“Hacking” is a time-honored tradition among petrol-heads. Squeezing a V8 into a space reserved for a much smaller engine or swopping out the standard carbs with Webers was a right of passage.
Today, cars are made to go faster by remapping the software – which has opened the doors to cyber hackers who can potentially wreak much more damage than a 17-year-old with a box of spanners.
In addition to meeting quality standards OEMs now have to ensure their vehicle systems are ISO 26262 certified for functional safety. In response Synopsys has extended its portfolio of ASIL B and D Ready
ISO 26262 certified DesignWare® IP to include PCI Express® 3.1 controller and PHY, USB 3.0 controller, MIPI CSI-2 controllers and D-PHY, LPDDR4 PHY, EEPROM and Trim NVM.
Automotive Industries (AI) asked Art Dahnert, Managing Consultant at Synopsys, what are some of the exciting new software-based features to be found in modern cars?
Dahnert: First and foremost, it is the advent of the autonomous vehicle. All of the automakers are moving to Level
Four as quickly as possible and this technology is only possible with software. From computer vision to artificial intelligence, and from system status to real time safety critical decisions, it is all happening in software. But, before we get self-driving cars, we will see bits and pieces of that technology trickle down to the vehicles in the upcoming model years. For example, the key building blocks of the autonomous vehicle – adaptive cruise control and lane assist – are technologies that will soon be standard on all new cars. Connected cars will also communicate with the auto manufacturer’s back-end servers using telematics software to transfer real-time data over the V2I frameworks, as well as other standardized V2V technology stacks. Software will be driving that entire level of communication.
AI: How is the automotive industry reacting to the need for greater cyber security? Dahnert: There is tremendous pressure from internal and external groups (insurance, government, etc) to ensure that the cars we drive are safe. This is now starting to include the millions of lines of code that ensure our cars and trucks function properly. Therefore, manufacturers have started to move the testing and verification of the software technologies to the same level as safety. And this means the supply chain has to meet new rigorous standards when it comes to software development.
The industry is moving strategically towards better solutions and processes for securing the software in upcoming vehicles.
There are various standards organizations moving forward on several fronts, including ISO and SAE. The automotive industry, including Synopsys, is taking an active part in the development of these standards. The automotive manufacturers are also continuously engaging with the security community to develop the expertise for secure software development. In addition, many of our automotive clients have expanded their security programs and processes to address the problem of security issues beyond the vehicle-related software ecosystem. Tools such as Synopsys’s
Coverity are used to help detect and remediate security flaws before they make it to production.
AI: How can standards help drive faster adoption of automotive security?
Dahnert: Standards, in general, will help the industry speak the same “language” when it comes to software security. This common language allows for a better understanding of how software will interact with its environment, including the framework needed to support cars communicating with other cars and the surrounding infrastructure. Software developers from various manufacturers will be able to implement software with a certain level of security and functionality, which can be depended upon as having been verified and validated. This reduces the burden on the software teams to create products for a disparate environment and different vehicles.
It is this reduced burden that will foster the faster adoption of automotive security since it can be built in from the beginning. The NHTSA guidelines are an excellent step in this direction. Having a recognized and agreed-upon set of industry guidelines allows the software teams to focus on innovative solutions to delight the customer without the overhead of understanding the security implications at the individual software developer level.
AI: How should companies respond to the dangers of automotive hacking?
Dahnert: The automotive industry has had to deal with “hacking” ever since the first car rolled off the assembly line.
Owners have been modifying (or hacking) their cars, making them go faster and personalizing them. Thieves have been figuring out ways around the impediments supplied by the factory, including locks and alarms and remote keyless entry.
What has changed is how hacking occurs. Today, thieves use laptops to create keys in the same way that the neighbourhood dealership does, sometimes even using software stolen from the very same dealership. Owners use their laptops to modify and enhance the fuel and spark tables to make the engine produce more horsepower. All of this is now just performed with software.
The dangers of hacking today arise from the connectivity to the Internet or even the owner’s home network. By allowing the majority of vehicles to communicate with back end systems, third party entertainment systems or even various traffic systems, the scale of abuse is magnified by each connection. This “network effect” is a scenario in which each additional connection makes the entire proposition more valuable. A single specific automotive software vulnerability has much more value if an attacker can remotely compromise millions of cars at the same time as opposed to a single vehicle at a time.
This scenario is currently being played out in the IoT (Internet of Things) space and the recent ransomware virus, “WannaCry.”
If a ransomware virus were to take over an automotive platform, it is possible that people could be injured or killed. And in the very least, the “bricking” of your vehicles’ computer could become a very expensive and time-consuming event.
AI: How has the acquisition of Cigital in 2016 helped Synopsys enhance its strengths?
Dahnert: Synopsys has tapped into the rich history of secure software development knowledge Cigital gained over 20 years. By understanding the process of secure software development and the associated processes, Synopsys can now guide automotive companies in the instantiation of a Secure Software Initiative. This includes everything from secure design and architecture reviews, automotive based penetration testing, development of secure coding guidelines and processes, to the expertise of leading edge tools like Coverity and Defensics.
AI: What does Cigital provide Synopsys that other software companies couldn’t offer?
Dahnert: Cigital has been leading the industry in the development of secure software for over two decades. That has led to a wealth of knowledge that is not equaled, particularly in the software static analysis space. Cigital has always been at the forefront of static analysis tools, including the original creation that eventually became Fortify. At the time of the acquisition,
Cigital had over 300 consultants worldwide, most of whom were originally software developers or had a software engineering education prior to joining. Finally, many Cigital employees have written books on software security or have contributed to the thought leadership of the security industry. This is a tremendous asset when helping clients resolve difficult security issues.
AI: Similarly, what has the acquisition of Codiscope brought to the stable of products and services?
Dahnert: One of the key aspects of developing secure software is developer training. Codiscope has an excellent Computer Based
Training (CBT) program, with content created by the very same consultants who are the pillars of the company. The content includes Architecture Risk Analysis, Defensive Programming in C/C++ (other languages as well) and Foundations of Software Security. In addition to the CBT, the SecureAssist tool is great for finding security issues within the code as you write it. Just like a spell checker for security, it will underline potential security flaws and provides remediation guidance for that specific mistake