TOPCASED seems to be a reasonable candidate for a future openETCS reference tool platform, since it is a highly flexible open framework that can be adapted in various ways to meet a wide range of requirements.
Today, manufacturers in the rail segment use a mix of proprietary and open source tools; software development tools such as Ada and other products from the GNU Compiler Collection (GCC) [24] have already been used in several railway projects. Even FLOSS tools not specifically designed for safety applications, such as Bugzilla for bug tracking and record keeping, have already found their way into SIL 4 R&D programs for railway signaling [30].
The importance of qualified and certified tools is rising, since it has become obvious that poor-quality or even malware-infected tools can have a devastating effect on the quality of the final software product. §6.6 of the proposed prEN 50128:2009 standard [31], "modification and change control", requires that the software development tool chain and its processes be controlled; in the future these will formally have to comply with the requirements for the SIL level of the final product.
Recent news about the Stuxnet attack, a piece of malware (a worm) specifically designed to target industrial process control computers via their tool chain (maintenance PCs running a closed-source operating system), has made it quite clear that no one can be lulled into a false sense of security, not even with control and monitoring systems designed for safety-critical embedded applications [7].
Ken Thompson, one of the pioneers of the B language (a predecessor of C) and of UNIX operating system design, demonstrated in his "Reflections on Trusting Trust" [2] that a compiler can be infected with malicious code in such a way that the executable software (e.g. an operating system) it generates from "clean" (i.e. malware-free) source code is itself infected with a backdoor that is almost invisible to the programmer. It took several years of research until David A. Wheeler, in his dissertation (2009), proposed a method called "Diverse Double-Compiling" [32], based on open source tools, for countering the so-called "Thompson hack". Wheeler therefore suggests on his personal website:
"'Normal' mathematicians publish their proofs, and then depend on worldwide peer review to find the errors and weaknesses in their proofs. And for good reason; it turns out that many formally published math articles (which went through expert peer review before publication) have had flaws discovered later, and had to be corrected later or withdrawn. Only through lengthy, public worldwide review have these problems surfaced. If those who dedicate their lives to mathematics often make mistakes, it's only reasonable to suspect that software developers who hide their code and proofs from others are far more likely to get it wrong." ... "At least for safety-critical work making FLOSS (or at least world-readable) code and proofs would make sense. Why should we accept safety software that cannot undergo worldwide review? Are mathematical proofs really more important than software that protects people's lives?" [3]
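To make the Thompson hack and Wheeler's Diverse Double-Compiling countermeasure concrete, here is an added toy model (not part of the original text and not Wheeler's tooling): compilers are modelled as data records, "object code" is a deterministic hash of the source, and the sample sources, the trojan rule and the trusted compiler T are all constructed for the illustration. It shows why self-compilation alone cannot reveal the trojan (the trojaned compiler regenerates itself bit-for-bit) while recompiling the same source through an independent trusted compiler does.

```python
"""Toy model of Wheeler's Diverse Double-Compiling (DDC) check against the
Thompson compiler trojan. Sources, 'object code' format and trojan rule are
all constructed for this illustration; this is not Wheeler's tooling."""
import hashlib
from dataclasses import dataclass
from typing import Optional

# Constructed sample sources: the compiler under test and an ordinary program.
COMPILER_SRC = "compiler v1.0: read source, emit object code"
LOGIN_SRC = "login: check password against /etc/shadow"

@dataclass(frozen=True)
class Binary:
    """Compiled artefact: object code plus the self-propagating payload a
    Thompson-style compiler carries (None means a clean compiler)."""
    program: str
    trojan: Optional[str] = None

def object_code(source: str) -> str:
    """Deterministic toy translation: a reproducible build gives identical bytes."""
    return hashlib.sha256(source.encode()).hexdigest()[:16]

def compile_with(compiler: Binary, source: str) -> Binary:
    """Run 'compiler' on 'source'. A trojaned compiler behaves normally except
    on the compiler's own source (re-inserts itself) and on the target program
    (alters its output), so no trace is visible in either source file."""
    if compiler.trojan is None:
        return Binary(object_code(source))
    if source == COMPILER_SRC:   # propagate into the next compiler generation
        return Binary(object_code(source), compiler.trojan)
    if source == LOGIN_SRC:      # tamper with the target program's output
        return Binary(object_code(source) + "+" + compiler.trojan)
    return Binary(object_code(source))

def self_regenerates(c_a: Binary, s_a: str) -> bool:
    """DDC precondition: compiler A rebuilds itself bit-for-bit from its source."""
    return compile_with(c_a, s_a) == c_a

def ddc_matches(c_a: Binary, s_a: str, trusted: Binary) -> bool:
    """DDC: build s_a with an independent trusted compiler T, rebuild s_a with
    that stage-1 compiler; stage 2 must equal the shipped binary c_a."""
    stage1 = compile_with(trusted, s_a)
    stage2 = compile_with(stage1, s_a)
    return stage2 == c_a

# Constructed scenario: independent clean compiler T, a clean A, and a
# trojaned A built from the very same (clean) source text.
TRUSTED = Binary(object_code("independent compiler T"))
CLEAN_A = Binary(object_code(COMPILER_SRC))
TROJANED_A = Binary(object_code(COMPILER_SRC), trojan="backdoor")
```

Both compilers pass the self-regeneration check, so only the comparison against the stage-2 result built through T exposes the discrepancy between the shipped trojaned binary and its source; in practice the check also depends on reproducible (deterministic) builds, which the hash-based object code models here.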