Ferrocene released as open source
Ferrocene is the main Rust compiler - rustc - but quality managed and qualified for use in automotive and industrial environments (currently by ISO 26262 and IEC 61508) by Ferrous Systems. It operates as a downstream to the Rust project, further increasing its testing and quality on specific platforms.
The license is free, but this is not being run as an open-source project;
specifically, contributions from the "general public" are not accepted.
Posted Oct 5, 2023 21:24 UTC (Thu)
by gmgod (guest, #143864)
[Link] (26 responses)
Posted Oct 5, 2023 21:30 UTC (Thu)
by pbonzini (subscriber, #60935)
[Link] (1 responses)
Posted Oct 6, 2023 8:00 UTC (Fri)
by Wol (subscriber, #4433)
[Link]
Cheers,
Posted Oct 6, 2023 11:36 UTC (Fri)
by farnz (subscriber, #17727)
[Link] (23 responses)
In regulated fields, all software must meet certain certification requirements, or it can't be used. This is what acts as a wallet-opening trigger; I have the choice between "no software" or "pay to prove I meet the certification requirements".
In turn, for any piece of software that affects certification, I have two routes to prove I meet the certification requirements:
So, for example, I can run a C compiler that's bit-for-bit identical to a compiler that you sell with IEC 61508 certification. But, even though it's identical, because I can't demonstrate that I'm paying someone else to provide software that meets requirements, I've got to audit it myself. This is a lot of work - and it's usually cheaper to pay someone to provide that certification than to do it myself. And the companies that offer certified software usually don't let you transitively certify other people's software without paying a higher fee; bear in mind that they get told what is being certified each time a certification authority asks them to stand up and state that they've met the requirements for me, so it's trivial for them to say "I sold you this for use in your nuclear power plant control room; I'm not going to certify it for an automotive application".
Posted Oct 6, 2023 12:23 UTC (Fri)
by eharris (guest, #144549)
[Link] (22 responses)
Posted Oct 6, 2023 13:05 UTC (Fri)
by farnz (subscriber, #17727)
[Link] (6 responses)
Checking on the end-to-end development process is, funnily enough, not obligatory. Strong checks on the development process simplify the audit of the version you're certifying, so most places that want to certify code do have those checks in place, but there's no reason why you couldn't simply audit the final version, and develop it with an army of random typists on an infinite supply of keyboards, beyond the expense of getting the final version into a state where it'll pass audit.
Having processes that enforce some of the audit requirements during development helps make it cheaper and easier - like code review, CI, linting and fixes of lints. This allows you to finish that part of the audit quickly, because you can simply point to the fact that this part of the audit was dealt with during development. And note, of course, that you can't deploy software until this build has been certified externally.
And SolarWinds code was not certified in this sense, at all. Certification tends to only be required in cases where someone could be killed or seriously injured if the code does not perform as intended; think avionics in a plane, or a brake controller in a car, signalling in railways etc.
Posted Oct 13, 2023 10:05 UTC (Fri)
by NRArnot (subscriber, #3033)
[Link] (5 responses)
Recently it was reported that a Chinese-developed EV in the UK decided that it was going to continue driving at 30mph while ignoring all inputs from the driver such as the brake pedal. The driver had to call the police on his mobile for help. They placed a moving van in front of the uncontrollable car and braked to cause a gentle collision and then finally brought the deranged vehicle to a stop.
I wonder whether the compiler for the EV control code was certified?
Also, how long before a car decides on maximum acceleration and speed until it hits something. Also who OK'ed cars which don't have an emergency stop button which completely bypasses all computer control. Nuke plants have a scram button that directly cuts power to the electromagnets holding the control rods up. Gravity cannot fail.
Posted Oct 13, 2023 11:47 UTC (Fri)
by farnz (subscriber, #17727)
[Link]
Note that the compiler will never be certified - the certification says "this component meets these safety requirements", and that's meaningless for the compiler (the compiler should never be running in the safety critical area of the system). Instead, the compiler is qualified; a qualified toolchain comes with a set of rules that you use when auditing the source code of your safety critical components, and a promise that if your audit confirms that you don't breach those rules plus the rules from a listed safety standard (e.g. ISO 26262, IEC 61508), then the resulting binary does not breach any of the safety rules from that listed standard.
The certification applies to the final component, and says that you've audited the mechanical, electrical, electronic and software parts of the component, and your audit confirms that you meet the rules in the safety standards you're claiming to meet.
In the case of the car, many components will be required to be certified to ISO 26262 or an equivalent standard for the car to be legal to sell in the UK; if the certification cannot be found, or if it's shown that that the audit was incomplete, erroneous, or fraudulent, then the importers and manufacturers are on the hook to recall all cars with those components, and either fully refund the owners, or pay to replace the components with ones that meet standards.
Posted Oct 13, 2023 12:03 UTC (Fri)
by Wol (subscriber, #4433)
[Link]
I pulled off the dual carriageway, dialled cruise control down to 50mph. Even before the car finished slowing, it had reset itself back to 60mph!!!
This is a design failure, not an implementation failure, but whoever did it clearly did not think the implementation through. If the Adaptive Cruise Control detects a change of speed limit, it will set the cruise speed to the new limit. Great (mostly) for main roads, a disaster if you come out of a little village (where you used the cruise to stop you speeding), and it spots a derestricted sign just as your village main road becomes a windy sunken lane!
The car should NEVER EVER EVER select a speed faster than the driver selected. As the signs often say, it's a speed LIMIT, not a TARGET.
Nor should it ever think about increasing the speed if the current set speed does not match the old limit.
I'm happy I can cope with this. There's no way I want my wife using it. And if the little old Sunday Driver uses it to do 40 on the motorway (yes, I know he shouldn't) this is a disaster waiting to happen.
Cheers,
Posted Oct 13, 2023 21:50 UTC (Fri)
by kleptog (subscriber, #1183)
[Link]
Beware of bugs in the above code; I have only proved it correct, not tried it. - Donald Knuth
Certification isn't going to prevent all software bugs, that's impossible. All it can do is (a) minimise the risk to the extent possible, and (b) make it totally clear who was liable for any failure. It immediately short-circuits all the finger-pointing: whoever declared the product met all the safety requirements is on the hook, it doesn't matter what the ultimate cause was. As a consumer this is what you want: the car-maker can't shift the blame to the brake-pedal maker. If your house catches fire because a dryer caught fire, you don't want to have to figure out which component caused the failure to know who to sue.
Posted Oct 14, 2023 4:13 UTC (Sat)
by Cyberax (✭ supporter ✭, #52523)
[Link] (1 responses)
This car would be illegal in the US. The brake pedal has to be physically connected to the braking system. A computer malfunction can cause the loss of power assist, but the brake pedal will still work.
Posted Oct 16, 2023 10:54 UTC (Mon)
by farnz (subscriber, #17727)
[Link]
The reports are unclear, but it sounds like the EV did have a mechanical connection between the brakes and the brake pedal. If the unclear reports are accurate, then two things combined to make the situation bad:
Combining the two gives you a really bad situation - the driver presses the brakes like normal, and nothing happens. So they press a bit harder, and the physical connection allows them to apply the brakes hard enough to damage the brakes, but not hard enough to slow the car. They then panic, and ram the brake pedal into the floor hoping to get a reaction from the car - but the mechanical brakes are no longer effective, and we get the situation where the car won't stop, because by braking "normally", the driver damaged the brakes via the physical connection, and then was unable to stop the car.
Posted Oct 6, 2023 22:15 UTC (Fri)
by kleptog (subscriber, #1183)
[Link] (14 responses)
For the users of SolarWinds, any certifications they might have had are only relevant to the customers in the sense that they could demonstrate to any potential auditors that they don't buy some random product. It would basically be a badge for SolarWinds saying "the buck stops here". It doesn't mean the product is necessarily safer, just that someone is willing to put their balls on the line. What should have happened is that SolarWinds got sued by their customers for delivering a dodgy product, but that didn't happen (AFAICT). So there's no incentive to SolarWinds to improve their product either.
SolarWinds being sued by shareholders but not customers is pretty weird if you think about it.
With respect to Ferrocene, I wonder if this has anything to do with the discussions about the CRA that are happening. They appear to be setting themselves up so they can act as a certified manufacturer of a Rust compiler and it seems that might be a viable business model if the automotive industry is betting big on Rust. It's an interesting idea: on the one hand you have people developing the product open-source (Rust), and then a group (Ferrocene) which takes that product and certifies it and gets paid for it. Ferrocene assumes all the risk for managing security issues for their customers, and gets all the reward (money) for that. The open-source project gets less reward, but has no risk either.
Posted Oct 7, 2023 18:30 UTC (Sat)
by farnz (subscriber, #17727)
[Link] (13 responses)
Automotive, rail, medical, and a few other fields already require safety certification of the end product, which requires you to either use a qualified compiler (like Ferrocene, or the Green Hills Optimizing Compilers) for the parts of the system that impact on safety. Before Ferrocene, there wasn't a suitable compiler if you wanted to write Rust, so at least the safety-relevant parts of your code had to be in C, C++, or Ada. Ferrocene allows you to use Rust in that situation, since there's now a qualified compiler that allows you to certify your product as safe.
The CRA may expand the interest in qualification and certification, but there's a product niche for Ferrocene without it.
Posted Oct 8, 2023 11:11 UTC (Sun)
by kleptog (subscriber, #1183)
[Link] (12 responses)
I was thinking about this some more and was wondering what it meant to have a certified C compiler. After all, with Rust you could certify that a compiler given an input without any "unsafe" it would be impossible to have buffer overflows for example. But such a standard for C would be impossible because the input program could do anything.
It turns out what they care about is reproducibility, and that the compiler does not add any extra bugs, that it converts the source to binary accurately in a traceable way, etc. So the things we get complaints about GCC doing when a new version of the compiler suddenly causes a security issue because stuff gets compiled differently. And apparently you can even build the Linux kernel under such a certified compiler which is probably attractive for some groups. TIL
So while the whole certification thing is not new for a lot of areas, it's not something open-source really had much to do with because open source developers don't often care about industrial settings. What's changing now I guess is the issue of cyber-security is making it more relevant to larger groups of people, since a bad industrial device might kill a person, a hacked utility could kill thousands. And there's a lot of open-source and commercial products used in those places and we need to work to how to deal with that.
Posted Oct 8, 2023 12:22 UTC (Sun)
by epa (subscriber, #39769)
[Link] (11 responses)
With all of this it might be easier in the end to write assembly language. Certifying that your assembler produces the corresponding executable code is a much simpler problem. And you could pick some restricted dialect with a whole bunch of static checkers and rules to eliminate basic programmer errors like not handling the stack correctly. Perhaps I am groping towards the reason Forth exists…
Posted Oct 8, 2023 13:51 UTC (Sun)
by Wol (subscriber, #4433)
[Link]
Forth is just a completely different way of thinking (like Lisp, etc). Changing the way you think can be very tricky (I won't mention databases ...).
Forth is considered to be a language in which a good programmer can write code that is both smaller, and faster, than a similar assembler program.
The nice thing about it here, is it's structured programming all the way down, and while it might be a big job on a big program, certifying EVERYTHING isn't that hard compared to some modern programs written in C++, Gtk, etc etc etc. Certainly writing all the automotive security-critical stuff in Forth wouldn't be a problem for a decent Forth programmer who could think in RPN.
I don't know what you'd do about fancy modern guis though - my Forth experience comes from my first computer being a Jupiter Ace.
Cheers,
Posted Oct 8, 2023 14:18 UTC (Sun)
by farnz (subscriber, #17727)
[Link]
It is completely OK for a qualified compiler to have unspecified behaviour on some input code, as long as the certified product does not depend on that code to meet its certified safety requirements.
Remember that you're not certifying that the product behaves as specified in all circumstances; you're merely certifying that in the cases where your product's behaviour has safety implications, it'll do whatever the relevant specification says. The point of a qualified compiler in this process is that it guarantees that if your input code meets certain obligations (usually machine-checked, and you need to justify all cases where the linter says it's possibly broken), then the output code will meet certain obligations.
So, for example, we care deeply that anti-lock brake controllers don't ever completely disable the brakes - it should always be possible to brake, even if the controller is in a fault condition. But it's not safety-relevant if your controller erroneously reports a faulty brake when nothing is wrong. If you don't have safety-relevant software, then you don't need a qualified compiler; for example, if all safety-relevant parts are in hardware, or machine code (noting that if you use assembly, you need a qualified assembler). And, of course, you can take the machine code from an unqualified compiler (like FSF GCC), and certify that; it's just harder to do this than to certify the combination of source code and qualified compiler.
Posted Oct 8, 2023 15:40 UTC (Sun)
by atnot (subscriber, #124910)
[Link] (8 responses)
That's not totally true, because things are not certified in a vacuum. They are certified along with a set of documentation that specifies not just what the product does does, but what processes are required to use it in a certified way.
So for C, that's going to imply adhering to something like MISRA C, for Ferroscene it's going to involve documents like https://public-docs.ferrocene.dev/main/safety-manual/index.html.
Then when you want to certify your product, you hand those documents to your auditor, they check that you've followed all of the rules in there and if so, they'll move on to other things. So it doesn't really matter that certain things are undefined, because relying on undefined behavior is not a certified way to use the compiler.
Posted Oct 9, 2023 9:52 UTC (Mon)
by farnz (subscriber, #17727)
[Link] (7 responses)
And just to make the point absolutely clear; the purpose of a qualified compiler is not to make arbitrary C code certifiable. It's to let you do the certification audit at the source code level, not at the object code level.
This means that you can, and do, put restrictions on the source code that's acceptable in your certified product, since the qualified compiler does not guarantee good results on arbitrary source, only that if the source code meets certain criteria, then the object code will meet a (slightly different) set of criteria that are useful to getting the product certified.
Posted Oct 10, 2023 14:31 UTC (Tue)
by atnot (subscriber, #124910)
[Link]
I hadn't thought about it that way, but that's so much mode concicely and better put than my big paragraphs, thank you.
Posted Oct 11, 2023 11:48 UTC (Wed)
by epa (subscriber, #39769)
[Link] (5 responses)
And if the compiler does enforce that, then you're no longer programming in C itself, but in a restricted dialect or subset of C which eliminates some constructs and more fully specifies the semantics of others. Which is what I was getting at.
Posted Oct 11, 2023 14:50 UTC (Wed)
by farnz (subscriber, #17727)
[Link] (3 responses)
You don't need to audit all your code to certify it. Your certification is for some aspects of the final product, and your qualified compiler's job is to allow you to verify, at source level, that the parts of the software that affect the certification do what you want. Implementation defined results are absolutely OK here, because you're not certifying everything the software does, just a subset of it.
So, for example, one qualified toolchain I've used says that code after an entry point (CPU interrupt vector) but before the program invokes UB has defined behaviour; it's only code after the first invocation of UB whose behaviour can be modified by the later UB. This is fine for certification purposes; if all the certification-relevant code is audited as OK, then it doesn't matter if later code would fail the audit. It's also fine if we have to rework code to change compiler - the certification is for a final product, with known code, compiler etc, and not for an arbitrary build. And there's not necessarily a need for a tool to tell us when we leave the guarantees from the qualified compiler, since the code will be audited by someone with the guarantees in hand, who will ask questions like "where is the code that proves that this signed arithmetic cannot overflow?"
To give you a concrete example, take a car brake controller. It has braking force applied to each wheel as an input, requested total braking force as an input, movement speed of each wheel as an input, steering direction requested as an input and outputs requested braking force for each wheel. There's a mechanical linkage to the brakes separately to the brake controller, which guarantees that the applied braking force total across all wheels is at least 50% of the requested total. The controller's job is to let up the brakes on wheels whose speed is outside a physically plausible range, so that you can't lock your wheels up while trying to stop.
As a safety matter, we need to be confident that when braking force is requested, the controller asks for brakes to be applied to all wheels that are turning; we also need to be confident that if the brakes are released on a wheel, they will be reapplied as soon as the wheel resumes turning. More interestingly, if a driven wheel stops turning, we need to brake the other side of the car so that the stopped wheel restarts spinning. These are things that certification covers, and we need to convince audit that the software side of the brake controller does this.
However, the brake controller has other tasks, too; for example, if the braking force applied to a wheel is sufficiently higher than the braking force requested by the brake controller, we know that the mechanical linkage is applying braking force, too, and need to flag this as an alert. If no braking force is requested or being applied, but a wheel stops, we need to flag this as an alert. Similarly, if we ask for braking force, and the wheel doesn't slow, this is an alert. But none of this is safety-critical, so it's all outside certification.
From the point of view of code audit, as soon as I can confirm that all the safety matters are going to work given the promises the qualified compiler makes, I'm done and can put the certification on the module. If the alerts don't happen because I've got UB in the alerting code, and the compiler optimizes it out, well, so bad, so sad, just like any other C code. I may have used a qualified compiler, and I've got my shiny certification, but it only promises that the safety-relevant parts are working, and not the rest of the code.
Posted Oct 11, 2023 18:33 UTC (Wed)
by DemiMarie (subscriber, #164188)
[Link] (2 responses)
Posted Oct 12, 2023 0:03 UTC (Thu)
by NYKevin (subscriber, #129325)
[Link] (1 responses)
Posted Oct 12, 2023 10:27 UTC (Thu)
by farnz (subscriber, #17727)
[Link]
And for the qualified constructs, you're already in a subset of C where certain rules must be followed, ensuring that the UB has to be outside the part of code that's certified. From the compiler's point of view, there's a clear boundary between certifiable C and plain standards C - the first code it encounters that's not following the qualification rules is the boundary between the two.
A compiler could therefore choose to split the program into two at that point; indeed, some qualified toolchains require code that's going to be certified to be in separate translation units (TUs) to general code, and require you to tell it which TUs are going to be certified; it can then avoid cross-TU optimization between code that's going to be certified (and hence will have any UB caught by code audit) and code that's just going to be compiled and linked into the program.
Posted Oct 13, 2023 3:42 UTC (Fri)
by gmatht (subscriber, #58961)
[Link]
Posted Oct 6, 2023 12:50 UTC (Fri)
by sam.thursfield (subscriber, #94496)
[Link] (1 responses)
> The license is free, but this is not being run as an open-source project; specifically, contributions from the "general public" are not accepted.
I would say it is open-source, in that the license is fully free, but it's not *community developed*. I think that's a useful distinction.
Posted Oct 6, 2023 13:07 UTC (Fri)
by MarcB (guest, #101804)
[Link]
There are a lot of "technically open source" projects with a CLA that are absolutely dominated by a single organization. At best, the community contributes fixes for trivial bugs (in most cases, it just provides bug reports), but there is no meaningful knowledge about the project outside the main organization.
In this respect, this is actually "more open source" than most of those projects: a lot of people outside Ferrocene understand the code and the design. It is just that the channel for contributions is the upstream project.
Ferrocene released as open source
Ferrocene released as open source
Ferrocene released as open source
Wol
Ferrocene released as open source
Ferrocene released as open source
So.....what certifications did SolarWinds claim to possess?
Ferrocene released as open source
Ferrocene released as open source
Ferrocene released as open source
Ferrocene released as open source
Wol
Ferrocene released as open source
Ferrocene released as open source
Ferrocene released as open source
Ferrocene released as open source
Ferrocene released as open source
Ferrocene released as open source
Ferrocene released as open source
Ferrocene released as open source
Wol
Ferrocene released as open source
Ferrocene released as open source
Ferrocene released as open source
Ferrocene released as open source
Ferrocene released as open source
Ferrocene released as open source
Ferrocene released as open source
Ferrocene released as open source
Ferrocene released as open source
Checking that code still meets the certification is something outside the scope of a normal compiler. For example, even Rust wouldn't catch the following:
Checking that code meets certification is outside the scope of compiler
You'd need a full formal proof system, and a fully formally specified certification.
fn main() {
// This if statement gave an error, so I commented it out
// if (orders_given) {
Nuke.launch()
}Ferrocene released as open source
Ferrocene released as open source