MISRA updates guidelines for secure C programmes

06 May 2016  | Rich Quinell

The Motor Industry Software Reliability Association, or MISRA, has just updated its guidelines to ensure safe and secure use of the C programming language in critical applications.

The MISRA C:2012 Amendment 1, announced April 22, adds fourteen new rules focused specifically on security in response to the needs of connected systems. New rules in the amendment help developers following the MISRA standard to avoid coding practices that can introduce security vulnerabilities.

The MISRA C guidelines are an internationally accepted subset of C for use in the design of safety-critical systems. However, the guidelines are equally appropriate for secure systems, according to Andrew Banks, chairman of the MISRA C Committee. "Anyone using the C language for system development, particularly for systems that have to be safe and/or secure should be using the MISRA C Guidelines," said Banks in the press release announcing the amendment.

"The fact is, safety and security are not separate things," said Andrew Girson, CEO of embedded design, consulting, and training firm Barr Group in an interview with EE Times. "They're different concepts, but have a lot of overlap." Girson gave as an example the situation of buffer overflow. In a safety-critical system a buffer overflow could result in unreliable system behaviour. But the potential for buffer overflows is also a common cyber-attack vulnerability, even if an overflow doesn't compromise safety. So designing for higher reliability also makes the code more secure, Girson noted.

According to MISRA, the amendment arose partly in response to the C Language Security Guidelines (ISO/IEC 17961:2013) published by the ISO/IEC JTC1/SC22/WG14 (the committee responsible for maintaining the C Standard). The MISRA committee carried out a comprehensive comparison between MISRA C:2012 and the ISO/IEC guidelines and added the new rules to improve MISRA C's coverage of the security concerns the guidelines raised. In addition to the rules in Amendment 1, MISRA has published as Amendment 2 a coverage matrix showing the relationship of MISRA C to ISO/IEC 17961:2013.

Because the MISRA committee recognised that circumstances arise that make it impractical or unreasonable to follow all the requirements, MISRA C allows for the approval of deviations from the standard. However, the industry's approach to approving such deviations has varied considerably, prompting the committee to also issue MISRA Compliance 2016 to clarify what it means to have deviations and still be compliant. Compliance can be achieved and proven by checking code against this matrix.

Given that many systems now have millions of lines of code, proving compliance to the new MISRA C guidelines can be daunting. Fortunately, automated tools for checking compliance have already arisen. According to Jim McElroy, vice president of marketing at LDRA, the latest version of LDRA's MISRA Compliance Tools includes comprehensive coverage of Amendment 1 rules, in part because of the company's close association with MISRA. LDRA employees hold four of the 11 positions on the MISRA C committee, McElroy told EE Times in a phone briefing.

In addition, training on the newly enhanced MISRA C standards should be rapidly forthcoming. According to McElroy, LDRA plans on offering free webinars later this month providing an overview of the new rules (register on the company website). More comprehensive training on MISRA from companies such as Barr Group is sure to soon include the new rules as well. "Like anything with fast-moving technology, our training is being updated all the time," said Girson.

Developers can also explore the new rules on their own. The MISRA C:2012 standard, along with the amendments and compliance guidelines, is available at the MISRA website.
