Is Your Software on Dope?

Formal Analysis of Surreptitiously “enhanced” Programs
  • Pedro R. D’Argenio
  • Gilles Barthe
  • Sebastian Biewer
  • Bernd Finkbeiner
  • Holger Hermanns
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10201)


Usually, it is the software manufacturer who employs verification or testing to ensure that the software embedded in a device meets its main objectives. These days, however, we are confronted with the situation that economic or technological reasons may make a manufacturer interested in having the software deviate slightly from its main objective for dubious reasons. Examples include lock-in strategies and the \(\mathrm {NO}_x\) emission scandals in the automotive industry. This phenomenon is what we call software doping. It is becoming more widespread as software is embedded in ever more devices of daily use.

The primary contribution of this article is to provide a hierarchy of simple but solid formal definitions that make it possible to distinguish whether a program is clean or doped. Moreover, we show that these characterisations provide an immediate framework for analysis using already existing verification techniques. We exemplify this by applying self-composition to sequential programs and model checking of HyperLTL formulas on reactive models.
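To illustrate the self-composition route the abstract mentions, here is an added example (not code from the paper): two copies of a program are run on input pairs that agree on the standard input but differ in a parameter the program should not react to, and any diverging output pair is a witness of doping. The toy urea-dosing controllers, the input domains and the specific "independence of test-cycle detection" property are constructed assumptions for this example, not definitions taken from the article.

```python
from itertools import product

# Constructed input domains (not from the paper):
# - standard input: requested engine load, 0..3
# - parameter of interest: whether the controller believes it is running
#   on a certification test cycle; a clean program must not let this
#   influence its output
LOADS = range(4)
TEST_CYCLE = (False, True)


def clean_controller(load, on_test_cycle):
    """Urea dosing (arbitrary units) that depends only on engine load."""
    return 10 + 5 * load


def doped_controller(load, on_test_cycle):
    """Constructed doped variant: full dosing only when a test cycle is suspected."""
    return 10 + 5 * load if on_test_cycle else 10 + 2 * load


def self_composition_check(program, loads=LOADS, params=TEST_CYCLE):
    """Relational (2-safety) check by self-composition.

    The program is 'composed with itself': a first copy runs on (load, p1),
    a second copy on (load, p2), i.e. the same standard input and a possibly
    different parameter of interest. The property checked is that both
    copies agree on their output. Returns None if no violating pair exists
    in the enumerated domain, otherwise the first witness found.
    """
    for load, (p1, p2) in product(loads, product(params, repeat=2)):
        out1 = program(load, p1)  # first copy of the program
        out2 = program(load, p2)  # second copy, same load, other parameter
        if out1 != out2:
            return {"load": load, "params": (p1, p2), "outputs": (out1, out2)}
    return None


if __name__ == "__main__":
    print("clean :", self_composition_check(clean_controller))
    print("doped :", self_composition_check(doped_controller))
```

For a real program the enumeration is replaced by a verifier run on the composed program with renamed variables, but the property being checked is the same relational one.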





We would like to thank the Dependable Systems and Software Group (Saarland University) for a fruitful discussion during an early presentation of this work, and Nicolás Wolovick for drawing our attention to electronic voting.



Copyright information

© Springer-Verlag GmbH Germany 2017

Authors and Affiliations

  • Pedro R. D’Argenio (1, 2)
  • Gilles Barthe (3)
  • Sebastian Biewer (2)
  • Bernd Finkbeiner (2)
  • Holger Hermanns (2)
  1. FaMAF, Universidad Nacional de Córdoba – CONICET, Córdoba, Argentina
  2. Computer Science, Saarland Informatics Campus, Saarland University, Saarbrücken, Germany
  3. IMDEA Software, Madrid, Spain
