of any of claims 4 to 5, wherein a whitelisted system call invokes a function that does not change the process state of the safety-critical application (130) and that either does not access the memory areas dedicated to the safety-critical application (130) or only reads from those memory areas.
- 7. The method of any one of claims 1 to 6, further comprising designating a memory region to be shared between the safety-critical application (130) on the one hand and the kernel (125, 125 a) on the other hand.
- 8. The method according to any of claims 1 to 7, wherein the predetermined set of rules comprises at least one rule allowing a system call to write to a specified memory area and/or register, and/or at least one rule prohibiting a system call from writing to a specified memory area and/or register.
- 9. The method of any one of claims 1 to 8, further comprising, after performing the function according to the intended system call, checking by the supervision component (150) whether the modifications performed by this function are consistent with the predetermined set of rules, and, in response to determining that this is not the case, determining that the safety-critical application (130) is not working properly.
- 10. The method of any of claims 1 to 9, wherein the further transferring of the control flow to the secondary handler (119) in the virtual machine manager (115) comprises executing a hypervisor call (HVC) from the primary handler (127) in the kernel (125, 125 a).
- 11. The method of any of claims 1 to 10, wherein the causing the function according to the intended system call to be performed comprises handing over the control flow to a handler in the kernel (125, 125 a) for the intended system call.
- 12. The method of claim 11, further comprising: granting the supervision component (150), through the virtual machine manager (115), write access to at least one memory area used by the safety-critical application (130), and writing, by the supervision component (150), the result of the intended system call into this at least one memory area.
- 13. The method of any one of claims 1 to 12, further comprising, in response to determining that the function according to the intended system call affects a state of the process, storing this state of the process in the supervision component (150) prior to executing the intended system call, and, after executing the intended system call, checking the updated state of the process against the stored state.
- 14. The method of any of claims 1 to 13, wherein at least one rule of the predetermined set of rules is based at least in part on whether a system call is invoked from the safety-critical application (130) or from another application running in the same execution environment.
- 15. The method of any one of claims 1 to 14, further comprising: processing, by the safety-critical application (130), measurement data acquired by at least one sensor into an activation signal, and using the activation signal to actuate at least one land, air or sea vehicle and/or at least one robot and/or any component thereof.
- 16. A computing system (500), comprising: a hardware platform (100) having one or more processor cores (112 a, 112 b), and a memory (114) for data storage; wherein the computing system (500) is configured to perform the steps of the method according to any of the preceding claims.
- 17. One or more computer programs comprising machine-readable instructions, which when executed by a computing system, cause the computing system to perform the functions of any of claims 1-15 and/or to perform the functions of the supervision component in the context of the method.
- 18. A non-transitory machine readable data carrier and/or download product having one or more computer programs as claimed in claim 17.
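The claims describe the supervision component (150) only in terms of what it checks: a whitelist that bypasses the trap (claims 4 and 6), allow/forbid rules on memory writes (claim 8), rules conditioned on the caller (claim 14), and a before/after comparison of process state (claims 9 and 13). The following is an added example, not code from the patent or its assignee: a user-space C model of that decision logic. The trap mechanism itself (non-executable primary handler, HVC) is not modelled; the kernel is represented by a function pointer so that a correct kernel path and a constructed misbehaving one can be compared. Syscall numbers (Linux x86-64 values), the rule table, the two-field process state and the rule that callers other than the safety-critical application only need to stay out of forbidden regions are all assumptions chosen for illustration.

```c
/*
 * Added example (not part of the patent): a user-space model of the
 * supervision component (150). Syscall numbers (Linux x86-64 values),
 * the rule table, the two-field "process state" and the origin rule are
 * assumptions chosen for illustration; the kernel is modelled as a
 * function pointer so a correct and a misbehaving path can be compared.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { NR_READ = 0, NR_WRITE = 1, NR_MMAP = 9, NR_BRK = 12, NR_GETPID = 39 };

typedef struct { uintptr_t start, end; } region_t;                          /* half-open [start, end) */
typedef struct { bool allow; region_t r; } rule_t;                          /* claim 8: allow/forbid writes */
typedef struct { long nr; uintptr_t a[6]; bool from_scapp; } syscall_req_t; /* claim 14: caller origin */
typedef struct { uintptr_t brk; int mappings; } proc_state_t;               /* claim 13: modelled state */

enum verdict { V_DIRECT, V_EXECUTED, V_SUPPRESSED, V_FAULT };
enum { F_BRK = 1, F_MAP = 2 };

/* Claims 4 and 6: a call that changes no process state and touches no
 * application memory is whitelisted and never trapped into the VMM. */
static bool is_whitelisted(long nr) { return nr == NR_GETPID; }

/* State fields a given syscall is expected to modify (claim 13). */
static unsigned expected_change(long nr)
{
    switch (nr) {
    case NR_BRK:  return F_BRK;
    case NR_MMAP: return F_MAP;
    default:      return 0;
    }
}

/* Memory the kernel would write on the caller's behalf, if any. */
static bool write_target(const syscall_req_t *q, region_t *out)
{
    if (q->nr == NR_READ) { out->start = q->a[1]; out->end = q->a[1] + q->a[2]; return true; }
    return false;
}

static bool contains(region_t r, region_t t) { return t.start >= r.start && t.end <= r.end; }
static bool overlaps(region_t r, region_t t) { return t.start < r.end && r.start < t.end; }

/* Claims 8 and 14: a forbidden region always wins; an explicit allow rule is
 * required only when the call originates from the safety-critical application
 * (assumption: other applications in the same environment are only fenced
 * out of the forbidden regions). */
static bool rules_permit(const rule_t *rules, size_t n, const syscall_req_t *q)
{
    region_t t;
    if (!write_target(q, &t)) return true;
    bool allowed = !q->from_scapp;
    for (size_t i = 0; i < n; i++) {
        if (!rules[i].allow && overlaps(rules[i].r, t)) return false;
        if (rules[i].allow && contains(rules[i].r, t)) allowed = true;
    }
    return allowed;
}

typedef void (*kernel_fn)(const syscall_req_t *, proc_state_t *);

/* The decision of claims 1, 9, 11 and 13 for one trapped system call. */
static enum verdict supervise(const rule_t *rules, size_t n, const syscall_req_t *q,
                              proc_state_t *st, kernel_fn kernel)
{
    if (is_whitelisted(q->nr)) { kernel(q, st); return V_DIRECT; }  /* claim 4: no VMM trap */
    if (!rules_permit(rules, n, q)) return V_SUPPRESSED;            /* claim 1: suppressed */
    proc_state_t before = *st;                                      /* claim 13: store state */
    kernel(q, st);                                                  /* claim 11: kernel handler */
    unsigned may = expected_change(q->nr);
    if (!(may & F_BRK) && st->brk != before.brk) return V_FAULT;    /* claim 9: inconsistent */
    if (!(may & F_MAP) && st->mappings != before.mappings) return V_FAULT;
    return V_EXECUTED;
}

/* Constructed kernel models: one correct, one that corrupts the break on every call. */
static void model_kernel(const syscall_req_t *q, proc_state_t *st)
{
    if (q->nr == NR_BRK) st->brk = q->a[0];
    else if (q->nr == NR_MMAP) st->mappings++;
}
static void faulty_kernel(const syscall_req_t *q, proc_state_t *st) { (void)q; st->brk += 0x1000; }

int main(void)
{
    rule_t rules[] = { { true, { 0x10000, 0x20000 } }, { false, { 0x18000, 0x18100 } } };
    proc_state_t st = { 0x40000, 0 };
    syscall_req_t rd_ok  = { .nr = NR_READ,  .a = { 3, 0x10000, 0x100 }, .from_scapp = true };
    syscall_req_t rd_bad = { .nr = NR_READ,  .a = { 3, 0x18000, 0x10 },  .from_scapp = true };
    syscall_req_t wr     = { .nr = NR_WRITE, .a = { 1, 0x10000, 0x10 },  .from_scapp = true };
    printf("read into allowed buffer: %d\n", supervise(rules, 2, &rd_ok, &st, model_kernel));
    printf("read into forbidden area: %d\n", supervise(rules, 2, &rd_bad, &st, model_kernel));
    printf("write with faulty kernel: %d\n", supervise(rules, 2, &wr, &st, faulty_kernel));
    return 0;
}
```

Two points the model makes explicit that the claims leave implicit: `rules_permit` lets a forbid rule override any allow rule, which is the conservative reading of claim 8, and the post-execution check of claim 13 needs a per-syscall notion of which state a call may legitimately change, otherwise `brk` and `mmap` would always be flagged. A real supervision component would also have to obtain the "before" snapshot from the guest's own memory through the VMM (claim 12), which this model short-cuts with a plain struct.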
Description
Method and system for executing safety-critical application program
Technical Field
The present invention relates generally to the field of safety-critical applications. More particularly, it relates to a method for executing a safety-critical application on a hardware platform comprising at least one processor core. Furthermore, the invention relates to a computing system configured to perform the steps of the method, to one or more computer programs for instructing a computing system to perform the steps of the method, and to a machine-readable data carrier and/or download product storing the one or more computer programs.
Background
Safety-critical applications are generally understood as software applications or programs whose failure or malfunction can, at least in principle, lead to serious damage or injury, in particular to machinery, equipment, human health or the environment. In other words, a malfunction of a safety-critical application may increase the safety risk for personnel, for the machinery used and/or for the surrounding environment. Safety-critical applications typically run on so-called safety-critical systems, which range from computing systems running one or more software-based safety-critical applications to more complex systems that additionally involve one or more sensors, one or more actuators and/or other hardware components. Safety-critical systems for controlling and/or monitoring one or more components, together with their corresponding applications, exist in vehicles, power plant control systems, manufacturing or production control systems, chemical plant control systems, building or facility control systems and many other control systems.
Software that has direct access to the hardware of a processor of a hardware platform or computing system and operates it is typically packaged in a special program called the operating system kernel (also referred to herein as the OS kernel or kernel). In general, the kernel, OS kernel and/or system kernel referred to herein may be regarded as a supervisor whose privilege level is raised relative to the other software components, programs or software executing on top of it. The correct behaviour of the hardware features used requires the operating system kernel to operate the hardware correctly. Proper operation of a safety-critical application therefore depends on proper operation of the operating system kernel software. Moreover, this dependency involves not only the software units of the kernel that operate the hardware features in question, but also all software code that can affect those units, which in practice means the entire OS kernel. This is why it is generally understood that, in order to support even a single safety-related function by executing a safety-critical application, the entire operating system kernel must be qualified for use in a safety context or must be supervised. Various standards and recommendations have been formulated for safety-critical applications and systems to ensure their proper operation. Typically, such standards or recommendations are tied to the particular use case and/or device involved. For example, the ISO 26262 standard of the International Organization for Standardization (ISO) applies to safety-related electrical and/or electronic systems installed in passenger cars or road vehicles. Such standards and recommendations provide a set of guidelines and/or safety measures that safety-critical applications and the corresponding systems should meet to ensure their proper operation.
A safety-critical application or system that meets such a standard or recommendation may also be referred to as a safety-certified application or system. Conversely, software applications or computing systems that do not meet such standards, for example because they handle processes or functions that are not safety-critical or safety-relevant, are referred to herein as non-safety-critical applications. For open-source software, which follows a distributed and unspecified software development model, safety certification is both challenging and costly. For open-source monolithic operating system kernels consisting of millions of lines of code, such as the Linux kernel, certification according to ISO 26262 may in practice become infeasible, since safety certification typically requires the entire software stack to meet the same integrity level, or Safety Integrity Level (SIL), as the safety-critical application. The term safety integrity level (also referred to herein as "safety level") may be defined as a discrete level of risk reduction provided by a safety function or a safety-critical application. To date, there has not been any method or technical solution to prove that Linux kernels, Linux-based