Evaluation of Software Vulnerabilities in Vehicle Electronic Control Units

Jesse Edwards, Ameer Kashani, Gopal Iyer

Agenda

1. Technology Trends and Research Motivation 2. Code Quality: Existing Considerations 3. Static Code Analysis (SCA) Background 4. Main Purpose and Approach 5. Selection of System, SCA Tool, and Secure Coding

Compliances 6. Results

• Vulnerabilities Comparison • Most Common Vulnerabilities • Greatest Threats

7. Recommendation for Fixing Security Vulnerabilities 8. Conclusion, Limitations, and Future Work

2

Technology Trends

• Modern architectural design paradigms are increasing the complexity of vehicle platforms • Software features (DbW, electrification, etc.) • Increased number of computing modules/smart sensors • Increased external connectivity and data transactions • Interoperability of components with untrusted devices

• The rising complexity increases the potential for critical

threats • Unauthorized access of private OEM APIs • Loss of personally identifiable user data • Remote attacks (DoS, control manipulation, espionage,

etc.)

• Attack feasibility demonstrations are continuously published by the security research community

3

Research Motivation

• The largest class of security vulnerabilities stems from coding errors made by developers • 64 percent of the nearly 2,500 vulnerabilities in the National Vulnerability

Database were caused by programming errors [16]

• Existence of minor, preventable bugs in a device’s software simplifies efforts needed by adversaries to exploit the available attack vectors and compromise the system • Information disclosure • Buffer overflow • Use after free

Security Vulnerabilities

Coding errors

Design errors

MCU errors Etc…

• Many classes of vulnerabilities caused by coding errors can be entirely mitigated prior to production release • Early bug detection in SDLC

4

Code Quality: Existing Considerations

Standard Process

Code

Static Code Analysis

Code Review

Coding Standards

OEM Security Requirements

• Static Analysis

– Static Code Analysis (SCA)

• Dynamic Analysis

– Behavioral Analysis

– Dynamic Code Analysis (DCA)

– Fuzzing

• Interactive Analysis

– Penetration Testing

– Threat Analysis

• Hardware Testing

5

Static Code Analysis (SCA) Background

Advantages • Finding potential bugs, with references to CWE

• Comparing projects by severity

• Breaking down results by category

• Monitoring trends

Challenges • Consistency in reports (SCA scope and output is not the

same)

• False Positives: A warning that is not a bug

• False Negatives: Tool did not find a bug that was in the code

• Cost

6

Main Purpose and Approach

Main Purpose Finding the most common and dangerous security bugs

using static code analysis with secure coding compliance checks to achieve systematic elimination of bugs

Approach 1. Select target systems 2. Select SCA tools 3. Cross-reference secure coding standards 4. Gather insights 5. Bug elimination

Result

Secure Coding

•SANS Top 25

•CWE

•CERT C

SCA Tools

•Tool x

•Tool y

System

•RTOS

•Bare Metal

7

Select Target Systems

* Architecture varies by vehicle model and only an example.

Infotainment

• RTOS

• Linux

Cluster

• RTOS

• AUTOSAR OS

• Bare metal

BCM

• AutoSAR OS

• Bare metal

8

RTOS and Bare Metal

RTOS • Complex preemption • Common libraries • Middleware (Filesystem, USB, TCP/IP) • Heavy resources • Complex computing

Bare Metal • Light resources • Low memory • Simplistic

9

Evaluate SCA Tools • Developed evaluation framework • Benchmarked eight leading SCA tools

using framework and selected two competing finalists

Benchmark Item Weight

Functionality/coverage 50%

Tool PC Performance

Integrability Usability Upgradeability

30%

Cost 20%

10

Secure Coding Compliance • Secure coding check used in the SCA tool is SEI CERT C • CERT C has a relationship with Common Weakness Enumeration

(CWE) • CWE’s contain high level design issues and are independent of

programming language • There are over 1000 CWE’s

Secure coding guidelines covered by

MISRA C 2012

Covered 37%

Not Covered 43%

Partially Covered 19%

Contradicting 1%

[17]

11

Vulnerabilities Comparison

RTOS vs. Bare Metal • Hypothesis: higher warnings for the RTOS-based system

primarily due to the greater code size and software module complexity

• Hypothesis was incorrect

Bare Metal system contained ~10 times the amount of CWE warnings

12

Which Vulnerabilities Were Most Common in RTOS & Bare Metal? Most Common CWE’s (RTOS & Bare Metal) • CWE-192 Integer Coercion Error • CWE-197 Numeric Truncation Error • CWE-457 Use of Uninitialized Variable • CWE-466 Return of Pointer Value Outside of Expected Range • CWE-587 Assignment of a Fixed Address to a Pointer • CWE-665 Improper Initialization • CWE-704 Incorrect Type Conversion or Cast • CWE-758 Reliance on Undefined, Unspecified, or Implementation-Defined Behavior • CWE-908 Use of Uninitialized Resource

13

Which Coding Errors Posed the Greatest Threat?

SANS Top 25: a list of the top 25 most dangerous software errors. 1. CWE-120 Buffer Copy Without Input Size Check 2. CWE-134 Uncontrolled Format String 3. CWE-190 Integer Overflow or Wraparound 4. CWE-676 Use of Potentially Dangerous Function

Buffer overflow is still the leading weakness of embedded software

14

Recommendations for Fixing Security Vulnerabilities

• Immediate action of elimination of security vulnerabilities

• Use SCA with security compliance checks

• Avoid the noise (false positives). Filter for high risk warnings first

• Long term action of elimination of security vulnerabilities

• Provide training to developers for secure coding practices

• Work SCA into the environment

• Include SCA results in code reviews

• Always perform SCA before checking in code

• Secure coding standard and SCA checks should align

• Benchmark tools and find out which is best for your organization

• Revisit projects and compare SCA results to monitor potential issues

Code

SCA Test

Review

15

Conclusion, Limitations, and Future Work

Conclusion • After performing SCA with secure coding checks we can immediately

reduce security vulnerabilities early in the lifecycle.

Limitations

• SCA cannot conclude that a warning translates to a vulnerability and requires human expert intervention to investigate the code

• Can only catch coding errors (e.g. design logic flaws)

Future Work

• Using data aggregator with machine learning to eliminate false positives

• Automate SCA tool data collection and track quality improvement trend.

16

References

[1] Webb, John John Christopher Quannah. Driving connectivity: the future of the US telematics industry and its impact to Toyota Motors. Diss. Massachusetts Institute of Technology, 2010.

[2] Delgrossi, Luca, and Tao Zhang. "Dedicated Short ‐ Range Communications." Vehicle Safety Communications: Protocols,

Security, and Privacy (2009): 44-51. [3] Miller, Charlie, and Chris Valasek. "Remote exploitation of an unaltered passenger vehicle." Black Hat USA 2015 (2015). [4] Checkoway, Stephen, et al. "Comprehensive Experimental Analyses of Automotive Attack Surfaces." USENIX Security

Symposium. 2011. [5] Charette, Robert N. "This car runs on code." IEEE spectrum 46.3 (2009): 3. [6] Glas, Benjamin, et al. "Automotive Safety and Security Integration Challenges." Automotive-Safety & Security. 2014. [7] Holle Jan and Vembar Priyamvadha. “Secure Coding and MISRA C/C++ in ECU Development.” 12th ESCAR EUROPE, 2014 [8] MISRA C:2012 - Amendment 1: “Additional security guidelines for MISRA C:2012,” ISBN 978-906400-16-3, April 2016. [9] Seacord, Robert C. The CERT C secure coding standard. Pearson Education, 2008. [10] Martin, Robert A. "Common Weakness Enumeration." Mitre Corporation (2007). [11] Black, Paul E., et al. "Dramatically Reducing Software Vulnerabilities." (2016). [12] Chess, Brian, and Jacob West. Secure programming with static analysis. Pearson Education, 2007. [13] Martin, B., et al. "CWE." SANS Top 25 (2011). [14] Society of Automotive Engineers (SAE), http://www.sae.org/ [15] SAE Standard Works J3061 WIP, “Cybersecurity Guidebook for Cyber-Physical Vehicle Systems,” 2016. [16] https://www.cert.org/secure-coding/products-services/scale.cfm? [17] Secure Coding and MISRA C/C++ in ECU Development. Jan Hollea ESCRYPT GmbH, Priyamvadha Vembar Bosch Center

of Competence Security ETAS GmbH

17

18

http://www.densocorp-na.com