This post concludes a three-part series examining the implications of the ISO/SAE 21434 automotive cybersecurity standard from a software development perspective.
In Part 1, we looked at how recent trends in the industry are rapidly increasing vehicle attack surfaces, and the challenges developers face in ensuring adequate cybersecurity and complying with ISO/SAE 21434.
In Part 2, we examined undefined behaviors (UB)—the vulnerabilities hackers most often exploit to gain access to a vehicle’s systems—and why they’re so dangerous.
In this final installment, we’ll see how one specialized, purpose-built tool can totally eliminate UBs from automotive software and firmware, and lower the cost of ISO/SAE 21434 compliance.
This post is Part 3 of a 3-part series derived from TrustInSoft’s new white paper, “ISO/SAE 21434 from a Software Development Perspective: How sound, exhaustive static analysis can help ensure air-tight automotive cybersecurity while lowering its costs.”
To get your FREE copy, CLICK HERE.
In our previous article, we mentioned that the systematic detection of undefined behaviors requires a specialized, purpose-built tool. That tool is TrustInSoft Analyzer.
TrustInSoft Analyzer was designed specifically to detect and verify the elimination of undefined behaviors in software. For that reason, it directly contributes to the fulfillment of the requirements of ISO/SAE 21434 section 10.4.2, Integration and Verification. It fully complies with the requirement “testing should be performed in order to confirm that unidentified weaknesses and vulnerabilities remaining in the component are minimized.”
TrustInSoft Analyzer outperforms the baseline techniques cited by ISO/SAE 21434 and goes beyond expectations of the standard at the software level in three specific ways. First, it focuses on undefined behaviors, which are very subtle and difficult to detect. Second, it will not miss any undefined behaviors (no false negatives). And third, it takes into account the characteristics of the target hardware and the toolchain.
TrustInSoft Analyzer also contributes to the ISO/SAE 21434 goal of cybersecurity risk management at the software level. It contributes to an in-depth analysis of specific cybersecurity risks (undefined behaviors). It detects risks linked to undefined behaviors. And it contributes to confirmation that no unreasonable risks remain.
Perhaps most importantly of all, TrustInSoft Analyzer makes the elimination of vulnerabilities and compliance with ISO/SAE 21434 more efficient. It greatly reduces the number of hard-to-find software vulnerabilities in your code early in the development lifecycle, and it reduces the effort and time required to periodically identify and eliminate vulnerabilities that might be added during code modifications over the life of the software product.
ISO/SAE 21434 provides a flexible and adaptable framework for organizations to select and apply appropriate cybersecurity measures. It also suggests a number of software verification techniques organizations may choose to use to help ensure cybersecurity. Among the techniques it suggests are the application of CERT-C coding rules, fuzzing, and penetration testing.
Because of its ability to find and eliminate hard-to-detect undefined behaviors, TrustInSoft Analyzer can be used to enhance all the techniques just mentioned and perform them more efficiently. We’ll look, in turn, at how it strengthens each of those techniques.
CERT C was developed by the CERT Coordination Center (CERT/CC) of the Software Engineering Institute (SEI) because of the inherent security weaknesses of the C/C++ language.1 It currently consists of a set of 122 rules and 180 recommendations. Cert C rules are meant to provide normative requirements that, when followed, should improve the safety, reliability, and security of software systems.
Cert C was developed with input from a wide range of software experts. The standard is widely recognized and used by government agencies, private industry, and academic institutions.
Following Cert C rules:
While these benefits are good, it is important to achieve and verify that the goal of Cert C compliance is also being achieved.
As a sound formal methods tool designed specifically to detect undefined behaviors, TrustInSoft Analyzer is ideally suited to helping software development organizations achieve the stated goals of CERT C and MISRA C.
An exhaustive analysis with TrustInSoft Analyzer will identify the location of every undefined behavior within your code. Because of its soundness, TrustInSoft Analyzer will not miss a single undefined behavior. This significantly reduces the number of residual vulnerabilities that must be addressed by other means.
Fuzz testing, also known as fuzzing, is recommended by ISO 21434 (in requirement RC-10-12) because it has been shown highly effective in uncovering cybersecurity vulnerabilities in software. In general practice, fuzzing is a software testing technique that rapidly applies large numbers of valid, nearly valid, or invalid inputs to a program, one after the other, in a search for undesired behaviors (vulnerabilities).
The term “nearly valid inputs” refers to inputs that meet the expected form of the input space but contain values that are malformed or unexpected. The idea is to automatically generate inputs for the tested program, trying to find input data that cause the program to misbehave in some way. This may result in a safety or security flaw, such as a crash, memory leak, or arbitrary code execution.
Fuzz testing searches for vulnerabilities in a semi-brute-force manner—in much the same way as a hacker in possession of your username for a given online account might apply a computer program to try to guess your password by repeated trial and error. Good fuzzers use some heuristics to build “smart” inputs that improve the chances of revealing problems.
Ultimately, the goal of fuzzing is to automate the process of finding vulnerabilities by generating a large number of test inputs that exercise a program or system in ways that are unexpected or that stress its functionality. By exercising the software in this way, fuzz testing can help identify vulnerabilities and weaknesses in a system that might not be found using other testing techniques.
Like Cert C, fuzzing can be greatly enhanced through the use of TrustInSoft Analyzer. The tool can eliminate the need to repeat fuzz testing and reduce verification costs. The mathematical guarantees it provides simplify discussions with customers and regulators.
Fuzzing with TrustInSoft Analyzer will eliminate the vast majority of undefined behaviors in your code. The tool also provides target emulation for embedded hardware platforms, which allows you to fuzz your embedded code in an environment that closely resembles your target architecture.
It is important to remember, however, that fuzzing is not exhaustive. To guarantee the elimination of all undefined behaviors, it is necessary to apply a technique that only TrustInSoft Analyzer provides—a technique called exhaustive static analysis.
Proceeding to exhaustive static analysis after fuzz testing provides several advantages.
First, it’s exhaustive. It removes every undefined behavior from your code.
Second, it provides you with formal proof—a mathematical guarantee—that can be used as evidence in reviews with security specialists, customers, and regulators. Because of the tool’s soundness and the mathematical guarantee it offers, TrustInSoft Analyzer increases the level of confidence between suppliers and customers
Finally, having accomplished exhaustive static analysis once for a given program, you’ll find it is much less work than fuzzing when you modify your code. You’re now working from a much cleaner baseline. You simply re-run the analyses you’ve already set up.
For additional information on how combining fuzzing with TrustInSoft Analyzer can streamline the process of eliminating cybersecurity vulnerabilities, please see our white paper on that topic titled Fuzzing and Beyond.
Penetration testing, also known as pen testing, is a software testing method that tries to determine whether vulnerabilities within or between components can be exploited to compromise the application, its data, or its environmental resources.
Often performed as part of a security audit to assess a product’s overall resistance to cyberattack, pen testing explores and seeks to resolve system vulnerabilities in the same way an attacker will try to find and exploit them.
Penetration testing offers several advantages in achieving good cybersecurity. It helps identify risks that result from combinations of lower-risk vulnerabilities. It also helps identify risks that are difficult to detect with other methods. In the end, it helps establish trust with customers.
However, pen testing should be repeated when significant modifications are made to the product. So while its benefits are good, it needs to be performed as efficiently as possible to minimize its cost over the lifecycle of the product.
TrustInSoft Analyzer optimizes pen testing through exhaustive analysis. It finds all vulnerabilities caused by undefined behaviors within the program, and it helps eliminate those vulnerabilities before pen testing is performed.
Eliminating all UBs with TrustInSoft Analyzer before proceeding to penetration testing greatly reduces the time and effort required to execute a pen testing campaign
The following is a review of the key features and benefits of TrustInSoft Analyzer.
TrustInSoft Analyzer exhaustively hunts down all undefined behaviors existing in your software. That is its main purpose. Once those undefined behaviors have been eliminated, TrustInSoft Analyzer can then provide verifiable, mathematical proof that your software is 100% free of undefined behaviors.
Because of its soundness and the mathematical guarantee it provides, TrustInSoft Analyzer effectively outperforms all of the verification techniques listed in ISO/SAE 21434 section 10.4.2.
TrustInSoft Analyzer is a qualified tool for ISO 26262 for all ASIL levels. It has been recognized by the TÜV SÜD for its capacity to prove the absence of undefined behaviors in code. As a qualified tool, its results can be used as evidence to demonstrate reliable safety and compliance with ISO 26262.
So, while ISO/SAE 21434 does not require tool qualification, the confidence level required for qualification under ISO 26262 means that TrustInSoft Analyzer is ideally suited to providing proof of cybersecurity (and eliminating costly peer reviews) in ISO/SAE 21434.
In addition, TrustInSoft Analyzer provides a fully representative emulation of the target hardware on which your code will run. It enables you to precisely specify hardware characteristics such as endianness, padding, and memory alignment.
Target emulation allows you to verify your code within its target environment much earlier in the software cycle—without putting the actual hardware in the loop.
TrustInSoft Analyzer also implements a unique feature that faithfully represents the memory mappings between the program variables and chipset-specific memory regions. This feature allows the tool to analyze the software in the exact configuration in which it will run on the final hardware.
Thanks to this accurate representation of physical memory access, TrustInSoft Analyzer guarantees the detection of all memory-related vulnerabilities at the software level.
This capability is explained in detail in our white paper “From Bare Metal to Kernel Code: How Exhaustive Static Analysis Can Guarantee Airtight Security in Low-level Software and Firmware.”
Overall, TrustInSoft Analyzer reduces the amount of effort required to fully test software for cybersecurity vulnerabilities.
TrustInSoft Analyzer makes it possible to do the equivalent of billions of tests with a single, generalized test. It drastically reduces the number of vulnerabilities in your code early in the software development lifecycle, and it reduces the effort and time required to periodically identify and eliminate vulnerabilities that might be added by modifications during the course of that lifecycle. At the same time, it exhaustively detects all vulnerabilities resulting from undefined behaviors.
In the end, you have a mathematical guarantee—for the scope of the analysis performed—that your code is totally free of all undefined behaviors a hacker might exploit.
This post is Part 3 of a 3-part series derived from TrustInSoft’s new white paper, “ISO/SAE 21434 from a Software Development Perspective: How sound, exhaustive static analysis can help ensure air-tight automotive cybersecurity while lowering its costs.” To get your FREE copy, CLICK HERE.
If you find this post useful, our new white paper, ISO/SAE 21434 from a Software Development Perspective, contains a more detailed discussion of all the topics covered in this blog series, as well as additional examples.
To download your FREE copy, CLICK HERE.