The present invention relates to a method for monitoring an application for providing at least one safety-critical function for a vehicle. The present invention furthermore relates to a computer program, a device, and a storage medium for this purpose.
Safety-critical software-controlled systems such as vehicles, especially software-defined vehicles (SdVs), require comprehensive application monitoring to ensure reliable and trustworthy operation. More specifically, software applications must be monitored to quickly detect any behavior that deviates from the expected behavior, whether as a result of a random error or an intentional cyber attack.
However, implementing comprehensive application monitoring for systems such as vehicles is challenging and cannot be adequately realized with established solutions, since the applications in such systems are written by different software companies or independent developers and an integrator, e.g. an OEM, does not know the exact expected behavior of these applications.
As a result, existing techniques only allow for progress monitoring but not detailed monitoring. More importantly, existing techniques require detailed knowledge of the internal structure and functionality of the corresponding software application. However, this is challenging in multi-tier systems such as vehicles, where applications are created by numerous third parties and are then run on the platform of the integrator, e.g. an OEM, who has no control over these third parties.
Existing monitoring techniques are based for example on hardware or software-based monitoring, usually through a watchdog. These techniques can be used for progress monitoring. For example, a watchdog can be configured to interrupt an application if it does not terminate after a certain period of time. However, such techniques are very restricted and therefore limited in their effectiveness. For example, these techniques cannot detect an erroneous calculation result or a change in control currents. The procedures known according to the prior art are also limited with regard to the required internal knowledge of each application. For example, configuring a watchdog to interrupt an application after a certain period of time requires detailed knowledge of the internals of the application, i.e. the implementation details.
The present invention includes a method, a computer program, a device, and a computer-readable storage medium. Features of and details relating to the present invention are disclosed herein. Features and details which are described in connection with the method according to the present invention of course also apply in connection with the computer program according to the present invention, the device according to the present invention, and the computer-readable storage medium according to the present invention, and respectively vice versa, so that, with respect to the disclosure, mutual reference is or can be made to the individual aspects of the present invention at all times.
The present invention includes a method for monitoring an application for providing at least one safety-critical function for a vehicle. According to an example embodiment of the present invention, the method includes the following steps, it being possible for the steps to be carried out repeatedly and/or successively. In the context of the present invention, an application is in particular a software application. The safety-critical function is in particular critical for the safety of the vehicle with regard to system damage and/or personal injury. The method can be particularly advantageous for vehicles, since in this case the vehicle-specific applications are important for the correct functioning of the vehicle. In particular for safety-critical applications, it can therefore be important to provide monitoring of each application.
In a first step, preferably at least one monitoring function of the application is provided. The at least one monitoring function generates a defined signal, in particular on the basis of at least one runtime characteristic of the application, in order to specify the at least one runtime characteristic via the defined signal. The runtime characteristic preferably describes at least a course of one or more runtime events. The defined signal is in particular a specific message containing relevant information on the at least one runtime characteristic, such as a current value or an average value of the last hundred values. A structure or a data schema of such a message or the defined signal can be described in corresponding documentation. Once generated, the monitoring function can write the defined signal to a specific destination or resource such as a file, socket, or RESTful API. In the context of the present invention, the monitoring function may also be referred to and understood as a signaling function.
In a further step, the generated defined signal is preferably read out by means of a monitoring component. Reading out can be performed via a corresponding connection to the above-mentioned destination or the resource, i.e. the monitoring component can, for example, read the file into which the defined signal was written. The monitoring component may be a software module and may be implemented in the technical system, preferably as an application-independent software module. Alternatively, the monitoring component may also be implemented on an external data processing device such as a server.
In a further step, the application is preferably monitored by means of the monitoring component on the basis of an analysis of the read-out generated defined signal. As a result, the method according to the present invention can advantageously monitor the application of the technical system without knowledge of internal functioning and without, for example, having access to a source code of the application. Monitoring includes in particular the analysis of values or information of the read-out generated defined signal with regard to specific specifications or requirements of each application.
The defined signal is preferably a standardized message which comprises relevant current information about the at least one runtime characteristic. The standardized message can be standardized in the sense that a structure of the message can be specified depending on a relevant runtime characteristic in order to standardize it. This allows the method to be used advantageously in different applications and vehicles without knowledge of how each application works.
The at least one monitoring function can record the one or more runtime events and reproduce them by the at least one runtime characteristic through the defined signal. The one or more runtime events are in particular specific to a current functionality of the application. The runtime events can be, for example, a runtime of functions, calculation results of functions, and/or specific memory accesses.
According to an example embodiment of the present invention, in a further possibility, the method may further comprise the following step:
The additional analysis can, for example, be a calculation of an average value or a determination of a minimum or maximum value. Furthermore, during the additional analysis, the monitoring function of the application can already evaluate whether a value of at least one runtime characteristic exceeds a certain threshold value. A result of the steps described above can then be communicated using the defined signal.
According to a further advantage, the method may further comprise the following step:
The result may indicate, for example, that the read-out generated defined signal deviates from an expected value or an expected pattern. If this is the case, at least one measure may be implemented. The at least one measure can be, for example, terminating at least one process of the application, terminating the application, adapting at least one access restriction of the application to the technical system, closing at least one port of the technical system, and/or adapting at least one filter rule with regard to data exchange of the application, or can comprise at least one of these steps.
Furthermore, according to an example embodiment of the present invention, the monitoring function is optionally executed at a defined periodicity. This makes it possible to determine when and how often the monitoring function is executed, individually and depending on the specific application case. Executing the monitoring function includes in particular generating the defined signal.
Furthermore, according to an example embodiment of the present invention, within the scope of the present invention it is optionally possible for the at least one runtime characteristic to be an execution time of at least one function of the application and/or an execution time of the entire application. Thus, on the basis of the execution time of the at least one function and/or the application, it is advantageously possible to conclude faulty behavior of the application or behavior of the application that has been altered by external influences. The external influence can, for example, be a hacking attack on the technical system.
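As an added example (not code from the patent), the following Python sketch shows the division of labour described above: a monitoring function inside the application signals the execution time of one of its functions through a standardized message, and an application-independent monitoring component reads the messages, applies a threshold rule and returns a measure. The message schema, the rule set and the in-memory list used as the destination are assumptions.

```python
import json
import statistics
import time
from collections import deque
from functools import wraps
from typing import Callable, Dict, List

# Constructed message schema (assumption, not from the patent), one JSON object
# per line at the destination; the monitoring component needs only this schema:
#   {"app", "characteristic", "value", "avg", "unit", "ts"}

class MonitoringFunction:
    """Inside the application: measures the execution time of a wrapped function,
    keeps the last `window` samples for an average, and writes the defined signal
    to the destination (a list stands in for the file, socket or REST endpoint)."""

    def __init__(self, app: str, destination: List[str], window: int = 100):
        self.app = app
        self.destination = destination
        self.samples = deque(maxlen=window)

    def emit(self, characteristic: str, value: float, unit: str = "ms") -> Dict:
        # Pre-processing done by the application itself: running average.
        self.samples.append(value)
        msg = {"app": self.app, "characteristic": characteristic, "value": value,
               "avg": statistics.fmean(self.samples), "unit": unit, "ts": time.time()}
        self.destination.append(json.dumps(msg))
        return msg

    def timed(self, func: Callable) -> Callable:
        # Decorator: signal the execution time of `func` on every call.
        @wraps(func)
        def wrapper(*args, **kwargs):
            t0 = time.perf_counter()
            try:
                return func(*args, **kwargs)
            finally:
                self.emit("exec_time:" + func.__name__, (time.perf_counter() - t0) * 1000.0)
        return wrapper

class MonitoringComponent:
    """Application-independent: reads the destination and applies a constructed
    rule set of the form characteristic -> maximum allowed value."""

    def __init__(self, rules: Dict[str, float]):
        self.rules = rules

    def analyse(self, destination: List[str]) -> List[str]:
        """Return one measure (here: terminate the application) per violating message."""
        measures = []
        for line in destination:
            msg = json.loads(line)
            limit = self.rules.get(msg["characteristic"])
            if limit is not None and msg["value"] > limit:
                measures.append(f"terminate {msg['app']}: {msg['characteristic']} "
                                f"{msg['value']:.1f}{msg['unit']} > {limit}{msg['unit']}")
        return measures
```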
In addition, it is possible within the scope of the present invention that the at least one runtime characteristic is an access pattern of the application to at least one system resource of the technical system, the method further comprising the following steps:
The access pattern may, for example, comprise a number of accesses and/or a sequence of accesses to the at least one system resource of the technical system. A system resource can be, for example, a peripheral, a bus or a bus system, a network such as Ethernet, a register or a comparable software and/or hardware resource of the technical system.
According to an example embodiment of the present invention, it may furthermore be possible for the method to further comprise the following step:
This is a good way to ensure that both the application and the monitoring component behave as expected. In this case, for example a valid response from the application may depend on a previous message from the monitoring component. The bidirectional interaction is preferably performed using the monitoring function of the application. As an example, a monitoring function and the monitoring component could implement a finite state machine that accepts a language L. Proceeding from previous messages, the monitoring function and the monitoring component could alternately generate a next message, producing the resulting word in the language L.
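The finite-state-machine interaction just described, as an added illustration that is not part of the patent text: the automaton, its alphabet and the challenge/response roles are constructed, and the word built by alternate moves of the monitoring component and the application's monitoring function is accepted only when every application reply matches the previous message.

```python
from typing import Dict, Iterable, List, Tuple

# Constructed DFA (assumption, not from the patent). The monitoring component
# sends a challenge C1 or C2; the application's monitoring function must answer
# R1 to C1 and R2 to C2. Words of the form (C1 R1 | C2 R2)* END are in L.
TRANSITIONS: Dict[Tuple[str, str], str] = {
    ("idle", "C1"): "wait1",
    ("idle", "C2"): "wait2",
    ("wait1", "R1"): "idle",
    ("wait2", "R2"): "idle",
    ("idle", "END"): "accept",
}
ACCEPTING = {"accept"}


class Automaton:
    """Shared acceptor for L; a symbol with no transition moves it to 'reject'."""

    def __init__(self) -> None:
        self.state = "idle"
        self.word: List[str] = []

    def step(self, symbol: str) -> bool:
        self.state = TRANSITIONS.get((self.state, symbol), "reject")
        self.word.append(symbol)
        return self.state != "reject"

    def accepted(self) -> bool:
        return self.state in ACCEPTING


class AppMonitoringFunction:
    """Application side: answers each challenge. `responses` is constructed so
    the same class can model a correct and a misbehaving application."""

    def __init__(self, responses: Dict[str, str]) -> None:
        self.responses = responses

    def respond(self, challenge: str) -> str:
        return self.responses.get(challenge, "?")


def run_session(app: AppMonitoringFunction, challenges: Iterable[str]) -> Tuple[bool, List[str]]:
    """Monitoring component side: alternate challenge and reply, feeding both into
    the automaton; stop at the first symbol that leaves L. Returns (accepted, word)."""
    fsm = Automaton()
    for challenge in challenges:
        if not fsm.step(challenge) or not fsm.step(app.respond(challenge)):
            break
    else:
        fsm.step("END")
    return fsm.accepted(), fsm.word
```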
Advantageously, in the context of an example embodiment of the present invention, the method may further comprise the following steps:
This advantageously makes it possible to determine whether the application is safe for use in the technical system, since monitoring is possible using the monitoring function provided. The application can be adapted on the basis of the existing monitoring function in that it is configured to generate the defined signal. In this case, an alternative suitable monitoring function can also be modified accordingly.
According to an example embodiment of the present invention, in a further possibility, the vehicle may be a software-defined vehicle and the application may be a vehicle-specific application. A software-defined vehicle (SdV) is in particular a concept that refers to vehicles in which software and digital technologies play a central role in the functioning and functions of the vehicle. In a software-defined vehicle, the software is in particular a key driver for innovation, performance improvements, and new functions. The monitoring component can, for example, be part of the vehicle or part of an external data processing device. If at least two monitoring components are provided, it is also possible, for example, for one of them to be part of the vehicle and the other to be part of the external data processing device. The external data processing device may, for example, be a server such as a cloud server.
It is thus possible for the method according to the present invention to be used in a vehicle. The vehicle may be configured for example as a motor vehicle and/or passenger vehicle and/or autonomous or at least partially autonomous vehicle. The vehicle may comprise a vehicle mechanism, for example for providing an autonomous driving function and/or a driver assistance system. The vehicle mechanism may be designed to at least partially automatically control and/or accelerate and/or brake and/or steer the vehicle.
The present invention also relates to a computer program, in particular a computer program product, comprising commands which, when the computer program is executed by a computer, cause the computer to carry out the method according to the present invention. The computer program according to the present invention thus delivers the same advantages as have been described in detail with reference to a method according to the present invention.
The present invention also relates to a device for processing data that is configured to carry out the method according to the present invention. For example, a computer which executes the computer program according to the present invention can be provided as the device. The computer can have at least one processor for executing the computer program. A non-volatile data memory can also be provided, in which the computer program is stored and from which the computer program can be read by the processor for execution.
The present invention can also relate to a computer-readable storage medium which comprises the computer program according to the present invention and/or commands which, when executed by a computer, cause the computer to carry out the method according to the present invention. The storage medium is formed, for example, as a data memory such as a hard drive and/or a non-volatile memory and/or a memory card. The storage medium can be integrated into the computer, for example.
Furthermore, the method according to the present invention can also be carried out as a computer-implemented method.
Further advantages, features and details of the present invention can be found in the following description, in which exemplary embodiments of the present invention are described in detail with reference to the figures. The features mentioned herein can be essential to the present invention, individually or in any combination.
In the context of the present invention, in particular monitoring functions 2 are used which can be added to applications 1, i.e. in particular software applications. These monitoring functions 2 can then be configured and designed by application developers, in particular third parties, to send a standardized signal, e.g. a message described in a technical specification, to a specific standardized endpoint such as a file, a socket or a port. A monitoring component 5 can then be used to collect these signals and respond to them, e.g. on the basis of a previously defined set of rules.
The monitoring functions 2 preferably determine one or more runtime characteristics 4 of the application 1, optionally pre-process them, and report the runtime characteristics 4 to a predetermined destination 3 or resource, such as a file, a socket or a RESTful API.
A monitoring component 5 preferably reads out the destination 3, in particular regularly, in order to monitor the application 1. The monitoring component 5 according to exemplary embodiments advantageously does not require any knowledge about the application 1. According to exemplary embodiments, the runtime characteristics 4 can be calculated and/or determined by the application 1 itself. The monitoring component 5 then in particular only has to read the destination 3. If the runtime characteristics 4 originate from a standard set of application monitoring features, the monitoring component 5 may also apply a predefined or dynamic set of rules, although this last step is not shown in
The monitoring function 2 can signal various events of the runtime characteristics 4, including but not limited to the following: an access, access time and/or access frequency to peripheral devices, buses such as CAN, networks such as Ethernet, CPU registers, or other operating system or CPU resources; one or more network messages, such as CAN messages, or a pattern or structure of network messages such as CAN messages, transmitted on the bus or over the network; and a specific message, a specific pattern or a specific structure of messages received or sent by the application 1.
Alternatively or additionally, the monitoring function 2 may generate the defined signal in a reverse mode if such an event does not occur. In other words, the monitoring function 2 can observe the behavior of the application 1 on the basis of one of the above or similar metrics and issue a signal if the observed behavior does not match the expected behavior.
According to a possible alternative, the monitoring functions 2 are provided in the form of a library, so that an app store or a runtime environment, e.g. in an SdV, checks whether an application 1 uses a certain set of monitoring functions 2 before allowing downloading or execution of that application 1.
According to another alternative, the monitoring functions 2 comprise probes triggered every n microseconds or at a certain periodicity.
According to a further alternative, the monitoring functions 2 write the execution times of one or more functions, comprised by the application 1, to the destination 3. In this way, the monitoring component 5 can detect deviations from the expected behavior of application 1, even if the output of application 1 is correct. For example, if a sophisticated malware were to change the control flow of the application 1, such monitoring functions 2 could detect this event even if the malware were careful not to change the output of the application 1. Conventional techniques such as comparing the output with a given threshold or checking an invariant of the output would not detect the malware.
According to a further alternative, the monitoring functions 2 observe the access of the application 1 to the system resources, e.g. memory locations or lines, and compare it with a certain, previously defined pattern. A certain monitoring function 2 then preferably writes to the destination 3 whether the previously defined pattern was observed or not. This advantageously makes it possible to determine whether selected functions of the application 1 were called up in a specific order.
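The access-pattern monitoring of this alternative (and of the access-pattern runtime characteristic introduced earlier), as an added example that is not the patent's own code: the resource names, the expected pattern and the per-resource access budget are constructed; the monitoring function reports whether the predefined order was observed, and the monitoring component signals in the reverse mode when it was not.

```python
from collections import Counter
from typing import Dict, List, Sequence


class AccessPatternMonitor:
    """Monitoring function inside the application: records every access to a
    named system resource (constructed names) and reports whether a previously
    defined pattern was observed. `strict` demands a contiguous run of the
    pattern; otherwise other accesses may be interleaved (ordered subsequence)."""

    def __init__(self, expected: Sequence[str], strict: bool = False) -> None:
        self.expected = list(expected)
        self.strict = strict
        self.trace: List[str] = []

    def record(self, resource: str) -> None:
        self.trace.append(resource)

    def pattern_observed(self) -> bool:
        n = len(self.expected)
        if self.strict:
            return any(self.trace[i:i + n] == self.expected
                       for i in range(len(self.trace) - n + 1))
        it = iter(self.trace)  # shared iterator: each expected item must come after the last
        return all(any(r == e for r in it) for e in self.expected)

    def signal(self) -> Dict:
        """The defined signal: pattern verdict plus the number of accesses per resource."""
        return {"characteristic": "access_pattern",
                "pattern_observed": self.pattern_observed(),
                "access_counts": dict(Counter(self.trace))}


def evaluate(signal: Dict, max_counts: Dict[str, int]) -> List[str]:
    """Monitoring component side: reverse mode (report when the expected pattern
    did NOT occur) plus a constructed per-resource access budget."""
    findings = []
    if not signal["pattern_observed"]:
        findings.append("expected access pattern not observed")
    for resource, count in signal["access_counts"].items():
        if count > max_counts.get(resource, count):
            findings.append(f"{resource}: {count} accesses exceed budget {max_counts[resource]}")
    return findings
```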
The present invention according to exemplary embodiments advantageously does not require any knowledge of the internal functioning of applications 1. While existing techniques monitor the application 1, the present invention according to exemplary embodiments describes a concept for semi-self-monitoring applications 1 in the sense that the monitoring logic is integrated into the applications 1, but an external, system-wide monitoring component 5 can be used to collect the data and react to these data.
The above description of the embodiments describes the present invention exclusively in the context of examples. Of course, individual features of the embodiments, provided they make technical sense, can be freely combined with one another without departing from the scope of the present invention.
Number | Date | Country | Kind |
---|---|---|---|
10 2023 212 765.2 | Dec 2023 | DE | national |