Slashdot Mirror


Linux Foundation Launches ELISA, an Open Source Project For Building Safety-Critical Systems (venturebeat.com)

The Linux Foundation today launched Enabling Linux in Safety Applications (ELISA), an open source project comprising tools intended to help companies build and certify Linux-based systems whose failure could result in loss of human life, significant property damage, or environmental damage. From a report: In partnership with British chip designer Arm, BMW, autonomous platforms company Kuka, Linutronix, and Toyota, ELISA will work with certification and standardization bodies in "multiple industries" to establish ways Linux can form the foundation of safety-critical systems across industries.

36 comments

  1. How do you feel about that? by goombah99 · · Score: 4, Funny

    Why would you say that?

    Obscure joke, let's see who gets it.

    --
    Some drink at the fountain of knowledge. Others just gargle.
    1. Re:How do you feel about that? by goombah99 · · Score: 2, Funny

      Is it important to you to "see who gets it"?

      https://en.wikipedia.org/wiki/...

      --
      Some drink at the fountain of knowledge. Others just gargle.
    2. Re:How do you feel about that? by ContextSwitch · · Score: 1

      Do you think you are unique?

    3. Re:How do you feel about that? by KlomDark · · Score: 2

      Please elucidate

    4. Re:How do you feel about that? by 93+Escort+Wagon · · Score: 2

      > Obscure joke, let's see who gets it.

      On this forum? Probably any of us who are over 40, and a not-insignificant percentage of the younger participants as well. ;-)

      --
      #DeleteChrome
    5. Re:How do you feel about that? by amacbride · · Score: 1

      > Hello, I am Eliza.
      * I'd like to build a safety-critical system.
      > Don't you ever say Hello?
      * Hello, I'd like to build a safety-critical system.
      > How are you today.. What would you like to discuss?

      Seems legit.

    6. Re:How do you feel about that? by K.+S.+Kyosuke · · Score: 1

      Psychoanalysis?? I thought this was a nude rap session!!!

      --
      Ezekiel 23:20
    7. Re:How do you feel about that? by Anonymous Coward · · Score: 0

      This is the first thing I thought of.

    8. Re:How do you feel about that? by Anonymous Coward · · Score: 0

      Why do you ask?

    9. Re: How do you feel about that? by Anonymous Coward · · Score: 0

      I see.

  2. Why? QNX is unix-y by ElitistWhiner · · Score: 1

    OSS is safer?

    1. Re:Why? QNX is unix-y by arglebargle_xiv · · Score: 1

      Not just QNX, there are a whole pile of kernels designed for safety-critical systems. Creating one of these requires a massive amount of work, look at the AUTOSAR or ARINC 653 requirements for example. You need to design, engineer, and build this from the start, you can't just decide to take an existing generic kernel and change a few lines of code to make it suitable for safety-critical applications.

  3. Formal Verification by JBMcB · · Score: 4, Interesting

    Why not start with a formally verified kernel instead of the relative chaos that is Linux kernel development?

    https://en.wikipedia.org/wiki/...

    The kernel and proofs are licensed under GPLv2, and tools are BSD 2-clause.

    --
    My Other Computer Is A Data General Nova III.
    1. Re:Formal Verification by Anonymous Coward · · Score: 0

      Because their effort isn't serious, just marketing.

    2. Re:Formal Verification by AmiMoJo · · Score: 2

      Formal verification like that isn't that useful for these kinds of systems.

      So you have a GPL formally verified microkernel. You need to build it into a usable system. You need an SoC that it supports, and you need to provide a lot of services to the microkernel to make it do anything useful. And if you touch any of the kernel code, it's not formally verified any more.

      It's a bit like how we tried to build secure systems by writing perfect, verifiable secure code. It turned into a complete nightmare, and didn't even work very well. In automotive you have the additional problem of unreliable hardware, e.g. you need to be able to recover from power supply glitches or cosmic rays flipping random bits in RAM, so your formal verification only covered half the problem.

      The solution is the same as for secure code - defence in depth. Make sure that one failure won't literally crash the system. The kernel and OS can provide a lot of services to enable that in a way that is testable and doesn't result in every developer trying to do their own thing, which as we know is always a bad idea for crypto and the same applies to a lot of safety critical stuff.

      I actually write life critical code for a living, BTW.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    3. Re:Formal Verification by JBMcB · · Score: 1

      > So you have a GPL formally verified microkernel. You need to build it into a usable system. You need an SoC that it supports, and you need to provide a lot of services to the microkernel to make it do anything useful.

      That's the whole point of L4. It's currently in use in production systems. The "usable system" bits are the libraries that are BSD 2-Clause.

      > The solution is the same as for secure code - defence in depth. Make sure that one failure won't literally crash the system. The kernel and OS can provide a lot of services to enable that in a way that is testable and doesn't result in every developer trying to do their own thing, which as we know is always a bad idea for crypto and the same applies to a lot of safety critical stuff.

      This is also the point of L4. Strict separation of even low-level components so that if a network driver crashes it doesn't take down the rest of the OS.

      My point is that there is going to be a lot of work done on the Linux side of things just verifying the kernel stays in a sane state during any of these types of random, corner-case hardware events. L4 is designed from the ground up to handle this stuff. The formal verification stuff just means it's already been proven to work as-is.

      --
      My Other Computer Is A Data General Nova III.
    4. Re:Formal Verification by Anonymous Coward · · Score: 1

      That's utter horseshit. "And if you touch any of the kernel code, it's not formally verified any more." You have a known base starting point and you know your commits. You can still verify your own code, right kiddo?

      The point of standardizing is so you get a predictable result every time that isn't based on random changes you have no knowledge or control over the design of. So Kernel standardizing is a key starting point for any real system.

      "I actually write life critical code for a living, BTW" - Well you've still got some serious misconceptions or at least mischaracterizations about how that is done...

    5. Re: Formal Verification by Anonymous Coward · · Score: 0

      There are a lot more Linux developers than seL4 developers.

  4. Damn... by gwolf · · Score: 1

    You beat me to the nerdy joke :-|

  5. Obligatory XKCD by Anonymous Coward · · Score: 1

    Another standard... Good luck with that!

  6. What is "safety critical"? by ctilsie242 · · Score: 3, Insightful

    I am not sure what this will do. To me, a "safety critical" OS is something like QNX, LynxOS, or INTEGRITY from Green Hills Software. These are all operating systems designed from the ground up to be secure, and have defense in depth through every part of the OS, some of which even support physically unclonable functions (PUFs) on chips, ensuring that there is no need for a secure enclave that can be read. All of which are also real time operating systems, which ensure that if you need to get a packet at "x" time, you will get that packet. Even Kaspersky has their own RTOS.

    The problem is that people want to use the same commodity development tools in the embedded arena as they use for their web pages. This can be done, but there will be a ton of code that is possibly insecure. Developing for platforms that actually need security and reliability with a secure RTOS will take a lot more time and trouble, and in today's environment of "it builds, ship it", I don't think many companies really will care to go the extra mile to actually do much about safety critical functions.

    1. Re:What is "safety critical"? by arth1 · · Score: 2, Insightful

      As far as I know, BMW has been using QNX for quite a while, and with fairly good results. I can only guess at why they want to embrace Linux more, and my two top guesses are availability of developers, and to prevent QNX from squeezing too much blood from them by helping create a viable alternative, whether they choose to use it or not.

    2. Re:What is "safety critical"? by Anonymous Coward · · Score: 0

      a - Normal software: "If it fails it's annoying."
      b - Business Critical: "If it fails we lose a lot of money." Example: bank financial transaction processing engine
      c - Mission Critical: "If it fails it's a disaster. People may die." Example: rocket engine control systems
      d - Life Critical: "If it fails people die." Examples: electronic drive-by-wire controller; nuclear power station control systems

      These are the 4 I'm aware of as having actual meaning (business- and mission-critical being often conflated)... presumably "safety critical" is another way of saying life critical.

    3. Re:What is "safety critical"? by Anonymous Coward · · Score: 0

      You basically hit the nail. Something I've seen happening over the years as more companies lay off employees is their IP goes with them. It could be something simple like using a particular brand of servers to not so obvious domain specific knowledge. The software they use internally, contacts at those companies, etc. are all confidential. The mere mention of a vendor's supplier can be enough to undermine them.

  7. Re:that would include creimer's office chair by Anonymous Coward · · Score: 0

    Creimer is too busy making YouTube videos and taking on The Verge for copy striking the tech community.

  8. Then it wouldn't be Linux, would it? by Anonymous Coward · · Score: 0

    It's as if the Beef Council launched "Enabling Tenderness in All Cuts of Beef", an open source research project, and some idiot at the back of the room stood up and said, "I know, why don't we start with chicken."

  9. RTOS fork of Linux? by Anonymous Coward · · Score: 0

    Color me skeptical.

  10. It would be nice if Linux was self repairing by old_dirty_unidef · · Score: 1

    Kind of like RAID5. Mitigation, clouds. UNIX is afraid of Apple. We're afraid to use ALL technology possible for our machines

  11. Public Safety? A well occupied space. by Anonymous Coward · · Score: 0

    Since the partial gobbling of Motorola by Google and Lenovo, the public safety part became Motorola Solutions; they had all of this tech developed. Fire and police plus public transport, and other companies like Honeywell occupied the corporate spaces.

    This seems like a solution that is looking for a problem, in a well occupied space.

  12. Safety Critical and SJWs feelings do not mix by themusicgod1 · · Score: 0

    The Linux Foundation is compromised, and is willing to subject technical decisions to the whims of politically motivated parties, especially Microsoft. If your system is safety critical, it's time to move to a fork of Linux that is not subject to such whims and is updated only as safety requirements dictate.

    --
    GENERATION 26: The first time you see this, copy it into your sig on any forum and add 1 to the generation.
  13. Microsoft has this technology patented by Anonymous Coward · · Score: 0

    "systems whose failure could result in loss of human life, significant property damage, or environmental damage."

  14. That's exactly the point by Anonymous Coward · · Score: 0

    Without formal verification, you have only strong opinions and maybe some statistically relevant hopes. Yes, you also need to formally verify the portions of hardware that are life safety critical. We didn't validate the floating point hardware, because we don't really care. Malloc can fail, so memory allocation wasn't validated; memory management was validated only to the extent that it stayed in real memory mode.

    Linux is an unacceptably poor choice for life safety critical systems, as it is inseparably dependent on virtual memory. But BMW, Toyota and Kuka have already demonstrated that they are not willing to write to the well written standards we have in the aviation industry. Of course, if your 20th century Toyota segfaults, that's not a big deal. However, if your self driving computer has a fault, it can (and will) kill uninvolved people.

  15. Re:VERY BAD IDEA!!! by Anonymous Coward · · Score: 0

    OSS isn't the problem. But I agree it's a very bad idea. Who wants a 1960's AI psychotherapist in charge of their safety critical systems?