Software doping – Theory and detection

Software is doped if it contains a hidden functionality that is intentionally included by the manufacturer and is not in the interest of the user or society. This thesis complements this informal definition by a set of formal cleanness definitions that characterise the absence of software doping. These definitions reflect common expectations on clean software behaviour and are applicable to many types of software, from printers to cars to discriminatory AI systems. We use these definitions to propose white-box and black-box analysis techniques to detect software doping. In particular, we present a provably correct, model-based testing algorithm that is intertwined with a probabilistic-falsification-based test input selection technique. We identify and explain how to overcome the challenges that are specific to real-world software doping tests and analyses. The most prominent example of software doping in recent years is the Diesel Emissions Scandal. We demonstrate the strength of our cleanness definitions and analysis techniques by applying them to emission cleaning systems of diesel cars. All our car related research is unified in a Car Data Platform. The mobile app LolaDrives is one building block of this platform; it supports conducting real-driving emissions tests and provides feedback to the user in how far a trip satisfies driving conditions that are defined by official regulations.Software ist gedopt wenn sie eine versteckte Funktionalität enthält, die vom Hersteller beabsichtigt ist und deren Existenz nicht im Interesse des Benutzers oder der Gesellschaft ist. Die vorliegende Arbeit ergänzt diese nicht formale Definition um eine Menge von Cleanness-Definitionen, die die Abwesenheit von Software Doping charakterisieren. Diese Definitionen spiegeln allgemeine Erwartungen an "sauberes" Softwareverhalten wider und sie sind auf viele Arten von Software anwendbar, vom Drucker über Autos bis hin zu diskriminierenden KI-Systemen. Wir verwenden diese Definitionen um sowohl white-box, als auch black-box Analyseverfahren zur Verfügung zu stellen, die in der Lage sind Software Doping zu erkennen. Insbesondere stellen wir einen korrekt bewiesenen Algorithmus für modellbasierte Tests vor, der eng verflochten ist mit einer Test-Input-Generierung basierend auf einer Probabilistic-Falsification-Technik. Wir identifizieren Hürden hinsichtlich Software-Doping-Tests in der echten Welt und erklären, wie diese bewältigt werden können. Das bekannteste Beispiel für Software Doping in den letzten Jahren ist der Diesel-Abgasskandal. Wir demonstrieren die Fähigkeiten unserer Cleanness-Definitionen und Analyseverfahren, indem wir diese auf Abgasreinigungssystem von Dieselfahrzeugen anwenden. Unsere gesamte auto-basierte Forschung kommt in der Car Data Platform zusammen. Die mobile App LolaDrives ist eine Kernkomponente dieser Plattform; sie unterstützt bei der Durchführung von Abgasmessungen auf der Straße und gibt dem Fahrer Feedback inwiefern eine Fahrt den offiziellen Anforderungen der EU-Norm der Real-Driving Emissions entspricht

On the road with RTLola : Testing real driving emissions on your phone

This paper is about shipping runtime verification to the masses. It presents the crucial technology enabling everyday car owners to monitor the behaviour of their cars in-the-wild. Concretely, we present an Android app that deploys rtlola runtime monitors for the purpose of diagnosing automotive exhaust emissions. For this, it harvests the availability of cheap Bluetooth adapters to the On-Board-Diagnostics (obd) ports, which are ubiquitous in cars nowadays. The app is a central piece in a set of tools and services we have developed for black-box analysis of automotive vehicles. We detail its use in the context of real driving emission (rde) tests and report on sample runs that helped identify violations of the regulatory framework currently valid in the European Union

RTLola on Board: Testing Real Driving Emissions on your Phone

This paper is about shipping runtime verification to the masses. It presents the crucial technology enabling everyday car owners to monitor the behaviour of their cars in-the-wild. Concretely, we present an Android app that deploys RTLola runtime monitors for the purpose of diagnosing automotive exhaust emissions. For this, it harvests the availability of cheap bluetooth adapters to the On-Board-Diagnostics (OBD) ports, which are ubiquitous in cars nowadays. We detail its use in the context of Real Driving Emissions (RDE) tests and report on sample runs that helped identify violations of the regulatory framework currently valid in the European Union

Doping Tests for Cyber-physical Systems

The software running in embedded or cyber-physical systems is typically of proprietary nature, so users do not know precisely what the systems they own are (in)capable of doing. Most malfunctionings of such systems are not intended by the manufacturer, but some are, which means these cannot be classified as bugs or security loopholes. The most prominent examples have become public in the diesel emissions scandal, where millions of cars were found to be equipped with software violating the law, altogether polluting the environment and putting human health at risk. The behaviour of the software embedded in these cars was intended by the manufacturer, but it was not in the interest of society, a phenomenon that has been called software doping. Due to the unavailability of a specification, the analysis of doped software is significantly different from that for buggy or insecure software and hence classical verification and testing techniques have to be adapted. The work presented in this article builds on existing definitions of software doping and lays the theoretical foundations for conducting software doping tests, so as to enable uncovering unethical manufacturers. The complex nature of software doping makes it very hard to effectuate doping tests in practice. We explain the main challenges and provide efficient solutions to realise doping tests despite this complexity.Fil: Biewer, Sebastian. Universitat Saarland; AlemaniaFil: D'argenio, Pedro Ruben. Universidad Nacional de Córdoba. Facultad de Matemática, Astronomía y Física; Argentina. Universitat Saarland; Alemania. Consejo Nacional de Investigaciones Científicas y Técnicas. Centro Científico Tecnológico Conicet - Córdoba; ArgentinaFil: Hermanns, Holger. Universitat Saarland; Alemani

Is your software on dope? Formal analysis of surreptitiously "enhanced" programs

Usually, it is the software manufacturer who employs verification or testing to ensure that the software embedded in a device meets its main objectives. However, these days we are confronted with the situation that economical or technological reasons might make a manufacturer become interested in the software slightly deviating from its main objective for dubious reasons. Examples include lock-in strategies and the $\mathrm{NO}_x$ emission scandals in automotive industry. This phenomenon is what we call software doping. It is turning more widespread as software is embedded in ever more devices of daily use. The primary contribution of this article is to provide a hierarchy of simple but solid formal definitions that enable to distinguish whether a program is clean or doped. Moreover, we show that these characterisations provide an immediate framework for analysis by using already existing verification techniques. We exemplify this by applying self-composition on sequential programs and model checking of HyperLTL formulas on reactive models.Comment: To appear in the proceedings of ESOP 201

Conformance-Based Doping Detection forCyber-Physical Systems

We present a novel and generalised notion of doping clean-ness for cyber-physical systems that allows for perturbing the inputs andobserving the perturbed outputs both in the time– and value–domains.We instantiate our definition using existing notions of conformance forcyber-physical systems. We show that our generalised definitions are es-sential in a data-driven method for doping detection and apply our def-initions to a case study concerning diesel emission tests.</p