Embedded systems, like other computer systems, typically include a kernel, or core, piece of code whose proper functioning is essential to the operation of the system. An embedded system is a specialized computer used to control a device such as an automobile, appliance or space vehicle. As used in this document, the kernel is the part of a multitasking system responsible for managing tasks (i.e., for allocating the CPU's time among them) and for communication between tasks; the fundamental service it provides is context switching. The kernel is typically embodied in a software image that includes an Operating System (OS) and related programs and data, which reside in memory at all times and provide basic services. Because of defective programs, the kernel can become corrupted, and if such corruption occurs, the reliability, safety and performance of the system as a whole can be seriously degraded.
Defective programs can be introduced into a system in a number of ways. For example, in an automotive embedded system, the code, including the kernel, is initially loaded into the system when it is built into the automobile. Later, the code can be updated by downloading new code into the system, whether in a service bay procedure or over a wireless connection to a network. The downloaded code can contain a bug (i.e., a persistent programming error) or a virus, either of which can corrupt any area of the system's memory, including the kernel or the data the kernel uses.
In modern systems, unintentionally downloading a defective or malicious program (i.e., a program with a bug or a virus) can be remarkably easy. In addition, in typical embedded systems, which often lack memory protection hardware such as a memory protection unit (MPU) or memory management unit (MMU), a program can write to any area of memory simply by loading an address and data and instructing the microcontroller or microprocessor to write the data to that address. Thus, once in the system, a defective program can easily overwrite valid bytes in the kernel, or in other areas of memory, with invalid bytes. If the kernel is overwritten with invalid bytes, its functionality can be changed or the entire system can crash (i.e., fail).
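The following is an added illustration, not code from the original document or from the system it describes. It models a flat address space with no memory protection, places a hypothetical kernel image (a task table and scheduler state) in it, and runs an application routine with an unchecked length that overruns its buffer into the kernel, exactly the "load an address and data, then write" behaviour described above. A CRC-32 over the kernel region, recorded when the image is loaded, shows how such corruption can at least be detected. All names, addresses and layout values (`mem`, `KERNEL_BASE`, `kernel_t`, `app_fill_buffer`, the 1 KiB memory size) are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example (not from the original document): a flat address space
 * with no memory protection, a hypothetical kernel image placed in it,
 * a program with an unchecked length that overruns its buffer into the
 * kernel, and a CRC-32 integrity check that detects the corruption.   */

#define MEM_SIZE     0x400u        /* constructed 1 KiB address space   */
#define KERNEL_BASE  0x200u        /* hypothetical kernel load address  */
#define MAX_TASKS    4

typedef struct {
    uint32_t entry;     /* hypothetical task entry point             */
    uint32_t stack;     /* hypothetical initial stack pointer        */
    uint8_t  priority;
    uint8_t  state;     /* 0 = ready, 1 = running, 2 = blocked       */
} task_t;

typedef struct {
    task_t   tasks[MAX_TASKS];
    uint8_t  current;   /* index of the running task                 */
    uint32_t tick;      /* scheduler tick counter                    */
} kernel_t;

#define KERNEL_SIZE  sizeof(kernel_t)

static uint8_t  mem[MEM_SIZE];   /* the whole simulated memory        */
static uint32_t kernel_ref_crc;  /* CRC recorded right after loading  */

/* The only "protection" in this model: the address must exist. Any
 * program may write any byte to any address, as the text describes.  */
void mem_write(uint32_t addr, uint8_t value)
{
    if (addr < MEM_SIZE)
        mem[addr] = value;
}

/* CRC-32 (IEEE 802.3 polynomial, reflected), bitwise implementation. */
uint32_t crc32(const uint8_t *data, size_t len)
{
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= data[i];
        for (int b = 0; b < 8; b++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* "Load" the kernel image into memory and record its reference CRC.  */
void kernel_init(void)
{
    kernel_t k;
    memset(&k, 0, sizeof k);
    for (int i = 0; i < MAX_TASKS; i++) {
        k.tasks[i].entry    = 0x1000u + 0x100u * (uint32_t)i; /* constructed */
        k.tasks[i].stack    = 0x3F0u - 0x40u * (uint32_t)i;   /* constructed */
        k.tasks[i].priority = (uint8_t)(MAX_TASKS - i);
        k.tasks[i].state    = 0;
    }
    k.tasks[0].state = 1;
    k.current = 0;
    memset(mem, 0, sizeof mem);
    memcpy(mem + KERNEL_BASE, &k, KERNEL_SIZE);
    kernel_ref_crc = crc32(mem + KERNEL_BASE, KERNEL_SIZE);
}

/* Integrity check: 1 if the kernel image is unchanged, 0 if corrupted. */
int kernel_verify(void)
{
    return crc32(mem + KERNEL_BASE, KERNEL_SIZE) == kernel_ref_crc;
}

/* A defective application routine: it fills a buffer but never checks
 * that len fits within the buffer, so a too-large len spills into
 * whatever lies above the buffer (here, the kernel).                  */
void app_fill_buffer(uint32_t buf_addr, size_t len, uint8_t byte)
{
    for (size_t i = 0; i < len; i++)
        mem_write(buf_addr + (uint32_t)i, byte);
}

/* Entry point of task 0 as currently stored in kernel memory.         */
uint32_t kernel_task0_entry(void)
{
    uint32_t v;
    memcpy(&v, mem + KERNEL_BASE, sizeof v);
    return v;
}

int main(void)
{
    kernel_init();
    printf("after load:     kernel %s\n", kernel_verify() ? "intact" : "CORRUPT");

    /* A 64-byte buffer placed directly below the kernel (address 0x1C0). */
    app_fill_buffer(0x1C0u, 64, 0xAA);
    printf("in-bounds fill: kernel %s\n", kernel_verify() ? "intact" : "CORRUPT");

    /* The bug: 72 bytes requested for a 64-byte buffer; the last 8 land
     * on tasks[0].entry and tasks[0].stack inside the kernel.           */
    app_fill_buffer(0x1C0u, 72, 0xAA);
    printf("overrun fill:   kernel %s, task0 entry now 0x%08x\n",
           kernel_verify() ? "intact" : "CORRUPT", kernel_task0_entry());
    return 0;
}
```

The in-bounds fill leaves the check passing; the 72-byte fill silently replaces the first task's entry point and stack pointer with 0xAA bytes, and only the CRC comparison reveals that anything happened. On real hardware the next context switch into task 0 would jump to that garbage address, which is the crash the text describes. The CRC detects corruption but does not prevent it; prevention requires either memory protection hardware or bounds checks in every program that writes memory.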
Often there is no elegant way to recover from such a crash, and the system must be restarted. Unfortunately, a persistently defective or malicious program may cause the system to crash again after each restart, so that the device is rendered inoperable.