Embedded Systems Solutions


Compilers and IDE Data Acquisition Systems Debuggers and Emulators Embedded PCs and Add On Cards EtherCAT Diagnostic Tools Evaluation Board and Development Kits Protocol Analyzers and Storage Emulators Programmers and Flashers		PCB Diagnostic Tools RTOS and Middleware Semiconductor Components Simulation Driven System Modeling Tools Software Quality Tools Test and Measuring Instruments Vehicle Networking tools


	Products

	Advanced Driver Assistant Systems Hexagon Jungo Ltd Compilers and IDE Cosmic Software Freescale HighTec Intel Software MikroElektronika Paradigm Systems Raisonance Segger Debuggers and Emulators Lauterbach GmbH MikroElektronika OCDemon Phyton Segger Device Driver Development Tools Jungo Ltd Device Programmers DediProg Electro Systems Associates Manta Systems Phyton Segger Production Tools Embedded PCs and Add On Cards Artila Addi-Data Gmbh FASTCOM Connecttech Inc CP-Tech Systems Diamond Systems Corp. Peak Systems, Inc Relyum Soc-e Sealevel Systems, Inc Enterprise software and tools NVIDIA DGX Station Evaluation Board and Development Kits Electro Systems Associates Embedded Artists Freescale FTDI MikroElektronika Relyum Soc-e Segger System on Modules TQ Group Intel Software Protocol Analyzers and Storage Emulators Aukua Systems Quarch Technology Relyum SanBlaze SerialCables SerialTek Soc-e Technica Engineering RTOS and Middleware HighTec Hybrid EdgeCloud Platform MapuSoft QNX Segger Semiconductor Components FTDI Wiznet Simulation Driven System Modelling Tool Altair Flux Altair Embed Altair PollEx E Mobility Solution ESS Mechatronics Solutions Hexagon Software Quality Tools Model Engineering Solutions Axivion QNX Test and Measuring Instruments EA Elektro-Automatik GwInstek JBC Monsoon PDR Quarch Technology Toellner XJTAG



	Events & Promos

A Simple Error: Safety, Security or both?

Aside from safety properties, can static analysis tools be used to detect security issues? Yes, as we will show by discussing a programming error in uftpd, an ftp server implemented in C. In particular, we will show how the error influences both safety as well as security and under which conditions it can be exploited. Furthermore, we will give a quick glance at techniques used to minimize the issue’s impact or to avoid this and comparable errors from the get go.

Recap: Safety vs. Security

Safety (more precisely: functional safety, in the sense of ISO/IEC 61508, ISO 26262, and other derived standards) refers to the protection from errors or malfunctions, in particular with respect to dangers or risks of injury, loss of live or property or other undesired outcomes.

Several programming standards defining safety conditions and how to appropriately develop software and systems exist. An example prominently used in the automotive industry, the MISRA C software development guidelines were introduced in 1998 and have been updated several times since.

In contrast to functional safety, software security is more focused on deliberate actions explicitly targeted at providing harm. Rather than asking whether a system can cause harm due to a malfunction, security considerations deal with the question whether a system can be made to cause harm by an attacker. Again, different coding guidelines for the avoidance of security issues are available, e.g., the SEI CERT C Coding Standard, which is aimed at safety, reliability and security simultaneously. With the ISO/IEC TS 17961�2013 an international norm for the development of security critical software has been established.

As we will show with a simple example below, software flaws often have both a safety as well as a security aspect. Accordingly, the aforementioned standards link to each other in various places and are interconnected. For several of them, mappings from one to another are provided. Safety standards such as the MISRA guidelines have taken up security aspects as well and vice-versa.