Safety critical Rust (finally) qualified

Rust is one of the prime candidates for safety-critical systems.

And it looks like it is finally coming of age 🙂

After long and arduous work, Ferrous Systems has released Ferrocene, an open-source, safety-qualified Rust compiler.
See the announcement below for more information:

https://ferrous-systems.com/blog/ferrocene-open-source/

But what is a qualified tool?

Those who are involved in safety-critical work — and I claim no expertise here — know that one of the bigger ‘pains’ is getting qualified tools to use in the first place.

For a ‘regular’ developer most tools are taken for granted: compilers, operating systems, frameworks, etc. Bugs and undefined behaviour [1] are expected to exist, and undefined behaviour is even exploited by compilers as an ‘optimization’ [2].

While determinism, quality, and reliability are desired, they often take a back seat to features, speed of delivery, and user experience.

But if you work on safety-critical systems, it is the other way around.
One of your biggest needs is proof of deterministic behaviour.

And there is a simple analogy.
If a house — or even more critically, a skyscraper — lacks a stable foundation, it’s only a matter of time before something catastrophic occurs.
You need and want proof (as much as feasible) that your foundations are stable, and you generally want a reputable company with a reputable build process to lay them.

That is what qualification means in practice:
a tool you can rely on, so that you are not nastily surprised at the worst possible moment [3].

And now Rust has its ‘reputable’ badge for use in safety-critical systems.

Speeding up the move to modern languages

There is also another reason why I’m optimistic about Rust and other modern languages.

C and C++ are great languages for their uses: performance and low-level control. C is glorified assembly, and C++ gives you a million ways to write bad or wrong code and only a few good ones.

To use C and C++ in a safety-critical environment, you are severely restricted in how you can apply those languages. Just check the MISRA or AUTOSAR [4] rules for writing automotive-grade code.

And even then you must use a different set of tools (static and dynamic analyzers, linters, etc.) just to make sure that you haven’t made an off-by-one memory access or an implicit, wrong typecast.
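As an added illustration (not code from the original post, nor from Ferrous Systems or Ferrocene), here are the two mistake classes just mentioned, an off-by-one read and an implicit narrowing conversion, written in safe Rust. The 4-byte sample frame and all function names are constructed for this example. In C, `frame[4]` on a 4-byte array and `uint8_t reg = 300;` both compile silently; here the out-of-range read is either a checked `None` or a defined panic, and the narrowing has to be written out as `as` or `try_from`.

```rust
use std::convert::TryFrom;

/// Constructed sample: a 4-byte "sensor frame" as it might arrive from a bus.
pub const FRAME: [u8; 4] = [0x10, 0x20, 0x30, 0x40];

/// Read byte `idx` of `frame`. In C, reading index 4 of a 4-byte array is an
/// off-by-one read of whatever sits next to it in memory; here the bounds
/// check is always performed and an out-of-range index yields `None`.
pub fn read_byte(frame: &[u8], idx: usize) -> Option<u8> {
    frame.get(idx).copied()
}

/// Sum of all bytes. The loop bound comes from the slice itself, so a
/// hand-written `<=` off-by-one cannot be introduced.
pub fn checksum(frame: &[u8]) -> u32 {
    frame.iter().map(|&b| u32::from(b)).sum()
}

/// Store a computed value into an 8-bit register. Rust has no implicit
/// narrowing: `try_from` reports the out-of-range case as an error instead
/// of silently wrapping 300 to 44.
pub fn to_register(value: i32) -> Result<u8, String> {
    u8::try_from(value).map_err(|e| format!("{} does not fit in u8: {}", value, e))
}

/// The C-like truncation for comparison. It behaves exactly like the C
/// assignment, but the `as` cast is visible in the source, which is what
/// MISRA-style rules try to enforce for C by convention and tooling.
pub fn to_register_truncating(value: i32) -> u8 {
    value as u8
}

/// Indexing with `[]` is also bounds-checked, but a failure is a panic rather
/// than undefined behaviour. Returns true if the read panicked, to show the
/// failure mode is defined and observable.
pub fn indexed_read_panics(frame: &[u8], idx: usize) -> bool {
    std::panic::catch_unwind(|| frame[idx]).is_err()
}

fn main() {
    assert_eq!(read_byte(&FRAME, 3), Some(0x40));
    assert_eq!(read_byte(&FRAME, 4), None); // the "offset +1" read
    assert_eq!(checksum(&FRAME), 0xA0);
    assert_eq!(to_register(200), Ok(200));
    assert!(to_register(300).is_err());
    assert_eq!(to_register_truncating(300), 44);
    assert!(indexed_read_panics(&FRAME, 4));
    println!("all checks passed");
}
```

The panic in `indexed_read_panics` still prints the default panic message to stderr; the point is only that the out-of-range access is caught before any memory outside the array is touched.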

A long time ago I considered myself ‘quite good’ at C++, but the more I learned, the less I knew [5] 😀

If you need to put so many restrictions on a language and constantly invent new ways to stop people from making almost invisible mistakes in it, you need to reconsider whether you really need to step into that minefield [6].

And all of those hoops significantly slow down actual development.

So let’s see what the future will bring [7] 🙂

  1. https://en.cppreference.com/w/c/language/behavior
  2. https://alexpolt.github.io/undefined.html
  3. https://www.motortrend.com/news/nhtsa-tesla-autopilot-investigation-shutoff-crash/
  4. https://www.autosar.org/news-events/detail?tx_news_pi1%5Baction%5D=detail&tx_news_pi1%5Bcontroller%5D=News&tx_news_pi1%5Bnews%5D=39&cHash=e4f521f7b674bdfd7c1fade308cf2ea8
  5. “Within C++, there is a much smaller and cleaner language struggling to get out” – Bjarne Stroustrup
  6. Of course, C and C++ are widely used languages with great applications (just look at CERN or the Linux kernel). But they should not be, and are not, applicable everywhere, as the learning curve is high and the room for errors even higher.
  7. Greetings to team Trust at VCC doing great work on production-grade Rust in an actual car 🙂

Weekly breakdown – 22w37d3

Security

https://darknetdiaries.com/episode/115/

Listen to the podcast episode and replace the mentions of games with, say, cars.
It should raise a lot of eyebrows.

It is really not hard to imagine a black market for all kinds of:

  • Standard: enabling features
    Examples: BMW’s subscription for smarter headlights, or Tesla’s rear-seat heaters.
  • Scarier: disabling features
    The usual theft protection, but also removing safety limitations such as speed limits, alcohol checks, hands-off-steering-wheel checks, etc.
    Even now you can buy a speed-limit removal for even the most expensive electric bikes with top-of-the-line security features, taking you from the 25 km/h limit to over 40 km/h, where the only limit is the battery capacity.

All of this already exists, but at the moment it is not the most scalable business.
To ‘pimp up’ a current-generation car, you need to go to a ‘guy’ or a shady shop to make the changes.

But cars are becoming ‘smarter’. Over-the-air updates and all the new fancy features allow changes to be made remotely from anywhere in the world.

And there lies a huge black-market opportunity for finding bugs and loopholes, as no software or protection is perfect.
Just check the yearly Android bug list and its severities, even though Android is owned and developed by all-mighty Google.

If there is a sprawling market for cheats in $50 games, imagine the opportunity for ‘cheats’ in a $50,000+ car.

It is not hard to imagine a 100% online subscription service that would deliver all kinds of unofficial ‘improvements’, applied automatically to your car.

Thanks goes to Patrik Thunström for sharing this podcast gem and fun discussion 🙂

Programming

https://calebhearth.com/fan-out-vs-fan-in

Another way to look at code complexity and how to prevent it during design or in a refactor.

As with everything, it should not be followed blindly, as the original complexity could end up moving into ever-evolving wrapper classes.
Check the Law of Demeter for more information.

Big tech monopoly

https://cfenollosa.com/blog/after-self-hosting-my-email-for-twenty-three-years-i-have-thrown-in-the-towel-the-oligopoly-has-won.html

One more take on how big tech companies have taken the internet away from its original intent.
If you have ever found legitimate mail suddenly ending up in the spam folder of your free mail service, or not delivered at all, this is the primary reason.

Old but gold: when the product is free, you are the product.

Fun

https://github.com/IdreesInc/Minecraft-Font

For those with kids, or who feel like one 🙂

Fragile Manifesto

Go-to manifesto, more often than not 🙂

Weekly breakdown – 22w32d1

Programming

https://nnethercote.github.io/2022/07/27/twenty-years-of-valgrind.html

For those writing low-level code and/or in ‘unsafe’ languages, Valgrind is one of the tool suites to use regularly.

The linked text from one of the creators of Valgrind gives a brief of its interesting history and, more importantly, links to high-quality papers describing how Valgrind actually works under the hood and is able to do what it does.

Note that Valgrind is not the only good tool that Nicholas and Julian have made.

Security

https://arstechnica.com/information-technology/2022/07/researchers-unpack-unkillable-uefi-rootkit-that-survives-os-reinstalls/

This is an expected development, since obfuscation as a security method failed spectacularly with the hack of the Intel Management Engine in motherboard chipsets.

News

https://www.bloomberg.com/news/articles/2022-07-25/porsches-postponed-by-buggy-software-cost-vw-s-ceo-his-job

One of the first big names in the car industry to be ‘eaten’ by software.

As all modern car manufacturers move to become software-first companies, they are also learning the hard lesson that:

the current state of software engineering is less engineering and more craftsmanship, with all its implications for quality, planning, timelines and ‘manufacturing’.

The software craftsmanship is a separate topic for another day 🙂

Weekly breakdown – 22w24d3

Automotive

https://fortune.com/2022/06/10/elon-musk-tesla-nhtsa-investigation-traffic-safety-autonomous-fsd-fatal-probe

The more cars Tesla sells, the more issues will be found, and not just technical ones.

It is hard to escape the law of large numbers and the Gaussian bell curve, especially as an organization grows.

And the quote below paints a potentially damning picture of how the ‘Autopilot’ functionality handles itself in accident situations.

(really short rant ahead)

In general terms I consider Elon Musk a quite smart guy with extremely good sales and marketing talent.

But sales is usually selling features that are not (yet) there and/or overblown capabilities of existing functionality.

Just look at the naming of Tesla’s ‘Autopilot’ feature, which offers level 2 autonomy.
If you check the meaning of level 2 autonomy, ‘Autopilot’ is in no way as autonomous as the ‘auto’ in the name strongly suggests.

Heck, Tesla has already been surpassed by Mercedes and Honda with limited but legally approved level 3 automation modes, where the car manufacturer is actually responsible in case of an accident while the mode is enabled and in command.

Old-school car-manufacturer juggernauts are slow (some will crash and burn), but they will eventually catch up and overwhelm Tesla unless it comes up with something radical, and so far nothing has been announced.
And if it were, Musk is famous for over-promising and under-delivering on such announcements, as those who follow him know.

And the famous Tesla bots will not be able to help it.

But I have been wrong before, and it will be fun to watch 🙂

Fun

https://www.tomshardware.com/news/working-lego-computer-brick

Make your own fully functioning Lego computer brick 🙂