Doping Tests for Cyber-Physical Systems

  • Sebastian Biewer
  • Pedro D’Argenio
  • Holger Hermanns
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11785)

Abstract

The software running in embedded or cyber-physical systems (CPS) is typically proprietary, so users do not know precisely what the systems they own are (in)capable of doing. Most malfunctions of such systems are not intended by the manufacturer, but some are, which means these cannot be classified as bugs or security loopholes. The most prominent examples became public in the diesel emissions scandal, where millions of cars were found to be equipped with software violating the law, altogether polluting the environment and putting human health at risk. The behaviour of the software embedded in these cars was intended by the manufacturer, but it was not in the interest of society, a phenomenon that has been called software doping. Doped software is significantly different from buggy or insecure software, and hence classical verification and testing techniques cannot be used to discover and mitigate software doping.

The work presented in this paper builds on existing definitions of software doping and lays the theoretical foundations for conducting software doping tests, so as to enable attacking evil manufacturers. The complex nature of software doping makes it very hard to carry out doping tests in practice. We explain the biggest challenges and provide efficient solutions to realise doping tests despite this complexity.

Notes

Acknowledgements

We gratefully acknowledge Thomas Heinze, Michael Fries, and Peter Birtel (Automotive Powertrain Institute of HTW Saar) for sharing their automotive engineering expertise with us, and for providing the automotive test infrastructure. This work is partly supported by the ERC Grant 695614 (POWVER), by the Deutsche Forschungsgemeinschaft (DFG, German Research Foundation) grant 389792660 as part of TRR 248, see https://perspicuous-computing.science, by the Saarbrücken Graduate School of Computer Science, by the Sino-German CDZ project 1023 (CAP), by ANPCyT PICT-2017-3894 (RAFTSys), and by SeCyT-UNC 33620180100354CB (ARES).

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  • Sebastian Biewer (1)
  • Pedro D’Argenio (1, 2, 3)
  • Holger Hermanns (1, 4)
  1. Saarland University, Saarland Informatics Campus, Saarbrücken, Germany
  2. FAMAF, Universidad Nacional de Córdoba, Córdoba, Argentina
  3. CONICET, Córdoba, Argentina
  4. Institute of Intelligent Software, Guangzhou, China