From: address_is on 9 Jun 2010 19:35

Paul Keinanen <keinanen(a)sci.fi> wrote:
> On Wed, 09 Jun 2010 19:21:49 GMT, <address_is(a)invalid.invalid> wrote:
>
>> Mark Brehob <brehob(a)gmail.com> wrote:
>>> Hello all,
>>> I've been teaching embedded systems for quite a few years now and
>>> we
>>
>> Snip..... 8<
>>
>> Nobody seems to have mentioned watchdogs...
>>
>> Glyn
>
> Apart from high radiation environments, who needs watchdogs ?

You assume they are only there to protect from the elements. There are more external cases (and the odd bug that can slip through) which can throw a spanner in the works. Expect the unexpected, and you are less likely to be caught short.

Glyn
From: John Devereux on 10 Jun 2010 10:10

D Yuniskis <not.going.to.be(a)seen.com> writes:
> Hi John,
>
> John Devereux wrote:
>> Paul Keinanen <keinanen(a)sci.fi> writes:
>>
>>> On Wed, 09 Jun 2010 19:21:49 GMT, <address_is(a)invalid.invalid> wrote:
>>>
>>>> Nobody seems to have mentioned watchdogs...
>>>>
>>> Apart from high radiation environments, who needs watchdogs ?
>>
>> Agreed.
>>
>> Starting out, a long time ago before I learned how to do EMC, I used
>> watchdogs all the time. In desperation I even had one system with a
>> free-running 555 connected to the reset pin. They still crashed
>> occasionally, or worse!
>>
>> Now I know how to protect against ESD and line transients, I don't bother
>> with watchdogs anymore. And they don't crash.
>
> As with most things, this depends entirely on the application
> environment.
>
> When designing *gaming* systems, you have to contend with
> malicious users deliberately *trying* to subvert your
> system.
>
> It is almost impossible to protect a *running* system from
> these kinds of threats.
>
> I have found the opposite tactic to be more effective:
> *cause* the system to deliberately reset when attacked
> (not so the code will safely restart but, rather, so
> the attacker will forfeit any "winnings" he has accrued).
>
> Amazing how quickly they stop using this means of subversion.
>
> :>

Hi Don,

Perhaps there are special circumstances, like when lives or -- (gasp) -- actual *money* is at stake :)

I suppose my point is basically, don't use a watchdog to cover up an inadequate hardware design. It will still be flaky.

-- 
John Devereux
From: D Yuniskis on 10 Jun 2010 11:04

Hi John,

John Devereux wrote:
> D Yuniskis <not.going.to.be(a)seen.com> writes:
>
>> John Devereux wrote:
>>> Paul Keinanen <keinanen(a)sci.fi> writes:
>>>
>>>> On Wed, 09 Jun 2010 19:21:49 GMT, <address_is(a)invalid.invalid> wrote:
>>>>
>>>>> Nobody seems to have mentioned watchdogs...
>>>>>
>>>> Apart from high radiation environments, who needs watchdogs ?
>>> Agreed.
>>>
>>> Starting out, a long time ago before I learned how to do EMC, I used
>>> watchdogs all the time. In desperation I even had one system with a
>>> free-running 555 connected to the reset pin. They still crashed
>>> occasionally, or worse!
>>>
>>> Now I know how to protect against ESD and line transients, I don't bother
>>> with watchdogs anymore. And they don't crash.
>> As with most things, this depends entirely on the application
>> environment.
>>
>> When designing *gaming* systems, you have to contend with
>> malicious users deliberately *trying* to subvert your
>> system.
>>
>> It is almost impossible to protect a *running* system from
>> these kinds of threats.
>>
>> I have found the opposite tactic to be more effective:
>> *cause* the system to deliberately reset when attacked
>> (not so the code will safely restart but, rather, so
>> the attacker will forfeit any "winnings" he has accrued).
>>
>> Amazing how quickly they stop using this means of subversion.
>>
>> :>
>
> Hi Don,
>
> Perhaps there are special circumstances, like when lives or -- (gasp) --
> actual *money* is at stake :)

<grin> IME, money trumps lives :-(

> I suppose my point is basically, don't use a watchdog to cover up an
> inadequate hardware design. It will still be flaky.

Agreed. Though I would say "inadequate hardware *or* software design". I.e., it is equally likely that the watchdog catches some condition that was improperly tested in the software (e.g., attempting to resolve a NULL pointer).
From: Paul Keinanen on 10 Jun 2010 16:07

On Thu, 10 Jun 2010 15:10:14 +0100, John Devereux <john(a)devereux.me.uk> wrote:

>D Yuniskis <not.going.to.be(a)seen.com> writes:
>
>> Hi John,
>>
>> John Devereux wrote:
>>> Paul Keinanen <keinanen(a)sci.fi> writes:
>>>
>>>> On Wed, 09 Jun 2010 19:21:49 GMT, <address_is(a)invalid.invalid> wrote:
>>>>
>>>>> Nobody seems to have mentioned watchdogs...
>>>>>
>>>> Apart from high radiation environments, who needs watchdogs ?
>>>
>>> Agreed.
>>>
>>> Starting out, a long time ago before I learned how to do EMC, I used
>>> watchdogs all the time. In desperation I even had one system with a
>>> free-running 555 connected to the reset pin. They still crashed
>>> occasionally, or worse!
>>>
>>> Now I know how to protect against ESD and line transients, I don't bother
>>> with watchdogs anymore. And they don't crash.
>>
>> As with most things, this depends entirely on the application
>> environment.
>>
>> When designing *gaming* systems, you have to contend with
>> malicious users deliberately *trying* to subvert your
>> system.
>>
>> It is almost impossible to protect a *running* system from
>> these kinds of threats.
>>
>> I have found the opposite tactic to be more effective:
>> *cause* the system to deliberately reset when attacked
>> (not so the code will safely restart but, rather, so
>> the attacker will forfeit any "winnings" he has accrued).
>>
>> Amazing how quickly they stop using this means of subversion.
>>
>> :>
>
>Hi Don,
>
>Perhaps there are special circumstances, like when lives or -- (gasp) --
>actual *money* is at stake :)

In such situations, double or triple redundant systems are typically used, which allows much more sanity cross checks than a simple watchdog.

>I suppose my point is basically, don't use a watchdog to cover up an
>inadequate hardware design. It will still be flaky.
From: D Yuniskis on 10 Jun 2010 16:45

Hi Paul,

Paul Keinanen wrote:

[attributions elided]

>>>> Now I know how to protect against ESD and line transients, I don't bother
>>>> with watchdogs anymore. And they don't crash.
>>> As with most things, this depends entirely on the application
>>> environment.
>>>
>>> When designing *gaming* systems, you have to contend with
>>> malicious users deliberately *trying* to subvert your
>>> system.
>>>
>>> It is almost impossible to protect a *running* system from
>>> these kinds of threats.
>>>
>>> I have found the opposite tactic to be more effective:
>>> *cause* the system to deliberately reset when attacked
>>> (not so the code will safely restart but, rather, so
>>> the attacker will forfeit any "winnings" he has accrued).
>>>
>>> Amazing how quickly they stop using this means of subversion.
>>
>> Perhaps there are special circumstances, like when lives or -- (gasp) --
>> actual *money* is at stake :)
>
> In such situations, double or triple redundant systems are typically
> used, which allows much more sanity cross checks than a simple
> watchdog.

For "safety", yes. But, the types of threats faced when money is involved are very different.

In safety/health related systems, you don't usually have someone *deliberately* trying to subvert your system, its safeguards, etc. In the safety arena, if you can demonstrate due diligence, you're usually "off the hook". I.e., if a guy comes in with a carbide tipped chainsaw and cuts his way through the interlocked safety shields (so that the interlocks *don't* see this as a breach) and then manages to get his hand mangled by the now unprotected mechanism, he probably *won't* win a liability lawsuit against you.

OTOH, if a guy sticks a spark coil up *inside* your coin dispensing mechanism and manages to completely foul the control logic so that it dispenses coins continuously, you probably are NOT going to have much recourse unless you can catch him in the act.

(ever notice how many closed circuit cameras and "plain clothes" folks there are in gaming establishments? And that doesn't count the "detectors" that you *don't* see!)

Redundancy only works if those redundant systems aren't vulnerable to the "attack". :-/ This is why gaming establishments require things to be done in teams, use lots of surveillance, "standards", etc. (and they still get "beat" for a healthy sum despite their precautions... thieves are more creative than idiots :> )

>> I suppose my point is basically, don't use a watchdog to cover up an
>> inadequate hardware design. It will still be flaky.
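Two points in this thread are worth seeing in code: John's and Don's warning that a watchdog kicked unconditionally just papers over a hung task or a wild NULL-pointer dereference, and Don's tactic of forcing a reset on attack so the attacker forfeits his accrued winnings. The block below is an added example written for this page, not code from any of the posters. It models a software supervisor that only kicks the hardware watchdog when every task has checked in during the window, withholds the kick (and lets the hardware watchdog expire) when one task goes silent, and on a latched tamper event wipes the volatile credit counter and resets deliberately. The task names, `hw_watchdog_kick()` and `hw_system_reset()` are hypothetical stand-ins for MCU-specific register writes, and the hardware watchdog itself is simulated by a down-counter so the code runs on a desktop.

```c
/* Added example, not from the thread. Hypothetical task names and
 * hardware stand-ins; the hardware watchdog is modelled in software. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

enum { TASK_COIN_IN = 0, TASK_PAYOUT, TASK_DISPLAY, TASK_COUNT };

#define ALL_TASKS_MASK   ((1u << TASK_COUNT) - 1u)
#define WINDOW_TICKS     10u   /* every task must check in once per window */
#define HW_TIMEOUT_TICKS 15u   /* hardware watchdog period; must exceed WINDOW_TICKS */

typedef enum { SUP_WAIT, SUP_KICKED, SUP_STALL_RESET, SUP_TAMPER_RESET } sup_event_t;

typedef struct {
    uint32_t alive_mask;   /* one bit per task, set on check-in, cleared each window */
    uint32_t window_tick;  /* ticks since the current window opened */
    uint32_t hw_counter;   /* simulated hardware watchdog down-counter */
    bool     tamper;       /* latched by the tamper-sensor ISR */
    uint32_t credits;      /* volatile winnings; deliberately not persisted */
    uint32_t resets;       /* resets issued, kept across "resets" for observation */
} supervisor_t;

static supervisor_t sup;

/* Stand-ins for MCU register writes (hypothetical). */
static void hw_watchdog_kick(void) { sup.hw_counter = HW_TIMEOUT_TICKS; }
static void hw_system_reset(void)
{
    sup.resets++;
    /* A real reset clears RAM and restarts; model the parts that matter here. */
    sup.alive_mask  = 0;
    sup.window_tick = 0;
    sup.hw_counter  = HW_TIMEOUT_TICKS;
    sup.tamper      = false;
}

void supervisor_init(void)
{
    sup = (supervisor_t){0};
    sup.hw_counter = HW_TIMEOUT_TICKS;
}

/* Each task calls this from its main loop AFTER doing real work, never from a timer ISR. */
void task_checkin(unsigned task)
{
    if (task < TASK_COUNT)
        sup.alive_mask |= 1u << task;
}

/* Called from the tamper-sensor ISR (spark coil, case open, ...). */
void tamper_detected(void) { sup.tamper = true; }

void     credit_add(uint32_t n) { sup.credits += n; }
uint32_t credit_get(void)       { return sup.credits; }
uint32_t reset_count(void)      { return sup.resets; }

/* Called from the periodic system tick. */
sup_event_t supervisor_tick(void)
{
    if (sup.tamper) {
        /* Don't try to keep running through an attack: forfeit the volatile
         * winnings and reset on purpose. No kick, no payout. */
        sup.credits = 0;
        hw_system_reset();
        return SUP_TAMPER_RESET;
    }

    sup_event_t ev = SUP_WAIT;
    if (++sup.window_tick >= WINDOW_TICKS) {
        sup.window_tick = 0;
        if (sup.alive_mask == ALL_TASKS_MASK) {
            hw_watchdog_kick();          /* every task proved it is alive */
            ev = SUP_KICKED;
        }
        /* else: withhold the kick and let the hardware watchdog expire. */
        sup.alive_mask = 0;
    }

    /* The hardware watchdog counts down regardless of what software does. */
    if (--sup.hw_counter == 0) {
        hw_system_reset();
        return SUP_STALL_RESET;
    }
    return ev;
}

/* Simulation: run `ticks` ticks; tasks whose bit is set in `live_mask` check in
 * every tick, the rest are "hung". Returns the last event, stopping at a reset. */
sup_event_t run_ticks(unsigned ticks, uint32_t live_mask)
{
    sup_event_t ev = SUP_WAIT;
    for (unsigned t = 0; t < ticks; t++) {
        for (unsigned i = 0; i < TASK_COUNT; i++)
            if (live_mask & (1u << i))
                task_checkin(i);
        ev = supervisor_tick();
        if (ev == SUP_STALL_RESET || ev == SUP_TAMPER_RESET)
            return ev;
    }
    return ev;
}

int main(void)
{
    supervisor_init();
    run_ticks(100, ALL_TASKS_MASK);
    printf("healthy: resets=%u\n", reset_count());
    run_ticks(100, ALL_TASKS_MASK & ~(1u << TASK_PAYOUT));   /* payout task hangs */
    printf("payout hung: resets=%u\n", reset_count());
    supervisor_init();
    credit_add(500);
    tamper_detected();
    run_ticks(1, ALL_TASKS_MASK);
    printf("tamper: credits=%u resets=%u\n", credit_get(), reset_count());
    return 0;
}
```

The kick lives in one place and is gated on evidence from every task, so a task stuck in a loop (or executing garbage after a NULL dereference) cannot keep the dog fed; kicking from a timer interrupt would defeat exactly that. The tamper path resets even though the code could in principle carry on, which is the point Don makes: the reset is a penalty for the attacker, not a recovery for the firmware.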