Written by Red Hat’s Gabriele Paoloni, Alessandro Carminati & Maurizio Papini
One of the main challenges in using the Linux Kernel for safety-critical systems is conducting safety analyses in the absence of architectural documentation. As outlined in this article, within the ELISA (Enabling Linux in Safety Applications) Project, we are adopting the STPA approach at the system level. Accordingly, the Safety Architecture Working Group has been actively working on implementing and expanding this approach within the Kernel.
To conduct an STPA-inspired analysis, it is necessary to define “controller” entities, along with their corresponding control actions and feedback mechanisms. The Linux Kernel has already been divided into entities, which are maintained by different individuals based on the MAINTAINERS file.
Therefore, the Safety Architecture Working Group has made the decision to experiment with STPA analysis within the Kernel by treating the various subsystems or drivers (as defined in the MAINTAINERS file) as individual controllers. Within this context, the challenge has been to identify the control actions and feedback mechanisms between the drivers and subsystems.
The ks-nav tool set, comprising two complementary tools, is specifically designed to support the identification of such control actions.
To facilitate this, ks-nav offers subsystem call trees, which visually represent the interactions and dependencies among subsystems, starting from a given symbol. This feature allows users to identify potential interfaces between subsystems or drivers that support relevant control actions within the specific context of the symbol under analysis.
Another key feature of ks-nav is the identification of function call trees, which list functions potentially encountered starting from a given one . Such a feature could be useful to understand the subsystem or driver behavior following the invocation of a given function.
In summary, within the context of a specific symbol, ks-nav is capable of initially highlighting potential candidates for control actions between subsystems and drivers. Additionally, it allows users to “zoom in” on each subsystem as necessary to support expert judgment in semantically specifying the control actions.
To accommodate diverse analysis needs, the tool set supports multiple output formats, including dot, raster images (PNG or JPG), and vector images (SVG), facilitating effective visualization.
Flexibility is emphasized with compatibility across different database management systems (DBMS) like PostgreSQL, MySQL, MariaDB, or SQLite. This enables seamless integration with users’ preferred DBMS or existing infrastructure.
Moreover, ks-nav is able to identify indirect calls, including the x86 retpoline technique, within the kernel code, and deals with compiler code optimization.
By offering function call trees, subsystem call trees, versatile output formats, DBMS compatibility, and indirect call detection, the ks-nav tool set provides a comprehensive and efficient solution for ELISA activities in Linux kernel analysis. It provides users with the necessary tools to explore the kernel’s structure, and make informed decisions.
This initial commit of the ks-nav tool set also ensures fair test coverage, guaranteeing reliability and effectiveness in supporting ELISA activities. It marks a milestone, demonstrating the team’s commitment to continuous improvement and future advancements to refine the tool set and meet evolving needs in ELISA activities conducted by the working group.
All are welcome to try out the tools, send pull requests for improvements and bug fixes on the ELISA Safety Architecture Working Group’s GitHub here.
There will also be a dedicated session on how to apply this tool at the upcoming ELISA Berlin Workshop June 20-22. Learn more about the Workshop or register for it here.