CN-122029518-A - Method and system for executing safety critical applications
Abstract
A method of executing a safety critical application (150) on a hardware platform (100) is presented. The method includes executing, on the hardware platform (100), a virtual machine monitor (120) having a monitoring component (130) for the safety critical application (150); instantiating, by the virtual machine monitor (120), at least one virtual machine (140) at a privilege level of the hardware platform lower than the privilege level of the virtual machine monitor (120); and providing a list of one or more predefined actions that, when executed by a processor core (112 a, 112 b), have a bearing on the integrity and/or operation of the safety critical application (150). The method further includes instructing, by the virtual machine monitor (120), the processor cores (112 a, 112 b) to divert control flow toward respective handlers (132) in the monitoring component (130) when an action on the list is about to be performed, and executing at least the safety critical application (150) in the at least one virtual machine (140) on top of a guest operating system (142). In the handler, a check of whether the action is allowed or not allowed may be performed and/or at least one preparation for the action may be performed.
Inventors
- K. Lampka
- M. A.J. Bart
- U. HILDEBRAND
- H. HUGHES
Assignees
- 伊必汽车有限公司
Dates
- Publication Date: 2026-05-12
- Application Date: 2023-11-08
- Priority Date: 2023-10-24
Claims (16)
- 1. A method for executing a safety critical application (150) on a hardware platform (100) comprising at least one processor core (112 a, 112 b), the method comprising the steps of: executing a virtual machine monitor (120) on the hardware platform (100), the virtual machine monitor (120) comprising a monitoring component (130) for the safety critical application (150); instantiating, by the virtual machine monitor (120), at least one virtual machine (140) at a privilege level of the hardware platform lower than the privilege level of the virtual machine monitor (120); providing a list of one or more predefined actions which, when executed by the processor cores (112 a, 112 b), have a bearing on the integrity and/or the running of the safety critical application (150); instructing, by the virtual machine monitor (120), the processor cores (112 a, 112 b) to divert control flow towards respective handlers (132) in the monitoring component (130) when an action on the list is about to be performed; executing at least the safety critical application (150) on top of a guest operating system (142) in the at least one virtual machine (140); and, when the control flow is diverted to a handler (132) for an action to be performed: checking, by the handler (132), whether the action to be performed is allowed or not allowed according to a predetermined rule set, and causing the action to be performed when it is allowed, and/or performing, by the handler (132), at least one preparation for the action to be performed, and then causing the action to be performed.
- 2. The method of claim 1, wherein the action to be performed comprises a transition of the control flow between the safety critical application (150) and the guest operating system (142).
- 3. The method of claim 1 or 2, wherein the preparation for the transition of the control flow between the safety critical application (150) and the guest operating system (142) as the action to be performed comprises altering access permissions to at least one resource used by the safety critical application.
- 4. The method of any one of claims 1 to 3, wherein: the preparation for the transition of the control flow from the safety critical application (150) to the guest operating system (142) as the action to be performed comprises prohibiting or disabling write access to memory pages used by the safety critical application (150), and the preparation for the transition of the control flow from the guest operating system (142) to the safety critical application (150) comprises allowing or enabling write access to memory pages used by the safety critical application (150).
- 5. The method of claim 4, further comprising keeping at least one memory region writable while write access to the memory pages is prohibited, the memory region being designated for data transfer between the safety critical application (150) and the guest operating system (142).
- 6. The method of claim 4 or 5, wherein, in addition to prohibiting write access to the memory pages, access to a stage 1 page table tree, PTT, maintained in the virtual machine (140) is prohibited, and/or wherein, in addition to allowing write access to the memory pages, access to the stage 1 page table tree, PTT, maintained in the virtual machine (140) is also allowed.
- 7. The method of any of claims 1 to 6, wherein instructing the processor cores to divert the control flow and/or disabling or enabling access to the memory pages comprises modifying a stage 2 page table tree, PTT, maintained by the virtual machine monitor (120) for the virtual machine (140).
- 8. The method of claim 7, further comprising, after the stage 2 PTT has been modified on one of a plurality of processor cores (112 a, 112 b), flushing the translation lookaside buffer, TLB, of the other processor cores.
- 9. The method of any one of claims 1 to 8, wherein the actions to be performed include setting up a new safety critical application (150) by the guest operating system (142), and the preparation comprises allowing write access to memory pages to be used by the new safety critical application (150).
- 10. The method of claim 9, wherein: in addition to allowing write access to the memory pages for the new safety critical application (150), execution of code in these memory pages is not allowed, and after the setting up of the new safety critical application (150) is complete, execution of code in the memory pages is allowed.
- 11. The method of any of claims 1 to 10, wherein determining that the control flow is transitioning to the guest operating system (142) or to the safety critical application (150), respectively, is responsive to the control flow being diverted to a handler upon an attempt to execute code in non-executable memory pages of the guest operating system (142) or of the safety critical application (150), respectively.
- 12. The method of any of claims 1-11, further comprising executing at least one other application (160) in the at least one virtual machine (140) on top of the guest operating system (142).
- 13. The method of any one of claims 1 to 12, further comprising: processing, by the safety critical application (150), measurement data acquired by at least one sensor (522) into an actuation signal, and actuating at least one land, air or marine vehicle and/or at least one robot, and/or any component thereof, with said actuation signal.
- 14. A computing system (500), comprising: a hardware platform (100) having one or more processor cores (112 a, 112 b), and a memory (114) for data storage; wherein the computing system is configured to perform the steps of the method according to any of the preceding claims.
- 15. One or more computer programs comprising machine-readable instructions, which when executed by a computing system (500) cause the computing system to perform the method of any of claims 1-13 and/or perform the role of the monitoring component (130) in the context of the method of any of claims 1-13.
- 16. A non-transitory machine readable data carrier and/or download product having one or more computer programs as claimed in the preceding claims.
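The permission handling of claims 4 to 11, as an added C simulation that is not part of the patent: a stage 2 page table with an owner and R/W/X bits per page, a handler entered when a core executes a non-executable page, the preparation that toggles write and execute rights on a transition, and the write-then-execute setup path for a new application. The page layout, the names and the fault entry point are assumptions made for the simulation.

```c
/* Constructed model of the monitoring component's stage 2 permission handling
   (claims 4-6, 8-11), not the patent's code; layout and bit names are assumed. */
#define NPAGES 8
enum { PERM_R = 1, PERM_W = 2, PERM_X = 4 };
enum owner { OWN_OS, OWN_APP, OWN_SHARED };
enum domain { DOM_OS, DOM_APP };
struct s2_entry { enum owner owner; int perm; };
struct vmm { struct s2_entry pt[NPAGES]; enum domain cur; int tlb_flushes; };

/* Transition into `to`: only the running domain's pages are executable, app pages
   are writable only while the app runs, shared pages stay writable (claims 4-5). */
static void prepare_transition(struct vmm *v, enum domain to) {
    for (int i = 0; i < NPAGES; i++) {
        struct s2_entry *e = &v->pt[i];
        if (e->owner == OWN_SHARED) continue;            /* always R|W, never X */
        int runs = (e->owner == OWN_APP) == (to == DOM_APP);
        e->perm = PERM_R | (runs ? PERM_X : 0) |
                  (e->owner == OWN_APP && to == DOM_APP ? PERM_W : 0);
    }
    v->cur = to;
    v->tlb_flushes++;   /* other cores hold stale stage 2 translations (claim 8) */
}

/* Handler reached when a core executes a page that is non-executable in the current
   stage 2 PTT (claim 11). Returns 1 if allowed and prepared, 0 if the rules forbid it. */
int on_execute_fault(struct vmm *v, int page) {
    struct s2_entry *e = &v->pt[page];
    if (e->owner == OWN_SHARED) return 0;                /* data page: never code */
    enum domain target = e->owner == OWN_APP ? DOM_APP : DOM_OS;
    if (target == v->cur) return 0;                      /* same domain: violation */
    prepare_transition(v, target);
    return 1;
}

/* Claims 9-10: a page handed to a new app is writable but not executable while the
   guest OS sets it up; afterwards it is executable and not writable. */
void begin_app_setup(struct vmm *v, int page) {
    v->pt[page] = (struct s2_entry){ OWN_APP, PERM_R | PERM_W };
}
void finish_app_setup(struct vmm *v, int page) {
    v->pt[page].perm = PERM_R | PERM_X | (v->cur == DOM_APP ? PERM_W : 0);
}
/* Layout: pages 0-3 guest OS (3 spare), 4-5 app, 6-7 shared; the guest OS runs first. */
void vmm_init(struct vmm *v) {
    *v = (struct vmm){ 0 };
    for (int i = 0; i < NPAGES; i++)
        v->pt[i] = (struct s2_entry){ i < 4 ? OWN_OS : i < 6 ? OWN_APP : OWN_SHARED,
                                      PERM_R | PERM_W };
    prepare_transition(v, DOM_OS);
}
```

Each call to on_execute_fault that returns 1 stands for one diversion of the control flow into the monitoring component, and the flush counter records how often the other cores' TLBs would have to be invalidated.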
Description
Technical Field
The present invention relates generally to the field of safety critical applications. More particularly, the present invention relates to a method for executing a safety critical application on a hardware platform comprising at least one processor and/or processor core. Further, the present invention relates to a computing system configured to perform the steps of such a method, to one or more computer programs for instructing a computing system to perform the steps of such a method, and to a machine readable data carrier and/or download product storing such one or more computer programs.
Background
Safety critical applications are generally defined or understood as software applications or programs whose failure or malfunction may, at least in principle, lead to serious damage or injury, in particular to one or more of machinery, equipment, human health and the environment. In other words, a malfunction of a safety critical application may lead to an increased safety risk for humans, for the machinery used and/or for the environment involved. For example, a safety critical application may run or execute on a so-called safety critical system, which may be a computing system running one or more software-based safety critical applications, or a more complex system involving additional components such as one or more sensors, one or more actuators, and/or other hardware components. Exemplary safety critical systems and corresponding applications for controlling and/or monitoring one or more components may be found in vehicles, power plant control systems, manufacturing or production control systems, chemical plant control systems, building or facility control systems, and many other systems. Various standards and recommendations have been defined for safety critical applications and systems to ensure their proper or adequate operation.
Typically, such standards or recommendations are related to the specific use cases and/or devices involved. For example, ISO standard 26262 of the International Organization for Standardization, ISO, relates to safety-critical or safety-related systems that include electrical and/or electronic systems and are installed in passenger cars or road vehicles. The standards and recommendations provide a set of guidelines and/or safety measures that should be met by the safety-critical applications and corresponding systems to ensure their proper operation. A safety critical application or system that complies with such a standard or recommendation may also be referred to as a safety-qualified application or system. On the other hand, software applications or computing systems that do not meet such standards (e.g., because what they handle is not a safety critical or safety related process or function) are referred to herein as non-safety critical applications. In many software applications and corresponding computing systems or environments, a safety critical application may run or execute in parallel, sequentially or alternately with a non-safety critical application, or, more generally, may coexist with an application that does not conform to the safety level of the safety critical application. Alternatively or additionally, the safety critical application may be executed on top of a non-safety-qualified OS or OS kernel. Such systems are often referred to as mixed-criticality systems (hybrid critical systems) or mixed-criticality software systems. A mixed-criticality system may be a complex software-based system in which software applications or software components of different criticality (including the software of the OS, such as the OS kernel) run on common hardware (e.g., one or more common processors), where the different applications come from different quality or safety levels and include at least one safety critical application.
This means that not all applications in a mixed-criticality system adhere to the highest level of safety quality assurance measures required or recommended by standards such as ISO 26262, even though ideally every application would conform to them. To ensure proper operation of the one or more safety critical applications in such mixed-criticality systems, freedom from interference between software components of different quality and/or safety levels should be ensured. Protection from interference in general, and from fault propagation between software components of different safety levels in particular, is typically achieved by isolating applications in space and/or time, where isolation may be achieved or monitored through dedicated features of the underlying hardware. For example, the private memory of an application may be protected by a memory protection unit or Memory Management Unit (MMU), which may be implemented in the processor and which may report access violations.