Security Vulnerabilities in Software Supply Chain for Autonomous Vehicles
Research Excerpt
Authors: MD WASIUL HAQUE, MD ERFAN, SAGAR DASGUPTA, MD RAYHANUR RAHMAN, MIZANUR RAHMAN | Year: 2025 | arXiv
The Crux (TL;DR): This paper demonstrates that open-source autonomous vehicle (AV) software stacks (Apollo, Autoware, and openpilot) contain significant, recurring security vulnerabilities in both their source code and third-party dependencies. It argues that early and systematic implementation of supply chain security practices is essential to prevent these software flaws from causing real-world safety hazards.
Primary Contribution: An empirical, comparative study utilizing static analysis and Software Bill of Materials (SBOM) tools to systematically identify and categorize Common Weakness Enumerations (CWEs) and third-party dependency vulnerabilities across three major open-source AV platforms.
Core Focus Tags: #AutonomousVehicles | #SoftwareSupplyChain | #VulnerabilityManagement | #Cybersecurity | #StaticAnalysis
1. Core Areas Covered
Scope & Boundaries: The research explicitly focuses on the software supply chain of three specific open-source AV platforms (Autoware, Apollo, and openpilot). It utilizes static analysis tools (e.g., Flawfinder, Bandit, Semgrep) and SBOM tools (e.g., Microsoft sbom-tool, Grype). It does not cover dynamic/runtime vulnerability analysis, proprietary closed-source AV stacks, or hardware-level security.
2. The Problem
Core Issue: AVs are increasingly "Software Defined Vehicles" (SDVs) that rely heavily on complex, interconnected open-source software supply chains. These components often lack rigorous, early-stage security best practices, leading to pervasive vulnerabilities such as buffer overflows, command injections, and insecure third-party dependencies.
Real-World Impact: Because AVs are cyber-physical systems, software defects or compromised dependencies can cascade into safety-critical failures (e.g., misclassification of obstacles, loss of synchronization between perception and control), directly threatening passenger safety and public trust.
3. The Proposed Solution & Recommendations
Approach: The authors proposed and demonstrated a multi-layered vulnerability analysis workflow that includes:
Code Vulnerability Identification: Using static analyzers to detect CWEs in C/C++ and Python codebases.
Third-Party Library Analysis: Utilizing SBOM generation and scanning to detect vulnerable external dependencies.
Recommendations:
Embed secure development practices early in the software development lifecycle (SDLC).
Implement regular, automated SBOM scanning and continuous monitoring of dependencies.
Prioritize remediation based on both technical severity (e.g., CVSS/CWE) and system-level safety impact.
Adopt hardened build pipelines and provenance tracking.
4. Core Areas Covered (Technical/Regulatory/Architectural)
Technical Domains: Software Supply Chain Security, Static Code Analysis, Vulnerability Enumeration (CWE), and Dependency Management.
Regulatory/Standard Domains: ISO/SAE 21434 (Road vehicles – Cybersecurity engineering), UN R155 (Cybersecurity Management System), and NIST Secure Software Development Framework (SSDF).
Architectural Domains: AV Software-Defined Vehicle (SDV) stacks, specifically Middleware (ROS/ROS 2, Cyber RT), Perception, Planning, and Control modules.
5. Key Areas of the Literature Review
Existing Research: The authors build upon established studies regarding supply chain attacks in open-source software (e.g., [Ladisa et al. 2023]) and the general security challenges of cyber-physical systems.
Frameworks: The review highlights standard cybersecurity risk assessment methods such as STRIDE, PASTA, and LINDDUN, as well as automotive-specific standards like ISO/SAE 21434 and the NIST SSDF for software assurance.
6. Practical Utility
Industry Relevance: Highly relevant for cybersecurity teams, automotive OEMs, AV software developers, and regulators.
Implementation Readiness: The workflow is prototype-tested via the case study on three major open-source platforms and provides actionable scripts for replication.
Methodology: The findings are empirical, based on systematic scans and vulnerability analysis of actual open-source repositories.
