AFDX Library Update Project
This project page tracks all activity associated with protecting SNMP processing from erroneous/malicious senders of out-of-bounds length fields within the SNMP packet.
Description
After completion of Verification activities in Q2 of 2006 Airbus discovered that erroneous/malicious senders of out-of-bounds length fields within the SNMP packet could cause SNMP processing by the AFDX Library component to hang, and is therefore requiring a change. This component is used on the following programs: ADIRU_Program, IHAS_Program, and SEPDS_Program.
This update has been identified as a must fix for A-380 entry into service.
News
- 2007-03-01: Albert Mitchell added to the project team.
- 2007-02-06: Mike Horgan and Harish Jayaraj have been assigned (per the below) and have started work.
- 2007-02-01: Effort estimates, based upon the assumption that experienced resources will be assigned, are now available.
- 2007-01-31: Project Kick-off.
Tasks
Initial Budget: $39,116
YTD: $62,865
Current ETC: $14,669
Current EAC: $77,534
| Milestones | Due Date | Estimated Delivery | Delivered | Percentage Complete |
|---|---|---|---|---|
| Certification Candidate: Version 4.4.0 | 12-FEB-2007 | 12-FEB-2007 | 9-FEB-2007 | 100% |
| Verification Complete | 27-MAR-2007 | 26-APR-2007 | 26-APR-2007 | 100% |
| Analysis Complete | 27-MAR-2007 | Never* | Never* | 8% |
*This analysis was not deemed necessary to meet any DO-178B objectives. Therefore, it was not/will not be performed.
Note: Unless noted otherwise, all estimates below are in terms of effort hours.
Certification Candidate
| Task | Dependency | Assignee | Risk | Original Estimate | Current Estimate | Elapsed | Remaining |
|---|---|---|---|---|---|---|---|
| 2.1 Requirements development | Requirements Capture & Agreement | Harish | None | 4 | 3 | 3 | 0 |
| 2.2 Code development | 2.1 | Harish | None | 4 | 3 | 3 | 0 |
| 2.3 Ad-hoc Test development | 2.1 | Harish | None | 24 | 24 | 24 | 0 |
| 2.4 Certification Candidate - Release | 2.3 | Harish | None | 8 | 8 | 8 | 0 |
| Totals | | | | 40 | 38 | 38 | 0 |
Verification
| Task | Dependency | Assignee | Risk | Original Estimate | Current Estimate | Elapsed | Remaining |
|---|---|---|---|---|---|---|---|
| 3.1 Energize Review Status Files | 2.4 | Mitchell/Riedman | None | 13 | 15.5 | 15.5 | 0 |
| 3.2 Requirements review | 2.1, 3.1 | Horgan | None | 8 | 8 | 8 | 0 |
| 3.3 Test Case Development | 2.1 | Horgan | None | 8 | 12 | 12 | 0 |
| 3.4 Test Procedure Development | 2.1, 2.3 | Mitchell | None | 8 | 231 | 231 | 0 |
| 3.6 Code review | 3.2 | Horgan | None | 8 | 8 | 8 | 0 |
| 3.7 Test Case Review | 3.2, 3.3 | Mitchell | None | 8 | 40 | 40 | 0 |
| 3.8 Test Procedure Review | 3.4, 3.7 | Smith | None | 8 | 20 | 20 | 0 |
| 3.9 Software life cycle audit | 3.8 | Larson | None | 16 | 12 | 12 | 0 |
| 3.10 Requirements coverage analysis | 3.6, 3.7 | Cronk | None | 4 | 4 | 4 | 0 |
| 3.11 Conformity inspection - SQA build Witness | 3.8, 3.10 | Brunk/Cronk/Mitchell | None | 8 | 9 | 9 | 0 |
| 3.12 SCAT/ABC qualification | 3.8 | Cronk | None | 8 | 8 | 8 | 0 |
| 3.13 Integration review | 3.11, 3.12 | Cronk/Diethelm | None | 8 | 4 | 4 | 0 |
| 3.14 Run for score, including SQA witnessing, and test results review | 3.13 | Cronk/Diethelm | None | 8 | 8 | 8 | 0 |
| 3.15 Structural coverage analysis | 3.14 | Mitchell | None | 8 | 34 | 34 | 0 |
| 3.16 Verification audit | 3.15 | Kelly Leonard | None | 8 | 12 | 12 | 0 |
| 3.17 Certification documents: SAS, SLCECI, SCI | 3.15 | Cronk/Mitchell | None | 40 | 36 | 36 | 0 |
| 3.18 Population of certification archive (PCA) | 3.17 | Mitchell | None | 8 | 30.5 | 30.5 | 0 |
| 3.19 Software conformity audit | 3.18 | Kelly Leonard | None | 8 | 8 | 8 | 0 |
| Totals | | | | 185 | 500 | 500 | 0 |
Analysis
This project arose from the discovery of an incorrect assumption made in the AFDX Library requirements and code. That assumption was that an SNMP packet with a valid checksum would not contain erroneous/malicious data (such as incorrect length fields), and therefore no special checks were warranted when processing SNMP packets to protect against such errors. Since that assumption has proven incorrect, it is prudent to perform an analysis to ensure that no other assumptions of this type (i.e., ones that would lead to the cessation of AFDX processing) exist.
Therefore, this analysis will consider all external interfaces and check that no implicit trust in the correctness of the data passed through each interface exists. In other words, it will confirm that the AFDX Library properly protects itself from senders of erroneous/malicious data. Checklist items are already in place to ensure that all API data is validated before use, so for the purpose of this analysis "interface" means hardware interface. Furthermore, since received packets are not "active" (they are non-executable), hardware configuration and status registers cannot be affected, and hardware-validated header information can be trusted. In other words, only payload ("packet data") that is actually processed within the AFDX Library needs to be reviewed.
Note: This does not imply that the AFDX Library will prevent erroneous/malicious data from being passed through to applications, rather the AFDX Library will not cease operation (e.g., hang) in the face of erroneous/malicious data.
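The defect described above is a length field that is trusted before it is compared with the bytes actually received. The following is an added illustration, not code from the AFDX Library or from this project, of the check the analysis is looking for: a bounded walker over the BER tag-length-value framing that SNMP packets use, in which every length octet is range-checked before it is read and every declared length is checked against the remaining buffer, so a hostile value can neither push the cursor out of bounds nor stall the loop. The sample packets are constructed for the example (a SEQUENCE holding an INTEGER and the OCTET STRING "public"); the function and type names are the example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Result codes for the bounded BER walker (example code, not the library's API). */
typedef enum {
    BER_OK = 0,
    BER_ERR_TRUNCATED,    /* header or body extends past the received bytes */
    BER_ERR_INDEFINITE,   /* 0x80 indefinite-length form; SNMP requires definite lengths */
    BER_ERR_LENGTH_FORM,  /* more than 4 length octets (includes the reserved 0xFF) */
    BER_ERR_OVERSIZED     /* declared length exceeds what remains in the buffer */
} ber_status_t;

/* One decoded tag-length-value header. */
typedef struct {
    uint8_t  tag;
    uint32_t length;      /* declared content length, already bounds-checked */
    size_t   header_len;  /* bytes consumed by the tag and length octets */
} ber_tlv_t;

/* Decode one TLV header from buf[0..avail). Each length octet is checked
 * against `avail` before it is read, and the resulting length is checked
 * against the bytes left after the header, so the caller can advance by
 * header_len + length without ever leaving the buffer. */
ber_status_t ber_read_header(const uint8_t *buf, size_t avail, ber_tlv_t *out)
{
    if (avail < 2) return BER_ERR_TRUNCATED;   /* need a tag and one length octet */
    out->tag = buf[0];
    size_t pos = 1;
    uint8_t first = buf[pos++];
    uint32_t len;
    if (first < 0x80) {
        len = first;                           /* short form: one octet */
    } else {
        uint8_t n = first & 0x7F;              /* long form: n octets follow */
        if (n == 0) return BER_ERR_INDEFINITE;
        if (n > 4) return BER_ERR_LENGTH_FORM; /* 0xFF gives n == 127 and lands here */
        if (avail - pos < n) return BER_ERR_TRUNCATED;
        len = 0;
        for (uint8_t i = 0; i < n; i++) len = (len << 8) | buf[pos++];
    }
    if (len > avail - pos) return BER_ERR_OVERSIZED;
    out->length = len;
    out->header_len = pos;
    return BER_OK;
}

/* Walk a run of sibling TLVs. Returns the number of well-formed elements,
 * or the negated ber_status_t of the first defect. Every iteration consumes
 * at least two bytes, so the loop ends after at most avail/2 rounds no
 * matter what the length fields say. */
int ber_count_elements(const uint8_t *buf, size_t avail)
{
    int count = 0;
    size_t pos = 0;
    while (pos < avail) {
        ber_tlv_t tlv;
        ber_status_t st = ber_read_header(buf + pos, avail - pos, &tlv);
        if (st != BER_OK) return -(int)st;
        pos += tlv.header_len + tlv.length;
        count++;
    }
    return count;
}

/* Constructed sample packets (not captured traffic). */
static const uint8_t SAMPLE_GOOD[] =       /* SEQUENCE { INTEGER 0, OCTET STRING "public" } */
    {0x30, 0x0B, 0x02, 0x01, 0x00, 0x04, 0x06, 'p', 'u', 'b', 'l', 'i', 'c'};
static const uint8_t SAMPLE_OVERSIZED[] =  /* same bytes, SEQUENCE claims 12 but only 11 follow */
    {0x30, 0x0C, 0x02, 0x01, 0x00, 0x04, 0x06, 'p', 'u', 'b', 'l', 'i', 'c'};
static const uint8_t SAMPLE_INDEFINITE[] = /* 0x80 indefinite-length form */
    {0x30, 0x80, 0x02, 0x01, 0x00, 0x00, 0x00};
static const uint8_t SAMPLE_TRUNCATED[] =  /* promises 4 length octets, delivers 2 */
    {0x30, 0x84, 0x00, 0x00};

int main(void)
{
    printf("good packet:        %d\n", ber_count_elements(SAMPLE_GOOD, sizeof SAMPLE_GOOD));
    printf("good inner members: %d\n", ber_count_elements(SAMPLE_GOOD + 2, sizeof SAMPLE_GOOD - 2));
    printf("oversized length:   %d\n", ber_count_elements(SAMPLE_OVERSIZED, sizeof SAMPLE_OVERSIZED));
    printf("indefinite length:  %d\n", ber_count_elements(SAMPLE_INDEFINITE, sizeof SAMPLE_INDEFINITE));
    printf("truncated header:   %d\n", ber_count_elements(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED));
    return 0;
}
```

The design point is that the check happens on the declared value, not on whatever was decoded from it: a length is compared with `avail - pos` the moment it is known, and the walker's progress bound (at least two bytes per element) is what rules out the hang, independent of the packet's checksum being valid.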
| Task | Dependency | Assignee | Risk | Original Estimate | Current Estimate | Elapsed | Remaining |
|---|---|---|---|---|---|---|---|
| 4.1 Analyze Implementation (per the above) | 2.2 | Larson | | 80 | 80 | 8 | 72 |
| 4.2 Document Discoveries | 4.1 | Larson | | 16 | 16 | 0 | 16 |
| Totals | | | | 96 | 96 | 8 | 88 |
Risks
None currently.