Development of a Code Analysis and Verification System for Automotive Firmware Using AI and Enhanced User Interfaces

In today’s embedded systems landscape, maintaining reliable and compliant code is crucial. This project introduces a code analysis and verification platform designed to streamline the review of Infineon microcontroller firmware. Leveraging comprehensive Python scripts, it evaluates entire firmware projects by applying various rule-based test cases, thus supporting or replacing manual reviews that typically require substantial time and concentration. The test cases developed are divided into two main branches, one for project structure analysis and one for file content analysis including firmware source code. Project structure analysis includes file existence checks for some of the necessary configuration and integrated development environment-related files. Content-related analysis is the analysis performed on the source code and project description files like the README files. A portion of the test cases that are related to source code analysis are aligned with international C coding guidelines such as MISRA C and CERT C and some are aligned with company-specific guidelines. The C coding guidelines have been utilized as a baseline, and thus better safety-related checks have been performed with respect to manual code reviews. The main motivations of the project include reducing vulnerable code patterns, maintaining readability, and compliant project structures for public release. The methods used for the test cases include applications with regular expressions, existing Python libraries, large language models (LLM), and some additional software tools. A novel aspect of the project is utilizing artificial intelligence through LLM to assist code analysis. Two approaches have been utilized together, prompt engineering and fine-tuning of an existing LLM. As an LLM OpenAI's GPT-4o model has been utilized. A dataset for selected coding rules has been prepared and integrated into the LLM by the fine-tuning service provided by OpenAI. The dataset includes rule descriptions, non-compliant and compliant code examples, rule numbers, and some other information related to the rule with suitable data labelings. With the fine-tuned model along with a well-structured prompt, the AI application has been tested on an example source code injected with multiple rule violations. As a result, it has been observed that the majority of the rule violations have been detected with the AI application, thus allowing us to assist vulnerable code pattern detection. However, it is important to mention that the AI application is not a deterministic solution and it should only be considered as a complementary solution. The thesis project includes a modular Python-based architecture with dual interfaces: a command-line tool for automated pipelines and a graphical user interface (GUI) for interactive use. The author's main contributions were developing multiple test cases that cover vulnerable code patterns and readability, utilizing the LLM for code analysis, refactoring the existing project structure for increased modularity by utilizing Python object-oriented programming approaches and developing the user interfaces. Preliminary evaluations indicate the system’s potential to reduce manual effort in firmware verification while improving adherence to selected automotive safety guidelines.