Fortifying Automotive Cybersecurity: The Imperative of Compliance with MISRA C and CERT C

Muhammet Kalaycı
6 min read · May 31, 2023

In an era where vehicles are increasingly connected and autonomous, automotive cybersecurity has ascended as a pivotal consideration. The software within a vehicle is no longer limited to managing the engine and the onboard diagnostics. It now encompasses sophisticated infotainment systems, connectivity features, advanced driver-assistance systems (ADAS), and potentially, fully autonomous driving capabilities.

To mitigate the risks associated with these complexities, the industry has turned to standards and guidelines like MISRA C and CERT C to ensure code robustness and security. In this article, we’ll explore the strengths, differences, similarities, and use cases of MISRA C Amendment 1 and CERT C. Furthermore, we will discuss why compliance with both is crucial for automotive cybersecurity.

Understanding MISRA C and CERT C

MISRA C is a comprehensive set of guidelines for C programming to facilitate the creation of safe, secure, portable, and reliable code. Initially developed for automotive applications, it’s increasingly adopted by other sectors that value software safety and reliability.

MISRA C Amendment 1 to the 2012 edition provides updated guidelines, including new rules and enhancements to existing ones, thus improving its effectiveness.

CERT C, established by the Software Engineering Institute at Carnegie Mellon University, is a secure coding standard designed to eliminate security vulnerabilities tied to undefined behaviors and other potential pitfalls in the C programming language.

Strengths and Similarities

Both MISRA C and CERT C aim to deliver secure and reliable C code by mitigating dangerous language features and fostering good coding practices. They offer rules ensuring code consistency across different platforms.

MISRA C Strengths:

  • Created with safety-critical systems in mind
  • Detailed rules cover various coding aspects
  • Ensures code determinism and consistent behavior

CERT C Strengths:

  • Emphasizes eliminating security vulnerabilities
  • Each rule is supported by extensive explanations and examples
  • Provides severity level and likelihood metrics for risk assessment

Differences

Although they share common goals, the focal points and methodologies of MISRA C and CERT C differ:

  • MISRA C strives to achieve safety in critical systems, aiming to prevent undefined and unspecified behaviors that could lead to system failures.
  • CERT C zeroes in on secure coding practices, intending to reduce software security vulnerabilities.

Use Cases

While MISRA C was initially developed for the automotive industry, its reach extends to industries such as aerospace, medical devices, and industrial control systems, where software failure can result in severe consequences.

CERT C, on the other hand, is essential in sectors where systems might be targeted for cyber-attacks, including financial services, healthcare, and e-commerce.

Importance in Automotive Cybersecurity

The automotive industry’s swift evolution towards highly connected, software-intensive systems heightens the need for robust and secure software. Here, MISRA C and CERT C emerge as valuable allies.

  1. Prevention of Dangerous Constructs: Both standards provide guidance on dangerous C constructs that can lead to undefined behavior or security vulnerabilities.
  2. Improved Code Quality: Adherence to these standards typically results in higher quality, more maintainable code.
  3. Reduced Risk: Avoidance of unsafe practices and the elimination of security vulnerabilities minimize the risk of successful cyber-attacks on automotive systems.

Given the increasing connectivity of modern vehicles, these benefits are no longer just desirable — they’ve become essential.

Their Relevancy to ISO/SAE 21434 and Regulations

ISO/SAE 21434 is a standard that addresses cybersecurity risk management for road vehicles, focusing on the complete lifecycle of automotive systems. It was created by the International Organization for Standardization (ISO) and the Society of Automotive Engineers (SAE) in response to the increasing cybersecurity risks associated with modern, connected vehicles.

Under this standard, manufacturers are required to implement cybersecurity processes during the design, development, production, operation, maintenance, and decommissioning of road vehicle electronic systems. These processes must also be applied to software, hardware, and human factors.

This is where MISRA C and CERT C come in. Compliance with these standards significantly aids in the adherence to ISO/SAE 21434. Here’s how:

  1. Risk Assessment and Treatment: ISO/SAE 21434 requires manufacturers to carry out risk assessments and mitigate identified risks. Following the rules and guidelines of MISRA C and CERT C can significantly reduce the risk of software defects, including those that could be exploited to compromise system security.
  2. Secure Software Development: MISRA C and CERT C guidelines promote secure coding practices, helping to avoid undefined behaviors and other vulnerabilities that could be exploited by an attacker. By adhering to these standards, developers can build software that is resilient to common types of cyber attacks.
  3. Software Updates and Vulnerability Management: The secure coding practices promoted by MISRA C and CERT C help ensure that software is robust and maintainable, making it easier to apply updates and patches in response to discovered vulnerabilities.

Regulatory Compliance

Beyond ISO/SAE 21434, there are numerous other regulations and guidelines regarding automotive cybersecurity across various regions. Examples include the UN Regulation on Cybersecurity and Software Updates (UN R155 & R156) and the U.S. National Highway Traffic Safety Administration’s (NHTSA) Cybersecurity Best Practices for Modern Vehicles.

Compliance with MISRA C and CERT C can play a key role in satisfying these regulatory requirements. By reducing the likelihood of software defects and security vulnerabilities, these standards help to satisfy the fundamental aim of these regulations — ensuring that vehicles are safe and secure.

In conclusion, the relevance of MISRA C and CERT C to ISO/SAE 21434 and other regulations is clear. They provide the foundation for secure and reliable software that is essential in today’s connected, software-intensive vehicles.

Example 1: Array Size

MISRA C Rule 21.3 (Required): “A standard library function shall not be used if it returns a value that, either explicitly or implicitly, may be used as an array size.”

#include <stdlib.h>

void func(size_t size) {
    if (size > 0) {
        /* Non-compliant with MISRA C Rule 21.3: the allocation obtained from
         * malloc is treated as an array of `size` elements. */
        int *p = (int *) malloc(size * sizeof *p);
        /* ... */
        free(p);
    }
}

In this example, the code is non-compliant with MISRA C Rule 21.3 because the return value from malloc is used as an array size.

CERT C Rule ARR01-C: “Do not apply the sizeof operator to a pointer when taking the size of an array."

void func(char *ptr, size_t size) {
    /* Non-compliant with CERT C Rule ARR01-C: ptr has decayed to a pointer,
     * so sizeof(ptr) is the pointer width, not the array length. The
     * caller-supplied `size` is what should be used instead. */
    size_t array_size = sizeof(ptr) / sizeof(char);
    /* ... */
}

In this example, the code is non-compliant with CERT C Rule ARR01-C because it incorrectly uses sizeof on a pointer when trying to determine the size of an array.
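To make the ARR01-C point measurable, here is an added example (not from the article) that shows what the pointer-based sizeof actually yields and what it costs when that value is used to scrub a buffer; ARRAY_LEN, noncompliant_len, compliant_len and bytes_left_unscrubbed are names chosen for this example, and the 32-byte buffer is constructed sample data.

```c
#include <stddef.h>
#include <string.h>

/* Element count of a true array; only valid where the array is still an
 * array, i.e. in the scope that declares it, not on a pointer parameter. */
#define ARRAY_LEN(a) (sizeof(a) / sizeof((a)[0]))

/* Non-compliant with ARR01-C: a char * parameter has already decayed, so
 * sizeof(ptr) is the width of the pointer, not the array it points into. */
static size_t noncompliant_len(char *ptr)
{
    return sizeof(ptr) / sizeof(char);   /* always == sizeof(char *) */
}

/* Compliant: the element count is computed by the caller with ARRAY_LEN
 * and passed explicitly alongside the pointer. */
static size_t compliant_len(char *ptr, size_t len)
{
    (void)ptr;
    return len;
}

/* Consequence of the defect: a 32-byte secret buffer (constructed sample)
 * is scrubbed using one of the two length computations above. Returns the
 * number of bytes still holding the old contents afterwards. */
static size_t bytes_left_unscrubbed(int use_pointer_sizeof)
{
    char secret[32];
    size_t n, i, untouched = 0;

    memset(secret, 'A', sizeof secret);
    if (use_pointer_sizeof != 0) {
        n = noncompliant_len(secret);                 /* sizeof(char *) bytes */
    } else {
        n = compliant_len(secret, ARRAY_LEN(secret)); /* all 32 bytes */
    }
    if (n > sizeof secret) {
        n = sizeof secret;                            /* never write past the end */
    }
    memset(secret, 0, n);
    for (i = 0; i < sizeof secret; i++) {
        if (secret[i] != 0) {
            untouched++;
        }
    }
    return untouched;
}
```

On a 64-bit target the non-compliant path clears only 8 of the 32 bytes, leaving the remaining 24 in memory.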

Example 2: Null Pointers

MISRA C Rule 14.4 (Required): “The controlling expression of an if statement and the controlling expression of an iteration-statement shall have essentially Boolean type."

#include <stdlib.h>

void func(void) {
    int *p = malloc(10 * sizeof *p);
    if (p != NULL) { /* Compliant with MISRA C Rule 14.4: explicit comparison, essentially Boolean */
        /* ... */
    }
    free(p);
}

In this example, the code is compliant with MISRA C Rule 14.4 because the controlling expression of the if statement, (p != NULL), is essentially Boolean; a bare pointer such as (p) would not be.

CERT C Rule EXP34-C: “Do not dereference null pointers.”

void func(char *str) {
    if (str) { /* Compliant with CERT C Rule EXP34-C: str is checked before any use */
        /* ... str may be dereferenced here ... */
    }
}

In this example, the code is compliant with CERT C Rule EXP34-C because it checks the pointer str for nullness before dereferencing it.

Similarities and Differences

Both MISRA C and CERT C provide rules that enhance the safety, reliability, and security of C code. The above examples, while they relate to different specific rules, share a common theme of avoiding dangerous or problematic constructs in the C language.

However, while MISRA C places more emphasis on avoiding behaviors that could lead to system failures (such as using library functions that could return a value used as an array size), CERT C is more focused on eliminating security vulnerabilities (such as dereferencing null pointers). As a result, some rules in each standard do not have direct equivalents in the other, but they all contribute to improving the overall quality of the code.

Conclusion

The relevance of MISRA C and CERT C in the realm of automotive cybersecurity cannot be overstated. By adhering to these standards, organizations can foster the creation of safer, more secure, and more reliable software, ultimately safeguarding both the privacy and safety of road users. As our vehicles continue to evolve and become more software-dependent, adherence to these standards will become ever more crucial in the ongoing battle against automotive cybersecurity threats.

References

  1. Bagnara, Roberto. “MISRA C, for Security’s Sake!” Università di Parma. May 2017.
  2. MISRA Consortium. “MISRA C: 2012 Guidelines for the use of the C language in critical systems.” 2013.
  3. Software Engineering Institute. “SEI CERT C Coding Standard.” Carnegie Mellon University.
  4. ISO/SAE 21434. “Road Vehicles — Cybersecurity Engineering.” International Organization for Standardization. 2020.
  5. UN Regulations on Cybersecurity and Software Updates. UN R155 & R156. United Nations Economic Commission for Europe (UNECE).
  6. NHTSA’s Cybersecurity Best Practices for Modern Vehicles. U.S. National Highway Traffic Safety Administration.
