Accelerating Automotive Software Safety with MISRA and Static Analysis
October 21, 2016
The MISRA C/C++ coding guidelines were created based on concerns about the ability to safely use the C and C++ programming languages in critical automotive systems. Since its inception in 1998, MISRA has become one of the most-used coding standards in the automotive industry, and has even spread to use in safety-critical devices in other industries, such as medical and industrial control.
Static analysis tools are needed to properly use and enforce the standard, but it's important to understand that not all static analysis tools are created equal. Advanced static analysis tools that support the full development process and do more than simple syntax checking are preferable to lightweight tools, because they are more effective at reducing risk, cost, and time-to-market.
Supporting the Development Process
Several previous posts have discussed the role of static analysis in safety-critical software development, including automotive systems. The recurring theme is that static analysis plays a critical role in improving software quality, by enforcing safe-coding standards such as MISRA, finding defects, and detecting security vulnerabilities that are difficult to find during testing.
MISRA plays an important role in C/C++ development when applied to safety-critical automotive software. Enforcing the standard manually is difficult, so static analysis is used to enforce it. However, not all tools are created equal, as discussed in Paul's recent post. GrammaTech's CodeSonar is not only capable of supporting MISRA coding enforcement, but can also provide valuable error detection and security vulnerability analysis that goes above and beyond simple code-syntax checking.
CodeSonar is also integrated with many software development tools, such as Jira, Bugzilla, Lattix Architect, and Eclipse. These integrations allow seamless adoption of static analysis into an existing development process, including existing tools. Source code quality and standards compliance can be checked right at the developer’s desktop before checking into the build system. Defects and vulnerabilities can be automatically assigned for review and remediation. Audits can be done at any time and results distributed to the development team.
Improving Safety with MISRA and Static Analysis
The MISRA guidelines themselves acknowledge the importance of tools in successfully using the guidelines:
…in its favour as a language is the fact that C is very mature, and consequently well-analysed and tried in practice. Therefore its deficiencies are known and understood. Also there is a large amount of tool support available commercially which can be used to statically check the C source code and warn the developer of the presence of many of the problematic aspects of the language.
[MISRA-C:2004 Guidelines for the use of the C language in critical systems]
MISRA guidelines define a safer subset of C or C++ that should prevent many classes of errors, so following these guidelines does improve code quality. In combination with modern development tools, rigorous testing, and good software development practices, system safety should improve as well (assuming the level of rigor remains the same throughout hardware and system development). But no coding standard is perfect, and to ensure better software safety, enforcing the rules by itself isn’t enough.
Detecting Errors that Coding Standards and Testing Miss
A key contribution that advanced static analysis tools like CodeSonar provide to safety-critical software development is the ability to find defects that have slipped through the traditional development techniques. As evidenced by high-profile cases in the automotive industry, safety issues that make it to market and on the road are expensive to fix, by orders of magnitude more than issues found during development. Static analysis can detect these critical defects early -- even early enough to be caught during coding. Classes of defects that can be missed during development, even when using MISRA coding guidelines and good engineering practices, include the following.
- Concurrency defects often occur randomly and only after a system has been completely integrated on the final hardware platform. CodeSonar can reason about multithreaded/multitasking code behavior and detect deadlocks, race conditions, and other types of concurrency errors during development.
- Security vulnerabilities are software defects that can be exploited to interfere with a system's behavior or expose critical data. Security is often overlooked in systems where safety is paramount. Using the advanced static analysis techniques in CodeSonar, however, you can detect security vulnerabilities that arise from malformed or tainted data outside expected values. Assuming that system input data is well-formed is foolhardy in today's hostile operating environment. Detecting these types of security issues is very difficult when data is passed across many functions. Tainted data analysis traces input data from where it enters the system to where it is used in the application and warns of any potential security vulnerabilities that arise. This automated analysis can provide the full control and data path for tainted data, which allows for rapid remediation.
- Complex inter-procedural defects are difficult to detect, especially with unit and subsystem testing. CodeSonar performs inter-function (inter-procedural) analysis of control and data flow across the entire scope of the program. Deep analysis lowers the false-positive rate (reported errors that are not real defects) while raising the true-positive rate (reported errors that are confirmed as real). CodeSonar's analysis extends into executables, object files, and libraries.
- A unique capability of CodeSonar is binary analysis, which provides insight into and error detection for compiled code in the form of object files, libraries, and even executables. Automated binary analysis performs the same detailed analysis on binary code as it does on source, including system and third-party libraries that are provided without source code. Developers can ensure that all code, binary and source alike, meets the quality standard required for the project.
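The tainted-data and inter-procedural points above, as an added example (not CodeSonar's or MISRA's own code): a byte from a constructed CAN frame is carried through three functions before it is used as a table index. The unchecked sink is the kind of defect that only shows when a tool follows the value across functions; the checked sink is the fix a developer would apply at the point of use.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed lookup table and frame layout for this example. */
#define GAIN_TABLE_LEN 8
static const int16_t gain_table[GAIN_TABLE_LEN] = {100, 120, 140, 160, 180, 200, 220, 240};

typedef struct { uint8_t id; uint8_t data[8]; } can_frame_t;

/* Taint source: the byte came off the bus, so nothing constrains its value. */
static uint8_t parse_mode(const can_frame_t *f) { return f->data[0]; }

/* Pass-through layer: the mask narrows the value to 0..15 but does not
 * make it a valid index, so the taint is carried on unchanged in effect. */
static uint8_t select_mode(const can_frame_t *f) { return parse_mode(f) & 0x0Fu; }

/* Sink without a check: any data[0] whose low nibble is 8..15 reads past
 * the 8-entry table. The syntax is ordinary C; the defect is only visible
 * when the value is traced from parse_mode through select_mode to here. */
int16_t gain_unchecked(const can_frame_t *f) {
    return gain_table[select_mode(f)];
}

/* Sink with a range check at the point of use: out-of-range input is
 * rejected with a sentinel instead of becoming an out-of-bounds read. */
int16_t gain_checked(const can_frame_t *f) {
    uint8_t idx = select_mode(f);
    if (idx >= GAIN_TABLE_LEN) {
        return -1;  /* caller treats -1 as "invalid frame, do not apply" */
    }
    return gain_table[idx];
}

int main(void) {
    /* Constructed frames: one in range, one whose low nibble is 11. */
    can_frame_t ok  = {0x10u, {3, 0, 0, 0, 0, 0, 0, 0}};
    can_frame_t bad = {0x10u, {0x1Bu, 0, 0, 0, 0, 0, 0, 0}};
    printf("in-range frame  -> gain %d\n", gain_checked(&ok));   /* 160 */
    printf("out-of-range    -> gain %d\n", gain_checked(&bad));  /* -1 */
    /* gain_unchecked(&bad) is deliberately not called: it would read past the table. */
    return 0;
}
```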
Defect and vulnerability reduction in the early stages of development is the obvious contribution that automated static analysis makes to reducing time and remediating risk. The cost savings from finding critical defects right away, as opposed to finding and fixing them during system integration or, worse, when products are in service, are significant.
CodeSonar also provides automated documentation to support testing and quality/robustness evidence. Much of the effort in safety certification goes into documentation and producing evidence, and static analysis automation reduces this burden significantly. As a TÜV SÜD certified ISO 26262 tool, CodeSonar provides assurance to developers that it can be integrated into a safety-critical development project without further certification requirements.
The tools needed to support successful safety-critical projects require more than simple source analysis and MISRA rule checking. Enterprise-level development projects require sophisticated tools that support and enhance the development lifecycle, and integrate with other development automation tools. The ability to go beyond MISRA enforcement and prevent critical defects and vulnerabilities from leaking through the development process pays big dividends in cost and risk reduction.