Secure automotive software development June 24, 2015 Walter Capitani Product Manager, Klocwork

Autos, Wi-Fi, and IoT



Page 1: Autos, Wi-Fi, and IoT

Secure automotive software development

June 24, 2015

Walter Capitani, Product Manager, Klocwork

Page 2: Autos, Wi-Fi, and IoT

Agenda

• Security in automotive software development

• The software supply chain

• Forging more secure code

Page 3: Autos, Wi-Fi, and IoT

Security in automotive software development

Page 4: Autos, Wi-Fi, and IoT

Automotive hacks are well documented

© 2015 ROGUE WAVE SOFTWARE, INC. ALL RIGHTS RESERVED 4

Page 5: Autos, Wi-Fi, and IoT


How does this happen?

Data breaches are the result of one flawed assumption: incoming data is well-formed. Most breaches result from input trust issues:

• Unvalidated input

• SQL injection

• Cross-site scripting

• Heartbleed: a buffer over-read caused by trusting the length field inside the request

OWASP Top 10 identifies common vulnerabilities from over 500,000 issues being researched today

CWE is a community-driven identification of weaknesses (CWE-20: Improper Input Validation)
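The flawed assumption above, shown in code. This is an added example, not code from the slides or from Klocwork: a hypothetical length-prefixed frame parser (the frame layout, the function names and the sample bytes are all assumptions constructed for the example) written first the way the slide describes, trusting the length field inside the message, and then with the checks that Heartbleed lacked. The unchecked version copies 18 bytes of unrelated adjacent memory out to the caller when a frame lies about its length; the checked version rejects the same frame before a byte moves.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical frame layout (an assumption for this example, not a real bus protocol):
 *   byte 0      message id
 *   byte 1      declared payload length
 *   bytes 2..   payload
 */
#define HDR_LEN      2u
#define MAX_PAYLOAD  32u

/* Flawed assumption in action: the length byte inside the frame is trusted.
 * If the sender lies, memcpy reads past the bytes that actually arrived (the
 * same shape as Heartbleed) and whatever sits next to the receive buffer in
 * RAM is copied out. Returns the number of bytes copied. */
size_t parse_frame_unchecked(const uint8_t *rx, size_t rx_len,
                             uint8_t *out, size_t out_len)
{
    (void)rx_len;                 /* never consulted: "incoming data is well-formed" */
    (void)out_len;
    size_t len = rx[1];
    memcpy(out, rx + HDR_LEN, len);
    return len;
}

/* Hardened version: every bound is checked against what really arrived and
 * against the destination before anything is copied. Returns 0 on success or
 * a negative code on rejection; *copied receives the payload length. */
int parse_frame_checked(const uint8_t *rx, size_t rx_len,
                        uint8_t *out, size_t out_len, size_t *copied)
{
    if (rx == NULL || out == NULL || copied == NULL) return -1;
    if (rx_len < HDR_LEN)           return -2;  /* header incomplete */
    size_t len = rx[1];
    if (len > MAX_PAYLOAD)          return -3;  /* violates protocol maximum */
    if (len > rx_len - HDR_LEN)     return -4;  /* claims more than was received */
    if (len > out_len)              return -5;  /* destination too small */
    memcpy(out, rx + HDR_LEN, len);
    *copied = len;
    return 0;
}

/* Constructed demo memory: a 16-byte receive buffer immediately followed by
 * 48 bytes of unrelated data standing in for a secret (a key, for instance). */
static void build_demo_memory(uint8_t mem[64], uint8_t declared_len)
{
    memset(mem, 0xAA, 16);          /* bytes that actually arrived on the bus */
    memset(mem + 16, 0x5E, 48);     /* adjacent "secret" */
    mem[0] = 0x10;                  /* message id */
    mem[1] = declared_len;          /* attacker-controlled length field */
}

/* Unchecked parser on a frame that claims 32 payload bytes when only 14 arrived:
 * returns how many bytes of the adjacent secret ended up in the output. */
int demo_leak_bytes(void)
{
    uint8_t mem[64], out[MAX_PAYLOAD];
    build_demo_memory(mem, 32);
    size_t n = parse_frame_unchecked(mem, 16, out, sizeof out);
    int leaked = 0;
    for (size_t i = 0; i < n; i++)
        if (out[i] == 0x5E) leaked++;
    return leaked;                   /* 18: mem[16..33] were copied out */
}

/* Checked parser on the same lying frame: rejected with -4. */
int demo_checked_rejects(void)
{
    uint8_t mem[64], out[MAX_PAYLOAD];
    size_t copied = 0;
    build_demo_memory(mem, 32);
    return parse_frame_checked(mem, 16, out, sizeof out, &copied);
}

/* Checked parser on an honest frame (14 payload bytes in a 16-byte buffer):
 * returns the payload length actually copied, 14. */
int demo_checked_accepts(void)
{
    uint8_t mem[64], out[MAX_PAYLOAD];
    size_t copied = 0;
    build_demo_memory(mem, 14);
    if (parse_frame_checked(mem, 16, out, sizeof out, &copied) != 0) return -1;
    return (int)copied;
}

int main(void)
{
    printf("unchecked parser leaked %d secret bytes\n", demo_leak_bytes());
    printf("checked parser result on lying frame: %d\n", demo_checked_rejects());
    printf("checked parser copied %d bytes from honest frame\n", demo_checked_accepts());
    return 0;
}
```

The order of the checks matters: `rx_len >= HDR_LEN` is established before `rx_len - HDR_LEN` is computed, so the subtraction cannot wrap, and the received length is compared before the destination size so that a short frame is reported as such rather than as a destination problem. A data-flow static analyser flags `parse_frame_unchecked` because the `len` that sizes the `memcpy` is derived from the untrusted buffer without an intervening bound.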

Page 6: Autos, Wi-Fi, and IoT


Increasing size: software is growing fast

(Chart: lines of code in millions, 0 to 350, for USAF F-22, USAF F-35 JSF, Avg Ford car 2009, Boeing 787 Dreamliner, Avg Ford car 2010, S-class Nav 2009, Avg luxury car 2010, Avg luxury car 2014*)

*Estimated. Sources: IEEE Automotive Designline, IEEE Spectrum

Page 7: Autos, Wi-Fi, and IoT


Increasing complexity: Connected cars

Page 8: Autos, Wi-Fi, and IoT


So what does this mean?

More and more software running inside your car

– Millions of lines of code, dozens of processors, each with multiple cores

– Multiple systems interconnected, some designed years ago with little or no security in mind

Multiple sources of software being integrated

– New code, COTS, suppliers, legacy, open source

– Different platforms, people, and processes

Software running your car could remain that way for many years

– Vulnerabilities and bugs will last for years

– Not an easy update/upgrade path

This requires a very significant security and functional verification process

– Automation will be critical

– Certification is inevitable

Page 9: Autos, Wi-Fi, and IoT


Problems

What attacks will these software components be exposed to? Will they be accessible over some type of network? Remote access?

How do we gauge the security health of code coming in? Do you have confidence in your suppliers? The open source community?

How do we measure compliance? Lengthy process, unclear expectations, lots of resources.

Are we spending time on “regular” bugs? Can automated testing be more effective?

Page 10: Autos, Wi-Fi, and IoT


Software supply chain

What happens when outsourcing goes wrong?

• Software suppliers can introduce risks (security, functional, compliance) before they reach you

• Different platforms, processes, tools, standards, etc. require more effort to assess, test, and standardize

• If hooks are left in the code, sensitive data can be sent back to the supplier

Page 11: Autos, Wi-Fi, and IoT


Software supply chain - example

Toyota unintended acceleration - Electronic Throttle Control System (ETCS)

• “…used a version of OSEK, which is an automotive standard RTOS API. For some reason, though, the CPU vendor-supplied version was not certified compliant” 1

• The ECU software also used recursion, which MISRA C:2004 prohibits (Rule 16.2: functions shall not call themselves, directly or indirectly) and which MISRA-compliant source code analysis would have detected
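What a Rule 16.2 check actually has to do, as an added example (not Toyota's ECU code and not Klocwork's checker): the rule forbids indirect recursion as well as direct, so grepping for a function that calls itself is not enough. The check is a cycle search over the call graph. The graph below is constructed for the example, with hypothetical ECU function names; the search itself is written iteratively with an explicit stack, so the tool is not guilty of what it flags.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_FUNCS 16

/* Constructed call graph: edge[caller][callee] is true when caller calls callee.
 * A real tool would build this from the parsed source; here it is filled by hand. */
typedef struct {
    int         n;
    const char *name[MAX_FUNCS];
    bool        edge[MAX_FUNCS][MAX_FUNCS];
} call_graph;

enum { WHITE, GREY, BLACK };   /* unvisited, on the current path, finished */

static int func_index(call_graph *g, const char *name)
{
    for (int i = 0; i < g->n; i++)
        if (strcmp(g->name[i], name) == 0) return i;
    if (g->n >= MAX_FUNCS) return -1;
    g->name[g->n] = name;
    return g->n++;
}

static void add_call(call_graph *g, const char *caller, const char *callee)
{
    int a = func_index(g, caller), b = func_index(g, callee);
    if (a >= 0 && b >= 0) g->edge[a][b] = true;
}

/* Iterative depth-first search. Returns the index of a function that is
 * reachable from itself (a back edge to a GREY node, which covers both direct
 * recursion f->f and indirect recursion f->g->f), or -1 if the graph is acyclic. */
int find_recursion(const call_graph *g)
{
    int color[MAX_FUNCS] = {0};
    int stack[MAX_FUNCS];   /* current call path */
    int next[MAX_FUNCS];    /* next callee index still to examine for each path entry */

    for (int s = 0; s < g->n; s++) {
        if (color[s] != WHITE) continue;
        int sp = 0;
        stack[sp] = s; next[sp] = 0; color[s] = GREY; sp++;
        while (sp > 0) {
            int v = stack[sp - 1];
            int w = next[sp - 1];
            while (w < g->n && !g->edge[v][w]) w++;
            if (w == g->n) { color[v] = BLACK; sp--; continue; }   /* v fully explored */
            next[sp - 1] = w + 1;
            if (color[w] == GREY) return w;        /* w is already on the path: cycle */
            if (color[w] == WHITE) { color[w] = GREY; stack[sp] = w; next[sp] = 0; sp++; }
        }
    }
    return -1;
}

/* Hypothetical ECU call graph with indirect recursion: no function calls itself,
 * yet compute_target -> apply_filter -> compute_target is a cycle. */
const char *demo_indirect_recursion(void)
{
    call_graph g; memset(&g, 0, sizeof g);
    add_call(&g, "main_loop", "read_pedal");
    add_call(&g, "main_loop", "compute_target");
    add_call(&g, "compute_target", "apply_filter");
    add_call(&g, "apply_filter", "compute_target");
    int r = find_recursion(&g);
    return r < 0 ? "none" : g.name[r];      /* "compute_target" */
}

/* Same graph without the back edge: compliant, returns -1. */
int demo_no_recursion(void)
{
    call_graph g; memset(&g, 0, sizeof g);
    add_call(&g, "main_loop", "read_pedal");
    add_call(&g, "main_loop", "compute_target");
    add_call(&g, "compute_target", "apply_filter");
    return find_recursion(&g);
}

int main(void)
{
    printf("recursive function found: %s\n", demo_indirect_recursion());
    printf("compliant graph result: %d\n", demo_no_recursion());
    return 0;
}
```

Why the rule exists on a small ECU: with no MMU and a fixed task stack, the worst-case stack depth of a recursive path depends on runtime data, so it cannot be bounded at build time; an acyclic call graph lets the stack budget be computed statically.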

Page 12: Autos, Wi-Fi, and IoT

Forging more secure code

Page 13: Autos, Wi-Fi, and IoT


What can you do?

Need to “bake in” security

All of the supply chain needs to be secure, not just your code but the code of the packages included in your software

Follow a well-known security standard applicable to your domain

Educate the development team, provide security based training

Automate!

Page 14: Autos, Wi-Fi, and IoT


What can automation do?

• Automate the build process

• Automate testing

• Automate reporting

• Automate the discovery of security weaknesses, compliance violations, defects

• Free up developers’ time

• Seeing trends helps identify areas of bad code

Page 15: Autos, Wi-Fi, and IoT


Analysis and testing

Static code analysis

• Traditionally used to find simple, annoying bugs

Modern, state-of-the-art SCA

• Sophisticated inter-procedural control and data-flow analysis

• Model-based simulation of runtime expectation

• Provides an automated view of all possible execution paths

• Find complex bugs and runtime errors, such as memory leaks, concurrency violations, buffer overflows

• Check compliance with internationally recognized standards: MISRA, CWE, OWASP, ISO 26262

Page 16: Autos, Wi-Fi, and IoT


Analysis and testing

Check code faster

• Issues identified at your desktop

– Correct code before check-in

– All areas impacted by a given defect are highlighted

– After system build, the impact of other developers’ code is also delivered to the desktop for corrective action

• Create custom checkers to meet specific needs

• Debugger-like call-stack highlights the cause of the issues

• Context-sensitive help provides industry best-practices and explanations

(Figure: development phases Build, Analysis / Test; caption “50% of defects introduced here”)

Page 17: Autos, Wi-Fi, and IoT