揭示自动驾驶系统安全弱点：一项深入的实证研究

IF 3.8 2区计算机科学 Q2 COMPUTER SCIENCE, INFORMATION SYSTEMS

Information and Software Technology Pub Date : 2025-03-08 DOI:10.1016/j.infsof.2025.107709

Wenyuan Cheng , Zengyang Li , Peng Liang , Ran Mo , Hui Liu

{"title":"揭示自动驾驶系统安全弱点：一项深入的实证研究","authors":"Wenyuan Cheng , Zengyang Li , Peng Liang , Ran Mo , Hui Liu","doi":"10.1016/j.infsof.2025.107709","DOIUrl":null,"url":null,"abstract":"<div><h3>Context:</h3><div>The advent of Autonomous Driving Systems (ADS) has marked a significant shift towards intelligent transportation, with implications for public safety and traffic efficiency. While these systems integrate a variety of technologies and offer numerous benefits, their security is paramount, as vulnerabilities can have severe consequences for safety and trust.</div></div><div><h3>Objective:</h3><div>This study aims to systematically investigate potential security weaknesses in the codebases of prominent open-source ADS projects using CodeQL, a static code analysis tool. The goal is to identify common vulnerabilities, their distribution and persistence across versions to enhance the security of ADS.</div></div><div><h3>Methods:</h3><div>We selected three representative open-source ADS projects, Autoware, AirSim, and Apollo, based on their high GitHub star counts and Level 4 autonomous driving capabilities. Using CodeQL, we analyzed multiple versions of these projects to identify vulnerabilities, focusing on CWE categories such as CWE-190 (Integer Overflow or Wraparound) and CWE-20 (Improper Input Validation). We also tracked the lifecycle of these vulnerabilities across software versions. This approach allows us to systematically analyze vulnerabilities in projects, which has not been extensively explored in previous ADS research.</div></div><div><h3>Results:</h3><div>Our analysis revealed that specific CWE categories, particularly CWE-190 (59.6%) and CWE-20 (16.1%), were prevalent across the selected ADS projects. These vulnerabilities often persisted for over six months, spanning multiple version iterations. The empirical assessment showed a direct link between the severity of these vulnerabilities and their tangible effects on ADS performance.</div></div><div><h3>Conclusions:</h3><div>These security issues among ADS still remain to be resolved. Our findings highlight the need for integrating static code analysis into ADS development to detect and mitigate common vulnerabilities. Meanwhile, proactive protection strategies, such as regular update of third-party libraries, are essential to improve ADS security. And regulatory bodies can play a crucial role in promoting the use of static code analysis tools and setting industry security standards.</div></div>","PeriodicalId":54983,"journal":{"name":"Information and Software Technology","volume":"182 ","pages":"Article 107709"},"PeriodicalIF":3.8000,"publicationDate":"2025-03-08","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":"{\"title\":\"Unveiling security weaknesses in autonomous driving systems: An in-depth empirical study\",\"authors\":\"Wenyuan Cheng , Zengyang Li , Peng Liang , Ran Mo , Hui Liu\",\"doi\":\"10.1016/j.infsof.2025.107709\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"<div><h3>Context:</h3><div>The advent of Autonomous Driving Systems (ADS) has marked a significant shift towards intelligent transportation, with implications for public safety and traffic efficiency. While these systems integrate a variety of technologies and offer numerous benefits, their security is paramount, as vulnerabilities can have severe consequences for safety and trust.</div></div><div><h3>Objective:</h3><div>This study aims to systematically investigate potential security weaknesses in the codebases of prominent open-source ADS projects using CodeQL, a static code analysis tool. The goal is to identify common vulnerabilities, their distribution and persistence across versions to enhance the security of ADS.</div></div><div><h3>Methods:</h3><div>We selected three representative open-source ADS projects, Autoware, AirSim, and Apollo, based on their high GitHub star counts and Level 4 autonomous driving capabilities. Using CodeQL, we analyzed multiple versions of these projects to identify vulnerabilities, focusing on CWE categories such as CWE-190 (Integer Overflow or Wraparound) and CWE-20 (Improper Input Validation). We also tracked the lifecycle of these vulnerabilities across software versions. This approach allows us to systematically analyze vulnerabilities in projects, which has not been extensively explored in previous ADS research.</div></div><div><h3>Results:</h3><div>Our analysis revealed that specific CWE categories, particularly CWE-190 (59.6%) and CWE-20 (16.1%), were prevalent across the selected ADS projects. These vulnerabilities often persisted for over six months, spanning multiple version iterations. The empirical assessment showed a direct link between the severity of these vulnerabilities and their tangible effects on ADS performance.</div></div><div><h3>Conclusions:</h3><div>These security issues among ADS still remain to be resolved. Our findings highlight the need for integrating static code analysis into ADS development to detect and mitigate common vulnerabilities. Meanwhile, proactive protection strategies, such as regular update of third-party libraries, are essential to improve ADS security. And regulatory bodies can play a crucial role in promoting the use of static code analysis tools and setting industry security standards.</div></div>\",\"PeriodicalId\":54983,\"journal\":{\"name\":\"Information and Software Technology\",\"volume\":\"182 \",\"pages\":\"Article 107709\"},\"PeriodicalIF\":3.8000,\"publicationDate\":\"2025-03-08\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"0\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"Information and Software Technology\",\"FirstCategoryId\":\"94\",\"ListUrlMain\":\"https://www.sciencedirect.com/science/article/pii/S0950584925000485\",\"RegionNum\":2,\"RegionCategory\":\"计算机科学\",\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"Q2\",\"JCRName\":\"COMPUTER SCIENCE, INFORMATION SYSTEMS\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"Information and Software Technology","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S0950584925000485","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q2","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}

引用次数: 0

摘要

背景：自动驾驶系统（ADS）的出现标志着智能交通的重大转变，对公共安全和交通效率产生了影响。虽然这些系统集成了各种技术并提供了许多好处，但它们的安全性至关重要，因为漏洞可能对安全和信任造成严重后果。目的：本研究旨在利用静态代码分析工具CodeQL系统地调查知名开源ADS项目代码库中潜在的安全漏洞。目标是识别常见的漏洞、它们在不同版本之间的分布和持久性，以增强ADS的安全性。方法：我们选择了三个具有代表性的开源ADS项目，Autoware、AirSim和Apollo，基于它们的高GitHub星数和4级自动驾驶能力。使用CodeQL，我们分析了这些项目的多个版本以识别漏洞，重点关注CWE类别，如CWE-190（整数溢出或环绕）和CWE-20（不正确输入验证）。我们还跨软件版本跟踪了这些漏洞的生命周期。这种方法使我们能够系统地分析项目中的漏洞，这在以前的ADS研究中没有得到广泛的探讨。结果：我们的分析显示，特定的CWE类别，特别是CWE-190（59.6%）和CWE-20(16.1%)，在选定的ADS项目中普遍存在。这些漏洞通常持续超过6个月，跨越多个版本迭代。实证评估表明，这些漏洞的严重程度与其对ADS性能的实际影响之间存在直接联系。结论：这些安全问题仍有待解决。我们的发现强调了将静态代码分析集成到ADS开发中以检测和减轻常见漏洞的必要性。同时，需要采取主动防护策略，如定期更新第三方库，以提高ADS的安全性。监管机构可以在促进使用静态代码分析工具和制定行业安全标准方面发挥关键作用。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

查看原文本刊更多论文

Unveiling security weaknesses in autonomous driving systems: An in-depth empirical study

Context:

The advent of Autonomous Driving Systems (ADS) has marked a significant shift towards intelligent transportation, with implications for public safety and traffic efficiency. While these systems integrate a variety of technologies and offer numerous benefits, their security is paramount, as vulnerabilities can have severe consequences for safety and trust.

Objective:

This study aims to systematically investigate potential security weaknesses in the codebases of prominent open-source ADS projects using CodeQL, a static code analysis tool. The goal is to identify common vulnerabilities, their distribution and persistence across versions to enhance the security of ADS.

Methods:

We selected three representative open-source ADS projects, Autoware, AirSim, and Apollo, based on their high GitHub star counts and Level 4 autonomous driving capabilities. Using CodeQL, we analyzed multiple versions of these projects to identify vulnerabilities, focusing on CWE categories such as CWE-190 (Integer Overflow or Wraparound) and CWE-20 (Improper Input Validation). We also tracked the lifecycle of these vulnerabilities across software versions. This approach allows us to systematically analyze vulnerabilities in projects, which has not been extensively explored in previous ADS research.

Results:

Our analysis revealed that specific CWE categories, particularly CWE-190 (59.6%) and CWE-20 (16.1%), were prevalent across the selected ADS projects. These vulnerabilities often persisted for over six months, spanning multiple version iterations. The empirical assessment showed a direct link between the severity of these vulnerabilities and their tangible effects on ADS performance.

Conclusions:

These security issues among ADS still remain to be resolved. Our findings highlight the need for integrating static code analysis into ADS development to detect and mitigate common vulnerabilities. Meanwhile, proactive protection strategies, such as regular update of third-party libraries, are essential to improve ADS security. And regulatory bodies can play a crucial role in promoting the use of static code analysis tools and setting industry security standards.

求助全文

通过发布文献求助，成功后即可免费获取论文全文。去求助

来源期刊

Information and Software Technology 工程技术-计算机：软件工程

CiteScore

9.10

自引率

7.70%

发文量

164

审稿时长

9.6 weeks

期刊介绍： Information and Software Technology is the international archival journal focusing on research and experience that contributes to the improvement of software development practices. The journal''s scope includes methods and techniques to better engineer software and manage its development. Articles submitted for review should have a clear component of software engineering or address ways to improve the engineering and management of software development. Areas covered by the journal include: • Software management, quality and metrics, • Software processes, • Software architecture, modelling, specification, design and programming • Functional and non-functional software requirements • Software testing and verification & validation • Empirical studies of all aspects of engineering and managing software development Short Communications is a new section dedicated to short papers addressing new ideas, controversial opinions, "Negative" results and much more. Read the Guide for authors for more information. The journal encourages and welcomes submissions of systematic literature studies (reviews and maps) within the scope of the journal. Information and Software Technology is the premiere outlet for systematic literature studies in software engineering.