Prof. Phil Koopman, Carnegie Mellon University
This is a unified listing my lecture materials on a variety of topics from my Carnege Mellon University courses, keynote lectures, and other talks I've given. Please see the copyright notice at the end of this page before e-mailing about use.
Also see my other content distribution sites:
Code quality, safety, security. (Last update Fall 2021.)
Alternate sources:
Archive.org
18642
Embedded software quality, safety, security
| Slides | YouTube Video Full Lecture |
YouTube Play List (To access single slides) |
Topics | |
| 1 | Course Overview | Embedded Software Code Quality, Safety, Security (44 min) |
Embedded
Software Code Quality, Safety, Security (44 min) |
Challenges of embedded code; it only takes one line of bad
code; problems with large scale production; your products live or die by their
software; considering the worst case; designing for safety; security matters;
industrial controls as targets; designing for security; testing isn't
enough Fiat Chrysler jeep hack; Ford Mytouch update; Toyota UA code quality; Heartbleed; Nest thermostats; Honda UA recall; Samsung keyboard bug; hospital infusion pumps; LIFX smart lightbulbs; German steel mill hack; Ukraine power hack; SCADA attack data; Shodan; traffic light control vulnerability; hydroelectric plant vulnerability; zero-day shopping list |
| 2 | Course administration | No video | ||
| 3 | Software Development Processes | SW Process (49 min) |
SW
Process (49 min) |
Waterfall; swiss cheese model; lessons learned in software; V model; design vs. code; agile methods; agile for embedded |
| 4 | Code Style for Humans | Code Style for
Humans (15 min) |
Code
Style for Humans (15 min) |
Making code easy to read; good code hygiene; avoiding premature optimization; coding style |
| 5 | Code Style for Compilers | Code Style for
Compilers (21 min) |
Code
Style for Compilers (21 min) |
Pitfalls and problems with C; language use guidelines and analysis tools; using language wisely (strong typing); Mars Climate Orbiter; deviations & legacy code |
| 6 | Peer Reviews | Peer Reviews (33 min) |
Peer
Reviews (33 min) |
Effective code quality practices, peer review efficiency and effectiveness; Fagan inspections; rules for peer review; review report; perspective-based reviews; review checklist; case study; economics of peer review. Peer Review Checklist |
| 7 | Requirements | Requirements (24 min) |
Requirements (24 min) |
Ariane 5 flight 501; rules for good requirements; problematic requirements; extra-functional requirements; requirements approaches; ambiguity |
| 8 | Global Variables | Globals (13 min) |
Globals (13 min) |
Global vs. static variables; avoiding and removing globals |
| 9 | Spaghetti Code | Spaghetti Code (18 min) |
Spaghetti
Code (18 min) |
McCabe Cyclomatic Complexity (MCC); SCC; Spaghetti Factor (SF) |
| 10 | Toyota UA Case Study | Toyota UA (60 min) |
Toyota UA (60 min) |
Case study of Toyota UA |
| 11 | Stack Overflow | Stack
Overflow (8 min) |
Stack
Overflow (8 min) |
Stack overflow mechanics; memory corruption; stack sentinels; static analysis; memory protection; avoid recursion |
| 12 | SW Architecture & HLD | Software Architecture
and HLD (15 min) |
Software
Architecture and HLD (15 min) |
High Level Design (HLD); boxes and arrows; sequence diagrams (SD); statechart to SD relationship; 2011 Health Plan chart |
| 13 | Statecharts | Statecharts (19 min) |
Statecharts (19 min) |
Statechart elements; statechart example; statechart implementation |
| 14 | Traceability | Traceability (11 min) |
Traceability (11 min) |
Traceability across the V; examples; best practices |
| 15 | Software Testing Overview | Testing
Overview (20 min) |
Software
Testing Overview (20 min) |
Smoke testing, exploratory testing; methodical test coverage; types of testing; testing philosophy; coverage; testing resources |
| 16 | Unit Testing | Unit Testing (18 min) |
Unit
Testing (18 min) |
Black box testing; white box testing; unit testing strategies; MCDC coverage; unit testing frameworks (cunit) |
| 17 | Integration Testing | Integration Testing
(15 min) |
Integration
Testing (11 min) |
Integration test approaches; tracing integration tests to SDs; network message testing; using SDs to generate unit tests |
| 18 | System-Level Test | System Level
Test (18 min) |
System
Level Test (18 min) |
First bug story; effective test plans; testing won't find all bugs; F-22 Raptor date line bug; bug farms; risks of bad software |
| 19 | Concurrency & Race Conditions | Concurrency & Race
Conditions (21 min) |
Concurrency
& Race Conditions (21 min) |
Therac 25; race condition example; disabling interrupts; mutex; blocking time; priority inversion; priority inheritance; Mars Pathfinder |
| 20 | SQA isn't testing | SQA Isn't
Testing (13 min) |
SQA
Isn't Testing (13 min) |
SQA elements; audits; SQA as coaching staff; cost of defect fixes over project cycle |
| 21 | Lifecycle CM | Lifecycle CM (19 min) |
Lifecycle
CM (19 min) |
A400M crash; version control; configuration management; long lifecycles |
| 22 | Maintenance | Software
Maintenance (15 min) |
Maintenance (15 min) |
Bug fix cycle; bug prioritization; maintenance as a large cost driver; technical debt |
| 23 | Key Metrics | Key Metrics (13 min) |
Key
Metrics (13 min) |
Tester to developer ratio; code productivity; peer review effectiveness |
| 24 | Date/Time | Date Time (26 min) |
Date/Time (26 min) |
Keeping time; time terminology; clock synchronization; time zones; DST; local time; sunrise/sunset; mobility and time; date line; GMT/UTC; leap years; leap seconds; time rollovers; Zune leap year bug; internationalization. |
| 25 | Floating Point Pitfalls | Floating Point
Pitfalls (17 min) |
Floating
Point Pitfalls (17 min) |
Floating point formats; special values; NaN and robots; roundoff errors; Patriot Missile mishap |
| 26 | Safety Overview | Software Safety
Overview (16 min) |
Software
Safety Overview (16 min) |
Defense in depth; safety principles; safety culture; Challenger mishap; Therac 25 |
| 27 | Dependability | Dependability (19 min) |
Dependability
(20 min) |
Dependability; availability; Windows 2000 server crash; reliability; serial and parallel reliability; example reliability calculation; other aspects of dependability |
| 28 | Critical Systems | Critical
Systems (21 min) |
Critical
Systems (21 min) |
Safety critical vs. mission critical; worst case and safety; HVAC malfunction hazard; Safety Integrity Levels (SIL); Bhopal; IEC 61508; fleet exposure |
| 29 | Safety Plan | Safety Plan (26 min) |
Safety
Plan (26 min) |
Safety plan elements; functional safety approaches; hazards & risks; safety goals & safety requirements; FMEA; FTA; safety case (GSN) |
| 30 | Single Points of Failure | Single Points of
Failure (17 min) |
Single
Points of Failure (17 min) |
Fault containment regions (FCR); Toyota UA single point failure; multi-channel pattern; monitor pattern; safety gate pattern; correlated & accumulated faults |
| 31 | Safety Requirements | Safety
Requirements (17 min) |
Safety
Requirements (17 min) |
Identifying safety-related requirements; safety envelope; Doer/Checker pattern |
| 32 | Critical System Isolation | Critical System
Isolation (17 min) |
Critical
System Isolation (17 min) |
Isolating different SILs, mixed-SIL interference sources; mitigating cross-SIL interference; isolation and security; CarShark hack |
| 33 | Redundancy Management | Redundancy
Management (20 min) |
Redundancy
Management (20 min) |
Bellingham WA gasoline pipeline mishap; redundancy for availability; redundancy for fault detection; Ariane 5 Flight 501; fail operational; triplex modular redundancy (TMR) 2-of-3 pattern; dual 2-of-2 pattern; high-SIL Doer/Checker pattern; diagnostic effectiveness and proof tests |
| 34 | Safety Architecture Patterns | Safety Architecture
Patterns (42 min) |
Safety
Architecture Patterns (42 min) |
Supplemental lecture with more detail on patterns: low SIL; self-diagnosis; partitioning; fail operational; voting; fail silent; dual 2-of-2; Ariane 5 Flight 501; fail silent patterns (low, high, mixed SIL); high availability mixed SIL pattern |
| 35 | Data Integrity | Data Integrity (29 min) |
Data
Integrity (29 min) |
Sources of faults; soft errors; Hamming distance; parity; mirroring; SECDED; checksum; CRC |
| 36 | Cryptography | Cryptography (33 min) |
Cryptography
(33 min) |
Confusion & diffusion; Caesar cipher; frequency analysis; Enigma; Lorenz & Colossus; DES; AES; public key cryptography; secure hashing; digital signatures; certificates; PKI; encrypting vs. signing for firmware update |
| 37 | Security Plans | Security Plan (29 min) |
Security
Plan (29 min) |
Security plan elements; Target Attack; security requirements; threats; vulnerabilities; mitigation; validation |
| 38 | Security Threats | Security
Threats (24 min) |
Security
Threats (24 min) |
Stuxnet; attack motivation; attacker threat levels; DirectTV piracy; operational environment; porous firewalls; Davis Besse incident; BlueSniper rifle; integrity; authentication; secrecy; privacy; LG Smart TV privacy; DoS/DDos; feature activation; St. Jude pacemaker recall |
| 39 | Security Vulnerabilities | Security
Vulnerabilities (29 min) |
Security
Vulnerabilities (29 min) |
Exploit vs. attack; Kettle spambot; weak passwords; master passwords; crypto key length; Mirai botnet attack; crypto mistakes; LIFX revisited; CarShark revisited; chip peels; hidden functionality; counterfeit systems; cloud connected devices; embedded-specific attacks |
| 40 | Security Mitigation Validation | Security Mitigation
Validation (34 min) |
Security
Mitigation Validation (34 min) |
Password strength; storing passwords & salt/pepper/key stretching; Adobe password hack; least privilege; Jeep firewall hack; secure update; secure boot; encryption vs. signing revisited; penetration testing; code analysis; other security approaches; rubber hose attack |
| 41 | Security Pitfalls | Security
Pitfalls (24 min) |
Security
Pitfalls (24 min) |
Konami code; security via obscurity; hotel lock USB hack; Kerckhoff's principle; hospital WPA setup hack; DECSS; Lodz tram attack; proper use of cryptography; zero day exploits; security snake oil; realities of in-system firewalls; aircraft infotainment and firewalls; zombie road sign hack |
| Slides | YouTube Video Full Lecture |
YouTube Play List (To access single slides) |
Topics | |
| 100 | Look Who's Driving | AV:
Look Who's
Driving (54 min) (PBS Nova) |
PBS Nova episode featuring experts on autonomous vehicle development: how AVs work; how close are we to large-scale deployment; will we ever be able to trust AI with our lives? (Released: Oct 23, 2019) | |
| 101 | AV: Software Safety for Vehicle Automation -- Intro | AV: Software Safety for
Vehicle Automation -- Intro (10 min) |
AV:
Software Safety for Vehicle Automation -- Intro (10 min) |
Automated Driving System needs; AVs sold on safety; sensors to control; machien learning; race to autonomy; integration and validation issues; true winner must be safe; overall challenges |
| 102 | AV: Validating Machine Learning-Based Systems | AV: Validating Machine
Learning-Based Systems (30 min) |
AV:
Validating Machine Learning-Based Systems (30 min) |
Human driver test comparison; machine learning challenges; machine learning meets the Vee model; public road testing; brute force testing; closed course testing; simulation; scenarios; simulation components; simulation validity; passing a test |
| 103 | AV: SOTIF and Edge Cases | AV: SOTIF and Edge
Cases (31 min) |
AV:
SOTIF and Edge Cases (31 min) |
SOTIF concept; six sigma isn't enough; it's all about the edge cases; why edge cases matter; heavy tail distribution; driver assistance vs. automation; unusual situations; mistaken stop sign; human intuition isn't enough |
| 104 | AV: Implications of Removing the Human Driver | AV: Implications of
Removing the Human Driver (32 min) |
AV:
Implications of Removing the Human Driver (32 min) |
Examples of blaming drivers; can humans supervise autonomy; 94% human error narrative; humans mitigate faults; automotive software defect trends; example software defects; ADS fault handling; controllability without a humand driver; no human to blame; vehicle automation modes; human interactions; lifecycle issues |
| 105 | AV: Safety Architectures | AV: Safety
Architectures (28 min) |
AV:
Safety Architectures (28 min) |
Safety envelopes; doer/checker; shuttle incidents; physics-based rule checking; uncertainty in world model; validating an AV pipeline; importance of behavior prediction; fail silent to fail operational; example architecture; redundancy & decomposition; move to centralized architecture |
| 106 | AV: How Safe Is Safe Enough? | AV: How Safe Is Safe
Enough? (21 min) |
AV:
How Safe Is Safe Enough? (21 min) |
AV trust issues; is a supervised "autopilot" actually safer; safety expectations; regulatory strategy; how safe is safe enough; which driver are we better than; ODD affects safe enough value; approaches to measuring safe; standards-based approach |
| 107 | AV: Building Trust | AV: Building
Trust (14 min) |
AV:
Building Trust (14 min) |
Stakeholder trust; hypothetical validation campaign; how much do you trust validation; engineering rigor; field engineering feedback; safety culture; positive trust balance |
| 108 | AV: Getting to Deployed + Safe | AV: Getting to Deployed
+ Safe (14 min) |
AV:
Getting to Deployed + Safe (14 min) |
System engineering; computer-based system safety engineering; staffing profile; technical safety challenges; organizational safety challenges. |
| 109 | AV: UL 4600 | AV: UL 4600 (23 min) |
AV: UL 4600 (23 min) |
ANSI/UL 4600 summary |
| 120 | AV: Overview of Automated Vehicle Terminology and J3016 Levels | AV: Overview of Automated Vehicle Terminology and J3016 Levels | AV: Overview of Automated Vehicle Terminology and J3016 Levels | J3016 terminology, SAE J3016 Levels, Vehicle Automation Modes, Myths |
Supplemental materials:
NOTES:
Live course site http://www.ece.cmu.edu/~ece642/ might have some more recent lectures. Please see the permissive copyright notice
Microcontroller hardware, software, I/O, coding techniques, with coverage of 9S12 microcontroller. (Last taught Spring 2016.)
Software process, distributed systems, embedded networks, critical systems. (Last taught Fall 2015.)
Additional reading list. (Note that "local" links are probably non-functional.)
Memory hiearchy from cache out to virtual memory. (Last taught Fall 1998.)
Copyright notice: These materials are copyrighted by Philip Koopman in the year indicated on the materials. Downloading and viewing materials for personal use is acceptable with no further permission. Use in academic settings, informal lunch-and-learn study groups, and so on is acceptable with no further permission provided attribution is made to me as author of the material. For-profit training use (i.e., someone is getting paid specifically to deliver the training, which is a higher bar than a volunteer presenting a lunch-and-learn informally at a company) requires permission and a fee, except for small snippets (e.g., no more than one slide from a lecture) that fall under Fair Use copyright doctrine. Posting on public web sites, including slide sharing services, video services, and course note sites is strictly prohibited unless I, the author, personally do the upload myself. Linking to material I post, including embedded display of a link to my material, is acceptable and does not require permission. These are historical lecture slides and might not represent my current opinions on various topics due to newly available research and experience. Due to lack of time and resources I do not attempt to keep the technical content of historical lectures up to date, but pointing out any substantive errors for future correction on a time-available basis is appreciated.
Some files may have less restrictive copyright permissions either noted on the materials themselves or in metadata in my accounts (e.g., on archive.org). So long as materials are accessed via my personal account (e.g., https://archive.org/details/@pkoopman) those less restrictive copyright permissions prevail on files accessed from those sources.
If you plan to make substantive use of this material in your teaching I'd be happy to hear about it, but non-profit teaching, including use in university courses, use does not require additional permission. In general I don't have time to respond to queries already handled by this copyright notice. This information is provided as-is, and proper use, safety, and other outcomes despite any potential errors or omissions are entirely your responsibility. For other queries please contact: koopman@cmu.edu