Modern vehicle software is too complex for pure testing. Hidden execution paths, memory errors and multicore effects often remain undetected. Formal verification becomes a decisive factor here.
Memory errors such as buffer overflows or use-after-free jeopardize the stability of vehicle software. Formal verification helps to turn tested software into verifiably safe systems.
(Image: Dall-E / AI-generated)
Most errors in embedded software for vehicles are not caused by missing functions. They result from hidden execution paths that violate safety, timing or memory assumptions under certain runtime conditions. These problems are often caused by undefined behavior, memory corruption or multicore interference and can go undetected for months or even years before they occur in real operation.
The challenge is not that these errors are unknown. Rather, they are invisible to traditional workflow verification. Unit tests, integration tests and hardware-in-the-loop tests can validate thousands of scenarios without ever reaching the paths that trigger the error. While static analysis helps reduce errors, it still misses the critical execution paths.
In modern vehicle software, these hidden paths are not uncommon, but an inherent consequence of real-time multicore scheduling. They arise from task scheduling, interrupts, cache effects, memory management and complex data interactions between dozens of ECUs and centralized vehicle computing platforms. Even a single error hidden among billions of possible execution paths will eventually surface once the software is deployed in a fleet of vehicles.
This is why critical vehicle failures still occur even after validation. Unfortunately, the error has always been there, it was just not tested.
Memory errors are a major cause of these failures. Problems such as buffer overflows, out-of-bounds accesses, post-release usage and integer overflows often do not immediately cause the system to crash. Instead, they affect system behavior unnoticed until a later event turns this hidden corruption into a visible error.
Memory corruption is the main method attackers use to compromise embedded vehicle systems remotely. In connected vehicles, hidden reliability flaws also become hidden cybersecurity vulnerabilities that can spread to entire fleets.
The core problem is not the availability of tools, but the coverage. Modern vehicle software has become too extensive and too complex for random sample-based tests to prove that critical errors are not actually present—no matter how many tests are performed. For this reason, detection-based verification is no longer sufficient, and mathematically comprehensive verification is required for ASIL C and ASIL D systems.
Increasing Software Complexity And Risks in Vehicle Systems
Modern vehicle architectures have evolved into tightly integrated, software-defined platforms. Centralized computing units and domain controllers now coordinate braking, steering, propulsion, perception, energy management and data connectivity. These systems execute millions of lines of software under strict real-time conditions.
The resulting state space is enormous and cannot be fully examined by tests alone. Interrupts, task scheduling, cache behavior, DMA transfers and inter-task communication create execution paths that are practically impossible to test. The reuse of software across vendors and model generations increases this risk. A latent error in a shared component can spread to entire fleets and persist for years.
Over-the-air (OTA) updates, the radio-based transmission of software updates to vehicles, accelerate software changes and shorten validation times. This increases the reliance on early verification to prevent bugs from entering production code, as late detection is costly and disruptive.
Why testing alone cannot close the security gap
Tests check the functional behavior, but cannot guarantee correctness. They can show that errors are present, but never prove that there are no errors. Embedded software runs under non-deterministic conditions that are influenced by scheduling, interrupts, asynchronous I/Os and sensor inputs. The number of possible runtime behaviors far exceeds the capabilities of any test strategy.
Coverage metrics offer only limited certainty. Issues such as race conditions and memory corruption often depend on rare time sequences and specific data patterns that may never occur in controlled test environments. Therefore, hidden errors often only come to light during integration, fleet operation or under specific time and load conditions, when they become costly and uncertain to fix.
Storage Security As A Structural Weakness
Memory safety violations are a constant risk in vehicle software. Issues such as buffer overflows, out-of-bounds accesses, use-after-free errors, integer overflows and null pointer dereferencing can lead to undefined behavior that affects error detection and compromises predictable system behavior.
C and C++ dominate vehicle development due to their performance and hardware access requirements. However, manual memory management leads to subtle errors that can remain undetected for a long time. Parallel execution further increases this risk as it leads to race conditions that result in unpredictable and hard-to-diagnose state corruption.
Date: 08.12.2025
Naturally, we always handle your personal data responsibly. Any personal data we receive from you is processed in accordance with applicable data protection legislation. For detailed information please see our privacy policy.
Consent to the use of data for promotional purposes
I hereby consent to Vogel Communications Group GmbH & Co. KG, Max-Planck-Str. 7-9, 97082 Würzburg including any affiliated companies according to §§ 15 et seq. AktG (hereafter: Vogel Communications Group) using my e-mail address to send editorial newsletters. A list of all affiliated companies can be found here
Newsletter content may include all products and services of any companies mentioned above, including for example specialist journals and books, events and fairs as well as event-related products and services, print and digital media offers and services such as additional (editorial) newsletters, raffles, lead campaigns, market research both online and offline, specialist webportals and e-learning offers. In case my personal telephone number has also been collected, it may be used for offers of aforementioned products, for services of the companies mentioned above, and market research purposes.
Additionally, my consent also includes the processing of my email address and telephone number for data matching for marketing purposes with select advertising partners such as LinkedIn, Google, and Meta. For this, Vogel Communications Group may transmit said data in hashed form to the advertising partners who then use said data to determine whether I am also a member of the mentioned advertising partner portals. Vogel Communications Group uses this feature for the purposes of re-targeting (up-selling, cross-selling, and customer loyalty), generating so-called look-alike audiences for acquisition of new customers, and as basis for exclusion for on-going advertising campaigns. Further information can be found in section “data matching for marketing purposes”.
In case I access protected data on Internet portals of Vogel Communications Group including any affiliated companies according to §§ 15 et seq. AktG, I need to provide further data in order to register for the access to such content. In return for this free access to editorial content, my data may be used in accordance with this consent for the purposes stated here. This does not apply to data matching for marketing purposes.
Right of revocation
I understand that I can revoke my consent at will. My revocation does not change the lawfulness of data processing that was conducted based on my consent leading up to my revocation. One option to declare my revocation is to use the contact form found at https://contact.vogel.de. In case I no longer wish to receive certain newsletters, I have subscribed to, I can also click on the unsubscribe link included at the end of a newsletter. Further information regarding my right of revocation and the implementation of it as well as the consequences of my revocation can be found in the data protection declaration, section editorial newsletter.
Languages such as Rust provide stronger guarantees for memory safety, but do not eliminate all risks in safety-critical systems. Rust code often interacts with hardware registers, RTOS kernels, DMA buffers and legacy C/C++ components and uses unsafe blocks for performance-critical paths. These conditions again lead to risks such as memory corruption, data conflicts and logic errors. Rust panics add another error mode that needs to be controlled. If not fully analyzed and limited, panic behavior can bypass error handling, break timing assumptions, and cause system failures that are difficult to predict through testing.
Static analysis and the risk of false negatives
Static analysis tools detect many errors early, but rely on approximations to remain computationally practical. This leads to false positives, which require manual checking, and false negatives, which overlook real errors.
False negatives are the biggest security risk. A single undetected memory safety issue can affect error handling and lead to a series of failures in various subsystems. These failures often occur during integration or fleet operations, when corrections are costly and recertification poses a major risk to delivery dates and regulatory compliance.
Economic reasons for evidence-based verification
The requirements for functional safety are becoming ever stricter. ISO 26262 increasingly demands proof that entire classes of error modes are eliminated at software level and not just mitigated by redundancy or monitoring. At the same time, the costs for validation and verification are rising rapidly. This is due to stricter safety standards and the growing economic consequences of delayed defect detection, recertification and fleet-wide corrections.
Together, these trends point to a shift from detection-based workflows to mathematically rigorous verification strategies for safety-critical automotive software.
From Recognition to Detection
Formal verification uses mathematical proofs instead of random execution. Techniques such as abstract interpretation enable a comprehensive analysis of all possible execution paths and inputs within defined limits.
For vehicle systems, this means that the absence of entire fault classes, such as memory safety violations and undefined behavior, must be verified. This eliminates false negatives and reduces false positives. Developers can confirm whether life-threatening failure modes in braking, steering, power management and perception systems can occur at all, rather than relying on probable test results.
Impact on development, security and cyber security
Comprehensive verification improves productivity by reducing false alarms and enabling earlier troubleshooting. It reduces rework, integration delays and recertification costs. For large, existing code bases and third-party components, mathematical verification provides objective assurance without extensive rework.
Formal verification strengthens functional safety by proving that dangerous behaviors cannot occur during runtime. This is critical in systems where software errors can directly lead to loss of braking, steering or drive control. From a cyber security perspective, eliminating memory security flaws reduces a large attack surface and thus improves vehicle safety.
Conclusion
Memory safety violations are a constant risk in vehicle software. Problems such as buffer overflows, out-of-bounds accesses, use-after-free errors, integer overflows and null pointer dereferencing can lead to undefined behavior that affects error detection and compromises predictable system behavior.
Mathematically complete verification offers a path from detection to proof. As software increasingly controls the core functions of vehicles, the transition from tested to mathematically verified software is a necessary development in vehicle construction.
:quality(80)/p7i.vogel.de/wcms/a2/9b/a29bb02b3f1e34962e28579dccfbbc49/0129266114v1.jpeg "Bevel gears on workpiece carriers in the rotary indexing conveyor of the VSC 400 DDS - the pick-up spindle removes the workpiece precisely and reproducibly for hard machining at EWS. (Image:Emag)")
:quality(80)/p7i.vogel.de/wcms/c0/2c/c02c6f8c4c079cc5db6a21c00affcecd/0128311235v1.jpeg "Tatra chose a Fastems FPC3000 system as the automation solution, which initially contains twelve pallet spaces, and in a later stage 18 pallet spaces and a linear conveyor. (Image:Starrag/Ralf Baumgarten)")
:quality(80)/p7i.vogel.de/wcms/45/e4/45e497fad5299ffbb7278c1636a261ba/0129304667v1.jpeg "Screw head forming with heat: The heads of the blanks are heated to over 1,000 °C in the induction stage. (Image:Aachen mechanical engineering)")
:quality(80)/p7i.vogel.de/wcms/bc/df/bcdfa690253179f44dfa43986e35e3d4/0129302450v1.jpeg "The VSC 400 DDS retrofit machine from EMAG at EWS Weigele with tool shuttle for external tool preparation - the basis for reliable hard machining of gears. (Image:Emag Systems)")
:quality(80)/p7i.vogel.de/wcms/a3/0c/a30c4c3a36910e92d6082fde37261730/0129555015v1.jpeg "From command recipient to decision-maker: thanks to Agentic AI, robots no longer just stubbornly execute pre-programmed scripts. Instead, they analyze visual data in real time and decide autonomously on the next process step (Image:Nano Banana / AI-generated)")
:quality(80)/p7i.vogel.de/wcms/19/97/1997c06eb2970b0528308f315d0c8e2b/0129538778v1.jpeg "Robots on demand: Rental robots can offer advantages for small and medium-sized companies in particular. (Image:Christopher White)")
:quality(80)/p7i.vogel.de/wcms/99/2e/992e57a54c4ddeaafc113de8e56f2b73/0129501004v1.jpeg "Sereact's AI-based control system can process new and unknown items without prior data collection. (Image:Sereact)")
:quality(80)/p7i.vogel.de/wcms/97/3a/973acc83133c28605f855d750523142e/0129492013v1.jpeg "During the opening, Agile One symbolically pressed the start button. (Image:Deutsche Telekom AG / Cindy Albrecht)")
:quality(80)/p7i.vogel.de/wcms/3f/7f/3f7f9f45ebccd4751d41106866314aea/newsimage418028-2772x1559v1v1.jpeg "Live in the ice channel—detailed recordings in real time make the smallest mistakes and thus time losses in the luge run visible. (Image:Mittweida University of Applied Sciences)")
:quality(80)/p7i.vogel.de/wcms/05/b7/05b7c58dcf5a7fc900348d1c30f7c116/0129540459v1.jpeg "Researchers from Stuttgart have investigated whether the \"technology\" behind hairy elephant trunks, which function as a sensitive gripping system, can also be used in robotics. (Image:Zoo Magic)")
:quality(80)/p7i.vogel.de/wcms/5c/6b/5c6ba3b01c770e0430c88a902149b004/0129558666v1.jpeg "Using quantum computing for highly complex industrial applications: this is what the Q-Genesys project is working on. (Picture: ©Kale Galaxy - stock.adobe.com)")
:quality(80)/p7i.vogel.de/wcms/f8/2d/f82d45c2610205e2c0c188968022890d/more-liftoff-power-first-ariane-6-with-four-boosters-launched-4781x2691v1v1.jpeg "The Ariane 6 can be modularly adapted to any mission—either with two or four boosters and a variable payload fairing length. (Image:ESA-M. Pedoussaut)")
:quality(80)/p7i.vogel.de/wcms/05/5c/055c523a3be81da64c15c017bbd25348/0129529705v1.jpeg "Memory errors such as buffer overflows or use-after-free jeopardize the stability of vehicle software. Formal verification helps to turn tested software into verifiably safe systems. (Image:Dall-E / AI-generated)")
:quality(80)/p7i.vogel.de/wcms/40/46/4046da1c71903423938da8f8ddd9bd4a/0129532197v1.jpeg "The AxTrax 2 LF electric portal axle, specially developed for low-floor buses, delivers a continuous output of up to 360 kW, which is twice as much as its predecessor model at almost the same weight. (Image:ZF Group)")
:quality(80)/p7i.vogel.de/wcms/19/a6/19a63e69256e4dcfb3671d42d3eb5e98/0129568242v1.jpeg "Air bp and Airbus have signed a multi-year contract for the supply of fuel. (Image:Airbus)")
:quality(80)/p7i.vogel.de/wcms/ee/dc/eedc0c644f450569196251abb50015d7/0129550734v1.jpeg "The Open System Protocol from ams Osram for dynamic lighting applications and intelligent vehicle networks is to be implemented as an ISO standard in the future. (Image:ams Osram)")
:quality(80)/p7i.vogel.de/wcms/9d/3e/9d3e2184ac4490544bd6436d7ad1eb03/3d-interconnect-designer-1600x899v1.jpeg "3D Interconnect Designer simplifies high-speed 3D interconnect design for silicon bridges and interposers. (Source: Keysight)")
:quality(80)/p7i.vogel.de/wcms/18/87/1887248f7eb3fabfbbfb90b3b7e4e79e/0129551381v1.jpeg "Digital self-determination: Red Hat's new assessment tool helps companies regain full control over their IT infrastructure. (Image:AI-generated)")
:quality(80)/p7i.vogel.de/wcms/68/ec/68ec268edc51a26c4e6e2de7187e8e4f/0129456364v1.jpeg "The storage facilities are being built at three locations in Lithuania. (Image:Nidec Conversion)")
:quality(80)/p7i.vogel.de/wcms/a0/36/a03679debcdda99158f4eaa0d6fbe43d/0129505643v1.jpeg "Arduino App Lab: The current release 0.4.0 brings a number of helpful new features. (Image:Arduino)")
:fill(fff,0)/p7i.vogel.de/companies/68/a4/68a47beec75ce/logo-cmyk-de.jpeg "logo-cmyk-de (https://www.datatec.eu/)"){kind=logo}
:fill(fff,0)/p7i.vogel.de/companies/67/eb/67eba621ef6ea/logo2.png "logo2 (Wuxi InfiMotion)"){kind=logo}
:quality(80):fill(efefef,0)/p7i.vogel.de/wcms/67/af/67af6debad886/skz-whitepaper-future-trends-coverbild.png "SKZ Whitepaper_Future Trends_Coverbild")
:quality(80)/p7i.vogel.de/wcms/88/c0/88c0efef674e9a92a9438c4ca87232b4/0127890201v1.jpeg "A large number of different programming languages are used in the development of software for the automotive sector. But which language is best suited to meet the stringent requirements of cybersecurity? (Image:freely licensed)")
:quality(80)/p7i.vogel.de/wcms/5e/a4/5ea4b957571a1f1c9ede4bc78acf3da8/0124306848v1.jpeg "Digital twin: Shared representation of a robotics system—left as a digital simulation, right in the real production environment. (Image:AI-generated)")