ISSUE 030 | March/April 2025 | In conversation with Tony Fong | Bobcat T7X electric compact truck loader dossier | Cybersecurity focus | Motor testing insight | Fellten's Charge Qube | HIL testing insight | Battery leak testing focus

memory safety, and managing runtime issues and security vulnerabilities. Developers are increasingly confident about using it in the automotive space, and as automotive software evolves for software-defined vehicles, moving to Rust is expected to become more attractive, as it could also help manage the cost of maintaining the software after the launch of the vehicle and allow product teams to focus on new features. However, there are millions of lines of C and C++ code widely used by developers, and porting this code to Rust is a significant challenge. There are now projects to use AI tools to convert C libraries to Rust to ease this challenge, with guidelines to help.

MISRA AC

These issues have also been addressed by the MISRA consortium, which, since the 1990s, has provided best-practice guidelines for the safe and secure application of both embedded control systems and standalone software. The collaboration between manufacturers, component suppliers, engineering consultancies and academics started as a project for the UK government's SafeIT research programme, and it developed guidelines for the creation of embedded software in road vehicle electronic systems. In November 1994, development guidelines for vehicle-based software were published for functional safety using a restricted subset of C, a decade before work began on ISO 26262 at the international level.

This has been extended to C code generated automatically by development tools. Auto-generation can reduce the risk of error and improve the overall quality of the code. The MISRA AC documents deal with the application of its guidelines to automatically generated code (AC). Using these guidelines improves portability through the avoidance of compiler- or platform-specific constructs, and it avoids unexpected application behaviour. It can identify unreachable or infeasible code, which often suggests a defect and a potential security vulnerability, and it can reduce unsafe and insecure coding practices by prohibiting certain language constructs. This reduces program complexity and helps to improve program testability, easing compliance with functional safety and security standards.

Real-time OS

Real-time operating systems (RTOS) can also help provide more secure operation in an ECU. This software can be written with minimal code to reduce the attack surface, so it can be more easily certified to ISO 26262 ASIL D for safety and ISO 23414 for security, and it can provide memory protection, fast boot and fast execution with a simple API for developers. This allows applications, middleware and drivers to run outside of kernel memory space while remaining secure. The memory can be partitioned into several distinct regions, which guarantees the safe and secure isolation of the tasks assigned to them.

CHERI projects

The demands of developing secure systems are also leading to new types of hardware, not just secure blocks in chips. The Capability Hardware Enhanced RISC Instructions (CHERI) project has developed a chip architecture that avoids the memory problems and risks, and this has been used in both ARM and RISC-V processor designs. An automotive project called AutoCHERI has been testing this out with penetration testing. However, this will take time to be implemented and qualified in automotive chips, even with IP for processors available.

CHERI has been in development since 2010, and it is now being tested in a number of ways for automotive uses, analysis and threat modelling. Specific use cases include vehicle diagnostics data, and processing data from CAN through the telematic control unit (TCU) and up to the cloud. It can also be used for over-the-air (OTA) software updates of the TCU, pulling software packages from the cloud and cryptographically verifying them, as well as communicating with roadside infrastructure via cellular-V2X protocols.

It is a new CPU instruction-set architecture offering two new features: it enforces the memory safety of pointers and introduces compartmentalisation. The CHERI memory protection feature allows historically memory

March/April 2025 | E-Mobility Engineering

The CHERI architecture (Image courtesy of University of Cambridge/ARM)
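As an added illustration of the pointer-safety feature described above (this is not code from the article, from AutoCHERI or from the CHERI project), the following C models a capability in software: a pointer that carries its own bounds and permissions, can only be narrowed when derived, and reports a fault on an out-of-bounds load instead of silently reading past a buffer. The 16-byte frame buffer and the 8-byte payload window are constructed for the demonstration; real CHERI enforces these checks in hardware and adds a tag bit against forgery, which the model omits.

```c
#include <stddef.h>
#include <stdint.h>
/* Software model of a CHERI-style capability: a pointer carrying its own
 * bounds and permissions, checked on every access. Real CHERI does this in
 * hardware with a tag bit that prevents forgery; this only models the checks. */
typedef struct {
    uint8_t *base;   /* lowest address the capability may reach */
    size_t   length; /* bytes reachable from base */
    unsigned perms;  /* bitmask of CAP_LOAD / CAP_STORE */
} cap_t;
enum { CAP_LOAD = 1u, CAP_STORE = 2u };
enum { CAP_OK = 0, CAP_ERR_BOUNDS = -1, CAP_ERR_PERM = -2 };

/* Monotonicity: a derived capability may only shrink bounds and drop
 * permissions, never gain them. */
int cap_restrict(const cap_t *in, size_t offset, size_t len,
                 unsigned perms, cap_t *out) {
    if (offset > in->length || len > in->length - offset) return CAP_ERR_BOUNDS;
    if ((perms & ~in->perms) != 0) return CAP_ERR_PERM;
    out->base = in->base + offset;
    out->length = len;
    out->perms = perms;
    return CAP_OK;
}

/* Checked byte load: the out-of-bounds read a plain C pointer performs
 * silently becomes a reported fault here. */
int cap_load(const cap_t *c, size_t offset, uint8_t *value) {
    if (!(c->perms & CAP_LOAD)) return CAP_ERR_PERM;
    if (offset >= c->length) return CAP_ERR_BOUNDS;
    *value = c->base[offset];
    return CAP_OK;
}

/* Constructed scenario: a 16-byte frame buffer whose 8-byte payload (offset 4)
 * is handed to a parser as a load-only capability. Returns the number of
 * faults the checks catch (3), or -1 if a legitimate access is wrongly refused. */
int can_payload_demo(void) {
    uint8_t frame[16] = {0};
    cap_t whole = { frame, sizeof frame, CAP_LOAD | CAP_STORE };
    cap_t payload, bad;
    uint8_t v;
    int faults = 0;
    if (cap_restrict(&whole, 4, 8, CAP_LOAD, &payload) != CAP_OK) return -1;
    if (cap_load(&payload, 7, &v) != CAP_OK) return -1;               /* last byte is in bounds */
    faults += cap_load(&payload, 8, &v) == CAP_ERR_BOUNDS;            /* one past the end */
    faults += cap_restrict(&payload, 0, 9, CAP_LOAD, &bad) == CAP_ERR_BOUNDS; /* cannot widen */
    faults += cap_restrict(&payload, 0, 8, CAP_STORE, &bad) == CAP_ERR_PERM;  /* cannot add store */
    return faults;
}
```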
