
WP29 and challenges for automakers and suppliers

From 2022 onwards, automobile manufacturers selling vehicles in regions where the UN Regulations of WP29 (World Forum for Harmonization of Vehicle Regulations), hereinafter referred to as WP29, apply are required to comply with these regulations. The same applies to suppliers in the supply chain.

Today, as automobile systems grow more complex, the scale of software development in automobile development is increasing, and the code base is said to exceed 100 million lines. In addition, each related supplier provides a subsystem, creating a complex supply chain that makes up the entire system.

For this reason, each supplier understands the software configuration of the unit it develops, but the finished-car manufacturer, which is responsible for the total system, has difficulty understanding the software BOM (parts list) and analyzing the risk of each unit, and doing so imposes a huge workload. Furthermore, in the supply chain, not all software is provided as source code, so analysis of binary files is also required.

Risk analysis of in-vehicle software built in such a complex supply chain has become a major issue.

In response to this issue, BlackBerry provides customers with a software analysis tool, Jarvis 2.0, designed to protect embedded assets and contribute to system risk analysis. Jarvis is a tool that brings together the security knowledge and software vulnerability diagnosis know-how that BlackBerry has cultivated over many years in the field of mobile devices and smartphones.

Automakers that have actually used Jarvis have reported significant process improvements, with the time for code security evaluation reduced from 30 days to 7 minutes.

Features of Jarvis 2.0

Binary scanning using state-of-the-art technology
・Binary scan with/without debug symbols
・Scans native binaries (C/C++) and bytecode (Java)
・Support for recursive extraction in archives

Broad and deep insight and analysis
・Intuitive dashboard with CVSS scoring and security posture tracking
・Supports a wide range of architectures
  CPU: ARM, x86, PowerPC, TriCore, Renesas
  OS: QNX, Linux, Android, AUTOSAR
  Archive formats: ZIP, TAR, VMDK, RPM, DEB, etc.
  File formats: ELF, SO, APK, JAR, etc.
・Check based on BlackBerry's own rules

Evergreen SaaS
・Browser-based UI can reside on the engineering workstation
・Significantly reduces scanning time from weeks to hours or minutes, and lets you share results globally in an instant
・Constantly updated to provide the latest features and capabilities

Summary

An understanding of the SBOM (Software Bill of Materials) is required not only of automotive companies, but also of developers of all embedded systems. In reality, however, it is often difficult to access software source code in systems that are developed through complex supply chains. "Jarvis 2.0", which can perform software composition analysis from binary code, will contribute to reducing security risks for customers.

We also have a program that allows you to evaluate "Jarvis 2.0" free of charge.
