Unveiling Security Weaknesses in Autonomous Driving Systems: An In-Depth Empirical Study
Wenyuan Cheng, Zengyang Li, Peng Liang, Ran Mo, Hui Liu

TL;DR
This paper presents an empirical study of open-source autonomous driving systems (ADS) that uses static code analysis to reveal prevalent security vulnerabilities, and it emphasizes the importance of integrating security practices into ADS development.
Contribution
It systematically analyzes vulnerabilities in prominent ADS projects using CodeQL, identifying common security weaknesses and their persistence across versions, a topic that has been underexplored in prior research.
Findings
CWE-190 (Integer Overflow) is the most prevalent weakness, at 59.6%.
Vulnerabilities often persist over six months across versions.
Security issues directly impact ADS performance and safety.
Abstract
The advent of Autonomous Driving Systems (ADS) has marked a significant shift towards intelligent transportation, with implications for public safety and traffic efficiency. While these systems integrate a variety of technologies and offer numerous benefits, their security is paramount, as vulnerabilities can have severe consequences for safety and trust. This study aims to systematically investigate potential security weaknesses in the codebases of prominent open-source ADS projects using CodeQL, a static code analysis tool. The goal is to identify common vulnerabilities, their distribution and persistence across versions to enhance the security of ADS. We selected three representative open-source ADS projects, Autoware, AirSim, and Apollo, based on their high GitHub star counts and Level 4 autonomous driving capabilities. Using CodeQL, we analyzed multiple versions of these projects…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Autonomous Vehicle Technology and Safety · Vehicular Ad Hoc Networks (VANETs)
