Unveiling Security Weaknesses in Autonomous Driving Systems: An In-Depth Empirical Study

Wenyuan Cheng, Zengyang Li, Peng Liang, Ran Mo, Hui Liu

TL;DR

The paper investigates security weaknesses in ADS codebases, focusing on open-source projects Autoware, AirSim, and Apollo. It leverages CodeQL, a static analysis framework, to identify vulnerabilities across multiple versions and CWE categories (notably CWE-190 and CWE-20) and to examine their lifecycles and impact on ADS performance. Key contributions include a systematic vulnerability distribution map, lifecycle insights showing persistence across versions, and validation through developer feedback demonstrating CodeQL's practical utility. Findings highlight persistent security risks in perception-related modules and the role of third-party libraries in introducing build-time vulnerabilities, underscoring the need to embed static analysis into ADS development workflows.

Abstract

The advent of Autonomous Driving Systems (ADS) has marked a significant shift towards intelligent transportation, with implications for public safety and traffic efficiency. While these systems integrate a variety of technologies and offer numerous benefits, their security is paramount, as vulnerabilities can have severe consequences for safety and trust. This study aims to systematically investigate potential security weaknesses in the codebases of prominent open-source ADS projects using CodeQL, a static code analysis tool. The goal is to identify common vulnerabilities and their distribution and persistence across versions, in order to enhance the security of ADS. We selected three representative open-source ADS projects, Autoware, AirSim, and Apollo, based on their high GitHub star counts and Level 4 autonomous driving capabilities. Using CodeQL, we analyzed multiple versions of these projects to identify vulnerabilities, focusing on CWE categories such as CWE-190 (Integer Overflow or Wraparound) and CWE-20 (Improper Input Validation). We also tracked the lifecycle of these vulnerabilities across software versions. This approach allows us to systematically analyze vulnerabilities in projects, which has not been extensively explored in previous ADS research. Our analysis revealed that specific CWE categories, particularly CWE-190 (59.6%) and CWE-20 (16.1%), were prevalent across the selected ADS projects. These vulnerabilities often persisted for over six months, spanning multiple version iterations. The empirical assessment showed a direct link between the severity of these vulnerabilities and their tangible effects on ADS performance. These security issues in ADS remain to be resolved. Our findings highlight the need for integrating static code analysis into ADS development to detect and mitigate common vulnerabilities.

Paper Structure

This paper contains 25 sections, 6 figures, 7 tables.

Figures (6)

  • Figure 1: Overall Structure of the Data Collection Process
  • Figure 2: Well-known ADS Projects on GitHub, Their Main Language, and Number of Stars. Note. The data was obtained on 2025.1.21. While there are many famous ADS-related repositories on GitHub, they do not contain the whole system.
  • Figure 3: Workflow of CodeQL Vulnerability Detection
  • Figure 4: Relationships between Components in the Building Process
  • Figure 5: Distribution of CWE Vulnerabilities (RQ1). Note. The inner circle represents the error level, and the outer circle represents the warning level.
  • ...and 1 more figure