[trustable-software] Fwd: Notes from the call with Robert Seacord

Andrew Banks andrew at andrewbanks.com
Mon Nov 7 13:10:16 UTC 2016


> However, the control
> algorithms for our autonomous control systems are coded in C++.   That
> statement logically leads to the question, are there standards similar 
> to CERT-C or MISRA for C++?

There are both MISRA C++ and CERT C++.



-----Original Message-----
From: trustable-software [mailto:trustable-software-bounces at lists.veristac.io] On Behalf Of Paul Sherwood
Sent: 07 November 2016 12:03
To: Discussion about trustable software engineering
Cc: McCall, Gavin (G.F.)
Subject: Re: [trustable-software] Fwd: Notes from the call with Robert Seacord

Hi Alison,
On 2016-11-07 06:24, Chaiken, Alison wrote:
> The whole discussion has centered on C.   Works for me, as I labor on
> kernel and gstreamer and systemd in C.

Well, this particular discussion is around C, but folks here are thinking more broadly also. As you know, the way to eat an elephant is one bite at a time, and our elephant definitely includes C.

> However, the control
> algorithms for our autonomous control systems are coded in C++.   That
> statement logically leads to the question, are there standards similar 
> to CERT-C or MISRA for C++?

Others can answer this better than me, I think.

> Our organization follows many generally accepted best practices, such 
> as coding to a functional specification, running in continuous 
> integration, replaying logged data in simulation and testing with the 
> various sanitizers (ASAN, MSAN, UBSAN), but that doesn't mean that we 
> couldn't do better.

I think the general situation is we all need to do better :), and as you know, sharing knowledge is a key part of how folks improve.

> It strikes me that the way that a new standard organization avoids 
> becoming a tax-collecting, rubber-stamping body is by providing a 
> GPL'ed or CCBYSA-licensed static analysis tool.

Agreed.

> Of course, a static
> analysis tool only makes sense once a set of best practices is agreed,
> so the problem is that the tool perhaps never gets started.   Do
> CERT-C and MISRA have publicly available static analysis tools 
> already?  Why are these earlier standards in need of augmentation, 
> anyway?

AIUI CERT focused on security, but did not consider safety, and vice versa for MISRA.

Also ISTM that neither group really attempted to stimulate wider input from (or adoption by) FOSS communities, and I'm wondering if we can do better now that FOSS is increasingly the de facto approach for many classes of hard software.

> I find that the kernel itself curls up and dies when run under UBSAN.
> That fact alone sours me a bit on the practicality of the whole 
> program, I'm afraid.

Eek. All endeavours can fail, for sure.

In any case I really appreciate the healthy skepticism that you and others are expressing here. I'm going to keep cheerleading in the hope that solutions will emerge as we share our frustrations and attempt to break down the barriers :)

br
Paul

_______________________________________________
trustable-software mailing list
trustable-software at lists.veristac.io
https://lists.veristac.io/cgi-bin/mailman/listinfo/trustable-software
