??? CERT-C: Elevating Secure C Programming in Automotive Systems

As the demand for secure, reliable, and robust software in embedded systems grows, particularly in the automotive industry, the importance of following coding standards and secure development practices cannot be overstated. CERT-C, developed by the SEI CERT Coordination Center, is a coding standard aimed at improving the security and safety of C programming in software systems. In this article, we will explore the technical aspects of CERT-C, its importance, and specific rules relevant to the automotive industry.

Why CERT-C for Automotive Systems?

C is one of the most commonly used programming languages in embedded systems, including automotive software development. However, due to its flexibility and low-level capabilities, C can introduce vulnerabilities such as buffer overflows, null pointer dereferences, and integer overflows if not managed properly. CERT-C was developed to address these vulnerabilities and to help developers write more secure, robust C code.

In the automotive context, safety and security are paramount. Modern vehicles have thousands of lines of code controlling everything from engine management to advanced driver-assistance systems (ADAS). A single vulnerability in the code could compromise the safety of the entire system. CERT-C provides guidelines to avoid such risks, thereby ensuring more secure and reliable automotive software.

Key Areas of Focus in CERT-C

CERT-C primarily focuses on the following critical aspects of C programming:

1. Buffer Overflow Prevention: Buffer overflows are a common security vulnerability in C, where more data is written to a buffer than it can hold, potentially overwriting adjacent memory. This can lead to unexpected behavior, crashes, or even exploitations such as code execution.
2. Integer Overflows and Underflows: Mismanaging arithmetic operations on integers, particularly in the context of overflow and underflow, can lead to incorrect calculations and security breaches.
3. Memory Management: Misuse of dynamic memory allocation (e.g., malloc/free) often results in memory leaks, dangling pointers, and other issues, which CERT-C addresses to prevent resource exhaustion or exploitation.
4. Concurrency Issues: As automotive systems become more complex, multithreading and concurrency are more commonly used, which can introduce race conditions or deadlocks. CERT-C includes guidelines to avoid these pitfalls.
5. Input Validation and Sanitization: Inputs, whether from sensors, user interfaces, or networked systems, must be validated and sanitized to prevent malicious data from entering the system and triggering unsafe operations.
6. Error Handling: Proper error handling is crucial in automotive systems where failure could lead to physical harm. CERT-C emphasizes robust error handling to prevent crashes or undefined behavior in critical functions.

?? CERT-C Rules in Action for Automotive Systems

Let’s now dive into specific rules of CERT-C that are especially relevant to automotive software development.

EXP33-C: Avoid Modifying Object Const-Qualified

A common issue in C programming is modifying a const-qualified object, which can lead to undefined behavior. In automotive systems, it’s critical that certain data remains immutable to ensure consistency across multiple ECU (Electronic Control Unit) operations.

For instance, an ECU managing the engine should not modify calibration constants at runtime. CERT-C provides guidance on how to avoid modifying objects that are const-qualified, thereby preventing software from behaving unexpectedly.

Example:

const int max_rpm = 6000;
void adjust_rpm() {
    int *ptr = (int *)&max_rpm; // Dangerous cast, should be avoided
    *ptr = 7000; // Modifies const object, leading to undefined behavior
}        

Copier le code

const int max_rpm = 6000; void adjust_rpm() { int *ptr = (int *)&max_rpm; // Dangerous cast, should be avoided *ptr = 7000; // Modifies const object, leading to undefined behavior }

CERT-C rule EXP33-C mandates that developers avoid such casts to protect the integrity of constants.

ARR01-C: Do Not Apply the sizeof Operator to a Pointer When Taking the Size of an Array

In C, using sizeof on a pointer does not return the size of the pointed-to array, but rather the size of the pointer itself. This can lead to miscalculations and buffer overflows when managing arrays in vehicle systems.

In automotive applications, where real-time data from multiple sensors or systems is collected and processed, any error in calculating buffer sizes can result in missed or corrupted data, potentially leading to malfunction.

Example:

void process_data(int *data) {
    size_t size = sizeof(data) / sizeof(data[0]); // Incorrect, size of pointer used
    for (size_t i = 0; i < size; i++) {
        // Process data
    }
}        

Copier le code

void process_data(int *data) { size_t size = sizeof(data) / sizeof(data[0]); // Incorrect, size of pointer used for (size_t i = 0; i < size; i++) { // Process data } }

CERT-C’s ARR01-C rule ensures developers calculate array sizes correctly by avoiding pointer-size errors, thus enhancing reliability.

MSC34-C: Do Not Use Deprecated or Obsolescent Functions

In an industry where system longevity is crucial, avoiding deprecated functions is essential for long-term maintainability and security. CERT-C specifies that functions like gets() must not be used, as they introduce vulnerabilities like buffer overflows, particularly dangerous in critical automotive applications.

Automotive systems require code that is both secure and maintainable for the lifetime of the vehicle, which may last several decades. Using obsolete functions increases the risk of future vulnerabilities and compatibility issues.

Example:

char input[10];
gets(input); // Deprecated function, leads to buffer overflow        

Copier le code

char input[10]; gets(input); // Deprecated function, leads to buffer overflow

CERT-C mandates the use of safer alternatives like fgets():

fgets(input, sizeof(input), stdin); // Secure alternative        

Copier le code

fgets(input, sizeof(input), stdin); // Secure alternative

DCL30-C: Declare Objects with Appropriate Storage Durations

Mismanagement of storage durations for variables can cause issues like dangling pointers or data corruption in complex systems, especially those interacting with hardware (e.g., sensors or actuators).

For example, declaring a local variable in an interrupt service routine (ISR) that interacts with hardware can lead to undefined behavior if the variable goes out of scope before the hardware finishes accessing it.

Example:

void ISR() {
    int sensor_data = read_sensor(); // Local variable used in ISR
    // Further processing
}        

Copier le code

void ISR() { int sensor_data = read_sensor(); // Local variable used in ISR // Further processing }

CERT-C advises declaring variables with the appropriate storage duration to ensure they remain valid for the entire duration of their use, particularly in time-critical operations in vehicles.

?? Adopting CERT-C in Automotive Development

To implement CERT-C effectively, automotive developers must integrate these guidelines into their development lifecycle, using static analysis tools to detect rule violations and ensure compliance. Additionally, developers should:

• Perform regular code reviews to ensure that CERT-C guidelines are followed.
• Integrate automated testing with tools that check adherence to CERT-C rules.
• Use static analysis tools like Coverity or Polyspace to enforce compliance with CERT-C during development.

?? Trends and the Future of CERT-C in Automotive

The use of CERT-C in the automotive industry is expected to grow as the focus on vehicle security intensifies. With the advent of autonomous vehicles and connected cars, the need for secure code practices becomes even more critical. Combining CERT-C with other standards like MISRA C and ISO/SAE 21434, which focus on cybersecurity, will be essential for developing resilient automotive software.

Furthermore, the increased use of Machine Learning (ML) and Artificial Intelligence (AI) in vehicles opens new areas for the application of CERT-C, especially in ensuring secure and reliable software execution in safety-critical systems.

Conclusion

CERT-C plays a vital role in elevating the security and robustness of C programming in automotive systems. By focusing on preventing common vulnerabilities like buffer overflows, integer overflows, and improper memory management, CERT-C helps automotive developers create safer, more reliable software. As vehicles become more connected and autonomous, adherence to CERT-C will be key in ensuring the security and integrity of their embedded systems.