Can bad code kill a person? The answer is yes, and the tragedy apparently already happened.
Toyota Motor was recently drawn into a lawsuit in the United States in which the plaintiffs' attorneys argued that the main cause of a fatal sudden-acceleration crash of a 2005 Camry on an Oklahoma highway in 2007 was a bug in the software of the car's electronic throttle control system (see "Automotive electronics defect caused a crash? Toyota sued in the US").
During the trial, embedded systems experts who had reviewed the source code of Toyota's electronic throttle system testified that they found the code defective and that bugs in it were the cause of the unintended acceleration. Michael Barr, CTO and co-founder of Barr Group, who took part in the investigation, told EE Times US in an exclusive interview: "We've demonstrated how as little as a single bit flip can cause the driver to lose control of the engine speed due to a software malfunction that is not reliably detected by any fail-safe."
Toyota, for its part, considered itself already exonerated: the National Highway Traffic Safety Administration (NHTSA) closed its investigation of Toyota in February 2011 after NASA experts it had commissioned reviewed the electronic throttle control system and, during a 10-month review, found no electronic defect that could cause unintended acceleration. NASA's report did not rule out the possibility that software caused the unintended acceleration, however, and embedded systems experts did not believe NASA had enough time to do complete testing.
A seven-member group of experts, including four from Barr Group, picked up where the NASA investigation left off, analyzed the Toyota case in depth, and produced a report of more than 800 pages. "We did a few things that NASA apparently did not have time to do," Barr said. First, they looked within the car's real-time operating system and identified "unprotected critical variables"; they also obtained and reviewed the source code for the "sub-CPU" and "uncovered gaps and defects in the throttle fail-safes."
The team also ran simulations in the Green Hills Simulator: "This confirmed tasks can die without the watchdog resetting the processor." Barr's group independently checked worst-case stack depth as well: "We found many big mistakes in the Toyota analysis that NASA relied on." The experts demonstrated, he said, that "the defects we found were linked to unintended acceleration through vehicle testing. We also obtained and reviewed the source code for the black box and found that it can record false information about the driver's actions in the final seconds before a crash."
Notably, Barr Group's testimony led to a billion-dollar economic-loss settlement by Toyota last December. Because of that settlement, the experts' detailed technical findings were not made public until the Oklahoma trial. The settlement resolved hundreds of lawsuits claiming that vehicles had depreciated after Toyota issued recalls related to unintended acceleration; the company still faces several lawsuits claiming injury or death caused by the defect.
Now that the experts' testimony and findings have been made public through the Oklahoma trial, what exactly were the defects in Toyota's electronic throttle control system?
This article is an authorized translation from EE Times. All rights reserved; reproduction prohibited.
The crux: memory corruption, "like ricocheting bullets"
Barr said that the experts' review of the 2005 Camry L4 source code and their in-vehicle tests confirmed that some critical variables are not protected from corruption, and that sources of memory corruption are present in the code. He believes Toyota's engineers sought to protect numerous variables against software- and hardware-caused corruption, but they failed to mirror several key critical variables and made no hardware protection available against bit flips. Stack overflow and software bugs led to memory corruption, he said, and the crux of the issue was these memory corruptions, which acted "like ricocheting bullets."
"Memory corruption as little as one bit flip can cause a task to die. This can happen by a hardware single-event upset, i.e. a bit flip, or via one of the many software bugs, such as buffer overflows and race conditions, we identified in the code," Barr said. "There are tens of millions of combinations of untested task death, any of which could happen in any possible vehicle/software state. Too many to test them all."
But, Barr noted, "vehicle tests we have done in 2005 and 2008 Camrys show that even just the death of one task by itself can cause loss of throttle control by the driver, even as combustion continues to power the engine. In a nutshell, the fail-safes Toyota did install have gaps in them and are inadequate to detect all of the ways unintended acceleration (UA) can occur via software."
To clarify, the "tasks" referred to above are equivalent to apps running on a smartphone or PC. Software malfunctions from time to time, and we usually just reboot. The 2005 Camry L4 runs a set of dozens of tasks, and because they are all meant to run continuously, the death of one can have dire consequences.
Asked whether the unintended acceleration could be pinned directly on the death of one software task, Barr replied that it was "the death of that task in combination with other task deaths." The system has dozens of tasks and 16 million different ways those tasks can die; the experts were able to demonstrate at least one way for the software to cause unintended acceleration, but many other failure modes could produce the same result.
Barr also said that more than half of the dozens of task deaths the experts studied in their experiments "were not detected by any fail-safe."
After the Oklahoma trial, Barr suggested that NHTSA should get Toyota to make its existing cars safe and should step up software regulation and oversight. For example, the FAA and the FDA both have guidelines for safety-critical software design (such as DO-178) within the systems they oversee; NHTSA has nothing comparable.
Barr also pointed out that NHTSA recently mandated the presence and certain features of black boxes in all US cars, but that the rule does not go far enough. The experts observed that Toyota's black box can malfunction specifically during unintended acceleration, causing it to falsely report that the driver was not braking. NHTSA should address this, for example by being more specific about where and how the black box gets its data, so that it does not share a common failure point with the engine computer.
Translated by: Judith Cheng
Original English article: Toyota Case: Single Bit Flip That Killed, by Junko Yoshida
Toyota Case: Single Bit Flip That Killed
Junko Yoshida
MADISON, Wis. — Could bad code kill a person? It could, and it apparently did.
The Bookout v Toyota Motor Corp. case, which blamed sudden acceleration in a Toyota Camry for a wrongful death, touches the issue directly.
This case -- one of several hundred contending that Toyota's vehicles inadvertently accelerated -- was the first in which a jury heard the plaintiffs' attorneys supporting their argument with extensive testimony from embedded systems experts. That testimony focused on Toyota's electronic throttle control system -- specifically, its source code.
The plaintiffs' attorneys closed their argument by saying that the electronic throttle control system caused the sudden acceleration of a 2005 Camry in a September 2007 accident that killed one woman and seriously injured another on an Oklahoma highway off-ramp. It wasn't loose floor mats, a sticky pedal, or driver error.
An Oklahoma judge announced that a settlement to avoid punitive damages had been reached Thursday evening. This was announced shortly after an Oklahoma County jury found Toyota liable for the crash and awarded $1.5 million of compensation to Jean Bookout, the driver, who was injured in the crash, and $1.5 million to the family of Barbara Schwarz, who died.
During the trial, embedded systems experts who reviewed Toyota's electronic throttle source code testified that they found Toyota's source code defective, and that it contains bugs -- including bugs that can cause unintended acceleration.
"We've demonstrated how as little as a single bit flip can cause the driver to lose control of the engine speed in real cars due to software malfunction that is not reliably detected by any fail-safe," Michael Barr, CTO and co-founder of Barr Group, told us in an exclusive interview. Barr served as an expert witness in this case.
A core group of seven experts, including four from Barr Group, analyzed the Toyota case. Their analysis ultimately resulted in Barr's 800-plus-page report.
In Toyota's own view, though, the automaker had been already exonerated when the National Highway Traffic Safety Administration closed its probe of Toyota models in February 2011. The NHTSA decision came after NASA investigated Toyota's electronic throttle control system and found no electronic causes of unintended acceleration during a 10-month review.
But not everyone in the embedded systems industry thinks NASA had enough time to come up with a complete report. Perhaps more significantly, in its report, NASA itself did not rule out the possibility of software having caused unintended acceleration.
The group of seven experts was given the task of picking up where the NASA investigation left off.
"We did a few things that NASA apparently did not have time to do," Barr said. For one thing, by looking within the real-time operating system, the experts identified "unprotected critical variables." They obtained and reviewed the source code for the "sub-CPU," and they "uncovered gaps and defects in the throttle fail safes."
Further, the team ran simulations in the Green Hills Simulator. "This confirmed tasks can die without the watchdog resetting the processor." His group also independently checked worst-case stack depth. "We found many big mistakes in the Toyota analysis that NASA relied on."
The experts demonstrated that "the defects we found were linked to unintended acceleration through vehicle testing," Barr said. "We also obtained and reviewed the source code for the black box and found that it can record false information about the driver's actions in the final seconds before a crash."
It's important to note that Barr Group's testimony led to a billion-dollar economic-loss settlement by Toyota last December. Because of that settlement, details of the technical discoveries made back then by the experts were not made public until the Oklahoma trial. The economic-loss settlement resolved hundreds of lawsuits claiming vehicles depreciated after the company issued recalls related to faulty acceleration. Toyota still faces lawsuits claiming injury or death related to the recalls.
Task X death
Now that the experts' testimony and findings have been made public through the Oklahoma trial, let's get into details. What defects were found in Toyota's electronic throttle control systems?
Barr said that the 2005 Camry L4 source code and in-vehicle tests by the experts confirmed that some critical variables are not protected from corruption, and that sources of memory corruption are present. He believes that Toyota's engineers sought to protect numerous variables against software- and hardware-caused corruption, but they failed to mirror several key critical variables, and they made no hardware protection available against bit flips.
Stack overflow and software bugs led to memory corruption, he said. And it turns out that the crux of the issue was these memory corruptions, which acted "like ricocheting bullets."
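The "mirroring" Barr refers to is the standard software defence for a critical variable that has no ECC or parity protecting it in hardware: keep the value together with its bitwise complement and refuse to act on the pair when they no longer agree. The C example below is added here to illustrate that technique (and the passage in the translation above that describes the same finding); it is not Toyota's code and does not come from the original article. The throttle-angle variable, its idle fail-safe value and the 16-bit layout are assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stdint.h>

/* Hypothetical mirrored storage for one safety-critical 16-bit variable
 * (here, a throttle-angle target). The value is stored together with its
 * bitwise complement; the two copies are consistent only when
 * value ^ inverse == 0xFFFF. A single flipped bit in either copy breaks
 * that relation, so the read path detects the corruption instead of
 * acting on it. Layout and names are illustrative, not Toyota's. */
typedef struct {
    uint16_t value;
    uint16_t inverse;
} mirrored_u16;

#define THROTTLE_IDLE 0u   /* assumed fail-safe command: close the throttle */

void mirrored_store(mirrored_u16 *m, uint16_t v)
{
    m->value = v;
    m->inverse = (uint16_t)~v;
}

/* Returns true and writes *out when the copies agree, false on corruption. */
bool mirrored_load(const mirrored_u16 *m, uint16_t *out)
{
    if ((uint16_t)(m->value ^ m->inverse) != 0xFFFFu)
        return false;
    *out = m->value;
    return true;
}

/* Read path a throttle task would use: a corrupted mirror degrades to the
 * idle command rather than to an arbitrary throttle angle. */
uint16_t throttle_target(const mirrored_u16 *m)
{
    uint16_t v;
    return mirrored_load(m, &v) ? v : THROTTLE_IDLE;
}

/* Simulate a single-event upset: flip one bit (0..15) of a 16-bit word. */
void inject_bit_flip_u16(uint16_t *w, unsigned bit)
{
    *w ^= (uint16_t)(1u << bit);
}

/* Unprotected variable after the flip: the corrupted value is accepted
 * silently and returned as if it were valid. */
uint16_t unprotected_after_flip(uint16_t v, unsigned bit)
{
    inject_bit_flip_u16(&v, bit);
    return v;
}

/* Mirrored variable with the same flip applied to its value copy.
 * Returns the command the throttle task would actually act on. */
uint16_t mirrored_after_flip(uint16_t v, unsigned bit)
{
    mirrored_u16 m;
    mirrored_store(&m, v);
    inject_bit_flip_u16(&m.value, bit);
    return throttle_target(&m);
}

/* Same flip applied to the complement copy: also detected. */
uint16_t mirrored_after_inverse_flip(uint16_t v, unsigned bit)
{
    mirrored_u16 m;
    mirrored_store(&m, v);
    inject_bit_flip_u16(&m.inverse, bit);
    return throttle_target(&m);
}

/* Intact mirror: the stored value is returned unchanged. */
uint16_t mirrored_intact(uint16_t v)
{
    mirrored_u16 m;
    mirrored_store(&m, v);
    return throttle_target(&m);
}
```

A mirror detects corruption but does not correct it, so the read path needs a safe default to fall back to, and the check has to run on every read: a flip that lands between two checks is otherwise acted upon just as in the unprotected case.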
Barr explains the issue this way:
Memory corruption as little as one bit flip can cause a task to die. This can happen by hardware single-event upsets -- i.e., bit flip -- or via one of the many software bugs, such as buffer overflows and race conditions, we identified in the code.
There are tens of millions of combinations of untested task death, any of which could happen in any possible vehicle/software state. Too many to test them all. But vehicle tests we have done in 2005 and 2008 Camrys show that even just the death of Task X by itself can cause loss of throttle control by the driver -- even as combustion continues to power the engine. In a nutshell, the fail safes Toyota did install have gaps in them and are inadequate to detect all of the ways UA can occur via software.
Just to clarify, the "tasks" are equivalent to apps running on smartphones or PCs. All software malfunctions from time to time -- we often have to reboot our machines. The 2005 Camry L4 has a set of dozens of apps (or tasks). Because they are all meant to be running always, the death of one could have dire consequences.
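Barr's finding that "tasks can die without the watchdog resetting the processor" comes down to what the watchdog kick depends on. If the hardware watchdog is serviced from a timer interrupt, it keeps getting kicked after an application task has died. If instead the kick is withheld until every task has reported in since the last audit, a dead task lets the watchdog expire and force a reset or fail-safe. The C simulation below, added here as an illustration of that difference (it is not Toyota's code and not from the original article; the four-task layout, the audit period and the names are assumptions), runs both policies against a scheduler in which one task has died.

```c
#include <stdbool.h>
#include <stdint.h>

/* Hypothetical task-liveness supervision for a small RTOS. Task count,
 * audit period and names are illustrative, not Toyota's design.
 *
 * Two watchdog policies are compared:
 *  - naive: the hardware watchdog is kicked from a periodic timer interrupt,
 *    which keeps running even when application tasks have died, so the
 *    watchdog never expires;
 *  - supervised: the kick is withheld unless every task has checked in since
 *    the last audit, so a dead task leads to a watchdog reset / fail-safe. */
#define NUM_TASKS 4u
#define ALL_TASKS_MASK ((1u << NUM_TASKS) - 1u)
#define AUDIT_PERIOD_TICKS 10u

static uint32_t alive_bits;   /* bit i is set once task i completed an iteration */

static void task_checkin(unsigned task_id)
{
    alive_bits |= 1u << task_id;
}

/* Naive policy: always satisfied, regardless of task state. */
static bool naive_watchdog_ok(uint32_t tick)
{
    (void)tick;
    return true;
}

/* Supervised policy: every AUDIT_PERIOD_TICKS, all tasks must have checked in. */
static bool supervised_watchdog_ok(uint32_t tick)
{
    if (tick % AUDIT_PERIOD_TICKS != 0)
        return true;                  /* between audits: keep kicking */
    bool all_alive = (alive_bits & ALL_TASKS_MASK) == ALL_TASKS_MASK;
    alive_bits = 0;                   /* tasks must re-register before the next audit */
    return all_alive;
}

/* Simulated scheduler. dead_mask marks tasks that have died (for example,
 * killed by memory corruption) and therefore never check in again.
 * Returns the tick at which the chosen policy first withholds the kick,
 * or -1 if the watchdog is never allowed to expire within `ticks`. */
int first_watchdog_trip(uint32_t dead_mask, uint32_t ticks, bool supervised)
{
    alive_bits = 0;
    for (uint32_t t = 1; t <= ticks; t++) {
        for (unsigned id = 0; id < NUM_TASKS; id++) {
            if (!(dead_mask & (1u << id)))
                task_checkin(id);     /* a live task ran this tick */
        }
        bool ok = supervised ? supervised_watchdog_ok(t) : naive_watchdog_ok(t);
        if (!ok)
            return (int)t;
    }
    return -1;
}
```

With task 2 dead, the naive policy never trips, while the supervised policy trips at the first audit (tick 10). In a real system the audit would also be the place to confirm that each task met its deadline, not merely that it ran, and the fail-safe taken on a trip (closing the throttle, resetting the processor) has to be one that a half-alive task set cannot undo.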
When asked if the whole case for unintended acceleration could be pinned on the task X death, Barr replied, "The task X death in combination with other task deaths." There are dozens of tasks and 16 million different ways those tasks can die. The expert group was able to demonstrate at least one way for the software to cause unintended acceleration, but there are so many other ways that could have happened.
Barr also said more than half the dozens of tasks' deaths studied by the experts in their experiments "were not detected by any fail safe."
What's next for NHTSA
After the Oklahoma trial, what steps should the NHTSA be taking? Barr made some suggestions:
NHTSA needs to get Toyota to make its existing cars safe and also needs to step up on software regulation and oversight. For example, FAA and FDA both have guidelines for safety-critical software design (e.g., DO-178) within the systems they oversee. NHTSA has nothing.
Also, NHTSA recently mandated the presence and certain features of black boxes in all US cars, but that rule does not go far enough. We observed that Toyota's black box can malfunction during unintended acceleration specifically, and this will cause the black box to falsely report no braking. NHTSA's rules need to address this, e.g., by being more specific about where and how the black box gets its data, so that it does not have a common failure point with the engine computer.
Editor: Quentin