Paul Parkinson

Case study: Ultra Datel safety-critical avionics upgrade using COTS

2009-12-21T01:00:00-08:00

I recently had the privilege of working with one of our partners, LDRA, and one of our customers, Ultra Datel, on writing a case study of their experiences of a mid-life upgrade of an existing avionics system.

What caught my attention was the fact that the existing system was uncertified, and the upgrade involved migrating the existing system to a commercial-off-the-shelf (COTS) and undertaking DO-178B Level B safety certification.

As a result, the project faced a number of development challenges because the pre-existing software and device drivers were not developed with safety certification in mind, and the code needed to be re-engineered and modified to meet safety certification requirements.

In the case study, we discuss the following development challenges and how they were overcome using the LDRA Tool Suite during the development of the safety-critical VxWorks application running on a GE Intelligent Platforms ruggedised PowerPC platform:

Porting to the VxWorks DO-178B safety-critical subset
Reduction of high cyclomatic complexity
Programming language subset compliance
Code coverage to meet DO-178B Level B objectives

The case study has now been published on the Wind River website on the Aerospace & Defence customers page (and the PDF file can be accessed directly here).

First flight of the Boeing 787

2009-12-15T14:53:00-08:00

Today, the Boeing 787 Dreamliner made its first flight from Everett, Washington. One of our Wind River colleagues, Chip Downing, was able to attend this historic event in person, and shot the following video:

This is the culmination of years of development of a completely new aircraft which uses many state-of-the-art technologies to significantly improve efficiency, operating range and passenger comfort.

For instance, the 787 employs an Integrated Modular Avionics (IMA) architecture using VxWorks 653, Wind River's world-class ARINC 653 compliant RTOS. This approach which drastically reduces the amount of space, weight and power (SWaP) required for the aircraft's on-board avionics systems. The reduction in weight of avionics systems and cabling results in a reduced fuel load requirement, or increased range for the same fuel load, and of course reduced CO₂ emissions. Similarly, the reduction in the space required for the avionics systems can increase the space available for passengers, luggage and cargo.

(If you want to know more about the 787 development and DO-178B safety certification approach, read Alex Wilson's recent blog, and for details of VxWorks 653, there's a white paper available for download here).

In addition, the composite fuselage not only helps to make the aircraft lighter (improving fuel consumption further), but also enables higher cabin pressures to be used, which will result in passengers feeling more relaxed and less fatigued. When coupled with the advanced air-conditioning systems and state-of-the-art Rolls-Royce Trent 1000 jet engines and noise-reductions technologies, this provides the promise of greater passenger comfort on long haul flights.

This is of course, just the start, as the 787 will continue to evolve through its operational lifetime, just as the 747 has done over the last forty years. So, I wonder what other technologies will appear in the future?

In the meantime, I'm looking forward to seeing the 787 grace the skies above the Farnborough Air Show and taking a flight on one with British Airways in the near future. Congratulations, Boeing!

A&D Regional Conferences

2009-11-03T02:32:32-08:00

I've recently finished updating presentations on The Essentials of Multicore Software and Challenges of Security Software Development for our forthcoming Aerospace & Defence Conferences which we are holding across Europe in November.

It's been interesting to think about how multicore can be used in technology refreshes and applied to new programmes. I'm looking forward to discussing these issues with customers, as well as understanding their security requirements, particularly as the need for interoperability continues to grow. We also recently demonstrated some of the capabilities to meet these security requirements in a cross-domain system and Gigabit Ethernet demo running on VxWorks MILS at MILCOM in the US, and the videos are available on YouTube.

If you've not received an invitation to one of the European conferences yet or had a chance to register, why not visit our conference portal? I hope to see you there.

Ada & C mixed language development

2009-10-08T16:40:00-07:00

Last week, I downloaded AdaCore's GNAT Pro 6.2.2 and the latest GNATbench 2.3.1 release (which was announced yesterday), as I wanted to port an Ada & C mixed-language application to VxWorks 6.7.

I wanted to do this to show a customer how they can develop new Ada applications (as well as reusing existing intellectual property) and integrate them with network protocol stacks, graphics libraries and other middleware which are often implemented in C or C++.

Whilst the Ada 95 and Ada 2005 language standards provide inter-language compatibility with C and C++ respectively, close integration between the development tools is needed in order to really exploit these capabilities fully, for example being able to debug communication modules and/or tasks implemented in different languages.

My mixed language application consists of two VxWorks tasks (written in C), and two Ada tasks. One of the VxWorks tasks sends messages to an Ada task via a VxWorks message queue, and I wanted to step through the sending and receiving of the messages in a debugger to confirm that individual messages were sent and received correctly. This would not be a very user-friendly activity if I had to use two different debuggers to debug the Ada and C code separately. In addition, I also wanted to check that the inter-language calls that I had made (C function calling an Ada procedure and vice versa) had passed parameters using the correct language types and the data values were interpreted correctly.

Workbench provides an open and extensible framework based on Eclipse, so this has enabled AdaCore to integrate capabilities of GNAT Pro seamlessly through the GNATbench plugin. This enabled me to develop and run my mixed language application in Workbench. I was able concurrently debug multiple tasks in mixed languages (see below), and set task specific breakpoints on the Ada and C tasks individually and step over the calls to msgQSend() and msgQReceive() respectively, and confirm that the messages were passed correctly; and I was able to walk up and down the stackframes in the Workbench Debug View and confirm that parameters had been passed correctly between C function and Ada procedure and vice versa.

I also used Workbench's analysis tools System Viewer, Memory Analyser and Performance Profiler to verify the behaviour of Ada & C tasks at system level, and monitor memory & CPU utilisation of each of the Ada procedures and C functions in the mixed language application.

Even after many years working with these technologies, I am still excited by advances in capabilities which make the complex tasks of embedded software development easier. I just wish I was able to spend more time in Workbench and less time in PowerPoint!

Tornado GR4 goes extreme

2009-09-30T09:23:14-07:00

In case you missed the news, our partner McObject has just announced that BAE SYSTEMS has selected the eXtremeDB running on VxWorks for the Tornado Advanced Radar Display Information System (TARDIS) on the Tornado GR4 military jet.

This avionics upgrade further extends the capabilities of TARDIS (which I discussed in a previous blog, and also in a customer case study (PDF)), by using the McObject eXtremeDB embedded database to manage tactical information such as aircraft, ship, and vehicle positions provided from real-time sources and overlay it onto a digital map and radar display.

It's interesting to see how using in-memory database instead of a traditional file system provides greater flexibility for data access and interrogation which can be exploited by the end application.

VxWorks MILS 2.0 at DSEi 2009

2009-08-28T06:58:37-07:00

I am looking forward to Defence Systems and Equipment International (DSEi), the world's largest fully integrated international defence exhibition, which is being held in London from 8-11th September 2009. In preparation for the event, I've been setting up some Wind River VxWorks MILS 2.0 demos on a Curtiss-Wright VPX6-185 board.

VxWorks MILS is Wind River's implementation of the Multiple Independent Levels of Security (MILS) security architecture, which can host applications running at different security classifications, including multilevel secure (MLS), on the same platform. VxWorks MILS is able to do this by implementing information flow control, data isolation, periods processing and damage limitation, whilst ensuring that data does not leak from one partition to another through either overt or covert channels. The demos also show how Wind River Workbench can perform concurrent debugging of multiple partitions, which is invaluable when developing multi-partition systems.

I've also been working on some modifications to a Wind River VxWorks MILS demo which is representative of a real-world application, a Cross Domain Solution (CDS). This filters packets of data between different networks based on the security classification of the data, and uses multiple partitions to implement sender and receiver on different interfaces.

The demo currently uses a simple encryption algorithm for data passed over the black network (which wouldn't present much of a challenge to GCHQ/CESG or NSA). So I am intending to replace this with a stronger encryption algorithm which is more appropriate to the application.

However, I've been presented with a challenge as most of the encryption algorithms in the public domain are available as C language source code, but my colleague has implemented the black host application in Java. Ironically, after some thought, I decided (as a C programmer) it would be easier for me to port the host Java application to C rather than to port the encryption algorithm to Java.

Now, as I've done that, I just need to decide which encryption algorithm to use. I have the C source code for the encrypt algorithm for the German Enigma cipher machine (which I have seen working), but unfortunately not the decrypt algorithm. However, I have also found a nice crypto algorithm with encrypt and decrypt routines in C, but when I looked through the source code I noticed that it assumed that it was running on a little-endian processor, and I want to run the encrypt on little-endian and decrypt on big-endian, so it looks like I have some more work to do!

Anyway, if you would like to see the VxWorks MILS demo running and discuss how it works, or would like to discuss your security requirements, you'll be able to find me on the Curtiss-Wright stand (724). See you there!

Airbus A330 MRTT refuelling progress

2009-06-03T11:00:47-07:00

I was pleased to read in today's news (Aerospace Testing International) that the Airbus A330 Multi-Role Tanker Transport (MRTT) has completed more flight testing milestones, including extended testing of its refuelling systems.

The A330 MRTT is an interesting design, as it has a centreline refuelling boom and two underwing refuelling pods, and although these perform similar functions, the electronic systems have quite different operating environments, which is reflected in their system architecture. The refuelling boom runs VxWorks 653 on an Integrated Modular Avionics (IMA) platform, whereas the underwing refuelling pods run VxWorks Cert on a federated avionics architecture in the harsh under wing environment, which can experience extremes of temperature. This is an excellent case of how a hybrid architecture can be used to achieve diverse mission requirements.

There's a photo of the view of the underwing refueling pods in the news story, and there's also a great photo of an A330 MRTT being refueled by a French Air Force tanker on the EADS website (click on the image to view a larger version).

The A330 MRT will enter service Royal Australian Air Force (RAAF) in the near future, and I am looking forward to see them enter service with the UK Royal Air Force (RAF).

Active Driver Restraint

2009-05-12T08:17:35-07:00

I blogged last year on Active Driver Assistance and noted my concerns about the potential for adaptive cruise control to make an incorrect decision and increase the risk of an accident rather than reduce it.

So I was interested to hear a BBC news report earlier this week about a device which automatically stops acceleration when a vehicle exceeds the speed limit going on test in London. Intelligent Speed Adaptation (ISA) is being developed by Transport for London (TfL) and uses a newly-introduced digital speed limit map of the city. On the Radio4 Today programme, journalist Quentin Wilson said that anything that takes away driver control has to be looked at carefully.

The levels of interventions are reported as:

Advisory ISA: the driver is informed of the limit and of violations but there is no direct link between this information and the vehicle controls.

Voluntary ISA: the system is linked to the vehicle controls but the driver can choose when to have the system enabled.

Mandatory ISA: no override of the system is possible.

I can appreciate the potential benefit of an Advisory ISA, but this capability has been available for quite some time in proven systems such as Road Angel (which has an interesting heritage); however, as I mentioned in my earlier blog, I still don't think the arguments for voluntary/mandatory ISA are convincing...but if the Mandatory ISA scheme were to be introduced in London, I'm sure that my brother's BMW M5 would be in need of a new home.

VxWorks MILS 2.0 EAL6+ Evaluation

2009-04-20T09:41:09-07:00

In case you missed the news, VxWorks MILS 2.0 has officially entered formal security evaluation at Common Criteria EAL 6+ (NIAP website).

So what does this mean for Wind River's customers? Well, VxWorks MILS 2.0 will enable them to develop applications to what the US National Security Agency (NSA) defines as "High Robustness".

Many people are familiar with Communications Security (ComSec), which involves the secure transmission and reception of information across networks, using technologies such as encryption and firewalls. However, what is less well known is Information Security (InfoSec), which involves the secure transformation of information between applications, subsystems, or networks. This is becoming an increasingly important requirement in systems, where there is the need for applications to handle data of different security classifications and to ensure that only that the authorized data flows are allowed and no unauthorized information disclosure can occur.

In the defence sector, the application of VxWorks MILS 2.0's high robustness technology is obvious, providing the means to host Top Secret (TS), Secret (S) and even Unclassified (U) on the same platform. This could be used for example in a military UAV mission system which needs to communicate with a civilian Air Traffic Control (ATC) system as it flies through unsegregated airspace (my colleague Chris Constantinides & I discussed this scenario in detail in the case of a UAV system architecture in the paper "Security Challenges in UAV System Development", at the 27th Digital Avionics Systems Conference, IEEE Proceedings).

In the commercial sector, VxWorks MILS 2.0's high robustness could be used to protect critical national infrastructure, which is a growing concern given the increasing threat of cyber warfare - see my previous post 'Cyber warfare and déjà vu' and the recent news story 'Electricity Grid in U.S. Penetrated By Spies' (Wall Street Journal) for details. This technology could also provide a secure platform many other types of application that needs to enforce strict separation based on data classification and access controls, including banking and commerce, to name a few.

So, even if our customers are working projects which don't have an explicit InfoSec requirement today (perhaps because the systems aren't even networked), it is reassuring to know that they have a route to Common Criteria security certification with VxWorks MILS 2.0.

Now, I must get back to learning a crypto demo which one of my colleagues has created for VxWorks MILS 2.0...

Cyber warfare and déjà vu

2009-03-31T05:02:03-07:00

Yesterday, I had strong sense of déjà vu as I read the news story 'Major cyber spy network uncovered' (BBC News), which reports on a 10-month investigation by the Information Warfare Monitor (IWM) into a cyber espionage network, which they called GhostNet. This has a number of similarities with the plot within the novel 'The Edge of Madness' which I discussed in a previous blog.

The IWM report ''Tracking Ghostnet: Investigating a Cyber Espionage Network' is comprehensive to say the least, and I expect that people will find it either fascinating or terrifying, depending on their disposition. The IWM report is available to view online at the IWM website, but I found it more convenient to download the PDF version from the F-Secure mirror site to read offline.

The report contains lots of fascinating detail about the IWM investigation, but what really struck me was that the infection methods (p 39) were all based on contamination of data with executable code (web pages, PDF documents and Word documents), and relied on the application processing the data to execute the code. Once these trojans had opened a back door into a system, this provided access to the attacker for control and further exploitation.

This security vulnerability is due to the principle of allowing applications to run commands and/or code from an external source.

Q. Do I trust my web browser not to run malicious code?
Well no, I don't. I could disable all Javascript and Flash in my web browser and restrict other behaviour as well, but that would mean that many websites would become unusable.

Q. Do I rely on the host operating system to limit their actions?
Again, no, as the host operating system that I have to use has a relatively weak file system and security architecture.

So, because I don't trust either the web browser or the host operating system on which it executes, I instead use an secure containment approach. I do this by running the web browser in a virtualized environment. This means that the web browser has only the resources it needs to operate, but runs in a restricted environment, isolated from the rest of the system and is unable to perform priviledged operations, and most importantly it cannot access or corrupt my documents.

I decided to use this approach a while ago, after learning about the secure separation kernel and virtualization approaches used in VxWorks MILS 2.0, and after reading the IWM report my actions no longer seem as paranoid to me as they did at the time...