When security researchers Charlie Miller and Chris Valasek demonstrated in 2015 that they could take control of a Jeep Cherokee's brakes and transmission remotely, over the cellular network by way of its Uconnect infotainment system, Fiat Chrysler had to recall 1.4 million vehicles to patch the software vulnerability. The Jeep hack was an expensive wake-up call for the automotive industry. So, what has changed since then?
In today's cars, software controls everything from safety-critical systems (anti-lock brakes and power steering) to basic controls (doors and windows) to navigation and infotainment, and much of it is written by different vendors. As the software supply chain gets longer, with multiple suppliers contributing code to the final product, shared coding standards are what keep a defect in one supplier's module from becoming a life-threatening malfunction in the vehicle.
The Motor Industry Software Reliability Association (MISRA) guidelines facilitate the development of safe, secure, and portable code. The two standards work at different levels: ISO 26262 is a process standard for automotive functional safety, while MISRA is a set of language-level coding guidelines, and ISO 26262 itself names MISRA C as an example of a suitable coding standard. MISRA's original focus was safety and reliability; since MISRA C:2012 Amendment 1 (2016) it explicitly addresses security as well. But is MISRA prepared to handle increasing connectivity and the exponential rise in open source code?
MISRA is a collaborative effort among vehicle manufacturers, component suppliers, and engineering consultancies including Ford, Jaguar, Lotus, MIRA, TRW Automotive, and the University of Leeds. MISRA provides guidelines for developing safety- and security-related electronic systems and software-intensive applications. It also promotes best practices for the safe and secure application of embedded control systems and standalone software.
Coding guidelines help ensure the development of code that is reliable enough to run in safety-critical systems, resistant to common coding flaws that attackers exploit, and portable (reusable) throughout the supply chain. The most widely used are the MISRA guidelines for C and C++: MISRA C:2004, MISRA C++:2008, and MISRA C:2012, the last extended by Amendment 1 with security-focused rules and directives.
MISRA compliance covers more than the coding guidelines themselves. The MISRA Compliance:2016 document defines what a supplier must demonstrate and record so that an acquirer can judge the quality of the software being delivered, and it is practical as well as rigorous: it explains how to handle exceptions to the rules (deviations) when they are genuinely necessary.
MISRA guidelines are classified as mandatory, required, or advisory. A compliant project violates no mandatory guideline under any circumstances. A required guideline may be violated only under a formally documented deviation whose justification shows that safety and security are not compromised and that there is no reasonable way to comply; a typical case is third-party code that the project cannot alter. Advisory guidelines should be followed as far as is reasonably practical, and violating one does not need a formal deviation.
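To make the three classifications and the deviation mechanism concrete, here is an added example that is not code from the original article or from MISRA: a small bus-frame parser written twice, once as it is commonly written and once under MISRA C:2012, followed by a function that the project chooses to keep under a documented deviation of a required rule. The rule and directive numbers are MISRA C:2012 (with Amendment 1); the frame layout, the function names, and the deviation record's field names are invented for illustration, and the `demo_*` functions exercise the parser on constructed frames rather than captured bus traffic.

```c
/* Added example, not from the article or from MISRA. Rule/Dir numbers are
 * MISRA C:2012 with Amendment 1; frame layout and names are invented. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>   /* Rule 21.6 violation, covered by the deviation record below */
#include <string.h>

#define PAYLOAD_MAX 8U   /* classic CAN data field length */

typedef struct {
    uint8_t id;
    uint8_t len;
    uint8_t data[PAYLOAD_MAX];
} frame_t;

/* BEFORE: trusts the length byte that arrived on the bus.
 * Dir 4.14 (Required): values received from external sources shall be
 *   validated -> violated, len drives memcpy unchecked.
 * Rule 21.17 (Required): <string.h> functions shall not access beyond the
 *   bounds of the referenced objects -> violated whenever len > PAYLOAD_MAX.
 * Rule 15.5 (Advisory): single point of exit -> two returns.
 * Kept deliberately buggy: this is what a MISRA checker flags. */
bool parse_frame_unsafe(const uint8_t *buf, size_t buf_len, frame_t *out)
{
    if (buf_len < 2) {
        return false;
    }
    out->id  = buf[0];
    out->len = buf[1];
    memcpy(out->data, &buf[2], out->len);   /* overruns data[] if len > 8 */
    return true;
}

/* AFTER: every externally sourced value is range-checked before use,
 * the copy is provably in bounds, and there is a single exit. */
bool parse_frame(const uint8_t *buf, size_t buf_len, frame_t *out)
{
    bool ok = false;

    if ((buf != NULL) && (out != NULL) && (buf_len >= 2U)) {
        const uint8_t len = buf[1];
        /* Dir 4.14: len must fit the destination AND what actually arrived */
        if ((len <= PAYLOAD_MAX) && ((size_t)len <= (buf_len - 2U))) {
            out->id  = buf[0];
            out->len = len;
            if (len > 0U) {
                /* Rule 17.7: non-void return value explicitly discarded */
                (void)memcpy(out->data, &buf[2], (size_t)len);
            }
            ok = true;
        }
    }
    return ok;
}

/* A Required rule the project deviates rather than fixes. Deviation record
 * (field names illustrative; a real project keeps these in its deviation
 * log in whatever form its MISRA Compliance process prescribes):
 *   Guideline: Rule 21.6 (Required), <stdio.h> shall not be used
 *   Scope:     diag_format() only, diagnostics builds only
 *   Reason:    formatted text for a service tool; no approved alternative
 *   Risk:      snprintf is bounded by out_len and always NUL-terminates;
 *              the function runs outside the safety-related partition
 * A Mandatory guideline could not be handled this way at all. */
int32_t diag_format(char *out, size_t out_len, const frame_t *f)
{
    return (int32_t)snprintf(out, out_len, "id=%u len=%u",
                             (unsigned int)f->id, (unsigned int)f->len);
}

/* Self-checks on constructed frames (not captured bus traffic). */
bool demo_accepts_valid_frame(void)
{
    static const uint8_t wire[] = { 0x07U, 0x03U, 0xAAU, 0xBBU, 0xCCU };
    frame_t f;
    return parse_frame(wire, sizeof wire, &f)
        && (f.id == 7U) && (f.len == 3U) && (f.data[2] == 0xCCU);
}

bool demo_rejects_bad_lengths(void)
{
    /* first frame claims 200 bytes (the unsafe parser would overrun data[]),
     * second claims 4 payload bytes when only 2 arrived */
    static const uint8_t oversized[] = { 0x07U, 0xC8U, 0x01U };
    static const uint8_t truncated[] = { 0x07U, 0x04U, 0x01U, 0x02U };
    frame_t f;
    return !parse_frame(oversized, sizeof oversized, &f)
        && !parse_frame(truncated, sizeof truncated, &f);
}

bool demo_diag_line(void)
{
    char line[32];
    const frame_t f = { 7U, 3U, { 0U } };
    return (diag_format(line, sizeof line, &f) == 10)
        && (strcmp(line, "id=7 len=3") == 0);
}
```

The point of the pairing is that a checker reports the "before" parser against two required guidelines and one advisory one; the project must fix the required violations (or deviate them with a record like the one above `diag_format`), while the advisory single-exit point is a recommendation it may reasonably decline. Note also what the deviation record does not do: it never argues that the rule is wrong, only that this specific use is bounded and sits outside the safety partition, which is the kind of risk assessment an acquirer will expect to see.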
While some research questions the effectiveness of MISRA, the guidelines are a large step in the right direction. MISRA C has become the de facto standard for embedded C programming in most safety-related industries, and is also used to improve software quality where safety is not the main consideration. Beyond MISRA C, MISRA has also published MISRA C++, guidance on safety analysis, and guidance on model-based development and automatic code generation.
Though born in the automotive industry, MISRA has gained acceptance in other markets such as aerospace, biomedical, communications, and finance, and is now used across embedded, IoT, and industrial control systems. MISRA compliance does not guarantee that software is free of quality or security defects, but it does produce code that is more robust, easier to maintain, and more portable.
Today's car contains more than 150 million lines of code, and industry projections put the average car at 300 million lines within the next decade. As cars become more connected, attackers will increasingly target automotive software. The cost of MISRA compliance is small next to the risk of shipping without it.