Accelerating Automotive Software Security with MISRA C and SAST
The MISRA C/C++ coding guidelines were created out of concern about whether the C and C++ programming languages can be used safely in critical automotive systems. Since its first publication in 1998, MISRA C has become one of the most widely used coding standards in the automotive industry, and it has spread to safety-critical devices in other industries, such as medical devices and industrial control.
Static Application Security Testing (SAST) tools are needed to apply the standard properly and at scale, but it is important to understand that not all SAST tools are created equal. Advanced SAST tools that support the full development process and do more than syntax checking are preferable to lightweight checkers, because they do more to reduce risk, cost, and time to market.
Support the development process
Several previous posts have discussed the role of SAST in the development of safety-critical software, including automotive systems. The recurring theme is that these tools play a vital role in improving the security and quality of software: applying secure coding standards such as MISRA, finding defects, and detecting hard-to-find security vulnerabilities that escape testing.
MISRA plays an important role in C development when applied to safety-critical automotive software. Applying the standard manually is impractical, which is why SAST tools are used to enforce it. However, not all tools are created equal, as shown in this recent post. GrammaTech’s CodeSonar not only supports enforcement of the MISRA coding guidelines, but also provides defect detection and security vulnerability analysis that goes well beyond simple syntax checking.
CodeSonar also integrates with many software development tools, such as Jenkins, GitLab, GitHub, Jira, Visual Studio, Eclipse and many more. These integrations enable seamless adoption of SAST into an existing development process and toolchain. Compliance with source code safety, security, and quality standards can be checked directly on the developer’s desktop before check-in to the build system. Defects and vulnerabilities can be automatically assigned for review and remediation. Audits can be performed at any time and the results distributed to the development team.
Improving security with MISRA and SAST
The MISRA guidelines themselves recognize the importance of tools to successfully use the guidelines:
… in its favor as a language is the fact that C is very mature, and therefore well analyzed and proven in practice. Therefore, its shortcomings are known and understood. Also, there is a large amount of tool support commercially available that can be used to statically check C source code and alert the developer to many problematic aspects of the language. – [MISRA-C:2004 Guidelines for the use of the C language in critical systems]
The MISRA guidelines define a safer subset of C that prevents many classes of errors, so following them improves code safety, security, and quality. In combination with modern development tools, rigorous testing and good software development practices, the safety and security of the whole system should also improve (assuming the same level of rigor is applied throughout hardware and system development). But no coding standard is perfect, and enforcing the rules alone is not enough to ensure software security and safety.
Catch errors that coding standards and testing miss
A key contribution that advanced SAST tools like CodeSonar make to the development of safety-critical software is the ability to find defects that have eluded traditional development techniques. As evidenced by high-profile cases in the automotive industry, safety issues that reach the market and the road are far more costly to fix than problems found during development. The best return on investment comes from catching these critical flaws while the code is being written. Classes of defects that may be missed during development, even when MISRA coding guidelines and good engineering practices are followed, include the following:
- Concurrency defects often occur intermittently and only after a system has been fully integrated onto the final hardware platform. CodeSonar can reason about the behavior of multi-threaded and multi-core code and detect deadlocks, race conditions, and other concurrency errors during development.
- Security vulnerabilities are software flaws that can be exploited to interfere with system behavior or expose critical data. Security is often overlooked in systems where safety is the priority. For example, CodeSonar’s advanced analysis techniques can detect security vulnerabilities arising from common memory errors that lead to crashes or to command injection.
- Assuming that system input data is well-formed is reckless in today’s hostile operating environment. Detecting these types of security issues is very difficult when data is passed through many functions. Tainted data analysis traces data entering the system to the points where the application uses it and warns of any potential security vulnerabilities that arise. This automated analysis can report the full control and data path of the tainted data, enabling rapid remediation.
- Complex inter-procedural faults are difficult to detect, especially with unit and subsystem testing. CodeSonar performs advanced inter-procedural analysis of control and data flow across the entire program. Deep analysis lowers the rate of false positives (reported errors that are not real) and raises the rate of true positives (reported errors that are real). CodeSonar’s analysis extends to executables, object files and libraries.
- Binary analysis is a unique capability that provides visibility into, and error detection for, compiled code in the form of object files, libraries, and even executables. Automated binary analysis performs the same detailed analysis on binary code as on source, including system and third-party libraries supplied without source code. Developers can ensure that all code, both binary and source, meets the quality standard required for the project.
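The following is an added example, not code from the original post or from CodeSonar, showing the kind of defect the tainted-data and inter-procedural bullets above describe: a length field read from an external bus flows through three small functions into a memcpy with no bounds check. Each function is rule-compliant when read on its own, so a per-function MISRA rule checker reports nothing; only an analysis that follows the tainted value from source to sink across function boundaries connects the two. The message layout, the 8-byte signal buffer and all function names are constructed assumptions for the illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Assumed diagnostic message layout (constructed for this example):
 *   byte 0     : payload length claimed by the sender (attacker-controlled)
 *   bytes 1..n : payload
 * The receiver copies the payload into a fixed 8-byte signal buffer. */
#define SIGNAL_BUF_LEN 8u

typedef struct {
    uint8_t signal[SIGNAL_BUF_LEN];
    uint8_t used;
} signal_frame_t;

/* Taint source: the length field comes straight off the bus. */
static uint8_t read_claimed_len(const uint8_t *msg)
{
    return msg[0];
}

/* Taint sink: memcpy with a caller-supplied length. Looks clean in isolation. */
static void copy_payload(uint8_t *dst, const uint8_t *src, size_t n)
{
    (void)memcpy(dst, src, n);
}

/* Vulnerable: the tainted length flows read_claimed_len -> parse -> copy_payload
 * with no check against SIGNAL_BUF_LEN. Only inter-procedural taint analysis
 * connects the source to the sink. Returns the number of bytes copied. */
int parse_frame_unchecked(const uint8_t *msg, size_t msg_len, signal_frame_t *out)
{
    uint8_t n;
    if (msg_len < 1u) { return -1; }
    n = read_claimed_len(msg);
    copy_payload(out->signal, &msg[1], n);   /* overflows when n > SIGNAL_BUF_LEN */
    out->used = n;
    return (int)n;
}

/* Hardened: validate the tainted length against both the real message size and
 * the destination capacity before it reaches the sink. Returns -1 on rejection. */
int parse_frame_checked(const uint8_t *msg, size_t msg_len, signal_frame_t *out)
{
    uint8_t n;
    if (msg_len < 1u) { return -1; }
    n = read_claimed_len(msg);
    if ((n > SIGNAL_BUF_LEN) || ((size_t)n > (msg_len - 1u))) {
        return -1;                            /* malformed or oversized frame */
    }
    copy_payload(out->signal, &msg[1], n);
    out->used = n;
    return (int)n;
}

/* Constructed sample frames: one well-formed, one claiming 200 payload bytes. */
const uint8_t kGoodFrame[] = {4u, 0x11u, 0x22u, 0x33u, 0x44u};
const uint8_t kBadFrame[]  = {200u, 0xAAu, 0xBBu};

int main(void)
{
    signal_frame_t f;
    (void)memset(&f, 0, sizeof f);
    printf("good frame, checked parser:   %d\n",
           parse_frame_checked(kGoodFrame, sizeof kGoodFrame, &f));
    printf("bad frame,  checked parser:   %d\n",
           parse_frame_checked(kBadFrame, sizeof kBadFrame, &f));
    /* parse_frame_unchecked(kBadFrame, ...) is deliberately not called:
     * it would write 200 bytes into the 8-byte f.signal buffer. */
    return 0;
}
```

Note that the hardened version checks two independent things: the claimed length against the destination capacity, and the claimed length against the bytes actually received, since a short frame with a large length byte would otherwise make memcpy read past the end of the message.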
Accelerating certification
Reducing defects and vulnerabilities in the early stages of development is the obvious contribution that automated SAST makes to shortening schedules and reducing risk. The cost savings from detecting critical defects immediately, rather than finding and fixing them during system integration or, worse, when products are in service, are significant.
CodeSonar also produces automated documentation to support testing and quality and robustness evidence. Much of the effort in safety certifications is spent on documentation and on producing evidence, and SAST automation significantly reduces this load. As a tool certified by TÜV SÜD for use under ISO 26262, CodeSonar gives developers assurance that it can be integrated into a safety-critical development project without additional tool qualification work.
The tools needed to support secure and successful mission-critical projects require more than source analysis and MISRA rule checking. Enterprise-level development projects require sophisticated tools that support and enhance the development cycle and integrate with other development automation tools. The ability to go beyond MISRA enforcement and prevent critical defects and vulnerabilities from leaking through the development process pays big dividends in reduced cost and risk.
To learn more, we invite you to download and read this white paper, “Accelerating MISRA Automotive Safety Compliance with Static Application Security Testing.”
*** This is a syndicated blog post from the Security Bloggers Network, written by Christian Simko. Read the original post at: https://blogs.grammatech.com/accelerating-automotive-software-safety-with-misra-c-and-sast