by intern4tional 945 days ago
So, this will be my last response to this thread as I think it's run its course.

> voluntary standards aren't standards

Most of the world's standards work this way. They are standards, and it is up to various legislative bodies to decide how to enforce these things. In automotive, compliance with a standard is generally attested to a government and included in the package that is shared with other governments to allow import or sale of the car in their country. Tesla simply flaunts that.

> safety related bugs

This kind of thing isn't a thing if you understand automotive safety, or shouldn't be. You should have sufficient safety controls such that an unsafe condition will not occur. If this is a thing, you're talking about a bug then in the applied safety mechanism that allows an escape.

> watchdog timer expiring is an appropriate response?

Keys for SecOC get out of sync and throw an error. Not a safety problem per se, but through your health check (since I consider watchdog timers an implementation of health and state management) you'd trigger a restart of the software to resync the keys.

> pretend certification is bullet proof even if it is useful it can miss glaringly obvious errors

I don't, but when it works it is sufficient. Open sourcing something adds nothing when it works. Importantly, usually TUV assumes liability for things they certify in many cases (not all, but generally that is how it works).

> limited to black box rather than in depth review and formal guarantees

We get the latter at my place from them, so I would poke at this area more if you think it's black box only. This likely depends on the contractual terms, and who assumes liability.

> VW managed to bamboozle them in a way

The VW code is likely not safety relevant, so it wasn't reviewed as in depth. Most ECU code also isn't reproducible even today.

> So I don't think anybody is looking too hard.

On this I generally agree as someone in this space. The amount of money invested in Pwn2Own is small given the barrier for entry: https://www.zerodayinitiative.com/blog/2023/8/28/revealing-t...


> Keys for SecOC get out of sync and throw an error. Not a safety problem per se, but through your health check (since I consider watchdog timers an implementation of health and state management) you'd trigger a restart of the software to resync the keys.

Ok, agreed in that case, though I'd prefer to see a forced reset rather than to rely on the watchdog timer as the mechanism to do it for you. You could just jump to the reset vector instead.