Can bad software code kill? The answer is yes, and the tragedy has apparently already happened.
Toyota Motor was recently drawn into a lawsuit in the United States, in which the plaintiffs' attorneys alleged that a fatal unintended-acceleration crash involving a 2005 Camry on an Oklahoma highway in 2007 was caused primarily by an error in the software code of that model's electronic throttle control system (see "Automotive electronics defect causes crash? Toyota sued in the US").
During the trial, embedded systems experts who had reviewed the software code of Toyota's electronic throttle system testified that they found defects in it, and that the bugs inside it were the cause of the vehicle's unintended acceleration. Michael Barr, CTO and co-founder of Barr Group, who took part in the accident investigation, told EE Times US in an exclusive interview: "We have demonstrated that as little as a single memory bit flip can cause the driver to lose control of engine speed, and this kind of software malfunction cannot be reliably detected by any fail-safe mechanism."
Before this, however, Toyota had considered itself already exonerated: the US National Highway Traffic Safety Administration (NHTSA) closed its investigation of Toyota in February 2011. The agency had commissioned NASA experts to review Toyota's electronic throttle system, and during a 10-month investigation they found no electronic defect that could cause unintended acceleration. Although the NASA report did not rule out the possibility of software causing sudden unintended acceleration, embedded systems experts did not believe NASA had enough time to carry out complete testing.
A seven-member group including four experts from Barr Group therefore took over where the NASA investigation left off, analyzed the Toyota vehicles involved in the accidents in depth, and produced an investigation report of more than 800 pages. "We did some things NASA apparently did not have time to do," Barr said. First, they examined the vehicle's real-time operating system to identify "unprotected critical variables"; they obtained and reviewed the source code of the "sub-CPU" and "uncovered gaps and defects in the electronic throttle fail-safe mechanisms."
The expert group also ran simulations in the Green Hills simulator: "This further confirmed that some tasks can die without the watchdog resetting the processor." Barr's team also independently checked the worst-case stack depth: "We found many serious errors in the Toyota analysis that the NASA investigation relied on." He pointed out that the experts demonstrated: "Through vehicle testing, the defects we found were indeed linked to unintended acceleration; we also obtained and reviewed the software code of the car's black box and found that it can falsely record the driver's actions in the final seconds before an accident."
Notably, Barr Group's testimony led to a multi-billion-dollar settlement by Toyota last December; because of that settlement, the experts' detailed technical investigation was not made public until the Oklahoma accident trial. Although the settlement resolved hundreds of lawsuits over vehicle depreciation caused by Toyota's recalls for unintended acceleration, the company still faces several lawsuits over injuries or deaths caused by vehicle malfunctions.
With the Oklahoma highway accident trial, the experts' testimony and findings have been made public; so what kind of defects did Toyota's electronic throttle control system have?
This article is translated from EE Times with permission; all rights reserved, reproduction prohibited.
Barr said the experts' review of the 2005 Camry L4 source code and in-vehicle tests confirmed that some critical variables were not protected against corruption, and that sources of memory corruption were present in the code. He believes Toyota's engineers sought to protect a large number of variables against software- and hardware-induced corruption, but failed to mirror several key variables and built no hardware protection against bit flips. Stack overflow and software bugs led to memory corruption, he said, and the crux of the problem lay in those memory corruptions, which acted "like ricocheting bullets."
"Memory corruption as small as a single bit flip can cause a task to die; it takes only a single hardware upset event (such as a bit flip), or one of the many software bugs, such as the buffer overflows and race conditions we saw in the code." Barr said: "There are tens of millions of combinations of untested task deaths, each of which could happen in any vehicle/software state; far too many to test."
Barr noted, however: "Our tests on 2005 and 2008 Camrys showed that even the death of one task by itself can cause the driver to lose control of the throttle control system, even as combustion continues to power the engine. In short, Toyota did install fail-safes, but they have gaps and cannot detect all the ways UA can occur via software."
To be clear, the "tasks" mentioned above are the equivalent of applications running on a smartphone or PC; when software occasionally crashes, we usually just reboot. The 2005 Camry L4 runs a set of such tasks, and because they are all meant to run forever, the death of any one of them can have dire consequences.
Asked whether the cause of Toyota's unintended acceleration could be directly tied to the death of one software task, Barr replied: "It should be the death of one task in combination with the deaths of other tasks." He said the system has dozens of tasks and at least 16 million different ways they can die; the expert group was able to demonstrate one software failure mode that could cause unintended acceleration, but there are many other failure modes that could produce the same result.
Barr said that in their experiments the experts studied only half of those dozens of task-death modes, but: "none of them could be detected by any fail-safe mechanism."
After the Oklahoma highway accident trial, Barr suggested that NHTSA should require Toyota to ensure the safety of all its existing models, and that it needs to strengthen software regulation and oversight; for example, the US Federal Aviation Administration (FAA) and Food and Drug Administration (FDA) both have safety-critical software design guidelines (such as DO-178) for the systems they oversee, but NHTSA lacks any such standard.
Barr also pointed out that NHTSA recently required all US vehicles to be fitted with black boxes having certain features, but the rules are still inadequate; the experts found that Toyota's black box can malfunction during unintended acceleration, leaving it unable to work at all or recording false data. NHTSA should take note of this and specify in more detail how the black box collects its data, so that it does not share a common point of failure with the engine control computer.
Translated by: Judith Cheng
Original English article: Toyota Case: Single Bit Flip That Killed, by Junko Yoshida
Toyota Case: Single Bit Flip That Killed
Junko Yoshida
MADISON, Wis. — Could bad code kill a person? It could, and it apparently did.
The Bookout v Toyota Motor Corp. case, which blamed sudden acceleration in a Toyota Camry for a wrongful death, touches the issue directly.
This case -- one of several hundred contending that Toyota's vehicles inadvertently accelerated -- was the first in which a jury heard the plaintiffs' attorneys supporting their argument with extensive testimony from embedded systems experts. That testimony focused on Toyota's electronic throttle control system -- specifically, its source code.
The plaintiffs' attorneys closed their argument by saying that the electronics throttle control system caused the sudden acceleration of a 2005 Camry in a September 2007 accident that killed one woman and seriously injured another on an Oklahoma highway off-ramp. It wasn't loose floor mats, a sticky pedal, or driver error.
An Oklahoma judge announced that a settlement to avoid punitive damages had been reached Thursday evening. This was announced shortly after an Oklahoma County jury found Toyota liable for the crash and awarded $1.5 million of compensation to Jean Bookout, the driver, who was injured in the crash, and $1.5 million to the family of Barbara Schwarz, who died.
During the trial, embedded systems experts who reviewed Toyota's electronic throttle source code testified that they found Toyota's source code defective, and that it contains bugs -- including bugs that can cause unintended acceleration.
"We've demonstrated how as little as a single bit flip can cause the driver to lose control of the engine speed in real cars due to software malfunction that is not reliably detected by any fail-safe," Michael Barr, CTO and co-founder of Barr Group, told us in an exclusive interview. Barr served as an expert witness in this case.
A core group of seven experts, including four from Barr Group, analyzed the Toyota case. Their analysis ultimately resulted in Barr's 800-plus-page report.
In Toyota's own view, though, the automaker had already been exonerated when the National Highway Traffic Safety Administration closed its probe of Toyota models in February 2011. The NHTSA decision came after NASA investigated Toyota's electronic throttle control system and found no electronic causes of unintended acceleration during a 10-month review.
But not everyone in the embedded systems industry thinks NASA had enough time to come up with a complete report. Perhaps more significantly, in its report, NASA itself did not rule out the possibility of software having caused unintended acceleration.
The group of seven experts was given the task of picking up where the NASA investigation left off.
"We did a few things that NASA apparently did not have time to do," Barr said. For one thing, by looking within the real-time operating system, the experts identified "unprotected critical variables." They obtained and reviewed the source code for the "sub-CPU," and they "uncovered gaps and defects in the throttle fail safes."
Further, the team ran simulations in the Green Hills Simulator. "This confirmed tasks can die without the watchdog resetting the processor." His group also independently checked worst-case stack depth. "We found many big mistakes in the Toyota analysis that NASA relied on."
The experts demonstrated that "the defects we found were linked to unintended acceleration through vehicle testing," Barr said. "We also obtained and reviewed the source code for the black box and found that it can record false information about the driver's actions in the final seconds before a crash."
It's important to note Barr Group testimony led to a billion-dollar economic-loss settlement by Toyota last December. Because of that settlement, details of the technical discoveries made back then by the experts were not made public until the Oklahoma trial. The economic-loss settlement resolved hundreds of lawsuits claiming vehicles depreciated after the company issued recalls related to faulty acceleration. Toyota still faces lawsuits claiming injury or death related to the recalls.
Task X death
Now that the experts' testimony and findings have been made public through the Oklahoma trial, let's get into details. What defects were found in Toyota's electronic throttle control systems?
Barr said that the 2005 Camry L4 source code and in-vehicle tests by the experts confirmed that some critical variables are not protected from corruption, and sources of memory corruption are present. He believes that Toyota's engineers sought to protect numerous variables against software- and hardware-cause corruptions, but they failed to mirror several key critical variables, and they made no hardware protection available against bit flips.
Stack overflow and software bugs led to memory corruption, he said. And it turns out that the crux of the issue was these memory corruptions, which acted "like ricocheting bullets."
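As an added illustration of the "mirroring" of critical variables that Barr says several key variables lacked (described in both the translated section and the original above), the following C snippet is written for this page and is not Toyota's or Barr Group's code. It keeps a 16-bit value next to a bit-inverted copy so that a single bit flip in either copy is detected, and falls back to a safe value instead of trusting corrupted memory; the throttle target and the `inject_bit_flip` helper are constructed assumptions.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* A mirrored critical variable: the value is stored twice, the second
 * copy bit-inverted. Any single bit flip (hardware upset) or stray write
 * (stack overflow, buffer overflow) that touches one copy makes the two
 * disagree, so the corruption is visible to the reader. */
typedef struct {
    volatile uint16_t value;
    volatile uint16_t mirror;   /* always == ~value while intact */
} mirrored_u16;

void mirrored_set(mirrored_u16 *m, uint16_t v) {
    m->value = v;
    m->mirror = (uint16_t)~v;
}

/* Returns true and writes *out when both copies agree; false on corruption. */
bool mirrored_get(const mirrored_u16 *m, uint16_t *out) {
    uint16_t v = m->value;
    uint16_t inv = (uint16_t)~m->mirror;
    if (v != inv) {
        return false;           /* copies disagree: memory was corrupted */
    }
    *out = v;
    return true;
}

/* Constructed fault injection: flip one bit of the primary copy, the way a
 * single-event upset would. */
void inject_bit_flip(mirrored_u16 *m, unsigned bit) {
    m->value ^= (uint16_t)(1u << (bit & 15u));
}

/* Consumer with a fail-safe: if the mirrored target is corrupt, return a
 * safe idle value rather than acting on garbage. */
#define THROTTLE_SAFE_IDLE 0u
uint16_t throttle_target_or_safe(const mirrored_u16 *m) {
    uint16_t v;
    return mirrored_get(m, &v) ? v : THROTTLE_SAFE_IDLE;
}

int main(void) {
    mirrored_u16 target;
    mirrored_set(&target, 1200);
    printf("intact target: %u\n", throttle_target_or_safe(&target));
    inject_bit_flip(&target, 11);
    printf("after bit flip: %u\n", throttle_target_or_safe(&target));
    return 0;
}
```

A real system would additionally re-check the mirror on every periodic task tick and feed the watchdog only when all mirrored variables pass, so a silent corruption cannot persist across cycles.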
Barr explains the issue this way:
Memory corruption as little as one bit flip can cause a task to die. This can happen by hardware single-event upsets -- i.e., bit flip -- or via one of the many software bugs, such as buffer overflows and race conditions, we identified in the code.
There are tens of millions of combinations of untested task death, any of which could happen in any possible vehicle/software state. Too many to test them all. But vehicle tests we have done in 2005 and 2008 Camrys show that even just the death of Task X by itself can cause loss of throttle control by the driver -- even as combustion continues to power the engine. In a nutshell, the fail safes Toyota did install have gaps in them and are inadequate to detect all of the ways UA can occur via software.
Just to clarify, the "tasks" are equivalent to apps running on smartphones or PCs. All software malfunctions from time to time -- we often have to reboot our machines. The 2005 Camry L4 has a set of dozens of apps (or tasks). Because they are all meant to be running always, the death of one could have dire consequences.
When asked if the whole case for unintended acceleration could be pinned on the task X death, Barr replied, "The task X death in combination with other task deaths." There are dozens of tasks and 16 million different ways those tasks can die. The experts group was able to demonstrate at least one way for the software to cause unintended acceleration, but there are so many other ways that could have happened.
Barr also said more than half the dozens of tasks' deaths studied by the experts in their experiments "were not detected by any fail safe."
What's next for NHTSA
After the Oklahoma trial, what steps should the NHTSA be taking? Barr made some suggestions:
NHTSA needs to get Toyota to make its existing cars safe and also needs to step up on software regulation and oversight. For example, FAA and FDA both have guidelines for safety-critical software design (e.g., DO-178) within the systems they oversee. NHTSA has nothing.
Also, NHTSA recently mandated the presence and certain features of black boxes in all US cars, but that rule does not go far enough. We observed that Toyota's black box can malfunction during unintended acceleration specifically, and this will cause the black box to falsely report no braking. NHTSA's rules need to address this, e.g., by being more specific about where and how the black box gets its data, so that it does not have a common failure point with the engine computer.
Editor: Quentin