Crashing an In-Flight Entertainment System 322
rabblerouzer writes "Hugh Thompson, who was interviewed by Slashdot on the dangers of e-voting, now has a cool blog entry on how he was able to bring down the gaming/movie console on an airplane. He calls it one of the most interesting examples of a software 'abuse case' he has ever seen." Fortunately the IFE system is totally disjoint from the avionics.
Re:Err (Score:5, Informative)
There is a NAME for the bug... (Score:5, Informative)
Dam lazy programmers not using Assert() these days...
(And yes, I am one, programmer that is, not lazy
Re:Err (Score:5, Informative)
Avionics programmers (Score:5, Informative)
FAA regulations categorize software in 5 different levels of criticality, depending on how a failure of the software would affect the safety of the plane. Level "A" software is reserved for things like the "low fuel" alarm, which could potentially knock the plane out of the air on failure, to level "C" for things like the cabin pressurization system where the pilots can take emergency actions to compensate, to level "E" for things like the microwave in the kitchen.
(Beware: I gloss over a few details for clarity.)
The higher levels of software criticality have progressively higher levels of standards for testing. In the case of level-A software, each individual line of code must be examined for correctness in the context of the rest of the code. Each line of code must be executed as part of testing and actively shown to be correct, and each line of code must be individually code reviewed by another engineer.
At the higher levels of software, limit testing is required for all function arguments and if-statements. Multiple-clause if statements such as "if A and B but not C" must be tested for all combinations of the subject clauses, and so on.
In addition to this, all avionics software I've worked on makes a distinction between showing erroneous information and showing *no* information (or, working incorrectly versus not working at all). If the digital altimeter goes blank, the pilots will notice and can take corrective action. If the altimeter is reading the wrong information, then that's a critical failure which could cause an accident.
Thus, avionics software innards are heavily checked throughout execution to ensure proper operation, and any failure causes the system to immediately go offline. All function arguments are ASSERT'ed for correct range, all calculations are checked for range and accuracy, &c.
The entertainment system, and in particular a game within the entertainment system, is almost certainly a level-E software component, and so is not required to go through such rigorous testing. The hardware has to be shown to not interfere with the avionics and that's about it.
As a side note... (Score:4, Informative)
Mirrordot to the rescue (Score:5, Informative)
Re:Err (Score:4, Informative)
One of the most interesting examples of a software "abuse case" came to me rather abruptly on an airplane flight from Las Vegas to Orlando in mid 2005.
Each seat in the airplane had a small touch screen monitor built into the head rest of the chair in front, and on this particular airline, passengers could watch a variety of television channels and play a few simple games. One such game looked remarkably similar to the classic strategy game Tetris, where players use their skills to manipulate falling blocks on a screen to try and form horizontal lines. I'm a big fan of Tetris; for a few months in 1998 I was borderline obsessed with it. I would start looking at everyday objects and start mentally fitting them together with other tings in the room to form weird line configurations. One of the options on this particular airborne version of Tetris was to alter the number of blocks one could see in advance on the screen before they started falling.
To give myself the biggest advantage in the game, I pressed the + control as many times as it would allow and got to the maximum value of 4. I then put on my "bad guy" hat on and asked: How *else* can I change the value in this field? Near my armrest was a small phone console; you know, the one where you can make very important calls for a mere $22 per minute. I noticed that the phone had a numeric keypad and that it also controlled this television monitor embedded in the seat in front of me.
I then touched the screen in front of me to highlight the number "4" in the options configuration shown in Figure 1. I tried to enter the number 10 into that field through the phone keypad with no luck: it first changed to the number "1" followed by the number "0". Frustrated, I then made the assumption that it would only accept single digit values. My next test case was the number "8"; no luck there either, the number didn't change at all. I then tried the number 5: success! '5' is an interesting test case, it's a "boundary value" just beyond the maximum allowed value of the field which was '4'. A classic programming mistake is to be off by 1 when coding constraints. For example, the programmer may have intended to code the statements:
0 value 5
When what actually got coded was
0 value = 5
I now had the software exactly where I wanted it, in an unintended state; the illegal value 5 was now in my target field. I then turn my attention back to the screen and hit the + button which, to my complete surprise, incremented the value to 6! Again, an implementation problem, the increment constrain probably said something like "if value = 4 do not increment." In this case, the value wasn't 4 but 5 so it happily incremented it to 6! I then continue to increment the value by pressing the + button until I get to 127 and then I pause for a moment of reflection. 127 is a very special number; it is the upper bound of a 1 byte signed integer. Strange things can happen when we add 1 to this value, namely that 127 + 1 = -128! I considered this for a moment as I kicked back a small bag of peanuts and in the interest of science I boldly pressed the + button once more. Suddenly, the display now flashes -128 just for an instant and then poof...screen goes black.
Poof...screen of the person next to me goes black.
Screens in front of me and behind me go black.
The entire plane entertainment system goes down (and thankfully the cascading system failure didn't spill over to the plane navigation system)!
After a few minutes of mumbling from some of the passengers, a fairly emotionless flight attendant reset the system and all was well. I landed with a new-found respect for the game of Tetris and consider this to be the most entertaining version of it I have ever played.
.
Abuse case (Score:4, Informative)
I think it's more of a case of bad quality control. If the testing environment of the developers had contained a single "lets throw an exception" or maybe a "lets try to lock up a process at 100%" test, they would have see that they needed to at a bit of exception handling (in the first case).
But writing good test cases can be hard.
Anyway. I've seen code like this tons of times. Some people apparently have issues with (how hard can it be), so they use equal instead, but one day, the step value is changed from 1 to 2 (make it go directly from 99 to 101), or some routine fails and returns a default value of -1. And suddenly the code is in the twilight zone.
Anyway^2, I actually did find this rather un-interesting.
Way too much effort (Score:3, Informative)
--Paul
The word wasn't "fortune" (Score:4, Informative)
Another example...if I give you "a murderous look" it does not mean (or even imply) that I killed you, attempted to kill you, or even contemplated a violent act toward you. "Murder" and "murderous" are not as close in definition as they are in derivation.
The Airline and Aircraft (Score:4, Informative)
Re:You can tell it's Linux when it crashes. (Score:4, Informative)
Re:Err (Score:5, Informative)
IQ scores are a standard distribution with a standard deviation of 10 and a mean of 100. Therefore,
IQs +/- 1 standard deviation from the mean, that is, 90-110, account for approximately 68% of all scores.
The 80-120 range will account for roughly 95% of the scores.
And 70-130 will include over 99%.
Obviously, an IQ of 180 is astoundingly high. An IQ of 55-60 is, I believe, in the mentally retarded range. Since there's not really a good way to quantify "half as smart" and "twice as smart," you could consider that accurate if you wanted, I suppose. Personally, when I think of somebody who is "half as smart as average," I don't think it's that bad.
From Wikipedia: [wikipedia.org]
* mild mental disability: IQ 50-55 to 70; children require mild support; formally called "Educable Mentally Retarded".
* moderate disability: IQ 35-40 to 50-55; children require moderate supervision and assistance; formally called "Trainable Mentally Retarded".
* severe mental disability: IQ 20-25 to 35-40; can be taught basic life skills and simple tasks with supervision.
* profound mental disability: IQ below 20-25; usually caused by a neurological condition; require constant care.
There are also a bunch of debates as to bias and whether IQs really measure anything worthwhile which I'm sure you can find on the same Wikipedia page if you're interested.
Re:You can tell it's Linux when it crashes. (Score:2, Informative)
The ldd call would make sense for debug output, but interestingly it doesn't print anything like what ldd would. In fact, it likely isn't the usual ldd(1) [tin.org], but another binary that happens to have the same name; especially since the debug output stops there, suggesting that it didn't return and the following output was generated by that ldd process, or its children.
The Debug output could have been deactivated with a 'set +x', but before the deactivation went through that command itself would have been printed, so that's out. What is possible, though, is that the ldd was in fact the last command executed in a subshell, and the parent (which wasn't even necessarily a shell), wasn't set up to produce that kind of debug output.
A search for "seatapps" [google.com] brings up very few results, those apparently being first-hand accounts of people who have seen similar screens during a flight, suggesting that the whole setup, as you suggested, highly specific and non-standard.
Re:Err (Score:5, Informative)
Re:I've done this (Score:3, Informative)
http://www.shelleytherepublican.com/2006/12/01/li
Level of Safety (Score:4, Informative)
There was/is no danger of this happening. I develop software for major airline Flight Management Systems (FMS) and the entertainment system is physically separated from the FMS as well as other "flight critical" systems. Also, Software on an aircraft needs to be developed according to the guidelines of RTCA's DO-178B, which classifies the fallout of software into "levels". The most critical, Level A, like autopilot and flight controls requires very stringent evidence of verification. The least critical, Level E, requires basically no verification or documentation whatsoever, and this is what entertainment systems are developed under.
There was a case in the early days when in-flight entertainment systems were first put on planes where a short in the video system crashed other critical computer components due to the entertainment system and flight system being on the same electrical bus. This obviously caused changes to the rules, so now everything is separated.
Re:Err (Score:3, Informative)
per the WAIS-III manual sitting in front of me, the std. dev is 15, not 10. Therefore, 85-115 is +/- 1 s.d. from the mean of 100. But your point is still accurate that a an IQ of 185 is astoundingly high. Mental retardation is -2 s.d.'s below average, which puts that at an I.Q. of =70. You also need significant adaptive impairment in at least two domains (e.g. communication, self care, interpersonal skills, etc...)
just my
jeff
Re:Err (Score:1, Informative)