Axivion

A Simple Error: Safety, Security or both?

Aside from safety properties, can static analysis tools be used to detect security issues? Yes, as we will show by discussing a programming error in uftpd, an FTP server implemented in C. In particular, we will show how the error affects both safety and security, and under which conditions it can be exploited. Furthermore, we will take a quick look at techniques that minimize the issue's impact or avoid this and comparable errors from the outset.

Recap: Safety vs. Security

Safety (more precisely: functional safety, in the sense of IEC 61508, ISO 26262 and standards derived from them) refers to protection from errors or malfunctions, in particular with respect to dangers or risks of injury, loss of life or property, or other undesired outcomes.

Several programming standards exist that define safety requirements and how to develop software and systems appropriately. One example, prominently used in the automotive industry, is the MISRA C software development guidelines, first published in 1998 and updated several times since.

In contrast to functional safety, software security focuses on deliberate actions explicitly aimed at causing harm. Rather than asking whether a system can cause harm due to a malfunction, security asks whether a system can be made to cause harm by an attacker. Again, different coding guidelines for avoiding security issues are available, e.g. the SEI CERT C Coding Standard, which targets safety, reliability and security simultaneously. With ISO/IEC TS 17961:2013 (C secure coding rules), an international specification for the development of security-critical C software has been established.

As we will show with a simple example below, software flaws often have both a safety and a security aspect. Accordingly, the aforementioned standards reference each other in various places and are interconnected; for several of them, mappings from one to another are provided. Safety standards such as the MISRA guidelines have taken up security aspects as well, and vice versa.