Minutes 15 May 2025
Host: Paul Albertella
Participants: Victor Lu, Igor Stoppa, Florian Wuehr, Daniel Krippner
Agenda
Achieving some level of confidence, certainty, trust in something requires that we have a way to measure things, and identify what is important.
Igor: Are there some examples of this that we can draw from the safety standards - some specific ways of measuring things, or ‘margins of error’?
Paul: The SIL and ASIL ratings are an abstraction of this, but they express the risk to the user / innocent bystander of the “thing that needs to be safe”.
Igor: Could we have a generic measure of confidence? This might make it easier to compare different risks - the relative risks of two dissimilar options. Particularly if this was something that you could use in combination.
Paul: Could you use something like fault tree analysis, where you have a logical expression of what can lead to a dangerous outcome, and what measure / mechanism exists to prevent it - or that also needs to fail in order for the dangerous outcome to occur?
Igor: In order to talk about faults or failure modes, you first need to understand the system
Victor: Similar problems exist in security, but e.g. OpenSSF defines a security baseline - a set of risks that you must consider as a starting point.
Igor: Difficult to advise about solutions, but we can at least define the problems that need to be considered. The memory model is one of the key distinguishing features of Linux, so it seemed to be an important starting point.
Victor: Some input on this https://memorysafety.openssf.org/memory-safety-continuum/
Igor: Some hardware ‘answers’ to this such as CHERI, and others by Arm - but these are expensive.
Idea of a digital twin: a simulation that is an accurate representation of e.g. a deployed vehicle model, which you can use to verify its behaviour in rare scenarios. At a simplistic level: know what goes into your car, or other product. This is OK with hardware, but with software - especially software that is updated over the air - the problem becomes bigger.
Igor: Intent with analysis of problems is to be exhaustive - otherwise your solution may be defeated by a deeper aspect of the problem space.
Paul: Could we write this up as a basic set of principles?
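The fault tree idea raised in the discussion (a dangerous outcome expressed as a logical combination of a hazard and the failure of whatever mechanism is meant to prevent it) can be made concrete in a few lines. The example below is added here as an illustration and is not code from these minutes, from ELISA, or from any safety standard; the tree, the event names (sensor_fault, sw_fault, detect_fail, brake_fail) and the probabilities are all constructed for the example. It derives the minimal cut sets (the smallest sets of basic events that together cause the top event), flags any single point of failure (a cut set of size one, i.e. no mitigation that also has to fail), and compares the exact top-event probability with the usual rare-event upper bound.

```python
"""Small fault-tree analysis: minimal cut sets, single points of failure,
and top-event probability.

Constructed example tree (illustration only, not from the minutes):
  TOP "dangerous outcome" = AND(hazard, mitigation_fails)
  hazard           = OR(sensor_fault, sw_fault)
  mitigation_fails = OR(detect_fail, brake_fail)
A node is a basic-event name (str) or a tuple (gate, child, child, ...)
with gate in {"AND", "OR"}.
"""
import math
from itertools import product

# Constructed example: hazard AND failure of the mitigation that should stop it.
TREE = ("AND",
        ("OR", "sensor_fault", "sw_fault"),
        ("OR", "detect_fail", "brake_fail"))

# Constructed per-demand failure probabilities for the basic events (assumed).
P = {"sensor_fault": 1e-3, "sw_fault": 1e-2, "detect_fail": 1e-2, "brake_fail": 1e-3}


def basic_events(node):
    """Set of basic-event names appearing anywhere under `node`."""
    if isinstance(node, str):
        return {node}
    return set().union(*(basic_events(c) for c in node[1:]))


def evaluate(node, state):
    """Structure function: does the top event occur for this failure state?
    `state` maps each basic event to True (failed) or False (working)."""
    if isinstance(node, str):
        return state[node]
    gate, *children = node
    results = [evaluate(c, state) for c in children]
    return all(results) if gate == "AND" else any(results)


def _minimize(sets):
    """Drop any cut set that strictly contains another (keep minimal ones)."""
    return {s for s in sets if not any(o < s for o in sets)}


def cut_sets(node):
    """Minimal cut sets: OR unions the children's sets, AND combines them."""
    if isinstance(node, str):
        return {frozenset([node])}
    gate, *children = node
    child_sets = [cut_sets(c) for c in children]
    if gate == "OR":
        sets = set().union(*child_sets)
    else:
        sets = {frozenset().union(*combo) for combo in product(*child_sets)}
    return _minimize(sets)


def single_points_of_failure(node):
    """Basic events that alone cause the top event (cut sets of size one)."""
    return sorted(next(iter(cs)) for cs in cut_sets(node) if len(cs) == 1)


def top_probability(node, p):
    """Exact top-event probability, assuming independent basic events,
    by enumerating every failure state (2**n, fine for small trees)."""
    events = sorted(basic_events(node))
    total = 0.0
    for bits in product([False, True], repeat=len(events)):
        state = dict(zip(events, bits))
        if evaluate(node, state):
            total += math.prod(p[e] if failed else 1 - p[e]
                               for e, failed in state.items())
    return total


def rare_event_bound(node, p):
    """Upper bound used in practice: sum over minimal cut sets of the
    product of their event probabilities (exact only if cut sets are disjoint)."""
    return sum(math.prod(p[e] for e in cs) for cs in cut_sets(node))


if __name__ == "__main__":
    for cs in sorted(cut_sets(TREE), key=sorted):
        print("cut set:", sorted(cs))
    print("single points of failure:", single_points_of_failure(TREE))
    print("exact P(top) = %.6e" % top_probability(TREE, P))
    print("rare-event bound = %.6e" % rare_event_bound(TREE, P))
    # Same hazards with no mitigation branch: every hazard is now a single point of failure.
    print("without mitigation:", single_points_of_failure(("OR", "sensor_fault", "sw_fault")))
```

The two probability functions make the "margin of error" point from the discussion visible: the rare-event bound is what most tools report, and it is only an upper bound, so a quoted figure should say which of the two it is. The single-point-of-failure check is the direct encoding of "what also needs to fail": an OR-only tree, i.e. a hazard with no independent mechanism that must fail as well, shows every hazard as a cut set of size one.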