Security Given Short Shrift in Automotive Software Development, says AdaCore
NEW YORK and PARIS, August 23, 2010 – With each new model year, cars are becoming more dependent on microprocessors and complex software, challenging the auto industry to ensure that these systems are secure, safe, and reliable. According to AdaCore, this challenge is not being met: security and safety issues are not being properly considered at the start of the automotive system design cycle, but are instead being addressed as an afterthought. A recent paper from Rutgers University and the University of South Carolina, detailing preventable security flaws of in-car wireless networks, confirms AdaCore’s thesis.
“It is totally unacceptable for safety and security to be treated as add-on features for any safety-critical system, much less an automobile,” said Robert Dewar, President and CEO of AdaCore. “Car makers simply must consider these issues from the very start of a new vehicle design, because trying to add them in later, sometimes even after cars are on the road, is dangerous for drivers and expensive for manufacturers.”
AdaCore is a leading provider of tools and services that help software developers meet stringent safety and security standards.
Hacked Tire Sensors a Possibility
Researchers from Rutgers University and University of South Carolina found, for example, that wireless communications between new cars and their tires can be “hacked” – intercepted or even forged – just like vulnerable computers on a data network. The report also shows that digital eavesdropping is possible at a distance of roughly 40 meters from a passing vehicle, and safety-critical messages from sensors in the car can be triggered and spoofed remotely.
“While the potential for misuse may be minimal, this vulnerability points to a troubling lack of rigor with secure software development for new automobiles,” said Wenyuan Xu, in a recent Business Week interview with Joab Jackson of IDG News Service. Prof. Xu, from the Computer Science department at the University of South Carolina, was a co-lead on the study.
This specific security flaw is a symptom of a larger problem: electronic systems are being developed and deployed in automobiles without considering security requirements. AdaCore says this is a particularly surprising omission for software systems where development costs will ultimately be distributed across a very large volume of vehicles, since the added effort needed to integrate security is negligible on a per-vehicle basis.
Existing Techniques for Ensuring Safety and Security
The software discipline has come up with a wide range of technologies that have proven over the years to increase both safety and security. For example, the avionics industry has adopted the DO-178B safety standard to make sure that software in commercial aircraft systems is safe. Similar standards are used in many other safety-critical industries, including high-speed rail, nuclear reactors, and medical devices. Analogous standards, most notably the Common Criteria, address security issues. There are established communication encryption mechanisms, and also computer architectures that allow multiple programs to operate securely on a single computer system. Both of these technologies make sense for the computer systems on board an automobile, where typically various sensors communicate data to remote processors that, in turn, are managed and coordinated by a central computer.
This central computer will be running multiple programs at different security or criticality levels. The entertainment system, although nice to have, is not essential to the safe operation of the car. In contrast, the cruise control system is safety critical; a bug that, for example, prevented the driver from overriding the set speed could cause an accident. The Bluetooth wireless interface and, in the case of the tire pressure system considered in the Rutgers / Univ. of South Carolina study, sensor communication channels can allow outside access, and that’s the source of the security problem. These systems, along with the many other systems operating on a modern automobile, need to be protected from one another (and from outsiders) so that one system cannot adversely affect another.
The Multiple Independent Levels of Security (MILS) architecture was specifically designed to support this sort of multi-program computer system. It isolates separate programs into their own partitions where each can operate safely and securely without interfering with others. It also supports secure communication between these various programs in a policy-defined manner. This architecture is available commercially (GNAT Pro High-Integrity Edition for MILS), and can solve many of the security issues presented by a modern automobile with its many computer systems.
Founded in 1994, AdaCore is the leading provider of commercial software solutions for Ada, the state-of-the-art programming language designed for large, long-lived applications where safety, security, and reliability are critical. AdaCore’s flagship product is the GNAT Pro development environment, which comes with expert on-line support and is available on more platforms than any other Ada technology. AdaCore has an extensive world-wide customer base; see www.adacore.com/home/company/customers/ for further information.
Ada and GNAT Pro see a growing usage in high-integrity and safety-certified applications, including commercial aircraft avionics, military systems, air traffic management/control, railway systems and medical devices, and in security-sensitive domains such as financial services.
AdaCore has North American headquarters in New York and European headquarters in Paris. www.adacore.com