Even the most advanced cars and other vehicles hide a rat’s nest of electronics—hundreds of processors and millions of lines of code that were designed separately but now must work together under the hood for years at a time. Keeping such a hodge-podge of systems updated and free of security vulnerabilities is exceedingly difficult, according to University of Michigan researcher Baris Kasikci. And your car is just the tip of the iceberg. Software vulnerabilities are an even bigger threat on large vehicles like spacecraft and in the autonomous drones and other vehicles that are moving toward widespread use.
“It’s a little bit of a mess,” said Kasikci, a professor of computer science and engineering. “Traditionally, you fix the bug in the source code, you rebuild the software and you redeploy it. But these moving environments are really hostile to that model because there’s a lot of different software and lots of different kinds of computers.”
Kasikci is leading a research team that has just received a $1.8 million grant from DARPA to fix the problem with a system called Ironpatch. Part of DARPA’s $50 million Assured Micropatching Program, the four-year project aims to develop a self-contained patching system to solve the growing problem of security vulnerabilities in cars and large vehicles like trucks and spacecraft. The other researchers on the project include assistant professor Manos Kapritsos, professor Westley Weimer and research fellow Kevin Leach, all in the Department of Electrical Engineering and Computer Science.
Ironpatch is a fundamental shift from the types of software patches that are common on widely used computer systems like PCs. These patches are made by producing a replica of a computer system, then making changes to its source code. Next, the patch is tested to make sure it doesn’t interfere with the software’s functionality. The program is then rebuilt using a tool called a compiler, which converts the source code into the ones and zeros that computers understand. Finally, it’s loaded onto the computer.
This process works well enough on PCs, but it’s all but useless on a vehicle’s systems. It can be impossible to produce an accurate replica of a system for testing, and editing and recompiling can tangle the complex web of code in ways that are impossible to predict.
“You’ve got hundreds of processors running different types of software, different versions of software, written in different languages by different people. And the system can change over time, for example if a spacecraft adds a new component for monitoring terrestrial events on a planet,” Kasikci said. “Replicating all those systems in exactly the right way is really an insurmountable task.”
Ironpatch takes a different approach, bypassing the source code and instead making tiny modifications called micropatches directly to the binary heart of the running software. This eliminates the need to recompile the software and because the changes it makes are so minute, they can fix problems without causing others. Ironpatch is designed to be self-contained—once a vulnerability is identified, the system will automatically generate, verify and apply a micropatch to eliminate it. This also eliminates the need to upload software patches to a remotely located system, a particularly handy feature when that system might be located on a spacecraft millions of miles away.
“We often assume that software developers have access to source code and sophisticated vehicle simulation environments,” Leach said. “However, some scenarios make that infeasible. We see an increasing need to develop techniques that deploy patches to vulnerable software that are generated without having an entire simulation stack or original source code available.”
To avoid the need to build a replica of the vehicle’s system for testing, Ironpatch will convert the original software and the patched version into two complex mathematical equations. Then it will solve the two equations, mathematically proving that both programs function in exactly the same way except for the intended modifications.
“Because we don’t have a replica of the system to test the patch on, we need another way to demonstrate that the micropatch won’t alter the baseline functionality of the system,” Kapritsos said. “So we use mathematical proofing to reason within the binary code, showing that the patched version and the original version have the same functionality.”
The goal is for the finished system to be able to generate and deploy patches automatically when security vulnerabilities are found, keeping even the most convoluted systems error-free. While the first versions of the system are being designed for trucks and spacecraft, Kasikci predicts that something similar will ultimately trickle down to more widely-used systems like those in cars. In the future, it could also give technicians the ability to diagnose and repair computer software without having access to the source code.
“The broader impact of this work is the ability to patch software directly in the binary code without the need for intermediary steps like compiling and without needing access to the source code,” Weimer said. “So it could be used to keep cars more secure, or even other types of computers like smart home components or legacy systems. It would be possible to do an audit, to go in and make sure the software is secure and is doing what it says it’s doing.”