Accelerating Automotive Software Safety with MISRA C and SAST
March 24, 2022
The MISRA C/C++ coding guidelines were created based on concerns about the ability to safely use the C and C++ programming languages in critical automotive systems. Since its inception in 1998, MISRA has become one of the most-used coding standards in the automotive industry, and has even spread to use in safety-critical devices in other industries, such as medical and industrial control.
Static application security testing (SAST) tools are needed to properly use and enforce the standard, but it's important to understand that not all SAST tools are created equal. Advanced SAST tools that support the full development process and do more than simple syntax checking are preferable to lightweight tools: they are more effective at reducing risk, cost, and time-to-market.
Supporting the Development Process
Several previous posts have discussed the role of SAST in safety-critical software development, including automotive systems. The recurring theme is that these tools play a critical role in improving software security and quality, by enforcing safe-coding standards such as MISRA, finding defects, and detecting security vulnerabilities that are difficult to find during testing.
MISRA plays an important role in C development when applied to safety-critical automotive software. Enforcing the standard manually is difficult, so SAST tools are used to enforce it. However, not all tools are created equal, as discussed in this recent post. GrammaTech's CodeSonar not only supports MISRA coding enforcement, but also provides error detection and security vulnerability analysis that goes well beyond simple code-syntax checking.
CodeSonar is also integrated with many software development tools, such as Jenkins, GitLab, GitHub, Jira, Visual Studio, Eclipse and more. These integrations allow seamless adoption of SAST into an existing development process, including existing tools. Source code safety, security and quality standards compliance can be checked right at the developer’s desktop before checking into the build system. Defects and vulnerabilities can be automatically assigned for review and remediation. Audits can be done at any time and results distributed to the development team.
Improving Safety with MISRA and SAST
The MISRA guidelines themselves acknowledge the importance of tools in successfully using the guidelines:
…in its favor as a language is the fact that C is very mature, and consequently well-analysed and tried in practice. Therefore, its deficiencies are known and understood. Also, there is a large amount of tool support available commercially which can be used to statically check the C source code and warn the developer of the presence of many of the problematic aspects of the language. - [MISRA-C:2004 Guidelines for the use of the C language in critical systems]
MISRA guidelines define a safer subset of C that should prevent many classes of errors, so following these guidelines does improve code safety, security and quality. In combination with modern development tools, rigorous testing, and good software development practices, system safety and security should improve as well (assuming the level of rigor remains the same throughout hardware and system development). But no coding standard is perfect, and to ensure better software security and safety, enforcing the rules by itself isn’t enough.
Detecting Errors that Coding Standards and Testing Miss
A key contribution that advanced SAST tools like CodeSonar provide to safety-critical software development is the ability to find defects that have slipped through the traditional development techniques. As evidenced by high-profile cases in the automotive industry, safety issues that make it to market and on the road are expensive to fix, by orders of magnitude more than issues found during development. The best return on investment is detecting these critical defects early enough to be caught during coding. Classes of defects that can be missed during development, even when using MISRA coding guidelines and good engineering practices, include the following:
- Concurrency defects often occur randomly and only after a system has been completely integrated on the final hardware platform. CodeSonar can reason about multithreaded/multitasking code behavior and detect deadlocks, race conditions and other concurrency errors during development.
- Security vulnerabilities are software defects that can be exploited to interfere with a system's behavior or expose critical data. Security is often overlooked in systems where safety is a primary focus. For example, using advanced analysis techniques in CodeSonar, you can detect security vulnerabilities that arise from common memory errors leading to crashes or command injections.
- Assuming that system input data is well-formed is foolhardy in today’s hostile operating environment. Detecting these types of security issues is very difficult when data is passed across many functions. Tainted data analysis helps to trace input data in the system to its use in the application and warn of any potential security vulnerabilities that arise. This advanced automated analysis can provide the full control and data path for tainted data, which allows for rapid remediation.
- Complex inter-procedural defects are difficult to detect, especially with unit and subsystem testing. CodeSonar performs advanced inter-function (inter-procedural) analysis of control and data flow across the entire scope of the program. Deep analysis lowers the false-positive rate (reported errors that are not real) and raises the true-positive rate (reported errors that are confirmed). CodeSonar’s analysis extends into executables, object files, and libraries.
- Binary analysis is a unique capability, which provides insight and error-detection of compiled code as object files, libraries, and even executables. Automated binary analysis performs the same detailed analysis on binary code as it does on source, including system and third-party libraries that are provided without source code. Developers can ensure that all code, including binary and source, is up to the quality standard required for the project.
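As an added illustration (not code from the original post or from CodeSonar), here is a constructed tainted-data flow of the kind the list above describes: an index read from an untrusted message passes through several small functions before it reaches a lookup table, so no single function shows the defect and only a whole-program taint analysis or a check at the sink catches it. The unchecked lookup sits beside its hardened form; all names and the message layout are hypothetical.

```c
/* Added example: untrusted index flowing across functions to an array sink. */
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define TABLE_LEN 8U

/* Constructed calibration table; the sink of the tainted index. */
static const uint16_t calib_table[TABLE_LEN] = {10, 20, 30, 40, 50, 60, 70, 80};

/* Taint source: byte 1 of a constructed 4-byte diagnostic message is the index. */
static uint8_t parse_index(const uint8_t msg[4])
{
    return msg[1];
}

/* Propagation: a plain conversion, unremarkable when reviewed on its own. */
static size_t select_slot(uint8_t idx)
{
    return (size_t)idx;
}

/* Sink, unchecked: any index >= TABLE_LEN reads past the table.
 * Each function above is locally reasonable; the defect is only visible
 * when the three are analysed together with the source marked as tainted. */
uint16_t lookup_unchecked(const uint8_t msg[4])
{
    return calib_table[select_slot(parse_index(msg))];
}

/* Sink, hardened: validate the tainted value where it is consumed and
 * report a malformed message through the return value instead of reading
 * out of bounds. */
bool lookup_checked(const uint8_t msg[4], uint16_t *out)
{
    size_t slot = select_slot(parse_index(msg));
    if (slot >= TABLE_LEN) {
        return false;
    }
    *out = calib_table[slot];
    return true;
}

int main(void)
{
    const uint8_t good[4] = {0x02U, 3U, 0U, 0U};   /* constructed, index 3 */
    const uint8_t bad[4]  = {0x02U, 200U, 0U, 0U}; /* constructed, index 200 */
    uint16_t v = 0U;
    printf("good: checked=%d value=%u\n", lookup_checked(good, &v), (unsigned)v);
    printf("bad:  checked=%d (rejected, unchecked lookup would read out of bounds)\n",
           lookup_checked(bad, &v));
    return 0;
}
```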
Defect and vulnerability reduction in the early stages of development is the obvious contribution that automated SAST makes to time reduction and risk remediation. The cost savings from finding critical defects right away, as opposed to finding and fixing these bugs in system integration or, worse, when products are in service, are significant.
CodeSonar also provides automated documentation to support testing and quality/robustness evidence. Much of the manpower used in safety certifications is documentation and producing evidence. SAST automation reduces this burden significantly. As a TÜV SÜD certified ISO 26262 tool, CodeSonar provides assurance to developers that it can be integrated into a safety-critical development project without further certification requirements.
The tools needed to support secure and successful safety-critical projects require more than simple source analysis and MISRA rule checking. Enterprise-level development projects require sophisticated tools that support and enhance the development lifecycle, and integrate with other development automation tools. The ability to go beyond MISRA enforcement and prevent critical defects and vulnerabilities from leaking through the development process pays big dividends in cost and risk reduction.
To learn more, we welcome you to download and read this white paper, “Accelerating MISRA Automotive Safety Compliance with Static Application Security Testing.”