As more and more software is used in vehicles, must the risks of errors and attacks inevitably increase? Modern cars contain around 100 million lines of code, a figure expected to reach 300 million by 2030. However competent and professional the people who write it, no codebase of that size is perfect, and it will contain some vulnerabilities. Unlike most computer or mobile phone applications, automotive applications can be safety-critical: they must continue to perform safely even when a component malfunctions or is under malicious attack.
So, the challenges in managing this rapidly expanding automotive code base are many.
Scaling Capacity & Skills
Most vehicle makers are rapidly reorganizing their in-house software capabilities, but the people needed to build these teams are hard to find and expensive. Expertise in general computer security does not always transfer directly to the globally regulated and risk-averse automotive industry.
In addition to the complex electronics of hybrid and electric vehicles, manufacturers are differentiating more and more through advanced features enabled by software and connectivity. The required competences have therefore expanded to include wireless connectivity and ADAS features such as image and radar processing.
This creates opportunities for specialist suppliers to bring additional expertise as well as extra capacity. However, integrating software from several sources is a hugely complex supply chain management problem, especially when the aim is to ensure high quality and cyber resilience and to minimize the vulnerabilities in the combined code.
Evolving Architectures
Vehicles today have up to 150 separate Electronic Control Units (ECUs), each with the embedded functionality for the engine, braking, steering, lights, door locks and so on. The trend is towards integrating more functions into fewer, more powerful ECUs, each managing a Zone or Domain of the vehicle. Software for multiple, diverse functions must then run simultaneously on the same ECU hardware, so a bug in one function, or an attacker who has compromised it, can affect another through shared memory or process scheduling, where previously separate hardware kept them apart.
Scaling Development Processes
Software for the functional safety of vehicles is developed and extensively tested over several years. Scaling development and testing processes that evolved over decades demands substantial change, and tool chains and processes are rushing to adapt to new sources, and types, of software. A range of static analysis tools interrogate source code, without running it, to identify errors and potential vulnerabilities during development so they can be fixed before release. However, software almost always incorporates widely available standard code for many functions, some of it open source, which was not developed or tested under the same process. Increasing code size and complexity also demands more frequent updates to fix known bugs and to add features, often Over-The-Air. Each update can introduce new bugs during a vehicle's operating life, so detection mechanisms are needed in the vehicle itself.
For more information, the AESIN SDV White Paper discusses these and other challenges.
A Promising Way Forward
Frequently updated, complex code requires detection of bugs after release, at run time, especially for safety-critical functions. This can be done by another software module, which consumes processing cycles and memory. Implementing run-time bug detection in hardware carries less overhead and can enable a more immediate response, such as stopping a faulting function before it corrupts data belonging to another. If the microcontroller itself provides this detection capability, it is lower cost too.
A UK technology has recently emerged from research to enhance processor architectures with the capability to detect errors in, or malicious misuse of, memory at run time. Capability Hardware Enhanced RISC Instructions (CHERI) extends a conventional processor so that every pointer carries bounds and permissions which the hardware checks on each memory access; a buffer overflow, or use of memory a component was never granted, is trapped at the instruction that attempts it rather than silently corrupting a neighbour. The technology has been used by Microsoft in an IoT processor (CHERIoT), and features in a US White House report on cyber security.
Supported by the UK's Digital Security by Design programme, and named in the UK's National Semiconductor Strategy, Arm has developed a prototype CHERI processor known as Morello, which is being evaluated in applications from desktops to aerospace and defence.
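To make the run-time check concrete, here is an added example that is not code from AESIN, Arm, Microsoft or the RESAuto project: a small C model of the bounds and permission checks a CHERI capability carries, applied to the consolidated-ECU situation described under Evolving Architectures, where a lamp function and a brake function share one memory region. The memory layout, offsets, function names and values are constructed for illustration; on Morello the CPU performs these checks itself and raises a fault, whereas here cap_store and cap_restrict simply return 0 when an access would be rejected.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed layout: shared RAM of a consolidated ECU where two functions
 * that used to live on separate ECUs now share one address space. */
#define REGION_SIZE 64
#define LAMP_OFF    0    /* exterior lamp state, 16 bytes */
#define BRAKE_OFF   16   /* brake actuator command, 16 bytes */
#define FUNC_SIZE   16

static uint8_t region[REGION_SIZE];

/* Software stand-in for a CHERI capability: a pointer plus the bounds and
 * permissions it carries. On Morello this is a tagged 128-bit register and
 * the CPU performs the checks below on every load and store. */
#define PERM_LOAD  1u
#define PERM_STORE 2u

typedef struct {
    uint8_t *base;
    size_t   length;
    unsigned perms;
} cap_t;

static cap_t cap_make(uint8_t *base, size_t length, unsigned perms) {
    cap_t c = { base, length, perms };
    return c;
}

/* Derive a narrower capability. Bounds and permissions may only shrink
 * (monotonicity); any attempt to widen them fails and returns 0. */
static int cap_restrict(const cap_t *parent, size_t off, size_t len,
                        unsigned perms, cap_t *out) {
    if (off > parent->length || len > parent->length - off) return 0;
    if (perms & ~parent->perms) return 0;
    *out = cap_make(parent->base + off, len, perms);
    return 1;
}

/* Checked store: 1 if performed, 0 if rejected. A CHERI CPU raises a
 * capability fault here instead of returning, so the bad write never lands. */
static int cap_store(const cap_t *c, size_t idx, uint8_t v) {
    if (!(c->perms & PERM_STORE) || idx >= c->length) return 0;
    c->base[idx] = v;
    return 1;
}

static int cap_load(const cap_t *c, size_t idx, uint8_t *out) {
    if (!(c->perms & PERM_LOAD) || idx >= c->length) return 0;
    *out = c->base[idx];
    return 1;
}

/* First byte of the brake command, read through a capability to the region. */
uint8_t read_brake0(void) {
    cap_t all = cap_make(region, REGION_SIZE, PERM_LOAD | PERM_STORE);
    uint8_t v = 0;
    cap_load(&all, BRAKE_OFF, &v);
    return v;
}

/* Conventional pointer: the lamp function's index bug (idx == FUNC_SIZE is
 * one past its own buffer) silently overwrites the brake command. */
uint8_t lamp_update_unchecked(size_t idx, uint8_t v) {
    memset(region, 0, sizeof region);
    uint8_t *lamp = region + LAMP_OFF;
    lamp[idx] = v;
    return read_brake0();
}

/* Same update through a capability bounded to the lamp buffer only. */
int lamp_update_checked(size_t idx, uint8_t v) {
    memset(region, 0, sizeof region);
    cap_t all = cap_make(region, REGION_SIZE, PERM_LOAD | PERM_STORE);
    cap_t lamp;
    cap_restrict(&all, LAMP_OFF, FUNC_SIZE, PERM_LOAD | PERM_STORE, &lamp);
    return cap_store(&lamp, idx, v);
}

/* Malicious misuse: code holding a read-only capability to the brake command
 * can neither write through it nor widen it back to the whole region. */
int brake_tamper_checked(void) {
    cap_t all = cap_make(region, REGION_SIZE, PERM_LOAD | PERM_STORE);
    cap_t brake_ro, widened;
    cap_restrict(&all, BRAKE_OFF, FUNC_SIZE, PERM_LOAD, &brake_ro);
    int stored = cap_store(&brake_ro, 0, 0xFF);
    int grown  = cap_restrict(&brake_ro, 0, REGION_SIZE, PERM_STORE, &widened);
    return stored == 0 && grown == 0;
}

int main(void) {
    printf("unchecked: lamp[16]=0xFF leaves brake[0] = 0x%02X\n",
           lamp_update_unchecked(FUNC_SIZE, 0xFF));
    int ok = lamp_update_checked(FUNC_SIZE, 0xFF);
    printf("checked:   store %s, brake[0] = 0x%02X\n",
           ok ? "allowed" : "rejected", read_brake0());
    printf("read-only capability blocks tamper: %s\n",
           brake_tamper_checked() ? "yes" : "no");
    return 0;
}
```

The unchecked write is exactly the class of bug that separate ECUs used to contain by physical isolation and that a consolidated ECU exposes; the checked version shows the two properties a capability adds, bounds on the lamp function's own buffer and monotonic permissions that a compromised function cannot escalate. The software model costs a comparison per access, which is the overhead the previous paragraph says hardware enforcement removes.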
AESIN is working with network members Thales and WMG to research the technical and commercial impacts of CHERI for the automotive sector. The RESAuto project includes development of an example automotive braking system on Morello, and testing its resilience against common automotive threats. The project will exhibit at the AESIN Conference at the British Motor Museum on 11th July and demonstrate at an industry workshop scheduled for 20th November 2024.
To learn more in the meantime, join the AESIN TechTalk by Dan Fowler of Warwick University's WMG on 20th March 2024.