Unlike a glitch in a desktop computer, bugs found in autonomous vehicle (AV) software could be more than just inconvenient. Travelling at high speed and in busy traffic, software errors in an AV could prove life threatening.
To avoid unsavoury situations and ensure the software in the vehicle is up to the mark, the automotive industry is using intelligent tools to sift through source code for potential weak spots. One of the key players in this area is Perforce Software. Headquartered in Minneapolis, the company supplies tools that can help developers to produce software more efficiently and at high quality. These tools also handle the herculean task of analysing the swathes of code being created for safe and secure vehicles. “Our tool scans source code to check for errors,” explains Richard Bellairs, Product Marketing Manager at Perforce Software. “It flags up those errors to developers so that they can fix them at the earliest opportunity.”
Software developers in the automotive industry tend to use general-purpose programming languages such as C++, which is known for its flexibility. Modern vehicles on sale today run between 80 and 100 million lines of code—significantly more than the Mars Rover or an F-35 fighter jet—and AVs, while still some way off, are expected to see an exponential rise in those numbers. With all of that code and complexity, there is certainly room for error. “Because of the inherent flexibility in those programming languages, it is very easy for people to make mistakes and introduce bugs that are difficult to detect,” says Bellairs, “particularly as it is impossible to test every kind of execution path for a program using traditional methods.”
Just as in other professions, peer review is common practice in software development. However, manual code reviews are extremely time consuming—particularly in today’s fast-paced development environment—and thus static analysis has become essential.
Static analysis is carried out by a computer program, which can perform debugging at greater speed and scale than any team of humans could. In fact, the ISO 26262 automotive functional safety standard currently recommends that an automated tool is used to ensure that coding is based on a best practice standard known as MISRA (Motor Industry Software Reliability Association).
“We are known as the de facto tool for MISRA checking within the automotive industry,” affirms Bellairs. “Static analysis is absolutely critical for any significant software development these days. In the past, people would conduct manual code reviews, but it is absolutely unreasonable to expect that to be done with modern software development,” he continues. “Bugs can get through the testing stage and surface later on. We instil confidence that that code is safe and that intermittent failures, which could result in the failure of a safety critical system, will not eventually appear.”
So-called ‘bug hunts’ have become something of a pastime within the automotive space of late. Various automakers have engaged in ‘bug bounty’ programmes, in which researchers—often dubbed ‘white hat hackers’—are rewarded for finding vulnerabilities in a vehicle. The idea is to find and fix any issues proactively, rather than waiting for them to arise on the road.
General Motors has run several such schemes in recent years; former GM President and current head of Cruise Automation, Dan Ammann, told The Detroit News in 2018 that the company would ply hackers with pizza and Red Bull and “turn them loose” on its vehicles. Fiat Chrysler Automobiles (FCA) and Tesla have run similar initiatives, with the latter offering up to US$10,000 for serious bugs found in its software.
“New vehicles contain numerous electronic control units (ECUs) with millions of lines of code. That’s only going to become more complex with the advent of autonomy and more connected technologies in the car,” says Bellairs.
One of the primary challenges lies in handling this complexity and the potential for coding errors. A common problem such as a buffer overflow, for example, can occur when a programmer accidentally overwrites a piece of memory. If a hacker can gain access to the system in question, he or she could insert malicious code. Numerous instances have already shown how remote access to a connected vehicle with driver assistance functions can leave passengers at the mercy of a hacker—none more so than the Wired hack of 2015. Two researchers—both of whom are now at GM’s Cruise Automation unit—held journalist Andy Greenberg hostage on a St Louis highway, cutting the Jeep Cherokee’s brakes and throttle from the comfort of a remote location ten miles away.
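The buffer overflow described above, shown as an added example (not code from Perforce or from any vehicle; the memory layout and function names are constructed for illustration): a message handler that trusts a supplied length overwrites an adjacent status flag, while the bounds-checked version rejects the message. This missing length check is the kind of coding error a static analysis tool is meant to flag before the code ships.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model: one flat region standing in for adjacent ECU memory.
 * Bytes 0..7 are a message buffer, byte 8 is an unrelated status flag.
 * Keeping both in a single array makes the out-of-bounds write well
 * defined in C, so its effect can be observed safely. */
enum { BUF_OFF = 0, BUF_LEN = 8, FLAG_OFF = 8, REGION_LEN = 16 };

typedef struct { uint8_t mem[REGION_LEN]; } region_t;

void region_init(region_t *r) {
    memset(r->mem, 0, sizeof r->mem);
    r->mem[FLAG_OFF] = 1;              /* flag starts in its expected state */
}

uint8_t get_flag(const region_t *r) { return r->mem[FLAG_OFF]; }

/* Flawed: trusts the length that arrives with the message. */
void store_unchecked(region_t *r, const uint8_t *data, size_t len) {
    memcpy(&r->mem[BUF_OFF], data, len);   /* no bound on len */
}

/* Corrected: rejects anything that does not fit the 8-byte buffer. */
int store_checked(region_t *r, const uint8_t *data, size_t len) {
    if (data == NULL || len > BUF_LEN) return -1;
    memcpy(&r->mem[BUF_OFF], data, len);
    return 0;
}

int main(void) {
    /* Constructed 9-byte message: one byte longer than the buffer. */
    const uint8_t msg[9] = {1, 2, 3, 4, 5, 6, 7, 8, 0};
    region_t r;

    region_init(&r);
    store_unchecked(&r, msg, sizeof msg);
    printf("unchecked: flag = %u\n", get_flag(&r));

    region_init(&r);
    int rc = store_checked(&r, msg, sizeof msg);
    printf("checked:   rc = %d, flag = %u\n", rc, get_flag(&r));
    return 0;
}
```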
The secure connected car
The automotive industry is taking the issue seriously, and static analysis tools are becoming invaluable to software developers today. “Code bases are becoming larger, so in order to analyse your code you need an automated tool,” Bellairs explains. “To ensure safety, you need a tool that provides coverage of all the rules within your coding standard, and you have to demonstrate that all the tools in your development process are up to scratch.”
Among others, Perforce has already seen automotive success stories with the likes of Scania, Delphi and in-wheel electric motor specialist Protean Electric. Acquired by private investment firm Clearlake in 2018, Perforce sees automotive as a growing area of interest, and aims to tap further into the burgeoning autonomous and connected space.
“Writing secure code is becoming increasingly important as more connectivity enters new cars—there is more of an attack surface for hackers to break into,” concludes Bellairs. “Many security issues found in cars are not due to the way that application has been designed, but a result of fundamental coding errors that create loopholes and vulnerabilities for hackers to exploit. Our Helix QAC software helps developers to catch those vulnerabilities very early on in the coding process, when they’re much easier to fix.”