OK, Slashdot just lost my lengthy reply so I'll do a quick one (OK, it got ranty towards the end).
Generally the industry follows standards such as MISRA/OSEK/AUTOSAR. These stipulate static configuration; to do that you use automatic tools, and for cost reasons (a big driving force in automotive) they optimize the frame packaging for each network so you use less memory and can use cheap parts.
Due to limited bandwidth you have different frame packaging on different networks as well, so in a gatewaying scenario the com-stack will repackage the data, and any unexpected frames will be ignored.
I read the article now and according to it they put the radio on the same bus as the brakes, that's funny. I guess it's a CAN or FlexRay bus (I don't think they use Ethernet yet); then you could just inject the frames directly (you might have to silence the original node first).
I look forward to the talk and it will be interesting to see how they defeat (or if they use) features such as signing of data on the bus (used for safety critical stuff).
If you want to have a look at how a typical automotive RTOS works you can check out an open source (GPLv2) implementation over at: http://www.arccore.com/develop...
Some last euro-cents: at this level, safety under normal and anticipated failure scenarios is considered; security and intentional manipulation, not so much... If you want to kill someone you can always cut the brake hoses. There is no point in trying to secure the internal buses from intentional attack, and focus should be on separating safety critical stuff and anything with outside connectivity (infotainment system, phone etc). Put them on physically different buses and, if they really need to exchange information, use a very limited gateway that can be proven to have no exploits and does rate limiting etc. as well to prevent DoS attacks, and make sure nothing safety critical is dependent on this gatewaying actually working.
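
The "very limited gateway" described in the comment above, sketched as an added example (not part of the original post, and not code from AUTOSAR or any vendor stack): a static route table that repackages known frames, ignores anything unexpected, and rate-limits each route. The frame layout, CAN IDs, lengths and intervals are constructed for illustration.

```c
#include <stdint.h>
#include <string.h>

/* Constructed frame layout and route table: IDs, lengths and rates are
   hypothetical, not taken from any real vehicle network. */
typedef struct { uint32_t id; uint8_t dlc; uint8_t data[8]; } can_frame;

typedef struct {
    uint32_t src_id;      /* only ID accepted from the connected bus */
    uint8_t  src_dlc;     /* exact length expected; anything else is dropped */
    uint32_t dst_id;      /* ID used on the safety-side bus */
    uint8_t  offset, len; /* bytes repackaged into the outgoing frame */
    uint32_t min_gap_ms;  /* rate limit: minimum spacing between forwards */
    uint32_t last_ms;     /* runtime state: time of last forwarded frame */
    uint8_t  seen;        /* runtime state: has this route forwarded yet */
} route;

enum gw_result { GW_FORWARD, GW_DROP_UNKNOWN, GW_DROP_LENGTH, GW_DROP_RATE };

/* Static configuration: fixed at build time, never learned from traffic. */
static route routes[] = {
    { 0x321, 8, 0x0A1, 2, 2, 100, 0, 0 },  /* 2-byte signal, max 10 Hz */
    { 0x322, 4, 0x0A2, 0, 1, 500, 0, 0 },  /* 1-byte signal, max 2 Hz  */
};

enum gw_result gw_process(const can_frame *in, uint32_t now_ms, can_frame *out)
{
    for (size_t i = 0; i < sizeof routes / sizeof routes[0]; i++) {
        route *r = &routes[i];
        if (in->id != r->src_id) continue;
        if (in->dlc != r->src_dlc) return GW_DROP_LENGTH;
        /* unsigned subtraction stays correct across timer wrap-around */
        if (r->seen && (uint32_t)(now_ms - r->last_ms) < r->min_gap_ms)
            return GW_DROP_RATE;
        r->seen = 1;
        r->last_ms = now_ms;
        memset(out, 0, sizeof *out);
        out->id = r->dst_id;           /* repackage under the destination ID */
        out->dlc = r->len;
        memcpy(out->data, in->data + r->offset, r->len);
        return GW_FORWARD;
    }
    return GW_DROP_UNKNOWN;            /* not in the static table: ignored */
}
```

Only the configured bytes cross the gateway, so the rest of a source frame's payload never reaches the destination bus, and a flood on one source ID is capped at that route's configured rate.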