All posts by Code Curmudgeon

I've been working in Software Development at Parasoft since 1992 - which in my opinion is before the epoch (my measure being the first real use of the web). I've been involved deeply in creating software, creating software tools, and helping customers address their software problems including automotive, cybersecurity and embedded. The views and opinions expressed herein are those of the author and do not necessarily reflect the views of anyone else on the planet. Caveat lector. You can follow me on twitter @CodeCurmudgeon, Google+, Static Analysis for Fun and Profit, Facebook, and LinkedIn.

Prevent Automotive Software Bugs with Static Analysis

We all knows that automotive software is becoming increasingly complex. It’s gotten to the point that high-end cars not only have more code than jet fighter aircraft, but a LOT more code – in some cases as much as 100 million lines of code. Given that the automobile is a complex creation with lots of smart parts talking on multiple buses, trying to ensure that it’s bug-free is a frustrating and difficult task.

Bug in code
Bug in code

Anyone who knows me knows that I’m a huge proponent of software-development-as-engineering. This means that instead of simply chasing bugs and trying to test quality into a product, we change the way we build software and start by producing code that is less susceptible to bugs. Static analysis is the way to do this. For several years now a few vendors have been pushing the idea that static analysis is only for finding bugs, but it’s real power is in prevention. If you want your car to not have serious problems when it rolls out the door, static is your best friend.

Last week Adam Trujillo and I wrote an article in Embedded Computing Design detailing three simple static analysis rules to get you a jump-start into producing better automotive software. As it turns out there are a few MISRA rules that end up preventing a large number of very common and potentially dangerous problems such as buffer overflow.

It’s a short article but very practical. Give it a read and if you want to know more, be sure to let us know.

For more info check out these books:

Automotive Software Engineering: Principles, Processes, Methods, and Tools

Formal Techniques for Safety-Critical Systems

Effective Modern C++: 42 Specific Ways to Improve Your Use of C++11 and C++14

AutoSec Automotive CyberSecurity

parasoft car small
Last week with Alan Zeichick and I did a webinar for Parasoft on automotive cybersecurity. Now Alan thinks that cybersecurity is an odd term, especially as it applies to automotive and I mostly agree with him. But appsec is also pretty poorly fitted to automotive so maybe we should be calling it AutoSec. Feel free to chime-in using the comments below or on twitter.

I guess the point is that as cars get more complicated and get more “smart” parts and get more connected (The connected car) as part of the “internet of things”, you will start to see more and more automotive security breaches occurring. From taking over the car to stealing data to triggering airbags we’ve already had several high-profile incidents which you can see in my IoT Hall-of-Shame.

To help out we’ve put together a high-level overview of a 7-point plan to get you started. In the near future we’ll be diving into detail on each of these topics, including how standards can help you not only get quality but safety and security, the role of black-box, pen-test, and DAST as well as how to get ahead of the curve and harden your vehicle software using static code analysis (SAST) and hybrid testing (IAST).

The webinar was recorded for your convenience, so be sure and check it out. If you have automotive software topics that are near and dear to your heart, but sure to let me know in the comments or on Twitter or Facebook.

In the meantime, for more security info check out the security resources page and a few of these books can help.
Embedded Systems Security: Practical Methods for Safe and Secure Software and Systems Development,

Platform Embedded Security Technology Revealed: Safeguarding the Future of Computing with Intel Embedded Security and Management Engine,

Software Test Attacks to Break Mobile and Embedded Devices (Chapman & Hall/CRC Innovations in Software Engineering and Software Development Series)

Lost Bros is Retro Game Fun

And now for something a little different. My nephew has been working hard for a long time on a game which is now live on Steam Greenlight.

Lost bros running from a skeleton in the swamp area.
Lost bros running from a skeleton in the swamp area.
Lost Bros is inspired by Blizzard’s The Lost Vikings and classic 80’s time travel movies like Bill and Ted’s Excellent Adventure and Time Bandits.

Outside the labyrinth: Zeus has tasked the Lost Bros with retrieving the minotaurs heart.
Outside the labyrinth: Zeus has tasked the Lost Bros with retrieving the minotaurs heart.
It’s a retro style game in which you simultaneously control three independent characters as they travel through time to save their kidnapped friend. Gunman, Shieldman, and Swordman must cooperate with unique abilities to traverse dangerous puzzles and fight monstrous baddies.

Please take a look and upvote him so he can release his game on Steam! This is a one-man project which he has invested a TON of his energy and creativity into, from art to design to music to programming. Especially, if you know anyone you’ve ever heard complain that games these days are too easy, please point them at this! It’s got a great retro feel with crazy complex gameplay!

Lost Bros walking through town in the wild west. At the post office they can take horse delivery missions to earn cash.
Lost Bros walking through town in the wild west. At the post office they can take horse delivery missions to earn cash.

Game Features:

  • Alternate game modes that help explore the concept of controlling 3 with 1.
  • Nine distinct time periods that can be tackled in any order.
  • Unique game play and design.
  • Challenging gameplay.
  • Xbox360 and XboxOne controller support (highly recommended!)
  • 21 homemade audio tracks.
  • Friendly Fire.
  • Retro pixel art.
  • Powered by Unity.
  • Art, music, programming, and design all done by one person.
  • Unlockables to increase character power.

Like it on Facebook.

Internet of Things (IoT) Hall-of-Shame

A collage of various devices that not only can be hacked, but already have been.
A collage of various devices that not only can be hacked, but already have been.
As I’ve said before, the “Internet of Things” aka IoT has become the internet of hacks. More and more devices are being internet enabled, but security on the devices isn’t keeping up. Some vulnerabilities are difficult, but many of those that have been in the news seem to have been more from either lack of training or simply not prioritizing software security.

In the grand tradition of my SQLi Hall-of-Shame, I’ve decided to start creating a list of IoT hacks that have hit the press. The list is small but will surely grow. Please let me know if you’re aware of publicized hacks on IoT devices. If this doesn’t scare you then you’re not thinking about it enough. You should be running screaming to empty your bank account, buy an old pre-70s car, and smash your phones, thermostats, and other electronic devices.

I know the answer to this isn’t easy, but I’m hoping that at least you’ll spend more time thinking about it than you have. So take a look, and let me know in the comments, twitter, email, etc. when you hear about new ones I haven’t covered. You can view it at the IoT Hall-of-Shame.

IoT Security Resources

Embedded Systems Security: Practical Methods for Safe and Secure Software and Systems Development,

Platform Embedded Security Technology Revealed: Safeguarding the Future of Computing with Intel Embedded Security and Management Engine,

Software Test Attacks to Break Mobile and Embedded Devices