An AUTOSAR-Aligned Architectural Study of Vulnerabilities in Automotive SoC Software

Srijita Basu, Haraldsson Bengt, Miroslaw Staron, Christian Berger, Jennifer Horkoff, Magnus Almgren

TL;DR

The paper addresses security challenges in AUTOSAR-aligned automotive SoCs by deriving an AUTOSAR-consistent ASoCS architecture from open-source data and mapping 180 CVEs from the NVD to this model. Using a two-researcher, high-consistency mapping process, it identifies 16 root causes and 56 software modules affected, analyzes vulnerability distribution across kernel, user space, and secure execution environments, and compares mitigation timelines across CWEs and modules. Key findings show Missing Size/Length Validation as the dominant root cause, WLAN as a major CVE contributor, and CWE-416 (Use After Free) driving lengthy patch times, with notable variation across IPC and WLAN modules. The study provides actionable guidance for secure architectural hardening, component procurement decisions, and vulnerability prioritization in SoC-based vehicle platforms, offering a concrete, architecture-grounded approach that can inform AUTOSAR-adaptive deployments and CPS security workflows. Data and mappings are publicly available to support further validation and extension to broader CPS domains.

Abstract

Cooperative, Connected and Automated Mobility (CCAM) systems are complex cyber-physical systems (CPS) that integrate computation, communication, and control in safety-critical environments. At their core, System-on-Chip (SoC) platforms consolidate processing units, communication interfaces, AI accelerators, and security modules into a single chip. The AUTOSAR (AUTomotive Open System ARchitecture) standard was developed in the automotive domain to better manage this complexity, defining layered software structures and interfaces to facilitate reuse of HW/SW components. However, in practice, this integrated SoC software architecture still poses security challenges, particularly in real-time, safety-critical environments. Recent reports highlight a surge in SoC-related vulnerabilities, yet systematic analysis of their root causes and impact within AUTOSAR-aligned architectures is lacking. This study fills that gap by analyzing 180 publicly reported automotive SoC vulnerabilities, mapped to a representative SoC software architecture model that is aligned with AUTOSAR principles for layered abstraction and service orientation. We identify 16 root causes and 56 affected software modules, and examine mitigation delays across Common Weakness Enumeration (CWE) categories and architectural layers. We uncover dominant vulnerability patterns and critical modules with prolonged patch delays, and provide actionable insights for securing automotive CPS platforms, including guides for improved detection, prioritization, and localization strategies for SoC software architectures in SoC-based vehicle platforms.

Paper Structure

This paper contains 14 sections, 1 equation, 7 figures, 2 tables.

Figures (7)

  • Figure 1: Automotive SoC Software Architecture Model
  • Figure 2: ASoCS, Central Processor: Kernel and User Space
  • Figure 3: Distribution of Root Causes across Software Modules
  • Figure 4: Association of Root Causes with CWEs
  • Figure 5: Distribution of CVEs across Software Modules
  • ...and 2 more figures