Breathalyzer source code obtained...and it's BS

[googe]

http://www.schneier.com/blog/archive...re_proble.html

Links to the PDF analysis: http://www.dwi.com/new-jersey/new-jersey/code-review

http://www.dwi.com/new-jersey/base-one-findings

This is an excellent lesson in the security problems inherent in trusting proprietary software:

After two years of attempting to get the computer based source code for the Alcotest 7110 MKIII-C, defense counsel in State v. Chun were successful in obtaining the code, and had it analyzed by Base One Technologies, Inc.

Draeger, the manufacturer maintained that the system was perfect, and that revealing the source code would be damaging to its business. They were right about the second part, of course, because it turned out that the code was terrible.

2. Readings are Not Averaged Correctly: When the software takes a series of readings, it first averages the first two readings. Then, it averages the third reading with the average just computed. Then the fourth reading is averaged with the new average, and so on. There is no comment or note detailing a reason for this calculation, which would cause the first reading to have more weight than successive readings. Nonetheless, the comments say that the values should be averaged, and they are not.

3. Results Limited to Small, Discrete Values: The A/D converters measuring the IR readings and the fuel cell readings can produce values between 0 and 4095. However, the software divides the final average(s) by 256, meaning the final result can only have 16 values to represent the five-volt range (or less), or, represent the range of alcohol readings possible. This is a loss of precision in the data; of a possible twelve bits of information, only four bits are used. Further, because of an attribute in the IR calculations, the result value is further divided in half. This means that only 8 values are possible for the IR detection, and this is compared against the 16 values of the fuel cell.

4. Catastrophic Error Detection Is Disabled: An interrupt that detects that the microprocessor is trying to execute an illegal instruction is disabled, meaning that the Alcotest software could appear to run correctly while executing wild branches or invalid code for a period of time. Other interrupts ignored are the Computer Operating Property (a watchdog timer), and the Software Interrupt.

Basically, the system was designed to return some sort of result regardless.

This is important. As we become more and more dependent on software for evidentiary and other legal applications, we need to be able to carefully examine that software for accuracy, reliability, etc. Every government contract for breath alcohol detectors needs to include the requirement for public source code. "You can't look at our code because we don't want you to" simply isn't good enough.

Edit:

Man, this thing is terrible.

Array aak is declared to the size of 4, which allows subscripts of 0 to 3. Lines
292 and 293 in the file ir_messw.c use array subscripts 4 and 5 for aak, which is
forcing a write beyond the end of the declared array size.

WTF? That's so bad (I'm sure there are a several programmers on here that understand how retarded that is).

Cylcomatic complexity of over 100 in some of the functions, 10 levels of nesting...that's gotta be among the poorest quality, unmaintainable code someone has dared to ship.

The ten-percent difference comparison of successive tests is done in units of ug/l, not %BAC.
There is a comment in that area of the code stating “this conversion to %BAC needs to be done”,
but the conversion is not done.

Fifty-one functions (subroutines or programs) of 475 total functions are not used and are still in
the source code.

[5hift]

not surprised at all.

[badatusrnames]

Great, now try and get someone non-technical like a judge or even law enforcement to understand this...

[5hift]

I'm about as non-techincal as you can be (at least by Beyond standards) and while I may be corrected what I got out of it was:


-The interupt that prevents wrong instructions being sent is disabled
-Allows software to execute wild branches or invalid code
- So if there is a mistake in the reading, the breathlalyzer, instead of giving an error, gives in inaccurate reading.
- If we are going to be forced to trust and be regulated by software program, the code should be public so it can be examined and scrutinized.

Not providing the code, but regulating rules/laws by its results, is like punishing someone for a crime without even an explantion of where they violated the criminal code. Just saying my magic black plastic wand says you broke the law, so off to jail you go.

[BerserkerCatSplat]

Wow, that's pretty awful. Is that unit used in Canada? I can only seem to find references to its use in New Jersey.

[googe]

Originally posted by 5hift
I'm about as non-techincal as you can be (at least by Beyond standards) and while I may be corrected what I got out of it was:


-The interupt that prevents wrong instructions being sent is disabled
-Allows software to execute wild branches or invalid code
- So if there is a mistake in the reading, the breathlalyzer, instead of giving an error, gives in inaccurate reading.
- If we are going to be forced to trust and be regulated by software program, the code should be public so it can be examined and scrutinized.

Not providing the code, but regulating rules/laws by its results, is like punishing someone for a crime without even an explantion of where they violated the criminal code. Just saying my magic black plastic wand says you broke the law, so off to jail you go.

Pretty much, though that is the tip of the iceberg with respect to the problems the thing has. That part basically says that for what small error checking the thing does have, instead of reporting that there was a problem, it will just randomly pick some valid value and pretend all is well, and report it back. So if it detects a problem in its own sensor reading, it will be like "No problems officer, dude is definitely drunk, haul him to jail!"

Even worse is that it does NOT err on the side of caution, ie, if it has a bad reading it does not take the safe approach and exonerate the guy. It rolls the dice instead. which is pretty fucking scary if you think about it.

No idea if this one is used in Canada, but if some dumbass incompetent programmer wrote the code that decides if I go to jail and tarnish my record for life, and I'm not even allowed to see it, that is pretty messed up imo. These types of things should be scrutinized and open for peer review, as should voting machines. Anything protecting the interests of the public and making such heavy decisions can't be left up to some random guy programming into a black box, and the rest of the population just has to assume that he knows what he is doing.

[phil98z24]

Yeeee-ikes. Just out of curiosity, is this something you found in relation to your line of work (assuming you are in that line or work) or just searching on the web. The reason I ask is because if this is something that could potentially affect the models used in Canada (commonly Intoxilyzer type models) that is fairly serious stuff.

I am not super programmer guy, but I can interpret that well enough that I am not exactly comfortable knowing that is happening. Not only that, but if a huge gas detection/safety company like Draeger isn't getting it right with an evidentiary instrument - then what else is going wrong in their H2S detection and things like that?

[googe]

Originally posted by phil98z24
Yeeee-ikes. Just out of curiosity, is this something you found in relation to your line of work (assuming you are in that line or work) or just searching on the web. The reason I ask is because if this is something that could potentially affect the models used in Canada (commonly Intoxilyzer type models) that is fairly serious stuff.

Kind of - I am in that line of work (software security), but am not working on anything related to the breathalyzer. Just that it's had some buzz on security blogs and I've been paying attention to the cases out of interest. They've been trying to get access to the code for awhile in several states. I believe one state (florida maybe?) ended up ruling that they won't force them to reveal the code, but they won't convict based on it then either.

[tsi_neal]

Correct me if im wrong, but I understood that the breathalizer was only a precurser to a blood test. Pretty much you blow over you get stuck with a needle and the blood results are what decided if you get charged. Again could be wrong, ive never been in that situation.

[rage2]

Originally posted by googe
WTF? That's so bad (I'm sure there are a several programmers on here that understand how retarded that is

Buffer overflow! So can you figure out a way to breath a certain amount of alcohol and make it run your own code?

[Cos]

Originally posted by tsi_neal
Correct me if im wrong, but I understood that the breathalizer was only a precurser to a blood test. Pretty much you blow over you get stuck with a needle and the blood results are what decided if you get charged. Again could be wrong, ive never been in that situation.

AFAIK not in canada. If you blow over the line they can suspend your license on the spot and impound your car.

[sputnik]

My boss was actually part of the breathalyzer testing program here in Alberta.

They would pick him up and feed him alcohol and food all day while getting him to blow into the device on regular intervals. Then once the day was done he would get a couple hundred bucks and get driven home.

[Cos]

Originally posted by sputnik
My boss was actually part of the breathalyzer testing program here in Alberta.

They would pick him up and feed him alcohol and food all day while getting him to blow into the device on regular intervals. Then once the day was done he would get a couple hundred bucks and get driven home.

can you ask him to get me in on the next round of testing?

[toastgremlin]

That's pretty bad - it's not unusual for the embedded code I've seen, but considering that this software has the ability to send someone to prison (or in the case of the H2S monitors, to their grave) you'd think they'd do a proper job of it.

A cyclomatic complexity of over 100 in any function is completely insane. I once tore into an ancient codebase that had an average depth of 6 and I thought I was going to go nuts from it.

A good technical lawyer should be able to find enough subject matter experts to tear the case apart in court and probably cause some cases becoming overturned that were based on readings from this piece of junk.

[Ballin]

Originally posted by sputnik
My boss was actually part of the breathalyzer testing program here in Alberta.

They would pick him up and feed him alcohol and food all day while getting him to blow into the device on regular intervals. Then once the day was done he would get a couple hundred bucks and get driven home.

Now that is a job for me sign me up I am a pro drinker and I eat regularly so this is a perfect fit! I would do it for free let alone a couple hundred

[D'z Nutz]

Holy that's hilarious, but at the same time not. How long has this particular piece of code been in use?

I'd actually like to see this spaghetti code. I don't think I could even write code that bad on purpose.

[evoXfan]

Originally posted by rage2

Buffer overflow! So can you figure out a way to breath a certain amount of alcohol and make it run your own code?

Thanks for the

[Fuji]

Originally posted by rage2

Buffer overflow! So can you figure out a way to breath a certain amount of alcohol and make it run your own code?

It's gotta be pungent to do that.... don't ever brush your teeth or fart on it.

[Spoons]

Originally posted by rage2

Buffer overflow! So can you figure out a way to breath a certain amount of alcohol and make it run your own code?

Some of the code doesn't even make sense. I worked on it a bit in my 233 class (class mate got a source, can't remember where, but if I find it I will post) for shits and giggles. Some of the coding is fucking stupid.

I mean me, a first year engineering student at the time with limited programming skills could of programmed it better.